catalog logoThe IAM Privilege Catalog

services / Google Cloud / Compute Engine instance groups

Create and alter (unmanaged) instance groups.

Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.

compute.​instanceGroups.​update

Can provide access to a VM by connecting instances to a compromised load-balancing rule; or, remove necessary infrastructure from network access.

Risks

  1. Network destruction (HIGH)
  2. Lateral movement (BOOST)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​compute/​docs/​instance-​groups
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​compute/​instance-​groups/​unmanaged
  • https:​/​/​cloud.​google.​com/​compute/​docs/​reference/​rest/​v1/​instanceGroups

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog