services / Google Cloud / Compute Engine managed instances

Create and alter managed instances.

Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms "instance" and "VM" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.


compute.instances.setScheduling

Can lead to data or log destruction when the instance is configured to terminate on host maintenance. May be used to prevent crashed hosts from automatically restarting. Requires the ability to crash the instance to exploit. Can only be applied to a stopped instance.

Risks

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploitation can incur operational cost.

Links

  • https://cloud.google.com/compute/docs/instances
  • https://cloud.google.com/sdk/gcloud/reference/compute/instances
  • https://cloud.google.com/compute/docs/reference/rest/v1/instances
  • https://cloud.google.com/compute/docs/instances/setting-vm-host-options
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog