services / Google Cloud / Compute Engine virtual-private-cloud networks

Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network that allows communication between instances within the network, isolates those instances from entities outside the network, and applies policy-based network controls both between instances within the network and between those instances and entities outside of it.

VPCs are generally highly sensitive. Altering or destroying a VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to the services running on attached instances. Finally, altering a VPC can allow data to be extracted from an instance that has already been compromised by other means.


compute.networks.mirror

Packet mirroring duplicates packets sent over the VPC and forwards them to another instance. If that receiving instance is compromised, the mirror can give an attacker direct read access to all network traffic on the VPC. Since networks are billed by traffic volume, mirroring can also significantly increase cloud spend. Exploitation requires additional compute.packetMirrorings permissions beyond this one.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://cloud.google.com/vpc/docs/vpc
  • https://cloud.google.com/sdk/gcloud/reference/compute/networks
  • https://cloud.google.com/compute/docs/reference/rest/v1/networks
  • https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog