Policy discovery


Allows an attacker to read access-control policies. May allow an attacker to focus attacks on policy weak points (e.g. overprovisioned accounts, or unsecured infrastructure).

Risk: LOW

This risk may assist in additional attacks, or grant access to confidential data that does not create organizational risk on its own.


  1. Avoid overprovisioned entitlements


  1. https://attack.mitre.org/techniques/T1069/

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

© 2023–present P0 Security and contributors to the IAM Privilege Catalog