Google Cloud Compute Engine external VPN gateways

Manage external access points to Compute Engine VPNs (e.g., network gateways).

Multiple organizational functions often reside within Compute Engine.


compute.externalVpnGateways.use

Can be used to gain network access when the attacker has both access to the gateway in question and the ability to modify the VPN settings.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview
  • https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog