catalog logoThe IAM Privilege Catalog

services / Google Cloud / Compute Engine managed instances

Create and alter managed instances.

Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms "instance" and "VM" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.

compute.​instances.​getSerialPortOutput

Allows reading data from an instance even if exfiltration is otherwise prevented via firewall rules / limited console access. Requires an additional exploit to write data to the serial port.

Risks

  1. Data exfiltration (CRITICAL)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​compute/​docs/​instances
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​compute/​instances
  • https:​/​/​cloud.​google.​com/​compute/​docs/​reference/​rest/​v1/​instances
  • https:​/​/​cloud.​google.​com/​compute/​docs/​troubleshooting/​viewing-​serial-​port-​output
  • https:​/​/​www.​mitiga.​io/​blog/​misconfiguration-​hidden-​dangers-​cloud-​control-​plane

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog