services / Google Cloud / Compute Engine disks
Read and edit Compute Engine disks and disk assignments.
Multiple organizational functions may often reside within Compute Engine.
compute.disks.useReadOnly
Can allow data access if the attacker can attach the disk to an additionally compromised instance.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog