catalog logoThe IAM Privilege Catalog

services / Google Cloud / Cloud Logging Sinks

Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic.

logging.​sinks.​update

Updating a log sink can update the filter used to exclude logs from being routed by the sink. This can impair defenses by allowing an attacker to filter out their activity in the system.

Risks

  1. Defense destruction (EVASION)

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploit can incur operational cost.

Links

  • https:​/​/​cloud.​google.​com/​logging/​docs/​routing/​overview#​sinks
  • https:​/​/​cloud.​google.​com/​logging/​docs/​access-​control
  • https:​/​/​cloud.​google.​com/​logging/​docs/​reference/​v2/​rest/​v2/​sinks

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog