services / Google Cloud / Compute Engine managed instances

Create and alter managed instances.

Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms "instance" and "VM" are used interchangeably in the Compute Engine documentation, although they may carry different meanings within these privileges.


compute.​instances.​osAdminLogin

Allows root-level access to the instance, effectively granting full control of every service hosted on it. Allows full access to instance metadata, with risks similar to those of `get`. Allows access to all data stored on the instance. Allows access to any bound service account, and therefore to every resource that service account can reach (potentially including data repositories). Allows access to any network to which the instance is attached. Allows alteration of logs, potentially letting an attacker conceal their presence. If the instance has a service account attached, using this permission additionally requires permission to act as that service account.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://cloud.google.com/compute/docs/instances
  • https://cloud.google.com/sdk/gcloud/reference/compute/instances
  • https://cloud.google.com/compute/docs/reference/rest/v1/instances
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog