catalog logoThe IAM Privilege Catalog

services / Google Cloud / Compute Engine firewall policies

Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project.

Multiple organizational functions may often reside within Compute Engine.

compute.​firewallPolicies.​cloneRules

Simultaneously deletes a firewall policy and creates a new policy. Allows escalation when the new policy is overly permissive, or the attacker additionally can alter the copied policy.

Risks

  1. Policy destruction (CRITICAL)
  2. Lateral movement (BOOST)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​cloud.​google.​com/​vpc/​docs/​firewall-​policies-​overview
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​compute/​firewall-​policies
  • https:​/​/​cloud.​google.​com/​compute/​docs/​reference/​rest/​v1/​firewallPolicies

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog