catalog logoThe IAM Privilege Catalog

services / Google Cloud / Pub/Sub snapshot

A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created.

pubsub.​snapshots.​update

This allows updating snapshot metadata. Potential DOS and data destruction risks if the expiration time is updated.

Risks

  1. Data destruction (CRITICAL)
  2. Denial-of-service (HIGH)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​pubsub/​docs/​replay-​overview#​seek_​to_​a_​snapshot
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​pubsub/​snapshots/​create

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog