services / Google Cloud / Compute Engine backend buckets

Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN.

Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.

compute.backendBuckets.update

Does not allow modification of edge security policies. Allows modifying some CDN policies, but not anything that affects access control.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets
  • https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets
  • https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets/update
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog