services / Google Cloud / Compute Engine managed instances

Create and alter managed instances.

Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms "instance" and "VM" are used interchangeably in the Compute Engine documentation, although they may have semantic differences within these privileges.


compute.instances.create

A newly created instance has local access to the instance metadata server, so whoever controls the instance can read and export the credentials exposed there, including disk encryption keys and short-lived service account tokens, to an external server. The instance also provides access to the networks it is connected to (e.g. VPCs). Created instances can be used to hijack resources or to incur extra spend. Because creating an instance with an attached service account requires permission to impersonate that service account, access to the service-account token does not by itself constitute a privilege escalation.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://cloud.google.com/compute/docs/instances
  • https://cloud.google.com/sdk/gcloud/reference/compute/instances
  • https://cloud.google.com/compute/docs/reference/rest/v1/instances
  • https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
  • https://cloud.google.com/compute/docs/metadata/default-metadata-values
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog