
Manage network endpoint groups (NEGs) for Google Cloud load balancers.

Compute Engine commonly hosts workloads belonging to several organizational functions at once. Abusing NEG-related permissions, however, depends on additional weaknesses in the VM or VPC configuration, such as sensitive data or administrative access exposed on open VPC ports that the endpoints can reach.


compute.​networkEndpointGroups.​use

Combined with the ability to create or alter health checks (and the backend services or regional health check services that attach them), this permission lets the holder reference a NEG as a health-checked target, so that the load balancer's probers send health checks to every endpoint in the group. This can become a denial of service (DoS) if the check interval is short enough and each probed endpoint is expensive enough to serve.
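The following is an added example, not code from the IAM Privilege Catalog or from P0 Security. It audits the probe load that health-check wiring implies for each NEG: every backend service or regional health check service that references a NEG, together with the `checkIntervalSec` of each attached health check, is folded into a per-endpoint probe rate, and NEGs probed more often than a chosen threshold are reported. The input dicts are assumed to carry the subset of fields (`name`, `checkIntervalSec`, `healthChecks`, `backends[].group`, `networkEndpointGroups`, `size`) that `gcloud ... list --format=json` and the `regionHealthCheckServices` REST resource expose; the sample data, project name and the 5-second threshold are constructed for illustration.

```python
"""Audit how often load-balancer health checks will probe each NEG's endpoints.

Added example for the compute.networkEndpointGroups.use catalog entry; not the
catalog's own code.  Assumption: the inputs mirror the subset of fields returned by
`gcloud compute health-checks list --format=json`, `gcloud compute backend-services
list --format=json`, `gcloud compute network-endpoint-groups list --format=json` and
the regionHealthCheckServices REST resource that this script actually reads.
"""
from collections import defaultdict

# Assumption (not from the catalog page): treat more than one probe every 5 s per
# endpoint as worth a finding.  Tune to the cost of the probed handler.
MIN_SAFE_INTERVAL_SEC = 5


def _name(url):
    """Last path component of a self-link, or the value itself if it is a bare name."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def neg_probe_plan(health_checks, backend_services, health_check_services):
    """Map NEG name -> list of (referencing resource, checkIntervalSec) for each
    health check that will be run against the NEG's endpoints."""
    interval = {hc["name"]: hc["checkIntervalSec"] for hc in health_checks}
    plan = defaultdict(list)
    # A backend service runs each attached health check against every backend group.
    for bs in backend_services:
        for hc in bs.get("healthChecks", []):
            for backend in bs.get("backends", []):
                plan[_name(backend["group"])].append((bs["name"], interval[_name(hc)]))
    # A regional health check service probes the NEGs listed on it directly, with no
    # backend service in between; referencing a NEG there needs networkEndpointGroups.use.
    for hcs in health_check_services:
        for hc in hcs.get("healthChecks", []):
            for neg in hcs.get("networkEndpointGroups", []):
                plan[_name(neg)].append((hcs["name"], interval[_name(hc)]))
    return dict(plan)


def audit(health_checks, backend_services, health_check_services, negs,
          min_interval=MIN_SAFE_INTERVAL_SEC):
    """Return one finding per NEG whose endpoints would be probed more often than
    once per min_interval seconds, summed over every attached health check."""
    size = {neg["name"]: neg.get("size", 0) for neg in negs}
    findings = []
    plan = neg_probe_plan(health_checks, backend_services, health_check_services)
    for neg, checks in sorted(plan.items()):
        # Probes per second that a single endpoint receives from one prober.  Google
        # runs several redundant probers, so the real figure is a multiple of this.
        per_endpoint = sum(1.0 / sec for _, sec in checks)
        if per_endpoint > 1.0 / min_interval:
            findings.append({
                "neg": neg,
                "endpoints": size.get(neg, 0),
                "probes_per_sec_per_endpoint": round(per_endpoint, 6),
                "total_probes_per_sec": round(per_endpoint * size.get(neg, 0), 6),
                "sources": sorted({src for src, _ in checks}),
            })
    return findings


# Constructed sample data (hypothetical project "example-project"); not captured output.
_P = "https://www.googleapis.com/compute/v1/projects/example-project"
HEALTH_CHECKS = [
    {"name": "hc-fast", "type": "HTTP", "checkIntervalSec": 1, "timeoutSec": 1},
    {"name": "hc-normal", "type": "HTTP", "checkIntervalSec": 10, "timeoutSec": 5},
]
NEGS = [
    {"name": "neg-reports", "networkEndpointType": "GCE_VM_IP_PORT", "size": 4},
    {"name": "neg-api", "networkEndpointType": "GCE_VM_IP_PORT", "size": 2},
]
BACKEND_SERVICES = [
    {"name": "bs-api",
     "healthChecks": [f"{_P}/global/healthChecks/hc-normal"],
     "backends": [{"group": f"{_P}/zones/us-central1-a/networkEndpointGroups/neg-api"}]},
]
HEALTH_CHECK_SERVICES = [
    {"name": "hcs-reports",
     "healthChecks": [f"{_P}/regions/us-central1/healthChecks/hc-fast",
                      f"{_P}/regions/us-central1/healthChecks/hc-normal"],
     "networkEndpointGroups": [f"{_P}/zones/us-central1-a/networkEndpointGroups/neg-reports"]},
]

if __name__ == "__main__":
    for finding in audit(HEALTH_CHECKS, BACKEND_SERVICES, HEALTH_CHECK_SERVICES, NEGS):
        print(finding)
```

In the sample, `neg-reports` is wired to a 1-second and a 10-second check through the health check service, so each of its four endpoints sees about 1.1 probes per second from a single prober and the NEG is reported; `neg-api`, checked every 10 seconds through the backend service, is not. Feeding the script real `gcloud ... --format=json` output is the obvious next step; the fields it reads are the ones named above, so anything else in the export is ignored.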

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​negs
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​compute/​network-​endpoint-​groups
  • https:​/​/​cloud.​google.​com/​compute/​docs/​reference/​rest/​v1/​networkEndpointGroups
  • https:​/​/​cloud.​google.​com/​compute/​docs/​reference/​rest/​v1/​regionHealthCheckServices/​insert
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog