Network destruction

The IAM Privilege Catalog

risks / Network destruction

Description

Allows an attacker to delete network components (such as endpoints, routes, VLANs, VPCs and the like). Implies denial-of-service when the network hosts a service. Removal of network firewall policies is covered by destruction:policy.

Risk: HIGH

Exploited in isolation, this risk has the potential to disrupt ancillary organization operations, cause reputational damage, or run afoul of compliance requirements.

Mitigations

Network redundancy

Links

(No links for this risk)

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

compute.externalVpnGateways.delete

compute.forwardingRules.delete

compute.forwardingRules.pscDelete

compute.forwardingRules.pscUpdate

compute.forwardingRules.update

compute.globalAddresses.delete

compute.globalAddresses.deleteInternal

compute.globalForwardingRules.delete

compute.globalForwardingRules.pscDelete

compute.globalForwardingRules.pscUpdate

compute.globalForwardingRules.update

compute.globalNetworkEndpointGroups.delete

compute.globalNetworkEndpointGroups.detachNetworkEndpoints

compute.healthChecks.delete

compute.healthChecks.update

compute.httpHealthChecks.delete

compute.httpHealthChecks.update

compute.httpsHealthChecks.delete

compute.httpsHealthChecks.update

compute.instanceGroupManagers.delete

compute.instanceGroupManagers.update

compute.instanceGroups.update

compute.instances.deleteAccessConfig

compute.instances.osAdminLogin

compute.instances.simulateMaintenanceEvent

compute.instances.update

compute.instances.updateAccessConfig

compute.instances.updateNetworkInterface

compute.interconnectsAttachments.delete

compute.networkEndpointGroups.delete

compute.networkEndpointGroups.detachNetworkEndpoints

compute.networks.delete

compute.networks.removePeering

container.backendConfigs.create

container.backendConfigs.delete

container.backendConfigs.update

container.clusters.delete

container.clusters.update

container.daemonSets.update

container.deployments.update

container.endpointSlices.delete

container.endpointSlices.update

container.endpoints.delete

container.endpoints.update

container.frontendConfigs.create

container.frontendConfigs.delete

container.frontendConfigs.update

container.ingresses.delete

container.ingresses.update

container.namespaces.delete

container.replicaSets.update

container.services.delete

container.services.update

container.statefulSets.update

dns.managedZones.delete

dns.resourceRecordSets.delete

dns.responsePolicyRules.delete

© 2023–present P0 Security and contributors to the IAM Privilege Catalog