{"risks":{"collection:data":{"id":"collection:data","name":"Automated data collection","description":"Allows an attacker to collect organizational data in a central location, or in an automatic fashion over time. Organizational data include application, customer, financial and operational data.","score":"BOOST","mitigations":[],"links":["https://attack.mitre.org/techniques/T1119/","https://attack.mitre.org/techniques/T1530/"]},"escalation:lateral":{"id":"escalation:lateral","name":"Lateral movement","description":"Allows an attacker to gain access to additional components within a service, or to additional services within the system. Often occurs when an attacker can gain access to an additional identity (e.g., a service account) that has broader access.","score":"BOOST","mitigations":["Use least-privileged access","Rotate service account credentials","Prevent unencrypted service-account credential storage","Monitor suspicious account access"],"links":["https://attack.mitre.org/techniques/T1550/"]},"escalation:network":{"id":"escalation:network","name":"Network movement","description":"Allows an attacker to gain access to additional resources on the same network.","score":"BOOST","mitigations":["Use network segmentation"],"links":["https://attack.mitre.org/techniques/T1021/"]},"persistence:account":{"id":"persistence:account","name":"Account persistence","description":"Allows an attacker to maintain access to the target system by manipulating existing accounts or creating new accounts. 
This can include modifying credentials and permission groups and other activity designed to subvert security policies.","score":"BOOST","mitigations":["Use least-privileged access","Use multi-factor authentication for user and privileged accounts","Use firewalls and other access control mechanisms to isolate critical systems"],"links":["https://attack.mitre.org/techniques/T1098/","https://attack.mitre.org/techniques/T1136/"]},"destruction:account":{"id":"destruction:account","name":"Account destruction","description":"Allows an attacker to delete accounts in the system.","score":"CRITICAL","mitigations":[],"links":[]},"destruction:crypto":{"id":"destruction:crypto","name":"Cryptographic destruction","description":"Allows an attacker to delete secret data, such as encryption keys, or private components of asymmetric keys.\n","score":"CRITICAL","mitigations":[],"links":[]},"destruction:data":{"id":"destruction:data","name":"Data destruction","description":"Allows an attacker to delete organizational data. May cause interruption of services (including critical operations of the organization) and significant legal liability. Data loss can be either permanent or temporary, and is mitigated by frequent data backup.","score":"CRITICAL","mitigations":["Data backup"],"links":["https://attack.mitre.org/techniques/T1485/"]},"destruction:policy":{"id":"destruction:policy","name":"Policy destruction","description":"Allows an attacker to delete IAM policies. 
When these policies would otherwise deny attacker access, can allow an attacker both vertical and lateral privilege escalation.","score":"CRITICAL","mitigations":["Favor restricted allow policies over deny policies"],"links":["https://attack.mitre.org/techniques/T1098/"]},"escalation:data":{"id":"escalation:data","name":"Data escalation","description":"Allows an attacker to access additional data within an already compromised component.","score":"CRITICAL","mitigations":[],"links":[]},"escalation:privilege":{"id":"escalation:privilege","name":"Privilege escalation","description":"Allows an attacker to either access an account with more sensitive privileges (e.g. an admin-specific account), or add these privileges to an account under the attacker's control.","score":"CRITICAL","mitigations":["Avoid use of admin or root accounts","Securely store admin and root account credentials","Scan for insecurely stored account credentials","Use ephemeral entitlement grants for sensitive operations","Apply permission boundaries to identity entitlements"],"links":["https://attack.mitre.org/techniques/T1078/","https://attack.mitre.org/techniques/T1098/","https://attack.mitre.org/techniques/T1552/"]},"exfiltration:crypto":{"id":"exfiltration:crypto","name":"Cryptographic exfiltration","description":"Allows an attacker to export cryptographic material from a system. Implies \"Account Takeover\" when the cryptographic material is an account credential.","score":"CRITICAL","mitigations":["Rotate credentials","Avoid secret re-use"],"links":["https://attack.mitre.org/techniques/T1552/"]},"exfiltration:data":{"id":"exfiltration:data","name":"Data exfiltration","description":"Allows an attacker to export sensitive data from a system. 
Often combined with data-collection exploits (see `collection:data`).","score":"CRITICAL","mitigations":["Filter network traffic"],"links":["https://attack.mitre.org/techniques/T1537/"]},"impact:encryption":{"id":"impact:encryption","name":"Data encryption","description":"Allows an attacker to encrypt data within a system. This can be used to either make data permanently inaccessible, or extort compensation for access to the encryption key, in the case of ransomware.","score":"CRITICAL","mitigations":["Backup data"],"links":["https://attack.mitre.org/techniques/T1486/"]},"takeover:account":{"id":"takeover:account","name":"Account takeover","description":"Allows an attacker to export account identification credentials from a system.","score":"CRITICAL","mitigations":["Rotate account credentials","Require multi-factor authentication","Use short-lived tokens"],"links":["https://attack.mitre.org/techniques/T1528/"]},"takeover:domain":{"id":"takeover:domain","name":"Domain takeover","description":"Allows an attacker to arbitrarily route traffic on a domain or subdomain.","score":"CRITICAL","mitigations":["Restrict edit access to DNS records","Use firewalls for internal networks"],"links":["https://attack.mitre.org/techniques/T1584/002/","https://attack.mitre.org/techniques/T1583/002/"]},"destruction:defense":{"id":"destruction:defense","name":"Defense destruction","description":"Allows an attacker to disable or remove defense mechanisms, such as IDS, antivirus, and the like. Note that other mechanisms may serve as defense mechanisms but are explicitly separate (see `destruction:logs` and `destruction:policy`).","score":"EVASION","mitigations":["Monitor defense system metrics"],"links":["https://attack.mitre.org/techniques/T1562/"]},"destruction:logs":{"id":"destruction:logs","name":"Logs destruction","description":"Allows an attacker to delete log data. The most critical effect is that this disrupts security incident response. 
Can also disrupt support and business-intelligence operations.","score":"EVASION","mitigations":["Backup logs"],"links":[]},"impact:access":{"id":"impact:access","name":"Denial-of-access","description":"Allows an attacker to prevent authorized operational access. This can allow an attacker to continue system abuse.","score":"EVASION","mitigations":[],"links":["https://attack.mitre.org/techniques/T1531/"]},"destruction:infra":{"id":"destruction:infra","name":"Infrastructure destruction","description":"Allows an attacker to delete infrastructure. May cause interruption of services (including central operations of the organization). Can be similar in effect to a denial of service.","score":"HIGH","mitigations":["Define infrastructure as code"],"links":[]},"destruction:network":{"id":"destruction:network","name":"Network destruction","description":"Allows an attacker to delete network components (such as endpoints, routes, VLANs, VPCs and the like). Implies denial-of-service when the network hosts a service. Removal of network firewall policies is covered by destruction:policy.","score":"HIGH","mitigations":["Network redundancy"],"links":[]},"exfiltration:code":{"id":"exfiltration:code","name":"Code exfiltration","description":"Allows an attacker to export system source code.","score":"HIGH","mitigations":[],"links":[]},"impact:defacement":{"id":"impact:defacement","name":"Defacement","description":"Allows an attacker to alter an organization's public-facing assets. Often used to vandalize these properties.","score":"HIGH","mitigations":["Data backup"],"links":["https://attack.mitre.org/techniques/T1491/"]},"impact:dos":{"id":"impact:dos","name":"Denial-of-service","description":"Allows an attacker to disrupt an organization's operations. 
When applied to critical systems, can disable an organization's core systems.","score":"HIGH","mitigations":["Redundant infrastructure","Rate limiting"],"links":["https://attack.mitre.org/techniques/T1499/"]},"impact:manipulation":{"id":"impact:manipulation","name":"Data manipulation","description":"Allows an attacker to insert, delete, or manipulate organizational data. This may be done to evade detection or impact business/operational processes.","score":"HIGH","mitigations":["Data encryption","Network segmentation","Data backup","Least privilege permissions"],"links":["https://attack.mitre.org/techniques/T1565/"]},"discovery:account":{"id":"discovery:account","name":"Account discovery","description":"Allows an attacker to inventory system accounts. These accounts may then be further targeted for compromise to escalate access.","score":"LOW","mitigations":["Use least-privileged access","Use multi-factor authentication for user accounts","Rotate service-account credentials","Prevent unencrypted service-account credential storage","Monitor suspicious account access","Remove or suspend inactive accounts"],"links":["https://attack.mitre.org/techniques/T1078/","https://attack.mitre.org/techniques/T1087/","https://attack.mitre.org/techniques/T1550/","https://attack.mitre.org/techniques/T1552/"]},"discovery:data":{"id":"discovery:data","name":"Data discovery","description":"Allows an attacker to inventory stored data objects. May allow an attacker to focus attacks on specific data repositories. When object identifiers contain sensitive information (e.g. 
tenant identifiers), gives attackers access to this information.","score":"LOW","mitigations":["Avoid using sensitive data identifiers"],"links":["https://attack.mitre.org/techniques/T1619/"]},"discovery:finance":{"id":"discovery:finance","name":"Financial discovery","description":"Allows an attacker to gain information related to organizational finances and spending, such as invoices and spending history.","score":"LOW","mitigations":[],"links":[]},"discovery:infra":{"id":"discovery:infra","name":"Infrastructure discovery","description":"Allows an attacker to inventory infrastructure resources. May allow an attacker to focus attacks on specific resources. When component identifiers contain sensitive information (e.g. tenant identifiers), gives attackers access to this information.","score":"LOW","mitigations":["Avoid using sensitive component identifiers"],"links":["https://attack.mitre.org/techniques/T1580/"]},"discovery:logs":{"id":"discovery:logs","name":"Logs discovery","description":"Allows an attacker to inventory logs, such as viewing the types of logs collected, log fields, and aggregate statistics on logs.","score":"LOW","mitigations":[],"links":[]},"discovery:metadata":{"id":"discovery:metadata","name":"Metadata discovery","description":"Allows an attacker to inventory metadata schema. May allow an attacker to focus attacks on specific metadata objects.","score":"LOW","mitigations":[],"links":[]},"discovery:network":{"id":"discovery:network","name":"Network discovery","description":"Allows an attacker to inventory network resources. May allow an attacker to focus attacks on specific network locations.","score":"LOW","mitigations":["Use network filtering","Use network segmentation","Apply zero-trust networking principles"],"links":["https://attack.mitre.org/techniques/T1046/"]},"discovery:policy":{"id":"discovery:policy","name":"Policy discovery","description":"Allows an attacker to read access-control policies. 
May allow an attacker to focus attacks on policy weak points (e.g. overprovisioned accounts, or unsecured infrastructure).","score":"LOW","mitigations":["Avoid overprovisioned entitlements"],"links":["https://attack.mitre.org/techniques/T1069/"]},"impact:consumption":{"id":"impact:consumption","name":"Infrastructure consumption","description":"Allows an attacker to consume resources from a potentially limited pool. This may impact the time to assign resources.","score":"LOW","mitigations":[],"links":[]},"destruction:artifact":{"id":"destruction:artifact","name":"Artifact destruction","description":"Allows an attacker to delete artifacts like machine learning models.\n","score":"MEDIUM","mitigations":[],"links":[]},"destruction:metadata":{"id":"destruction:metadata","name":"Metadata destruction","description":"Allows an attacker to delete metadata. Can be impactful if those metadata are used operationally (e.g. timestamp filtering, customer identification, etc.).","score":"MEDIUM","mitigations":["Backup metadata","Define metadata using infrastructure-as-code"],"links":[]},"discovery:code":{"id":"discovery:code","name":"Code discovery","description":"Allows an attacker to inventory source code repositories or files.","score":"MEDIUM","mitigations":[],"links":[]},"exfiltration:logs":{"id":"exfiltration:logs","name":"Logs exfiltration","description":"Allows an attacker to export logs from a system. Logs may contain sensitive customer or organizational data.","score":"MEDIUM","mitigations":[],"links":[]},"exfiltration:metadata":{"id":"exfiltration:metadata","name":"Metadata exfiltration","description":"Allows an attacker to read object metadata. This may contain sensitive data (for example customer identifiers or the like).","score":"MEDIUM","mitigations":[],"links":[]},"impact:hijack":{"id":"impact:hijack","name":"Resource hijacking","description":"Allows an attacker to use system resources for their own purposes. 
Typically used for resource-intensive pursuits such as cryptomining, or to provide infrastructure for other illegal activities such as running a bot net.","score":"MEDIUM","mitigations":["Monitor resource usage and spend"],"links":["https://attack.mitre.org/techniques/T1496/"]},"impact:spend":{"id":"impact:spend","name":"Spend","description":"Allows an attacker to cause increased infrastructure spend, without benefit to the attacker.","score":"MEDIUM","mitigations":["Add billing plan limits"],"links":[]}},"privileges":{"aws":{"acm-pca:CreatePermission":{"id":"acm-pca:CreatePermission","name":"acm-pca","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/acm-pca"],"seeAlso":[]},"acm-pca:DeletePermission":{"id":"acm-pca:DeletePermission","name":"acm-pca","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/acm-pca"],"seeAlso":[]},"acm-pca:DeletePolicy":{"id":"acm-pca:DeletePolicy","name":"acm-pca","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/acm-pca"],"seeAlso":[]},"acm-pca:PutPolicy":{"id":"acm-pca:PutPolicy","name":"acm-pca","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported 
from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/acm-pca"],"seeAlso":[]},"aoss:APIAccessAll":{"id":"aoss:APIAccessAll","name":"aoss","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/aoss"],"seeAlso":[]},"aoss:DashboardsAccessAll":{"id":"aoss:DashboardsAccessAll","name":"aoss","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/aoss"],"seeAlso":[]},"apigateway:UpdateRestApiPolicy":{"id":"apigateway:UpdateRestApiPolicy","name":"apigateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/apigateway"],"seeAlso":[]},"appsync:GetDataSource":{"id":"appsync:GetDataSource","name":"appsync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/appsync"],"seeAlso":[]},"appsync:GetFunction":{"id":"appsync:GetFunction","name":"appsync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically 
imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/appsync"],"seeAlso":[]},"appsync:ListApiKeys":{"id":"appsync:ListApiKeys","name":"appsync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/appsync"],"seeAlso":[]},"athena:GetQueryExecution":{"id":"athena:GetQueryExecution","name":"athena","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/athena"],"seeAlso":[]},"athena:GetQueryResults":{"id":"athena:GetQueryResults","name":"athena","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/athena"],"seeAlso":[]},"athena:GetQueryResultsStream":{"id":"athena:GetQueryResultsStream","name":"athena","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/athena"],"seeAlso":[]},"athena:GetSession":{"id":"athena:GetSession","name":"athena","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/athena"],"seeAlso":[]},"backup:DeleteBackupVaultAccessPolicy":{"id":"backup:DeleteBackupVaultAccessPolicy","name":"backup","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/backup"],"seeAlso":[]},"backup:PutBackupVaultAccessPolicy":{"id":"backup:PutBackupVaultAccessPolicy","name":"backup","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/backup"],"seeAlso":[]},"cassandra:Select":{"id":"cassandra:Select","name":"cassandra","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cassandra"],"seeAlso":[]},"chatbot:DescribeSlackChannels":{"id":"chatbot:DescribeSlackChannels","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:DescribeSlackUserIdentities":{"id":"chatbot:DescribeSlackUserIdentities","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of 
this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:GetMicrosoftTeamsOauthParameters":{"id":"chatbot:GetMicrosoftTeamsOauthParameters","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:GetSlackOauthParameters":{"id":"chatbot:GetSlackOauthParameters","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:ListMicrosoftTeamsConfiguredTeams":{"id":"chatbot:ListMicrosoftTeamsConfiguredTeams","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chatbot:ListMicrosoftTeamsUserIdentities":{"id":"chatbot:ListMicrosoftTeamsUserIdentities","name":"chatbot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chatbot"],"seeAlso":[]},"chime:CreateApiKey":{"id":"chime:CreateApiKey","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:DeleteVoiceConnectorTerminationCredentials":{"id":"chime:DeleteVoiceConnectorTerminationCredentials","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetAttendee":{"id":"chime:GetAttendee","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetChannelMessage":{"id":"chime:GetChannelMessage","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetMeeting":{"id":"chime:GetMeeting","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetMeetingDetail":{"id":"chime:GetMeetingDetail","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetRoom":{"id":"chime:GetRoom","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetUser":{"id":"chime:GetUser","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetUserActivityReportData":{"id":"chime:GetUserActivityReportData","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetUserByEmail":{"id":"chime:GetUserByEmail","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:GetUserSettings":{"id":"chime:GetUserSettings","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:ListAttendees":{"id":"chime:ListAttendees","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:ListMeetingEvents":{"id":"chime:ListMeetingEvents","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:ListMeetings":{"id":"chime:ListMeetings","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:ListUsers":{"id":"chime:ListUsers","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically 
imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"chime:PutVoiceConnectorTerminationCredentials":{"id":"chime:PutVoiceConnectorTerminationCredentials","name":"chime","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/chime"],"seeAlso":[]},"cleanrooms:GetProtectedQuery":{"id":"cleanrooms:GetProtectedQuery","name":"cleanrooms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cleanrooms"],"seeAlso":[]},"cloud9:CreateEnvironmentSSH":{"id":"cloud9:CreateEnvironmentSSH","name":"cloud9","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloud9"],"seeAlso":[]},"cloud9:CreateEnvironmentToken":{"id":"cloud9:CreateEnvironmentToken","name":"cloud9","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloud9"],"seeAlso":[]},"cloudformation:GetTemplate":{"id":"cloudformation:GetTemplate","name":"cloudformation","scope":"HIGH","parent":{"notes":"The contents of this file were 
automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudformation"],"seeAlso":[]},"cloudformation:SetStackPolicy":{"id":"cloudformation:SetStackPolicy","name":"cloudformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudformation"],"seeAlso":[]},"cloudfront:GetFunction":{"id":"cloudfront:GetFunction","name":"cloudfront","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudfront"],"seeAlso":[]},"cloudsearch:UpdateServiceAccessPolicies":{"id":"cloudsearch:UpdateServiceAccessPolicies","name":"cloudsearch","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudsearch"],"seeAlso":[]},"cloudtrail:GetQueryResults":{"id":"cloudtrail:GetQueryResults","name":"cloudtrail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudtrail"],"seeAlso":[]},"cloudtrail:LookupEvents":{"id":"cloudtrail:LookupEvents","name":"cloudtrail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cloudtrail"],"seeAlso":[]},"codeartifact:DeleteDomainPermissionsPolicy":{"id":"codeartifact:DeleteDomainPermissionsPolicy","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:DeleteRepositoryPermissionsPolicy":{"id":"codeartifact:DeleteRepositoryPermissionsPolicy","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:GetAuthorizationToken":{"id":"codeartifact:GetAuthorizationToken","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:GetPackageVersionAsset":{"id":"codeartifact:GetPackageVersionAsset","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:GetPackageVersionReadme":{"id":"codeartifact:GetPackageVersionReadme","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codeartifact:ReadFromRepository":{"id":"codeartifact:ReadFromRepository","name":"codeartifact","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeartifact"],"seeAlso":[]},"codebuild:BatchGetReportGroups":{"id":"codebuild:BatchGetReportGroups","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:BatchGetReports":{"id":"codebuild:BatchGetReports","name":"codebuild","scope":"HIGH","parent":{"notes":"The 
contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:DeleteResourcePolicy":{"id":"codebuild:DeleteResourcePolicy","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:DeleteSourceCredentials":{"id":"codebuild:DeleteSourceCredentials","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:ImportSourceCredentials":{"id":"codebuild:ImportSourceCredentials","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codebuild:PutResourcePolicy":{"id":"codebuild:PutResourcePolicy","name":"codebuild","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codebuild"],"seeAlso":[]},"codecommit:BatchGetCommits":{"id":"codecommit:BatchGetCommits","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:BatchGetPullRequests":{"id":"codecommit:BatchGetPullRequests","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:BatchGetRepositories":{"id":"codecommit:BatchGetRepositories","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:DescribeMergeConflicts":{"id":"codecommit:DescribeMergeConflicts","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:DescribePullRequestEvents":{"id":"codecommit:DescribePullRequestEvents","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this 
file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetApprovalRuleTemplate":{"id":"codecommit:GetApprovalRuleTemplate","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetBlob":{"id":"codecommit:GetBlob","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetBranch":{"id":"codecommit:GetBranch","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetComment":{"id":"codecommit:GetComment","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommentReactions":{"id":"codecommit:GetCommentReactions","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommentsForComparedCommit":{"id":"codecommit:GetCommentsForComparedCommit","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommentsForPullRequest":{"id":"codecommit:GetCommentsForPullRequest","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommit":{"id":"codecommit:GetCommit","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommitHistory":{"id":"codecommit:GetCommitHistory","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were 
automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetCommitsFromMergeBase":{"id":"codecommit:GetCommitsFromMergeBase","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetDifferences":{"id":"codecommit:GetDifferences","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetFile":{"id":"codecommit:GetFile","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetFolder":{"id":"codecommit:GetFolder","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetMergeCommit":{"id":"codecommit:GetMergeCommit","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetMergeConflicts":{"id":"codecommit:GetMergeConflicts","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetMergeOptions":{"id":"codecommit:GetMergeOptions","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetObjectIdentifier":{"id":"codecommit:GetObjectIdentifier","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetPullRequest":{"id":"codecommit:GetPullRequest","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data 
hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetPullRequestApprovalStates":{"id":"codecommit:GetPullRequestApprovalStates","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetPullRequestOverrideState":{"id":"codecommit:GetPullRequestOverrideState","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetReferences":{"id":"codecommit:GetReferences","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GetTree":{"id":"codecommit:GetTree","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codecommit:GitPull":{"id":"codecommit:GitPull","name":"codecommit","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codecommit"],"seeAlso":[]},"codeguru-profiler:GetRecommendations":{"id":"codeguru-profiler:GetRecommendations","name":"codeguru-profiler","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-profiler"],"seeAlso":[]},"codeguru-profiler:PutPermission":{"id":"codeguru-profiler:PutPermission","name":"codeguru-profiler","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-profiler"],"seeAlso":[]},"codeguru-profiler:RemovePermission":{"id":"codeguru-profiler:RemovePermission","name":"codeguru-profiler","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-profiler"],"seeAlso":[]},"codeguru-reviewer:DescribeCodeReview":{"id":"codeguru-reviewer:DescribeCodeReview","name":"codeguru-reviewer","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-reviewer"],"seeAlso":[]},"codeguru-reviewer:DescribeRecommendationFeedback":{"id":"codeguru-reviewer:DescribeRecommendationFeedback","name":"codeguru-reviewer","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codeguru-reviewer"],"seeAlso":[]},"codepipeline:GetPipelineExecution":{"id":"codepipeline:GetPipelineExecution","name":"codepipeline","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/codepipeline"],"seeAlso":[]},"codepipeline:PollForJobs":{"id":"codepipeline:PollForJobs","name":"codepipeline","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/codepipeline"],"seeAlso":[]},"codestar:AssociateTeamMember":{"id":"codestar:AssociateTeamMember","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"codestar:CreateProject":{"id":"codestar:CreateProject","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"codestar:DeleteProject":{"id":"codestar:DeleteProject","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"codestar:DisassociateTeamMember":{"id":"codestar:DisassociateTeamMember","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"codestar:UpdateTeamMember":{"id":"codestar:UpdateTeamMember","name":"codestar","scope":"HIGH","parent":{"notes":"The contents of this file were automatically 
generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/codestar"],"seeAlso":[]},"cognito-identity:CreateIdentityPool":{"id":"cognito-identity:CreateIdentityPool","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:DeleteIdentities":{"id":"cognito-identity:DeleteIdentities","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:DeleteIdentityPool":{"id":"cognito-identity:DeleteIdentityPool","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:GetCredentialsForIdentity":{"id":"cognito-identity:GetCredentialsForIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:GetId":{"id":"cognito-identity:GetId","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:GetOpenIdToken":{"id":"cognito-identity:GetOpenIdToken","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:GetOpenIdTokenForDeveloperIdentity":{"id":"cognito-identity:GetOpenIdTokenForDeveloperIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:LookupDeveloperIdentity":{"id":"cognito-identity:LookupDeveloperIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:MergeDeveloperIdentities":{"id":"cognito-identity:MergeDeveloperIdentities","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:SetIdentityPoolRoles":{"id":"cognito-identity:SetIdentityPoolRoles","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:UnlinkDeveloperIdentity":{"id":"cognito-identity:UnlinkDeveloperIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:UnlinkIdentity":{"id":"cognito-identity:UnlinkIdentity","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-identity:UpdateIdentityPool":{"id":"cognito-identity:UpdateIdentityPool","name":"cognito-identity","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-identity"],"seeAlso":[]},"cognito-idp:AdminGetDevice":{"id":"cognito-idp:AdminGetDevice","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:AdminGetUser":{"id":"cognito-idp:AdminGetUser","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:AdminListDevices":{"id":"cognito-idp:AdminListDevices","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:AdminListGroupsForUser":{"id":"cognito-idp:AdminListGroupsForUser","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of 
this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:AdminListUserAuthEvents":{"id":"cognito-idp:AdminListUserAuthEvents","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:DescribeUserPoolClient":{"id":"cognito-idp:DescribeUserPoolClient","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:GetDevice":{"id":"cognito-idp:GetDevice","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:GetGroup":{"id":"cognito-idp:GetGroup","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:GetUser":{"id":"cognito-idp:GetUser","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:GetUserAttributeVerificationCode":{"id":"cognito-idp:GetUserAttributeVerificationCode","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:ListDevices":{"id":"cognito-idp:ListDevices","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:ListGroups":{"id":"cognito-idp:ListGroups","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-idp:ListUsers":{"id":"cognito-idp:ListUsers","name":"cognito-idp","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the 
data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-idp"],"seeAlso":[]},"cognito-sync:ListRecords":{"id":"cognito-sync:ListRecords","name":"cognito-sync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-sync"],"seeAlso":[]},"cognito-sync:QueryRecords":{"id":"cognito-sync:QueryRecords","name":"cognito-sync","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/cognito-sync"],"seeAlso":[]},"connect:GetFederationToken":{"id":"connect:GetFederationToken","name":"connect","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/connect"],"seeAlso":[]},"connect:ListSecurityKeys":{"id":"connect:ListSecurityKeys","name":"connect","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/connect"],"seeAlso":[]},"connect:ListUsers":{"id":"connect:ListUsers","name":"connect","scope":"HIGH","parent":{"notes":"The contents 
of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/connect"],"seeAlso":[]},"datapipeline:QueryObjects":{"id":"datapipeline:QueryObjects","name":"datapipeline","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/datapipeline"],"seeAlso":[]},"dax:BatchGetItem":{"id":"dax:BatchGetItem","name":"dax","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dax"],"seeAlso":[]},"dax:GetItem":{"id":"dax:GetItem","name":"dax","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dax"],"seeAlso":[]},"dax:Query":{"id":"dax:Query","name":"dax","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dax"],"seeAlso":[]},"dax:Scan":{"id":"dax:Scan","name":"dax","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud 
(see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dax"],"seeAlso":[]},"deeplens:AssociateServiceRoleToAccount":{"id":"deeplens:AssociateServiceRoleToAccount","name":"deeplens","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/deeplens"],"seeAlso":[]},"ds:CreateConditionalForwarder":{"id":"ds:CreateConditionalForwarder","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"ds:CreateDirectory":{"id":"ds:CreateDirectory","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"ds:CreateMicrosoftAD":{"id":"ds:CreateMicrosoftAD","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"ds:CreateTrust":{"id":"ds:CreateTrust","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"ds:ShareDirectory":{"id":"ds:ShareDirectory","name":"ds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ds"],"seeAlso":[]},"dynamodb:BatchGetItem":{"id":"dynamodb:BatchGetItem","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"dynamodb:GetItem":{"id":"dynamodb:GetItem","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"dynamodb:GetRecords":{"id":"dynamodb:GetRecords","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"dynamodb:Query":{"id":"dynamodb:Query","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically 
imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"dynamodb:Scan":{"id":"dynamodb:Scan","name":"dynamodb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/dynamodb"],"seeAlso":[]},"ec2-instance-connect:SendSSHPublicKey":{"id":"ec2-instance-connect:SendSSHPublicKey","name":"ec2-instance-connect","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["escalation:privilege","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2-instance-connect"],"seeAlso":[]},"ec2:CreateNetworkInterfacePermission":{"id":"ec2:CreateNetworkInterfacePermission","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:DeleteNetworkInterfacePermission":{"id":"ec2:DeleteNetworkInterfacePermission","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:DisableImageBlockPublicAccess":{"id":"ec2:DisableImageBlockPublicAccess","name":"ec2","scope":"HIGH","parent":{"notes":"The 
contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:GetPasswordData":{"id":"ec2:GetPasswordData","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:ModifySnapshotAttribute":{"id":"ec2:ModifySnapshotAttribute","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:ModifyVpcEndpointServicePermissions":{"id":"ec2:ModifyVpcEndpointServicePermissions","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ec2:ResetSnapshotAttribute":{"id":"ec2:ResetSnapshotAttribute","name":"ec2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ec2"],"seeAlso":[]},"ecr-public:GetAuthorizationToken":{"id":"ecr-public:GetAuthorizationToken","name":"ecr-public","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr-public"],"seeAlso":[]},"ecr:DeleteRepositoryPolicy":{"id":"ecr:DeleteRepositoryPolicy","name":"ecr","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr"],"seeAlso":[]},"ecr:GetAuthorizationToken":{"id":"ecr:GetAuthorizationToken","name":"ecr","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr"],"seeAlso":[]},"ecr:GetDownloadUrlForLayer":{"id":"ecr:GetDownloadUrlForLayer","name":"ecr","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr"],"seeAlso":[]},"ecr:SetRepositoryPolicy":{"id":"ecr:SetRepositoryPolicy","name":"ecr","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ecr"],"seeAlso":[]},"elasticfilesystem:DeleteFileSystemPolicy":{"id":"elasticfilesystem:DeleteFileSystemPolicy","name":"elasticfilesystem","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/elasticfilesystem"],"seeAlso":[]},"elasticfilesystem:PutFileSystemPolicy":{"id":"elasticfilesystem:PutFileSystemPolicy","name":"elasticfilesystem","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/elasticfilesystem"],"seeAlso":[]},"elasticmapreduce:PutBlockPublicAccessConfiguration":{"id":"elasticmapreduce:PutBlockPublicAccessConfiguration","name":"elasticmapreduce","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/elasticmapreduce"],"seeAlso":[]},"es:CreateElasticsearchDomain":{"id":"es:CreateElasticsearchDomain","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpDelete":{"id":"es:ESHttpDelete","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpGet":{"id":"es:ESHttpGet","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpHead":{"id":"es:ESHttpHead","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpPatch":{"id":"es:ESHttpPatch","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpPost":{"id":"es:ESHttpPost","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:ESHttpPut":{"id":"es:ESHttpPut","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"es:UpdateElasticsearchDomainConfig":{"id":"es:UpdateElasticsearchDomainConfig","name":"es","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/es"],"seeAlso":[]},"gamelift:GetComputeAuthToken":{"id":"gamelift:GetComputeAuthToken","name":"gamelift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/gamelift"],"seeAlso":[]},"gamelift:GetGameSessionLogUrl":{"id":"gamelift:GetGameSessionLogUrl","name":"gamelift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/gamelift"],"seeAlso":[]},"gamelift:GetInstanceAccess":{"id":"gamelift:GetInstanceAccess","name":"gamelift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/gamelift"],"seeAlso":[]},"gamelift:RequestUploadCredentials":{"id":"gamelift:RequestUploadCredentials","name":"gamelift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/gamelift"],"seeAlso":[]},"glacier:AbortVaultLock":{"id":"glacier:AbortVaultLock","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:CompleteVaultLock":{"id":"glacier:CompleteVaultLock","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:DeleteVaultAccessPolicy":{"id":"glacier:DeleteVaultAccessPolicy","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:InitiateVaultLock":{"id":"glacier:InitiateVaultLock","name":"glacier","scope":"HIGH","parent":{"notes":"The contents 
of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:SetDataRetrievalPolicy":{"id":"glacier:SetDataRetrievalPolicy","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glacier:SetVaultAccessPolicy":{"id":"glacier:SetVaultAccessPolicy","name":"glacier","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glacier"],"seeAlso":[]},"glue:DeleteResourcePolicy":{"id":"glue:DeleteResourcePolicy","name":"glue","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glue"],"seeAlso":[]},"glue:PutResourcePolicy":{"id":"glue:PutResourcePolicy","name":"glue","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/glue"],"seeAlso":[]},"glue:UpdateDevEndpoint":{"id":"glue:UpdateDevEndpoint","name":"glue","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/glue"],"seeAlso":[]},"greengrass:AssociateServiceRoleToAccount":{"id":"greengrass:AssociateServiceRoleToAccount","name":"greengrass","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/greengrass"],"seeAlso":[]},"health:DisableHealthServiceAccessForOrganization":{"id":"health:DisableHealthServiceAccessForOrganization","name":"health","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/health"],"seeAlso":[]},"health:EnableHealthServiceAccessForOrganization":{"id":"health:EnableHealthServiceAccessForOrganization","name":"health","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/health"],"seeAlso":[]},"healthlake:ReadResource":{"id":"healthlake:ReadResource","name":"healthlake","scope":"HIGH","parent":{"notes":"The 
contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/healthlake"],"seeAlso":[]},"healthlake:SearchWithGet":{"id":"healthlake:SearchWithGet","name":"healthlake","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/healthlake"],"seeAlso":[]},"healthlake:SearchWithPost":{"id":"healthlake:SearchWithPost","name":"healthlake","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/healthlake"],"seeAlso":[]},"iam:AddClientIDToOpenIDConnectProvider":{"id":"iam:AddClientIDToOpenIDConnectProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AddRoleToInstanceProfile":{"id":"iam:AddRoleToInstanceProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AddUserToGroup":{"id":"iam:AddUserToGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AttachGroupPolicy":{"id":"iam:AttachGroupPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AttachRolePolicy":{"id":"iam:AttachRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:AttachUserPolicy":{"id":"iam:AttachUserPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:ChangePassword":{"id":"iam:ChangePassword","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateAccessKey":{"id":"iam:CreateAccessKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateAccountAlias":{"id":"iam:CreateAccountAlias","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateGroup":{"id":"iam:CreateGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateInstanceProfile":{"id":"iam:CreateInstanceProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateLoginProfile":{"id":"iam:CreateLoginProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateOpenIDConnectProvider":{"id":"iam:CreateOpenIDConnectProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreatePolicy":{"id":"iam:CreatePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreatePolicyVersion":{"id":"iam:CreatePolicyVersion","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateRole":{"id":"iam:CreateRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateSAMLProvider":{"id":"iam:CreateSAMLProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically 
generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateServiceLinkedRole":{"id":"iam:CreateServiceLinkedRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateServiceSpecificCredential":{"id":"iam:CreateServiceSpecificCredential","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateUser":{"id":"iam:CreateUser","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:CreateVirtualMFADevice":{"id":"iam:CreateVirtualMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeactivateMFADevice":{"id":"iam:DeactivateMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteAccessKey":{"id":"iam:DeleteAccessKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteAccountAlias":{"id":"iam:DeleteAccountAlias","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteAccountPasswordPolicy":{"id":"iam:DeleteAccountPasswordPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteGroup":{"id":"iam:DeleteGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteGroupPolicy":{"id":"iam:DeleteGroupPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteInstanceProfile":{"id":"iam:DeleteInstanceProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteLoginProfile":{"id":"iam:DeleteLoginProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteOpenIDConnectProvider":{"id":"iam:DeleteOpenIDConnectProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeletePolicy":{"id":"iam:DeletePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeletePolicyVersion":{"id":"iam:DeletePolicyVersion","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteRole":{"id":"iam:DeleteRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteRolePermissionsBoundary":{"id":"iam:DeleteRolePermissionsBoundary","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteRolePolicy":{"id":"iam:DeleteRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteSAMLProvider":{"id":"iam:DeleteSAMLProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteSSHPublicKey":{"id":"iam:DeleteSSHPublicKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteServerCertificate":{"id":"iam:DeleteServerCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteServiceLinkedRole":{"id":"iam:DeleteServiceLinkedRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteServiceSpecificCredential":{"id":"iam:DeleteServiceSpecificCredential","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteSigningCertificate":{"id":"iam:DeleteSigningCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteUser":{"id":"iam:DeleteUser","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteUserPermissionsBoundary":{"id":"iam:DeleteUserPermissionsBoundary","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteUserPolicy":{"id":"iam:DeleteUserPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DeleteVirtualMFADevice":{"id":"iam:DeleteVirtualMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DetachGroupPolicy":{"id":"iam:DetachGroupPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DetachRolePolicy":{"id":"iam:DetachRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:DetachUserPolicy":{"id":"iam:DetachUserPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:EnableMFADevice":{"id":"iam:EnableMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PassRole":{"id":"iam:PassRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutGroupPolicy":{"id":"iam:PutGroupPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutRolePermissionsBoundary":{"id":"iam:PutRolePermissionsBoundary","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutRolePolicy":{"id":"iam:PutRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutUserPermissionsBoundary":{"id":"iam:PutUserPermissionsBoundary","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:PutUserPolicy":{"id":"iam:PutUserPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:RemoveClientIDFromOpenIDConnectProvider":{"id":"iam:RemoveClientIDFromOpenIDConnectProvider","name":"iam","scope":"HIGH","parent":{"notes":"The 
contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:RemoveRoleFromInstanceProfile":{"id":"iam:RemoveRoleFromInstanceProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:RemoveUserFromGroup":{"id":"iam:RemoveUserFromGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:ResetServiceSpecificCredential":{"id":"iam:ResetServiceSpecificCredential","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:ResyncMFADevice":{"id":"iam:ResyncMFADevice","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:SetDefaultPolicyVersion":{"id":"iam:SetDefaultPolicyVersion","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:SetSecurityTokenServicePreferences":{"id":"iam:SetSecurityTokenServicePreferences","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateAccessKey":{"id":"iam:UpdateAccessKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateAccountPasswordPolicy":{"id":"iam:UpdateAccountPasswordPolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateAssumeRolePolicy":{"id":"iam:UpdateAssumeRolePolicy","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically 
generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateGroup":{"id":"iam:UpdateGroup","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateLoginProfile":{"id":"iam:UpdateLoginProfile","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","escalation:privilege"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateOpenIDConnectProviderThumbprint":{"id":"iam:UpdateOpenIDConnectProviderThumbprint","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateRole":{"id":"iam:UpdateRole","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateRoleDescription":{"id":"iam:UpdateRoleDescription","name":"iam","scope":"HIGH","parent":{"notes":"The 
contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateSAMLProvider":{"id":"iam:UpdateSAMLProvider","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateSSHPublicKey":{"id":"iam:UpdateSSHPublicKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateServerCertificate":{"id":"iam:UpdateServerCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateServiceSpecificCredential":{"id":"iam:UpdateServiceSpecificCredential","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateSigningCertificate":{"id":"iam:UpdateSigningCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UpdateUser":{"id":"iam:UpdateUser","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UploadSSHPublicKey":{"id":"iam:UploadSSHPublicKey","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UploadServerCertificate":{"id":"iam:UploadServerCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"iam:UploadSigningCertificate":{"id":"iam:UploadSigningCertificate","name":"iam","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iam"],"seeAlso":[]},"imagebuilder:PutComponentPolicy":{"id":"imagebuilder:PutComponentPolicy","name":"imagebuilder","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/imagebuilder"],"seeAlso":[]},"imagebuilder:PutImagePolicy":{"id":"imagebuilder:PutImagePolicy","name":"imagebuilder","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/imagebuilder"],"seeAlso":[]},"imagebuilder:PutImageRecipePolicy":{"id":"imagebuilder:PutImageRecipePolicy","name":"imagebuilder","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/imagebuilder"],"seeAlso":[]},"iot:AttachPolicy":{"id":"iot:AttachPolicy","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:AttachPrincipalPolicy":{"id":"iot:AttachPrincipalPolicy","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:DetachPolicy":{"id":"iot:DetachPolicy","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:DetachPrincipalPolicy":{"id":"iot:DetachPrincipalPolicy","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:SetDefaultAuthorizer":{"id":"iot:SetDefaultAuthorizer","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iot:SetDefaultPolicyVersion":{"id":"iot:SetDefaultPolicyVersion","name":"iot","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iot"],"seeAlso":[]},"iotsitewise:CreateAccessPolicy":{"id":"iotsitewise:CreateAccessPolicy","name":"iotsitewise","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data 
hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iotsitewise"],"seeAlso":[]},"iotsitewise:DeleteAccessPolicy":{"id":"iotsitewise:DeleteAccessPolicy","name":"iotsitewise","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iotsitewise"],"seeAlso":[]},"iotsitewise:UpdateAccessPolicy":{"id":"iotsitewise:UpdateAccessPolicy","name":"iotsitewise","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/iotsitewise"],"seeAlso":[]},"kendra:Query":{"id":"kendra:Query","name":"kendra","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/kendra"],"seeAlso":[]},"kinesis:GetRecords":{"id":"kinesis:GetRecords","name":"kinesis","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/kinesis"],"seeAlso":[]},"kinesisvideo:GetImages":{"id":"kinesisvideo:GetImages","name":"kinesisvideo","scope":"HIGH","parent":{"notes":"The contents of this file 
were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/kinesisvideo"],"seeAlso":[]},"kinesisvideo:GetMedia":{"id":"kinesisvideo:GetMedia","name":"kinesisvideo","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/kinesisvideo"],"seeAlso":[]},"kms:CreateGrant":{"id":"kms:CreateGrant","name":"kms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/kms"],"seeAlso":[]},"kms:PutKeyPolicy":{"id":"kms:PutKeyPolicy","name":"kms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/kms"],"seeAlso":[]},"kms:RetireGrant":{"id":"kms:RetireGrant","name":"kms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/kms"],"seeAlso":[]},"kms:RevokeGrant":{"id":"kms:RevokeGrant","name":"kms","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/kms"],"seeAlso":[]},"lakeformation:BatchGrantPermissions":{"id":"lakeformation:BatchGrantPermissions","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lakeformation:BatchRevokePermissions":{"id":"lakeformation:BatchRevokePermissions","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lakeformation:GrantPermissions":{"id":"lakeformation:GrantPermissions","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lakeformation:PutDataLakeSettings":{"id":"lakeformation:PutDataLakeSettings","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lakeformation:RevokePermissions":{"id":"lakeformation:RevokePermissions","name":"lakeformation","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lakeformation"],"seeAlso":[]},"lambda:AddLayerVersionPermission":{"id":"lambda:AddLayerVersionPermission","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:AddPermission":{"id":"lambda:AddPermission","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:DisableReplication":{"id":"lambda:DisableReplication","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:EnableReplication":{"id":"lambda:EnableReplication","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:GetFunction":{"id":"lambda:GetFunction","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:GetLayerVersion":{"id":"lambda:GetLayerVersion","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:RemoveLayerVersionPermission":{"id":"lambda:RemoveLayerVersionPermission","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"lambda:RemovePermission":{"id":"lambda:RemovePermission","name":"lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/lambda"],"seeAlso":[]},"license-manager:UpdateServiceSettings":{"id":"license-manager:UpdateServiceSettings","name":"license-manager","scope":"HIGH","parent":{"notes":"The contents of 
this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/license-manager"],"seeAlso":[]},"lightsail:DownloadDefaultKeyPair":{"id":"lightsail:DownloadDefaultKeyPair","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetBucketAccessKeys":{"id":"lightsail:GetBucketAccessKeys","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetContainerImages":{"id":"lightsail:GetContainerImages","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetKeyPair":{"id":"lightsail:GetKeyPair","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetKeyPairs":{"id":"lightsail:GetKeyPairs","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"lightsail:GetRelationalDatabaseMasterUserPassword":{"id":"lightsail:GetRelationalDatabaseMasterUserPassword","name":"lightsail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/lightsail"],"seeAlso":[]},"logs:DeleteResourcePolicy":{"id":"logs:DeleteResourcePolicy","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:GetLogEvents":{"id":"logs:GetLogEvents","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:GetLogRecord":{"id":"logs:GetLogRecord","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:GetQueryResults":{"id":"logs:GetQueryResults","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:PutResourcePolicy":{"id":"logs:PutResourcePolicy","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"logs:Unmask":{"id":"logs:Unmask","name":"logs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/logs"],"seeAlso":[]},"macie2:GetFindings":{"id":"macie2:GetFindings","name":"macie2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/macie2"],"seeAlso":[]},"mediapackage:RotateChannelCredentials":{"id":"mediapackage:RotateChannelCredentials","name":"mediapackage","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediapackage"],"seeAlso":[]},"mediapackage:RotateIngestEndpointCredentials":{"id":"mediapackage:RotateIngestEndpointCredentials","name":"mediapackage","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediapackage"],"seeAlso":[]},"mediastore:DeleteContainerPolicy":{"id":"mediastore:DeleteContainerPolicy","name":"mediastore","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediastore"],"seeAlso":[]},"mediastore:GetObject":{"id":"mediastore:GetObject","name":"mediastore","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediastore"],"seeAlso":[]},"mediastore:PutContainerPolicy":{"id":"mediastore:PutContainerPolicy","name":"mediastore","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/mediastore"],"seeAlso":[]},"opsworks:SetPermission":{"id":"opsworks:SetPermission","name":"opsworks","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/opsworks"],"seeAlso":[]},"opsworks:UpdateUserProfile":{"id":"opsworks:UpdateUserProfile","name":"opsworks","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/opsworks"],"seeAlso":[]},"qldb:GetBlock":{"id":"qldb:GetBlock","name":"qldb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/qldb"],"seeAlso":[]},"quicksight:CreateAdmin":{"id":"quicksight:CreateAdmin","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:CreateGroup":{"id":"quicksight:CreateGroup","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically 
imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:CreateGroupMembership":{"id":"quicksight:CreateGroupMembership","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:CreateIAMPolicyAssignment":{"id":"quicksight:CreateIAMPolicyAssignment","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:CreateUser":{"id":"quicksight:CreateUser","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteGroup":{"id":"quicksight:DeleteGroup","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteGroupMembership":{"id":"quicksight:DeleteGroupMembership","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were 
automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteIAMPolicyAssignment":{"id":"quicksight:DeleteIAMPolicyAssignment","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteUser":{"id":"quicksight:DeleteUser","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:DeleteUserByPrincipalId":{"id":"quicksight:DeleteUserByPrincipalId","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:RegisterUser":{"id":"quicksight:RegisterUser","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateDashboardPermissions":{"id":"quicksight:UpdateDashboardPermissions","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateGroup":{"id":"quicksight:UpdateGroup","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateIAMPolicyAssignment":{"id":"quicksight:UpdateIAMPolicyAssignment","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateTemplatePermissions":{"id":"quicksight:UpdateTemplatePermissions","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"quicksight:UpdateUser":{"id":"quicksight:UpdateUser","name":"quicksight","scope":"HIGH","parent":{"notes":"The contents of this file 
were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/quicksight"],"seeAlso":[]},"ram:AcceptResourceShareInvitation":{"id":"ram:AcceptResourceShareInvitation","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:AssociateResourceShare":{"id":"ram:AssociateResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:CreateResourceShare":{"id":"ram:CreateResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:DeleteResourceShare":{"id":"ram:DeleteResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:DisassociateResourceShare":{"id":"ram:DisassociateResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:EnableSharingWithAwsOrganization":{"id":"ram:EnableSharingWithAwsOrganization","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:RejectResourceShareInvitation":{"id":"ram:RejectResourceShareInvitation","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"ram:UpdateResourceShare":{"id":"ram:UpdateResourceShare","name":"ram","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ram"],"seeAlso":[]},"rds-db:connect":{"id":"rds-db:connect","name":"rds-db","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see 
links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy","exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/rds-db"],"seeAlso":[]},"rds:AuthorizeDBSecurityGroupIngress":{"id":"rds:AuthorizeDBSecurityGroupIngress","name":"rds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/rds"],"seeAlso":[]},"rds:DownloadCompleteDBLogFile":{"id":"rds:DownloadCompleteDBLogFile","name":"rds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/rds"],"seeAlso":[]},"rds:DownloadDBLogFilePortion":{"id":"rds:DownloadDBLogFilePortion","name":"rds","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/rds"],"seeAlso":[]},"redshift:AuthorizeSnapshotAccess":{"id":"redshift:AuthorizeSnapshotAccess","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:CreateClusterUser":{"id":"redshift:CreateClusterUser","name":"redshift","scope":"HIGH","parent":{"notes":"The contents 
of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:CreateSnapshotCopyGrant":{"id":"redshift:CreateSnapshotCopyGrant","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:GetClusterCredentials":{"id":"redshift:GetClusterCredentials","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:JoinGroup":{"id":"redshift:JoinGroup","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:ModifyClusterIamRoles":{"id":"redshift:ModifyClusterIamRoles","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"redshift:RevokeSnapshotAccess":{"id":"redshift:RevokeSnapshotAccess","name":"redshift","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/redshift"],"seeAlso":[]},"robomaker:GetWorldTemplateBody":{"id":"robomaker:GetWorldTemplateBody","name":"robomaker","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/robomaker"],"seeAlso":[]},"route53resolver:PutResolverRulePolicy":{"id":"route53resolver:PutResolverRulePolicy","name":"route53resolver","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/route53resolver"],"seeAlso":[]},"s3-object-lambda:GetObject":{"id":"s3-object-lambda:GetObject","name":"s3-object-lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3-object-lambda"],"seeAlso":[]},"s3-object-lambda:GetObjectVersion":{"id":"s3-object-lambda:GetObjectVersion","name":"s3-object-lambda","scope":"HIGH","parent":{"notes":"The 
contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3-object-lambda"],"seeAlso":[]},"s3-object-lambda:ListBucket":{"id":"s3-object-lambda:ListBucket","name":"s3-object-lambda","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3-object-lambda"],"seeAlso":[]},"s3:BypassGovernanceRetention":{"id":"s3:BypassGovernanceRetention","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:DeleteAccessPointPolicy":{"id":"s3:DeleteAccessPointPolicy","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:DeleteBucketPolicy":{"id":"s3:DeleteBucketPolicy","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:GetObject":{"id":"s3:GetObject","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:GetObjectVersion":{"id":"s3:GetObjectVersion","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:ObjectOwnerOverrideToBucketOwner":{"id":"s3:ObjectOwnerOverrideToBucketOwner","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutAccessPointPolicy":{"id":"s3:PutAccessPointPolicy","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutAccountPublicAccessBlock":{"id":"s3:PutAccountPublicAccessBlock","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutBucketAcl":{"id":"s3:PutBucketAcl","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutBucketPolicy":{"id":"s3:PutBucketPolicy","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutBucketPublicAccessBlock":{"id":"s3:PutBucketPublicAccessBlock","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutObjectAcl":{"id":"s3:PutObjectAcl","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"s3:PutObjectVersionAcl":{"id":"s3:PutObjectVersionAcl","name":"s3","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/s3"],"seeAlso":[]},"sagemaker:Search":{"id":"sagemaker:Search","name":"sagemaker","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sagemaker"],"seeAlso":[]},"sdb:Select":{"id":"sdb:Select","name":"sdb","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sdb"],"seeAlso":[]},"secretsmanager:DeleteResourcePolicy":{"id":"secretsmanager:DeleteResourcePolicy","name":"secretsmanager","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/secretsmanager"],"seeAlso":[]},"secretsmanager:PutResourcePolicy":{"id":"secretsmanager:PutResourcePolicy","name":"secretsmanager","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/secretsmanager"],"seeAlso":[]},"secretsmanager:ValidateResourcePolicy":{"id":"secretsmanager:ValidateResourcePolicy","name":"secretsmanager","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/secretsmanager"],"seeAlso":[]},"serverlessrepo:GetApplication":{"id":"serverlessrepo:GetApplication","name":"serverlessrepo","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/serverlessrepo"],"seeAlso":[]},"serverlessrepo:GetCloudFormationTemplate":{"id":"serverlessrepo:GetCloudFormationTemplate","name":"serverlessrepo","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/serverlessrepo"],"seeAlso":[]},"servicecatalog:CreatePortfolioShare":{"id":"servicecatalog:CreatePortfolioShare","name":"servicecatalog","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/servicecatalog"],"seeAlso":[]},"servicecatalog:DeletePortfolioShare":{"id":"servicecatalog:DeletePortfolioShare","name":"servicecatalog","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/servicecatalog"],"seeAlso":[]},"snowball:GetJobUnlockCode":{"id":"snowball:GetJobUnlockCode","name":"snowball","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/snowball"],"seeAlso":[]},"sns:AddPermission":{"id":"sns:AddPermission","name":"sns","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sns"],"seeAlso":[]},"sns:CreateTopic":{"id":"sns:CreateTopic","name":"sns","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sns"],"seeAlso":[]},"sns:RemovePermission":{"id":"sns:RemovePermission","name":"sns","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sns"],"seeAlso":[]},"sns:SetTopicAttributes":{"id":"sns:SetTopicAttributes","name":"sns","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sns"],"seeAlso":[]},"sqs:AddPermission":{"id":"sqs:AddPermission","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"sqs:CreateQueue":{"id":"sqs:CreateQueue","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"sqs:ReceiveMessage":{"id":"sqs:ReceiveMessage","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"sqs:RemovePermission":{"id":"sqs:RemovePermission","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"sqs:SetQueueAttributes":{"id":"sqs:SetQueueAttributes","name":"sqs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sqs"],"seeAlso":[]},"ssm:GetDocument":{"id":"ssm:GetDocument","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:GetParameter":{"id":"ssm:GetParameter","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:GetParameterHistory":{"id":"ssm:GetParameterHistory","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:GetParameters":{"id":"ssm:GetParameters","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:GetParametersByPath":{"id":"ssm:GetParametersByPath","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"ssm:ModifyDocumentPermission":{"id":"ssm:ModifyDocumentPermission","name":"ssm","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/ssm"],"seeAlso":[]},"sso-directory:AddMemberToGroup":{"id":"sso-directory:AddMemberToGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:CreateAlias":{"id":"sso-directory:CreateAlias","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:CreateGroup":{"id":"sso-directory:CreateGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:CreateUser":{"id":"sso-directory:CreateUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data 
hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DeleteGroup":{"id":"sso-directory:DeleteGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DeleteUser":{"id":"sso-directory:DeleteUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DescribeGroup":{"id":"sso-directory:DescribeGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DescribeUser":{"id":"sso-directory:DescribeUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:DisableUser":{"id":"sso-directory:DisableUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:EnableUser":{"id":"sso-directory:EnableUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:ListBearerTokens":{"id":"sso-directory:ListBearerTokens","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:RemoveMemberFromGroup":{"id":"sso-directory:RemoveMemberFromGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:SearchGroups":{"id":"sso-directory:SearchGroups","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this 
file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:SearchUsers":{"id":"sso-directory:SearchUsers","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:UpdateGroup":{"id":"sso-directory:UpdateGroup","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:UpdatePassword":{"id":"sso-directory:UpdatePassword","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:UpdateUser":{"id":"sso-directory:UpdateUser","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso-directory:VerifyEmail":{"id":"sso-directory:VerifyEmail","name":"sso-directory","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso-directory"],"seeAlso":[]},"sso:AssociateDirectory":{"id":"sso:AssociateDirectory","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:AssociateProfile":{"id":"sso:AssociateProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreateApplicationInstance":{"id":"sso:CreateApplicationInstance","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreateApplicationInstanceCertificate":{"id":"sso:CreateApplicationInstanceCertificate","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud 
(see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreatePermissionSet":{"id":"sso:CreatePermissionSet","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreateProfile":{"id":"sso:CreateProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:CreateTrust":{"id":"sso:CreateTrust","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeleteApplicationInstance":{"id":"sso:DeleteApplicationInstance","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeleteApplicationInstanceCertificate":{"id":"sso:DeleteApplicationInstanceCertificate","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeletePermissionSet":{"id":"sso:DeletePermissionSet","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeletePermissionsPolicy":{"id":"sso:DeletePermissionsPolicy","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DeleteProfile":{"id":"sso:DeleteProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DisassociateDirectory":{"id":"sso:DisassociateDirectory","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:DisassociateProfile":{"id":"sso:DisassociateProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:ImportApplicationInstanceServiceProviderMetadata":{"id":"sso:ImportApplicationInstanceServiceProviderMetadata","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:PutPermissionsPolicy":{"id":"sso:PutPermissionsPolicy","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:SearchGroups":{"id":"sso:SearchGroups","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:SearchUsers":{"id":"sso:SearchUsers","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:StartSSO":{"id":"sso:StartSSO","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on 
aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceActiveCertificate":{"id":"sso:UpdateApplicationInstanceActiveCertificate","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceDisplayData":{"id":"sso:UpdateApplicationInstanceDisplayData","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceResponseConfiguration":{"id":"sso:UpdateApplicationInstanceResponseConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceResponseSchemaConfiguration":{"id":"sso:UpdateApplicationInstanceResponseSchemaConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceSecurityConfiguration":{"id":"sso:UpdateApplicationInstanceSecurityConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceServiceProviderConfiguration":{"id":"sso:UpdateApplicationInstanceServiceProviderConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateApplicationInstanceStatus":{"id":"sso:UpdateApplicationInstanceStatus","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateDirectoryAssociation":{"id":"sso:UpdateDirectoryAssociation","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdatePermissionSet":{"id":"sso:UpdatePermissionSet","name":"sso","scope":"HIGH","parent":{"notes":"The contents 
of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateProfile":{"id":"sso:UpdateProfile","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateSSOConfiguration":{"id":"sso:UpdateSSOConfiguration","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"sso:UpdateTrust":{"id":"sso:UpdateTrust","name":"sso","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/sso"],"seeAlso":[]},"storagegateway:DeleteChapCredentials":{"id":"storagegateway:DeleteChapCredentials","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"storagegateway:DescribeChapCredentials":{"id":"storagegateway:DescribeChapCredentials","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"storagegateway:SetLocalConsolePassword":{"id":"storagegateway:SetLocalConsolePassword","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"storagegateway:SetSMBGuestPassword":{"id":"storagegateway:SetSMBGuestPassword","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"storagegateway:UpdateChapCredentials":{"id":"storagegateway:UpdateChapCredentials","name":"storagegateway","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/storagegateway"],"seeAlso":[]},"sts:AssumeRole":{"id":"sts:AssumeRole","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"sts:AssumeRoleWithSAML":{"id":"sts:AssumeRoleWithSAML","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"sts:AssumeRoleWithWebIdentity":{"id":"sts:AssumeRoleWithWebIdentity","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"sts:GetFederationToken":{"id":"sts:GetFederationToken","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"sts:GetSessionToken":{"id":"sts:GetSessionToken","name":"sts","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/sts"],"seeAlso":[]},"support:DescribeAttachment":{"id":"support:DescribeAttachment","name":"support","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/support"],"seeAlso":[]},"support:DescribeCommunications":{"id":"support:DescribeCommunications","name":"support","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/support"],"seeAlso":[]},"waf-regional:DeletePermissionPolicy":{"id":"waf-regional:DeletePermissionPolicy","name":"waf-regional","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf-regional"],"seeAlso":[]},"waf-regional:GetChangeToken":{"id":"waf-regional:GetChangeToken","name":"waf-regional","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf-regional"],"seeAlso":[]},"waf-regional:PutPermissionPolicy":{"id":"waf-regional:PutPermissionPolicy","name":"waf-regional","scope":"HIGH","parent":{"notes":"The contents of this file were 
automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf-regional"],"seeAlso":[]},"waf:DeletePermissionPolicy":{"id":"waf:DeletePermissionPolicy","name":"waf","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf"],"seeAlso":[]},"waf:GetChangeToken":{"id":"waf:GetChangeToken","name":"waf","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:crypto"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf"],"seeAlso":[]},"waf:PutPermissionPolicy":{"id":"waf:PutPermissionPolicy","name":"waf","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/waf"],"seeAlso":[]},"wafv2:CreateWebACL":{"id":"wafv2:CreateWebACL","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"wafv2:DeletePermissionPolicy":{"id":"wafv2:DeletePermissionPolicy","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were 
automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"wafv2:DeleteWebACL":{"id":"wafv2:DeleteWebACL","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"wafv2:PutPermissionPolicy":{"id":"wafv2:PutPermissionPolicy","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"wafv2:UpdateWebACL":{"id":"wafv2:UpdateWebACL","name":"wafv2","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/wafv2"],"seeAlso":[]},"workdocs:GetDocument":{"id":"workdocs:GetDocument","name":"workdocs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workdocs"],"seeAlso":[]},"workdocs:GetDocumentPath":{"id":"workdocs:GetDocumentPath","name":"workdocs","scope":"HIGH","parent":{"notes":"The contents of this file were 
automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workdocs"],"seeAlso":[]},"workdocs:GetDocumentVersion":{"id":"workdocs:GetDocumentVersion","name":"workdocs","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workdocs"],"seeAlso":[]},"worklink:UpdateDevicePolicyConfiguration":{"id":"worklink:UpdateDevicePolicyConfiguration","name":"worklink","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/worklink"],"seeAlso":[]},"workmail:ListGroupMembers":{"id":"workmail:ListGroupMembers","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"workmail:ListGroups":{"id":"workmail:ListGroups","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from 
aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"workmail:ListUsers":{"id":"workmail:ListUsers","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["exfiltration:data"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"workmail:ResetPassword":{"id":"workmail:ResetPassword","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"workmail:ResetUserPassword":{"id":"workmail:ResetUserPassword","name":"workmail","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/workmail"],"seeAlso":[]},"xray:PutEncryptionConfig":{"id":"xray:PutEncryptionConfig","name":"xray","scope":"HIGH","parent":{"notes":"The contents of this file were automatically generated using the data hosted on aws.permissions.cloud (see links).","description":"Automatically imported from aws.permissions.cloud."},"risks":["destruction:policy"],"notes":null,"links":["https://aws.permissions.cloud/iam/xray"],"seeAlso":[]}},"gcp":{"apikeys.keys.create":{"id":"apikeys.keys.create","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access 
to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["impact:spend","impact:consumption"],"notes":"There is a maximum of 300 API keys per project that cannot be increased. The key creation API response does not actually return the key.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.delete":{"id":"apikeys.keys.delete","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.get":{"id":"apikeys.keys.get","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. 
Not all Google APIs support authentication via API key."},"risks":["discovery:infra"],"notes":"Does not include the key value.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.getKeyString":{"id":"apikeys.keys.getKeyString","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["escalation:privilege"],"notes":null,"links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.list":{"id":"apikeys.keys.list","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. 
Not all Google APIs support authentication via API key."},"risks":["discovery:infra"],"notes":"Does not include the key value.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.lookup":{"id":"apikeys.keys.lookup","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":[],"notes":"This is used to look-up the key from the key value.  It is not useful unless someone already has the key value.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.undelete":{"id":"apikeys.keys.undelete","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. 
Not all Google APIs support authentication via API key."},"risks":["impact:spend","impact:consumption"],"notes":null,"links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"apikeys.keys.update":{"id":"apikeys.keys.update","name":"Google API Keys","scope":"CRITICAL","parent":{"notes":"Because API keys do not provide a principal or check any additional authorization information, an individual that gains access to an API key will be able to use it to call supported Google APIs without detection.","description":"An API Key can be used to authenticate to supported Google REST APIs. Not all Google APIs support authentication via API key."},"risks":["impact:dos","destruction:defense"],"notes":"Can be used to add or remove restrictions (API restrictions or application restrictions) on how the key can be used.","links":["https://cloud.google.com/docs/authentication/api-keys","https://cloud.google.com/api-keys/docs/reference/rest/v2/keys","https://cloud.google.com/api-keys/docs/overview"],"seeAlso":[]},"appengine.applications.create":{"id":"appengine.applications.create","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. 
Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.applications.get":{"id":"appengine.applications.get","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":["discovery:infra","discovery:data"],"notes":"Includes data discovery because it reveals Cloud Storage bucket names.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.applications.update":{"id":"appengine.applications.update","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. 
Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":["impact:dos","impact:access","destruction:policy","escalation:lateral","destruction:defense"],"notes":"Allows modification of app IAP settings (which control app authentication). This can create a DoS if the IAP config is changed in a way that disallows access. Also allows disabling IAP, in which case App Engine will stop requiring authentication for all incoming requests. This allows the attacker to gain access to your web application. Also allows modification of SSL keys, including modification of private keys. This allows the attacker to decrypt customer traffic and potentially perform a man-in-the-middle attack. Does not allow deploying to the application.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services","https://cloud.google.com/beyondcorp-enterprise/docs/securing-app-engine"],"seeAlso":[]},"appengine.applications.disable":{"id":"appengine.applications.disable","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. 
Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":[],"notes":"This permission is part of some predefined roles but doesn't provide access to anything.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.applications.list":{"id":"appengine.applications.list","name":"Google App Engine Applications","scope":"CRITICAL","parent":{"notes":"App Engine applications can be used for a broad range of organizational functions and may include publicly available web applications. Therefore, viewing and modifying application configuration has the potential to significantly disrupt organizational operations.","description":"Google App Engine Applications are serverless web applications hosted and fully managed by Google."},"risks":[],"notes":"This permission is part of some predefined roles but doesn't do anything.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.instances.delete":{"id":"appengine.instances.delete","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. 
An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":["impact:dos"],"notes":"App Engine will recreate the instance based on the scaling settings for the app, but repeated deletions could still cause a DoS since in-flight requests may be dropped on deletion (the app has 30 seconds to finish processing in-flight requests).","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.instances.enableDebug":{"id":"appengine.instances.enableDebug","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":["collection:data","discovery:network","discovery:policy","escalation:lateral","exfiltration:data","impact:defacement","impact:hijack"],"notes":"Allows the user to SSH into the VM where the instance lives. Specific risks depend on instance and application configuration (and may require additional permissions based on configuration), but can potentially allow data exfiltration from the application or defacement of the application. 
There are no destruction risks since instances are intended to be short-lived (deleted/created according to demand) and do not store data intended to be persistent.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.instances.get":{"id":"appengine.instances.get","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":["discovery:infra","discovery:network"],"notes":"This only exposes basic information about the VM it is running on (ID, zone, IP, etc) and application metrics (requests, errors, memory usage, etc)","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.instances.list":{"id":"appengine.instances.list","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. 
An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":["discovery:infra","discovery:network"],"notes":"This only exposes basic information about the VM it is running on (ID, zone, IP, etc) and application metrics (requests, errors, memory usage, etc)","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.instances.update":{"id":"appengine.instances.update","name":"Google App Engine Instances","scope":"CRITICAL","parent":{"notes":null,"description":"An instance is the computing unit that fully hosts an App Engine application. An application may be running on one or more instances, with scaling and request routing managed by Google."},"risks":[],"notes":"This permission is part of some predefined roles but doesn't do anything.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/java/how-instances-are-managed","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions.instances"],"seeAlso":[]},"appengine.memcache.addKey":{"id":"appengine.memcache.addKey","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. 
Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.flush":{"id":"appengine.memcache.flush","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["impact:dos"],"notes":"This removes all key-value pairs from the cache, but it does not cause destruction since values may expire anytime and applications need to design around that. Repeated flushes may result in a DoS.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.get":{"id":"appengine.memcache.get","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. 
Examples of data commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.getKey":{"id":"appengine.memcache.getKey","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["exfiltration:data"],"notes":"The difference between getKey and get is not clear in Google's documentation.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.list":{"id":"appengine.memcache.list","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. 
Examples of data commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.memcache.update":{"id":"appengine.memcache.update","name":"Google App Engine Memcache","scope":"HIGH","parent":{"notes":"Memcache is not intended for persistent storage. Values can expire anytime, so users are recommended to only use memcache for values that the application can behave acceptably without. Examples of data commonly stored in memcache are session data and user preferences, as well as results of commonly used datastore queries. Scope is HIGH because this service may include sensitive customer data from cached datastore queries used by the application.","description":"Memcache is a key-value store accessible to App Engine applications."},"risks":["impact:manipulation"],"notes":"Destruction is not a concern since memcache is only intended for temporary storage.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache/using","https://cloud.google.com/appengine/docs/legacy/standard/python/memcache"],"seeAlso":[]},"appengine.operations.get":{"id":"appengine.operations.get","name":"App Engine operations","scope":"MEDIUM","parent":{"notes":"The operation includes the data returned from the API call the operation is associated with. 
This means that viewing an operation includes access to view resource metadata, and would be the same risk as get and list on the resources.","description":"Operations represent long-running App Engine API calls. They are used for operations on applications, domainMappings, services, and versions."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See applications.get, services.get, versions.get","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.operations"],"seeAlso":[]},"appengine.operations.list":{"id":"appengine.operations.list","name":"App Engine operations","scope":"MEDIUM","parent":{"notes":"The operation includes the data returned from the API call the operation is associated with. This means that viewing an operation includes access to view resource metadata, and would be the same risk as get and list on the resources.","description":"Operations represent long-running App Engine API calls. 
They are used for operations on applications, domainMappings, services, and versions."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See notes for functions.get","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.operations"],"seeAlso":[]},"appengine.services.delete":{"id":"appengine.services.delete","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a logical component of an application that can share state and securely communicate with other services."},"risks":["impact:dos","destruction:infra"],"notes":null,"links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.services.get":{"id":"appengine.services.get","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a logical component of an application that can share state and securely communicate with other services."},"risks":["discovery:infra","discovery:policy"],"notes":"Includes network discovery since it allows viewing of ingress traffic policies.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.services.list":{"id":"appengine.services.list","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a 
logical component of an application that can share state and securely communicate with other services."},"risks":["discovery:infra","discovery:policy"],"notes":"See get","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.services.update":{"id":"appengine.services.update","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a logical component of an application that can share state and securely communicate with other services."},"risks":["impact:dos","destruction:policy","escalation:lateral","impact:access","impact:defacement"],"notes":"Allows modifying network traffic settings. An attacker could divert traffic to invalid versions, creating a DoS. Defacement impact when combined with versions.create, since they could deploy a version and then divert traffic to it. 
Also allows modifying ingress traffic settings, which could either lead to escalation by making access public, or restrict previously authorized access by narrowing the policy.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.services.create":{"id":"appengine.services.create","name":"Google App Engine services","scope":"CRITICAL","parent":{"notes":"Application functionality relies on services: deleting or updating services can prevent normal application function.","description":"A service is a logical component of an application that can share state and securely communicate with other services."},"risks":[],"notes":"This permission is part of some predefined roles but doesn't do anything.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services"],"seeAlso":[]},"appengine.versions.create":{"id":"appengine.versions.create","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["impact:hijack","impact:spend"],"notes":"Creating a version will deploy the provided source code to App Engine. 
This does not route any external traffic to the new version, but allows for resource hijacking.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.delete":{"id":"appengine.versions.delete","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["impact:dos","destruction:infra"],"notes":"App Engine does not allow deleting the default version for the application. However, non-default versions may still be configured to receive traffic and can be deleted.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.get":{"id":"appengine.versions.get","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["discovery:infra","discovery:policy","discovery:network","discovery:data"],"notes":"Includes data discovery since it exposes names of Cloud Storage buckets, policy discovery since it includes VPC egress settings, and network discovery for network settings in the application environment.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.getFileContents":{"id":"appengine.versions.getFileContents","name":"Google App Engine 
version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["exfiltration:code"],"notes":"Read access to deployed source code.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.list":{"id":"appengine.versions.list","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["discovery:infra","discovery:policy","discovery:network","discovery:data"],"notes":"See get","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions"],"seeAlso":[]},"appengine.versions.update":{"id":"appengine.versions.update","name":"Google App Engine version","scope":"CRITICAL","parent":{"notes":"Resources for a version, including source code, must first be uploaded to a Cloud Storage bucket.","description":"A version is a specific set of source code and configuration files that are deployed to a service."},"risks":["impact:spend"],"notes":"Only allows updating scaling settings for the version.","links":["https://cloud.google.com/appengine/docs/admin-api/access-control#roles","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions","https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions/patch"],"seeAlso":[]},"bigquery.capacityCommitments.create":{"id":"bigquery.capacityCommitments.create","name":"BigQuery 
capacity commitments","scope":"MEDIUM","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.capacityCommitments.delete":{"id":"bigquery.capacityCommitments.delete","name":"BigQuery capacity commitments","scope":"MEDIUM","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.capacityCommitments.get":{"id":"bigquery.capacityCommitments.get","name":"BigQuery capacity commitments","scope":"LOW","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity commitments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.capacityCommitments.list":{"id":"bigquery.capacityCommitments.list","name":"BigQuery capacity commitments","scope":"LOW","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity commitments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.capacityCommitments.update":{"id":"bigquery.capacityCommitments.update","name":"BigQuery capacity commitments","scope":"MEDIUM","parent":{"notes":"Capacity commitments affect operational cost.","description":"Privileges to view and edit BigQuery capacity 
commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.config.get":{"id":"bigquery.config.get","name":"BigQuery config","scope":"MEDIUM","parent":{"notes":"Certain of these settings can affect operations (such as modification of default time-outs or timezones) when those operations operate with default settings.","description":"A BigQuery config is a set of organization settings applied across BigQuery. It is modified using the `ALTER ORGANIZATION` SQL statement, and read by executing a `SELECT` statement on tables in the `{region}.INFORMATION_SCHEMA` schema."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/default-configuration"],"seeAlso":[]},"bigquery.config.update":{"id":"bigquery.config.update","name":"BigQuery config","scope":"MEDIUM","parent":{"notes":"Certain of these settings can affect operations (such as modification of default time-outs or timezones) when those operations operate with default settings.","description":"A BigQuery config is a set of organization settings applied across BigQuery. It is modified using the `ALTER ORGANIZATION` SQL statement, and read by executing a `SELECT` statement on tables in the `{region}.INFORMATION_SCHEMA` schema."},"risks":["impact:dos"],"notes":"Can cause query timeouts.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/default-configuration"],"seeAlso":[]},"bigquery.connections.create":{"id":"bigquery.connections.create","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. 
Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.delegate":{"id":"bigquery.connections.delegate","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":[],"notes":"May be unused.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.delete":{"id":"bigquery.connections.delete","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.get":{"id":"bigquery.connections.get","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["discovery:infra"],"notes":"Exposes SQL connection metadata. 
Per Google documentation, SQL credentials are omitted.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.getIamPolicy":{"id":"bigquery.connections.getIamPolicy","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.list":{"id":"bigquery.connections.list","name":"BigQuery connections","scope":"LOW","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.setIamPolicy":{"id":"bigquery.connections.setIamPolicy","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. 
Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.update":{"id":"bigquery.connections.update","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.updateTag":{"id":"bigquery.connections.updateTag","name":"BigQuery connections","scope":"HIGH","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.connections.use":{"id":"bigquery.connections.use","name":"BigQuery connections","scope":"LOW","parent":{"notes":"Deletion or alteration of connections can interrupt dependent operations. 
Reading connection metadata can expose database accounts.","description":"External read-only connections to data in other services (both within and without GCP)."},"risks":["exfiltration:data"],"notes":"In order to exploit a connection to read data from a third-party source, all of the following must be true:\n  - The attacker must have permission to create a connection of the correct type\n  - The attacker must already have read access to the target data system, or have a mechanism to give\n    the connection read access to the target data system\n  - The attacker can then use this permission to run queries against the connection\nIn general, therefore, exfiltration is only possible when the attacker already otherwise has access to the target system.\n","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/working-with-connections"],"seeAlso":[]},"bigquery.dataPolicies.create":{"id":"bigquery.dataPolicies.create","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.delete":{"id":"bigquery.dataPolicies.delete","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["escalation:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.get":{"id":"bigquery.dataPolicies.get","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to 
necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.getIamPolicy":{"id":"bigquery.dataPolicies.getIamPolicy","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.list":{"id":"bigquery.dataPolicies.list","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.setIamPolicy":{"id":"bigquery.dataPolicies.setIamPolicy","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery tables."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.dataPolicies.update":{"id":"bigquery.dataPolicies.update","name":"BigQuery data policies","scope":"HIGH","parent":{"notes":"Alteration of data-masking policies can allow access to sensitive data or deny access to necessary data.","description":"Column-level data-masking policies for BigQuery 
tables."},"risks":["impact:dos","escalation:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.create":{"id":"bigquery.datasets.create","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.createTagBinding":{"id":"bigquery.datasets.createTagBinding","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.delete":{"id":"bigquery.datasets.delete","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. 
They are analogous to schemata in relational data systems."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.deleteTagBinding":{"id":"bigquery.datasets.deleteTagBinding","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.get":{"id":"bigquery.datasets.get","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.getIamPolicy":{"id":"bigquery.datasets.getIamPolicy","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. 
They are analogous to schemata in relational data systems."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.link":{"id":"bigquery.datasets.link","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":[],"notes":"Possibly used by the AnalyticsHub API projects.locations.dataExchanges/create, although this is undocumented by Google. More likely is that creating linked datasets is actually solely enabled by analyticshub.listings.create, and this permission is unused.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/reference/analytics-hub/rest/v1/projects.locations.dataExchanges/create"],"seeAlso":[]},"bigquery.datasets.listEffectiveTags":{"id":"bigquery.datasets.listEffectiveTags","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.listTagBindings":{"id":"bigquery.datasets.listTagBindings","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. 
They are analogous to schemata in relational data systems."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.setIamPolicy":{"id":"bigquery.datasets.setIamPolicy","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.update":{"id":"bigquery.datasets.update","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["destruction:data"],"notes":"Data can be destroyed if default table expiration is modified.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.datasets.updateTag":{"id":"bigquery.datasets.updateTag","name":"BigQuery datasets","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"Datasets in BigQuery are a primary unit of organizing and controlling access to data. They are analogous to schemata in relational data systems."},"risks":["escalation:privilege","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. 
The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.create":{"id":"bigquery.models.create","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["impact:hijack","impact:spend"],"notes":"From Google: \"Create new models.\" Requires read access to any source data.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.delete":{"id":"bigquery.models.delete","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["destruction:data","destruction:infra"],"notes":"From Google: \"Delete models.\"","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.getData":{"id":"bigquery.models.getData","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. 
This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["exfiltration:data"],"notes":"From Google: \"Get model data.\"","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.getMetadata":{"id":"bigquery.models.getMetadata","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["discovery:infra"],"notes":"From Google: \"Get model metadata.\"","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.list":{"id":"bigquery.models.list","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["discovery:infra"],"notes":"From Google: \"List models and metadata on models.\"","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.updateData":{"id":"bigquery.models.updateData","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. 
This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":[],"notes":"From Google: \"Update model data.\" Appears unused.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.models.updateMetadata":{"id":"bigquery.models.updateMetadata","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["destruction:artifact"],"notes":"'From Google: \"Update model metadata.\" Allows users to update description, labels and change model expiration time.' Allows users to destroy a model by setting its expiration to 0.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/updating-model-metadata","https://cloud.google.com/bigquery/docs/reference/rest/v2/models/patch"],"seeAlso":[]},"bigquery.models.export":{"id":"bigquery.models.export","name":"BigQuery jobs","scope":"HIGH","parent":{"notes":"Marked as HIGH (vs. CRITICAL), as the scope of data accessible via models is generally likely to be more limited than direct query access. This may underestimate scope in the event that an organization's primary function depends on machine learning implemented within BigQuery models.","description":"BigQuery models allow users to build machine-learning pipelines within BigQuery."},"risks":["exfiltration:data"],"notes":"From Google: \"Export a model.\" 
Requires bigquery.jobs.create in order to create the export job.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/exporting-models"],"seeAlso":[]},"bigquery.reservationAssignments.create":{"id":"bigquery.reservationAssignments.create","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Assignments do not directly incur additional cost beyond previously purchased reservations.","description":"Assigns projects to previously purchased BigQuery reservations"},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservationAssignments.delete":{"id":"bigquery.reservationAssignments.delete","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Assignments do not directly incur additional cost beyond previously purchased reservations.","description":"Assigns projects to previously purchased BigQuery reservations"},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservationAssignments.list":{"id":"bigquery.reservationAssignments.list","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Assignments do not directly incur additional cost beyond previously purchased reservations.","description":"Assigns projects to previously purchased BigQuery reservations"},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservationAssignments.search":{"id":"bigquery.reservationAssignments.search","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Assignments do not directly incur additional cost beyond previously purchased reservations.","description":"Assigns projects to previously 
purchased BigQuery reservations"},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.create":{"id":"bigquery.reservations.create","name":"BigQuery reservations","scope":"MEDIUM","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.delete":{"id":"bigquery.reservations.delete","name":"BigQuery reservations","scope":"MEDIUM","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.get":{"id":"bigquery.reservations.get","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to commitments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.list":{"id":"bigquery.reservations.list","name":"BigQuery reservations","scope":"LOW","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to 
commitments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.reservations.update":{"id":"bigquery.reservations.update","name":"BigQuery reservations","scope":"MEDIUM","parent":{"notes":"Reservations affect operational cost.","description":"Works with capacity commitments to assign BigQuery slots to commitments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/reservations-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.create":{"id":"bigquery.routines.create","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.delete":{"id":"bigquery.routines.delete","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.get":{"id":"bigquery.routines.get","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.list":{"id":"bigquery.routines.list","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data 
returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.update":{"id":"bigquery.routines.update","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.updateTag":{"id":"bigquery.routines.updateTag","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.routines.use":{"id":"bigquery.routines.use","name":"BigQuery routines","scope":"LOW","parent":{"notes":"Deletion or alteration of functions can alter data returned by queries.","description":"Includes stored procedures, user-defined functions, and table functions."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.create":{"id":"bigquery.rowAccessPolicies.create","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery 
tables."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.delete":{"id":"bigquery.rowAccessPolicies.delete","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["escalation:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.get":{"id":"bigquery.rowAccessPolicies.get","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.getFilteredData":{"id":"bigquery.rowAccessPolicies.getFilteredData","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["exfiltration:data"],"notes":"Should only be granted per row-access policy.","links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/best-practices-row-level-security#use_the_filtered_data_viewer_role_with_caution"],"seeAlso":[]},"bigquery.rowAccessPolicies.getIamPolicy":{"id":"bigquery.rowAccessPolicies.getIamPolicy","name":"BigQuery 
row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.overrideTimeTravelRestrictions":{"id":"bigquery.rowAccessPolicies.overrideTimeTravelRestrictions","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.list":{"id":"bigquery.rowAccessPolicies.list","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.setIamPolicy":{"id":"bigquery.rowAccessPolicies.setIamPolicy","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery 
tables."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.rowAccessPolicies.update":{"id":"bigquery.rowAccessPolicies.update","name":"BigQuery row-access policies","scope":"HIGH","parent":{"notes":"Alteration of row-access policies can allow access to sensitive data or deny access to necessary data.","description":"Row-level access policies for BigQuery tables."},"risks":["impact:dos","escalation:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/row-level-security-intro","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.create":{"id":"bigquery.savedqueries.create","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.delete":{"id":"bigquery.savedqueries.delete","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.get":{"id":"bigquery.savedqueries.get","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query 
SQL."},"risks":["discovery:data","discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.list":{"id":"bigquery.savedqueries.list","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":["discovery:data","discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.update":{"id":"bigquery.savedqueries.update","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.updateTag":{"id":"bigquery.savedqueries.updateTag","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.savedqueries.use":{"id":"bigquery.savedqueries.use","name":"BigQuery saved queries","scope":"MEDIUM","parent":{"notes":"Queries can expose relation identifiers and schemata.","description":"Access to persist query SQL."},"risks":[],"notes":"Appears unused.","links":["https://cloud.google.com/bigquery/docs/work-with-saved-queries","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.create":{"id":"bigquery.tables.create","name":"BigQuery 
tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":[],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.createIndex":{"id":"bigquery.tables.createIndex","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.createSnapshot":{"id":"bigquery.tables.createSnapshot","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.delete":{"id":"bigquery.tables.delete","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.deleteIndex":{"id":"bigquery.tables.deleteIndex","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:infra","impact:spend","impact:dos"],"notes":"Can cause service interruptions by reducing query 
performance.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.deleteSnapshot":{"id":"bigquery.tables.deleteSnapshot","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.export":{"id":"bigquery.tables.export","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.get":{"id":"bigquery.tables.get","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.getData":{"id":"bigquery.tables.getData","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.getIamPolicy":{"id":"bigquery.tables.getIamPolicy","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold 
data."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.list":{"id":"bigquery.tables.list","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.restoreSnapshot":{"id":"bigquery.tables.restoreSnapshot","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:data"],"notes":"Can destroy data more recent than the restored snapshot.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.setCategory":{"id":"bigquery.tables.setCategory","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["escalation:privilege","impact:access"],"notes":"Categories alter table access.","links":["https://cloud.google.com/bigquery/docs/access-control","https://cloud.google.com/bigquery/docs/managing-policy-tags-across-locations"],"seeAlso":[]},"bigquery.tables.setIamPolicy":{"id":"bigquery.tables.setIamPolicy","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.update":{"id":"bigquery.tables.update","name":"BigQuery 
tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.updateData":{"id":"bigquery.tables.updateData","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.tables.updateTag":{"id":"bigquery.tables.updateTag","name":"BigQuery tables","scope":"CRITICAL","parent":{"notes":"BigQuery can potentially store sensitive information from across an organization's functions.","description":"BigQuery tables hold data."},"risks":["escalation:privilege","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.transfers.get":{"id":"bigquery.transfers.get","name":"BigQuery transfers","scope":"MEDIUM","parent":{"notes":"Creation or alteration of transfers can interrupt service and incur spend. Note that the `bigquery.datasets.update` privilege is required to alter data. 
Additionally, the BigQuery Data Transfer Service must be enabled separately from BigQuery itself.","description":"Automates data import into BigQuery."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/bigquery/docs/dts-introduction","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"bigquery.transfers.update":{"id":"bigquery.transfers.update","name":"BigQuery transfers","scope":"MEDIUM","parent":{"notes":"Creation or alteration of transfers can interrupt service and incur spend. Note that the `bigquery.datasets.update` privilege is required to alter data. Additionally, the BigQuery Data Transfer Service must be enabled separately from BigQuery itself.","description":"Automates data import into BigQuery."},"risks":["impact:dos","impact:spend"],"notes":"Can interrupt services that rely on data transfers.","links":["https://cloud.google.com/bigquery/docs/dts-introduction","https://cloud.google.com/bigquery/docs/access-control"],"seeAlso":[]},"billing.accounts.close":{"id":"billing.accounts.close","name":"Cloud Billing Accounts","scope":"HIGH","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["impact:dos"],"notes":"It is possible to close an active account. 
This stops all billable services in linked projects.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles","https://cloud.google.com/billing/docs/how-to/close-or-reopen-billing-account"],"seeAlso":[]},"billing.accounts.create":{"id":"billing.accounts.create","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.get":{"id":"billing.accounts.get","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. 
It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:account"],"notes":"This includes only the resource name of the billing account and whether it's open.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getCarbonInformation":{"id":"billing.accounts.getCarbonInformation","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getIamPolicy":{"id":"billing.accounts.getIamPolicy","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. 
It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getPaymentInfo":{"id":"billing.accounts.getPaymentInfo","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:data"],"notes":"Allows viewing full name and address associated with payment information.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getPricing":{"id":"billing.accounts.getPricing","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. 
It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":"Only exposes Google's pricing for your organization.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getSpendingInformation":{"id":"billing.accounts.getSpendingInformation","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:finance"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.getUsageExportSpec":{"id":"billing.accounts.getUsageExportSpec","name":"Cloud Billing Accounts","scope":"LOW","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. 
It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:infra"],"notes":"Shows where usage data is currently exported to (Cloud Storage Bucket or BigQuery table)","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.list":{"id":"billing.accounts.list","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["discovery:account"],"notes":"This includes only the resource name of the billing account and whether it's open.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.move":{"id":"billing.accounts.move","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["impact:spend"],"notes":"Along with billing.accounts.removeFromOrganization, allows moving the account to a new organization.  
This could allow the new organization to use the account and existing payment info for billing.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.redeemPromotion":{"id":"billing.accounts.redeemPromotion","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.removeFromOrganization":{"id":"billing.accounts.removeFromOrganization","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. 
It is connected to a Google payments profile through which costs are charged."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.reopen":{"id":"billing.accounts.reopen","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.setIamPolicy":{"id":"billing.accounts.setIamPolicy","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. 
It is connected to a Google payments profile through which costs are charged."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.update":{"id":"billing.accounts.update","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["impact:spend"],"notes":"Only allows changing display name, upgrading from a free trial, or redeeming promotional codes.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.accounts.updatePaymentInfo":{"id":"billing.accounts.updatePaymentInfo","name":"Cloud Billing Accounts","scope":"MEDIUM","parent":{"notes":"Removing or updating billing information may render billable Google services or APIs unavailable.","description":"A cloud billing account is used to define who pays for a given set of Google Cloud resources and APIs. It is connected to a Google payments profile through which costs are charged."},"risks":["impact:dos"],"notes":"An account must have at least one payment method at all times, so the only payment method cannot be removed. 
However, the payment method could be updated to a card that will get declined, causing a DOS.","links":["https://cloud.google.com/billing/docs/how-to/billing-access","https://cloud.google.com/billing/docs/reference/rest/v1/billingAccounts","https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.budgets.get":{"id":"billing.budgets.get","name":"Cloud Billing Budgets","scope":"LOW","parent":{"notes":null,"description":"Budgets allow you to monitor cloud spend by triggering alerts if spend reaches thresholds. This does not automatically cap usage."},"risks":["discovery:finance"],"notes":"This includes monthly spend info","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.budgets.list":{"id":"billing.budgets.list","name":"Cloud Billing Budgets","scope":"LOW","parent":{"notes":null,"description":"Budgets allow you to monitor cloud spend by triggering alerts if spend reaches thresholds. This does not automatically cap usage."},"risks":["discovery:finance"],"notes":"This includes monthly spend info","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.budgets.create":{"id":"billing.budgets.create","name":"Cloud Billing Budgets","scope":"LOW","parent":{"notes":null,"description":"Budgets allow you to monitor cloud spend by triggering alerts if spend reaches thresholds. This does not automatically cap usage."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.budgets.update":{"id":"billing.budgets.update","name":"Cloud Billing Budgets","scope":"LOW","parent":{"notes":null,"description":"Budgets allow you to monitor cloud spend by triggering alerts if spend reaches thresholds. 
This does not automatically cap usage."},"risks":[],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.credits.list":{"id":"billing.credits.list","name":"Cloud Billing Credits","scope":"LOW","parent":{"notes":null,"description":"Credits include various ways to save on cloud spend, such as free-tier, committed use discounts, etc."},"risks":["discovery:finance"],"notes":"Allows viewing both the original credit and the current usage amount.","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.resourceAssociations copy.list":{"id":"billing.resourceAssociations copy.list","name":"Cloud Billing Resource Associations","scope":"MEDIUM","parent":{"notes":null,"description":"A \"resource association\" associates a project with the billing account used for it."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.resourceAssociations copy.create":{"id":"billing.resourceAssociations copy.create","name":"Cloud Billing Resource Associations","scope":"MEDIUM","parent":{"notes":null,"description":"A \"resource association\" associates a project with the billing account used for it."},"risks":["impact:spend"],"notes":"Can be used to associate the billing account with another project.","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.resourceAssociations copy.delete":{"id":"billing.resourceAssociations copy.delete","name":"Cloud Billing Resource Associations","scope":"MEDIUM","parent":{"notes":null,"description":"A \"resource association\" associates a project with the billing account used for it."},"risks":["impact:dos"],"notes":"Can render the project without a billing method, interrupting service.","links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"billing.resourceCosts.list":{"id":"billing.resourceCosts.list","name":"Cloud Billing Resource Costs","scope":"LOW","parent":{"notes":null,"description":"Resource costs include costs and usage information for Google Cloud resources."},"risks":["discovery:finance"],"notes":null,"links":["https://cloud.google.com/billing/docs/how-to/custom-roles"],"seeAlso":[]},"cloudbuild.builds.approve":{"id":"cloudbuild.builds.approve","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["impact:dos"],"notes":"This allows the user to both approve or deny an existing build.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.builds.create":{"id":"cloudbuild.builds.create","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["impact:spend","impact:dos","escalation:lateral"],"notes":"This permission allows users to run builds as the Cloud Build service account. This can allow the user to have escalated build-time privileges. 
Google explicitly cautions against granting this permission for that reason.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.builds.get":{"id":"cloudbuild.builds.get","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.builds.list":{"id":"cloudbuild.builds.list","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.builds.update":{"id":"cloudbuild.builds.update","name":"Cloud Build","scope":"MEDIUM","parent":{"notes":"Code and artifacts are generally stored in other services, such as Cloud storage.","description":"A Cloud build describes where to find source code, how to build it, and where to store built artifacts."},"risks":["impact:dos"],"notes":"This allows the user to cancel a build.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/overview#how_builds_work","https://cloud.google.com/build/docs/cloud-build-service-account#default_permissions_of_service_account","https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds#Build"],"seeAlso":[]},"cloudbuild.connections.create":{"id":"cloudbuild.connections.create","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":[],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.delete":{"id":"cloudbuild.connections.delete","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.fetchLinkableRepositories":{"id":"cloudbuild.connections.fetchLinkableRepositories","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["discovery:code"],"notes":"This fetches repositories from the system the connection is with.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.get":{"id":"cloudbuild.connections.get","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["discovery:infra","discovery:code"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.getIamPolicy":{"id":"cloudbuild.connections.getIamPolicy","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.list":{"id":"cloudbuild.connections.list","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["discovery:infra","discovery:code"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.setIamPolicy":{"id":"cloudbuild.connections.setIamPolicy","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.connections.update":{"id":"cloudbuild.connections.update","name":"Cloud Build Connection","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build connection is a connection to an external Source Code Management system, like Github and Gitlab."},"risks":["impact:dos"],"notes":"You can change the user token secret used for the connection, effectively resulting in a DOS.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/sdk/gcloud/reference/alpha/builds/connections","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections"],"seeAlso":[]},"cloudbuild.repositories.accessReadToken":{"id":"cloudbuild.repositories.accessReadToken","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["exfiltration:code"],"notes":"Fetches the read token for the connected repository","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.accessReadWriteToken":{"id":"cloudbuild.repositories.accessReadWriteToken","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["exfiltration:code","impact:defacement","impact:dos"],"notes":"Fetches the read/write token for the connected repository","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.create":{"id":"cloudbuild.repositories.create","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":[],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.delete":{"id":"cloudbuild.repositories.delete","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.fetchGitRefs":{"id":"cloudbuild.repositories.fetchGitRefs","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":[],"notes":"Could not find any documentation on this and it is not included in any Cloud Build roles, so I think this permission is unused.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.get":{"id":"cloudbuild.repositories.get","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["discovery:infra","discovery:code"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.repositories.list":{"id":"cloudbuild.repositories.list","name":"Cloud Build Repository","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build repository is a connection to a repository located in an external Source Code Management provider, like Github and Gitlab."},"risks":["discovery:infra","discovery:code"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/api/reference/rest/v2/projects.locations.connections.repositories","https://cloud.google.com/build/docs/repositories"],"seeAlso":[]},"cloudbuild.workerpools.create":{"id":"cloudbuild.workerpools.create","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":[],"notes":"Build is priced per build minute, so just creating a worker pool does not add spend.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.delete":{"id":"cloudbuild.workerpools.delete","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.get":{"id":"cloudbuild.workerpools.get","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["discovery:infra","discovery:network"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.list":{"id":"cloudbuild.workerpools.list","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["discovery:infra","discovery:network"],"notes":null,"links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.update":{"id":"cloudbuild.workerpools.update","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["impact:dos","impact:spend"],"notes":"Can effectively create a DOS by reducing disk size. Spend impact via increasing disk size or changing machine type.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudbuild.workerpools.use":{"id":"cloudbuild.workerpools.use","name":"Cloud Build Worker Pools","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud build worker pool is a dedicated pool of workers that offers customization over the build environment, including the ability to access resources in a private network."},"risks":["impact:spend","escalation:network"],"notes":"This also requires builds.create. Allows a user to run a build on the worker pool. 
If the worker pool has access to a VPC network, provides an opportunity for network escalation.","links":["https://cloud.google.com/build/docs/iam-roles-permissions","https://cloud.google.com/build/docs/private-pools/private-pools-overview"],"seeAlso":[]},"cloudfunctions.functions.get":{"id":"cloudfunctions.functions.get","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"Function metadata includes the following: \n  - labels and descriptions associated with the function\n  - build config (docker registry/repository, source code location, build-time env variables)\n  - service deployment config (memory info, env variables available during execution, network traffic settings: ingress for function, egress for VPC connector, secret volume and env variable configuration)\n  - configuration for events that trigger the function (service info for the service that triggers the info, filters on event fields)\n  - encryption key name","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.list":{"id":"cloudfunctions.functions.list","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. 
Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See notes for get","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.call":{"id":"cloudfunctions.functions.call","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:account","discovery:infra","discovery:data","exfiltration:data","impact:spend","impact:dos","impact:manipulation"],"notes":"Allows execution of a cloud function. Can expose a variety of risks depending on the contents of the cloud function. Also allows for DOS via spamming executions and data injection via execution with fake parameters.","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.invoke":{"id":"cloudfunctions.functions.invoke","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:account","discovery:infra","discovery:data","exfiltration:data","impact:spend","impact:dos","impact:manipulation"],"notes":"Allows execution of a cloud function. Can expose a variety of risks depending on the contents of the cloud function. 
Also allows for DOS via spamming executions and data injection via execution with fake parameters.","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.create":{"id":"cloudfunctions.functions.create","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["impact:spend","impact:hijack"],"notes":"Creating a cloud function requires permissions on the cloud functions runtime service account. Includes a vulnerability where the user can export service account credentials, but exploiting this vulnerability requires the user to already have iam.serviceAccounts.actAs on the target service account.","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/","https://cloud.google.com/functions/docs/calling","https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration"],"seeAlso":[]},"cloudfunctions.functions.delete":{"id":"cloudfunctions.functions.delete","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. 
Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["destruction:infra","destruction:data"],"notes":null,"links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.sourceCodeGet":{"id":"cloudfunctions.functions.sourceCodeGet","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["exfiltration:code"],"notes":null,"links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.update":{"id":"cloudfunctions.functions.update","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["impact:encryption","impact:dos","impact:spend"],"notes":"Allows for updating ingress and egress network traffic settings as well as updating encryption keys","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.sourceCodeSet":{"id":"cloudfunctions.functions.sourceCodeSet","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. 
Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["impact:dos","impact:manipulation","impact:spend","impact:hijack"],"notes":"Includes DOS, data manipulation, spend, and hijack risks.","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.getIamPolicy":{"id":"cloudfunctions.functions.getIamPolicy","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.functions.setIamPolicy":{"id":"cloudfunctions.functions.setIamPolicy","name":"Cloud functions","scope":"CRITICAL","parent":{"notes":null,"description":"Cloud functions is a serverless computing service. 
Functions are triggered in response to events and the code runs in an environment fully managed by Google."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.functions"],"seeAlso":[]},"cloudfunctions.locations.list":{"id":"cloudfunctions.locations.list","name":"Cloud Functions Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud Functions.","description":"Infrastructure regions available for Google Cloud functions."},"risks":[],"notes":null,"links":["https://cloud.google.com/functions/docs/locations","https://cloud.google.com/functions/docs/reference/iam/permissions"],"seeAlso":[]},"cloudfunctions.operations.get":{"id":"cloudfunctions.operations.get","name":"Cloud functions operations","scope":"CRITICAL","parent":{"notes":"The operation includes the data returned from the API call the operation is associated with. This means that viewing an operation includes access to view function metadata, and contains the same risks as get and list operations directly on functions.","description":"Operations represent long-running cloud functions API calls. They are used for create, delete, and update operations on cloud functions."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See notes for functions.get","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.operations"],"seeAlso":[]},"cloudfunctions.operations.list":{"id":"cloudfunctions.operations.list","name":"Cloud functions operations","scope":"CRITICAL","parent":{"notes":"The operation includes the data returned from the API call the operation is associated with. 
This means that viewing an operation includes access to view function metadata, and contains the same risks as get and list operations directly on functions.","description":"Operations represent long-running cloud functions API calls. They are used for create, delete, and update operations on cloud functions."},"risks":["discovery:infra","discovery:network","discovery:data","discovery:policy"],"notes":"See notes for functions.get","links":["https://cloud.google.com/functions/docs/reference/iam/permissions","https://cloud.google.com/functions/docs/reference/rest/v2/projects.locations.operations"],"seeAlso":[]},"cloudfunctions.runtimes.list":{"id":"cloudfunctions.runtimes.list","name":"Cloud Functions runtimes","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's runtime offerings for Cloud Functions.","description":"Runtimes available for Google Cloud functions."},"risks":[],"notes":null,"links":["https://cloud.google.com/functions/docs/runtime-support","https://cloud.google.com/functions/docs/reference/iam/permissions"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.create":{"id":"cloudkms.cryptoKeyVersions.create","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.destroy":{"id":"cloudkms.cryptoKeyVersions.destroy","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["destruction:crypto","impact:encryption"],"notes":"Destroyed key versions cannot be recovered. Any data encrypted with the key version will no longer be able to be decrypted.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.get":{"id":"cloudkms.cryptoKeyVersions.get","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["discovery:infra"],"notes":"This includes infra discovery because key metadata such as the algorithm are exposed. Does not give access to keys.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.list":{"id":"cloudkms.cryptoKeyVersions.list","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["discovery:infra"],"notes":"See get.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.manageRawAesCbcKeys":{"id":"cloudkms.cryptoKeyVersions.manageRawAesCbcKeys","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":[],"notes":"This permission is required to manage AES CBC keys. It has no risks because it provides no access on its own: the user still needs permissions on the keys.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.manageRawAesCtrKeys":{"id":"cloudkms.cryptoKeyVersions.manageRawAesCtrKeys","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":[],"notes":"This permission is required to manage AES CTR keys. 
It has no risks because it provides no access on its own: the user still needs permissions on the keys.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.manageRawPKCS1Keys":{"id":"cloudkms.cryptoKeyVersions.manageRawPKCS1Keys","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":[],"notes":"This permission is required to manage AES CTR keys. It has no risks because it provides no access on its own: the user still needs permissions on the keys.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.restore":{"id":"cloudkms.cryptoKeyVersions.restore","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":"Restores a key that was scheduled for destruction.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.update":{"id":"cloudkms.cryptoKeyVersions.update","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:dos","destruction:metadata"],"notes":"Can be used to disable a key version. While a key version is disabled, data encrypted with it cannot be accessed. The secret content of the key cannot be edited or destroyed via this method.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToDecrypt":{"id":"cloudkms.cryptoKeyVersions.useToDecrypt","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend","exfiltration:data"],"notes":"Can be used to decrypt data encrypted with the key version.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToDecryptViaDelegation":{"id":"cloudkms.cryptoKeyVersions.useToDecryptViaDelegation","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend","exfiltration:data"],"notes":"Can be used to decrypt data encrypted with the key version through other Google Services.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToEncrypt":{"id":"cloudkms.cryptoKeyVersions.useToEncrypt","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":"Can be used to encrypt data with the key version.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToEncryptViaDelegation":{"id":"cloudkms.cryptoKeyVersions.useToEncryptViaDelegation","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":"Can be used to encrypt data with the key version through other Google Services.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToSign":{"id":"cloudkms.cryptoKeyVersions.useToSign","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend","impact:manipulation"],"notes":"Can be used to sign data with the key version.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.useToVerify":{"id":"cloudkms.cryptoKeyVersions.useToVerify","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":["impact:spend"],"notes":"Can be used to verify data signed with the key version.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeyVersions.viewPublicKey":{"id":"cloudkms.cryptoKeyVersions.viewPublicKey","name":"Cloud KMS Crypto Key Versions","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key version contains key material used for encryption or signing."},"risks":[],"notes":"This only shows public keys","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeys.create":{"id":"cloudkms.cryptoKeys.create","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":[],"notes":"Billing is based on key versions, so keys do not incur billing.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeys.get":{"id":"cloudkms.cryptoKeys.get","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":["discovery:infra"],"notes":"Does not provide access to keys: raw key material can never be viewed.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions#CryptoKeyVersion"],"seeAlso":[]},"cloudkms.cryptoKeys.getIamPolicy":{"id":"cloudkms.cryptoKeys.getIamPolicy","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeys.list":{"id":"cloudkms.cryptoKeys.list","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  
The actual contents of the key are stored in the version."},"risks":["discovery:infra"],"notes":"Does not provide access to keys: raw key material can never be viewed.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions#CryptoKeyVersion"],"seeAlso":[]},"cloudkms.cryptoKeys.setIamPolicy":{"id":"cloudkms.cryptoKeys.setIamPolicy","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  The actual contents of the key are stored in the version."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.cryptoKeys.update":{"id":"cloudkms.cryptoKeys.update","name":"Cloud KMS Crypto Keys","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of  sensitive data or for the creation or verification of digital signatures.","description":"A key contains one or more versions along with metadata.  
The actual contents of the key are stored in the version."},"risks":["destruction:defense","destruction:metadata"],"notes":"Can be used to change key rotation settings, impairing defense.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/iam","https://cloud.google.com/kms/docs/reference/rest"],"seeAlso":[]},"cloudkms.ekmConfigs.get":{"id":"cloudkms.ekmConfigs.get","name":"Cloud KMS EKM Configs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS EKM config applies to all keys with a protection level of EXTERNAL_VPC in a given project or location. These are keys managed by and stored in an external key management system and accessed by Cloud KMS over VPC."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/EkmConfig"],"seeAlso":[]},"cloudkms.ekmConfigs.getIamPolicy":{"id":"cloudkms.ekmConfigs.getIamPolicy","name":"Cloud KMS EKM Configs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS EKM config applies to all keys with a protection level of EXTERNAL_VPC in a given project or location. These are keys managed by and stored in an external key management system and accessed by Cloud KMS over VPC."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/EkmConfig"],"seeAlso":[]},"cloudkms.ekmConfigs.setIamPolicy":{"id":"cloudkms.ekmConfigs.setIamPolicy","name":"Cloud KMS EKM Configs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS EKM config applies to all keys with a protection level of EXTERNAL_VPC in a given project or location. 
These are keys managed by and stored in an external key management system and accessed by Cloud KMS over VPC."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/EkmConfig"],"seeAlso":[]},"cloudkms.ekmConfigs.update":{"id":"cloudkms.ekmConfigs.update","name":"Cloud KMS EKM Configs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS EKM config applies to all keys with a protection level of EXTERNAL_VPC in a given project or location. These are keys managed by and stored in an external key management system and accessed by Cloud KMS over VPC."},"risks":["impact:dos"],"notes":"Allows changing or removing the default EKM connection for this project and location. This may cause keys to be inaccessible, creating a DOS.","links":["https://cloud.google.com/kms/docs/reference/rest/v1/EkmConfig"],"seeAlso":[]},"cloudkms.ekmConnections.create":{"id":"cloudkms.ekmConnections.create","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers in a specific Google Cloud location. An EKM connection allows you to connect to and use keys from an external key manager over a VPC network"},"risks":[],"notes":"EKM connections do not incur storage costs.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.get":{"id":"cloudkms.ekmConnections.get","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers in a specific Google Cloud location. 
An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.getIamPolicy":{"id":"cloudkms.ekmConnections.getIamPolicy","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.list":{"id":"cloudkms.ekmConnections.list","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.setIamPolicy":{"id":"cloudkms.ekmConnections.setIamPolicy","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. 
An EKM connection allows you to connect to and use keys from an external key manager over a VPC network"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.update":{"id":"cloudkms.ekmConnections.update","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers in a specific Google Cloud location. An EKM connection allows you to connect to and use keys from an external key manager over a VPC network"},"risks":["impact:dos"],"notes":"Can update the settings used to connect to the external key management instance, such as the EKM hostname and the server hostname. Changing these settings can render keys inaccessible.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.use":{"id":"cloudkms.ekmConnections.use","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers in a specific Google Cloud location. 
An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.ekmConnections.verifyConnectivity":{"id":"cloudkms.ekmConnections.verifyConnectivity","name":"Cloud KMS EKM Connections","scope":"MEDIUM","parent":{"notes":null,"description":"An EKM connection organizes VPC connections to your on-premises external key managers  in a specific Google Cloud location. An EKM connection allows you to connect to and use keys  from an external key manager over a VPC network"},"risks":[],"notes":"Returns only a success or failure indicating whether Cloud KMS can connect to the external key manager.","links":["https://cloud.google.com/kms/docs/resource-hierarchy","https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections"],"seeAlso":[]},"cloudkms.importJobs.create":{"id":"cloudkms.importJobs.create","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.get":{"id":"cloudkms.importJobs.get","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.getIamPolicy":{"id":"cloudkms.importJobs.getIamPolicy","name":"Cloud KMS Import 
Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.list":{"id":"cloudkms.importJobs.list","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.setIamPolicy":{"id":"cloudkms.importJobs.setIamPolicy","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.importJobs.useToImport":{"id":"cloudkms.importJobs.useToImport","name":"Cloud KMS Import Jobs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud KMS import job is used to create KMS Crypto Keys and Crypto Key Versions using pre-existing key material."},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs"],"seeAlso":[]},"cloudkms.keyRings.create":{"id":"cloudkms.keyRings.create","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":[],"notes":"Billing is based on key versions, so key rings do not incur billing.","links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.createTagBinding":{"id":"cloudkms.keyRings.createTagBinding","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.deleteTagBinding":{"id":"cloudkms.keyRings.deleteTagBinding","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.get":{"id":"cloudkms.keyRings.get","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.getIamPolicy":{"id":"cloudkms.keyRings.getIamPolicy","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.list":{"id":"cloudkms.keyRings.list","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.listEffectiveTags":{"id":"cloudkms.keyRings.listEffectiveTags","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.listTagBindings":{"id":"cloudkms.keyRings.listTagBindings","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.keyRings.setIamPolicy":{"id":"cloudkms.keyRings.setIamPolicy","name":"Cloud KMS Key Rings","scope":"CRITICAL","parent":{"notes":"Cloud KMS is an extremely sensitive service. 
Keys can be used for encryption/decryption of sensitive data or for the creation or verification of digital signatures.","description":"A Cloud KMS key ring is a logical grouping of keys in the same location."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"cloudkms.locations.list":{"id":"cloudkms.locations.list","name":"Cloud KMS Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud KMS","description":"Infrastructure regions available for Cloud KMS resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"cloudkms.locations.get":{"id":"cloudkms.locations.get","name":"Cloud KMS Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud KMS","description":"Infrastructure regions available for Cloud KMS resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"cloudkms.locations.generateRandomBytes":{"id":"cloudkms.locations.generateRandomBytes","name":"Cloud KMS Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud KMS","description":"Infrastructure regions available for Cloud KMS resources"},"risks":[],"notes":"Returns random bytes generated by Cloud HSM in the requested location; no key material is involved.","links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"cloudkms.locations.optOutKeyDeletionMsa":{"id":"cloudkms.locations.optOutKeyDeletionMsa","name":"Cloud KMS Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud KMS","description":"Infrastructure regions available for Cloud KMS resources"},"risks":[],"notes":"The specific use of this 
permission is unknown.","links":["https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"cloudkms.protectedResources.search":{"id":"cloudkms.protectedResources.search","name":"Cloud KMS Protected Resources","scope":"MEDIUM","parent":{"notes":"This resource may contain information about a broad range of Google Cloud resources.","description":"Cloud KMS Protected Resources are Google Cloud resources secured with Cloud KMS keys."},"risks":["discovery:infra"],"notes":"Allows searching resources secured by Cloud KMS keys.","links":["https://cloud.google.com/kms/docs/reference/inventory/rest/v1/organizations.protectedResources"],"seeAlso":[]},"cloudsql.backupRuns.create":{"id":"cloudsql.backupRuns.create","name":"Google Cloud SQL","scope":"LOW","parent":{"notes":null,"description":"Cloud SQL backups contain the data stored in your Cloud SQL instance, to be used for recovery and rollback purposes."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.backupRuns.delete":{"id":"cloudsql.backupRuns.delete","name":"Google Cloud SQL","scope":"LOW","parent":{"notes":null,"description":"Cloud SQL backups contain the data stored in your Cloud SQL instance, to be used for recovery and rollback purposes."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.backupRuns.get":{"id":"cloudsql.backupRuns.get","name":"Google Cloud SQL","scope":"LOW","parent":{"notes":null,"description":"Cloud SQL backups contain the data stored in your Cloud SQL instance, to be used for recovery and rollback purposes."},"risks":["discovery:infra"],"notes":"Access to backup 
metadata.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.backupRuns.list":{"id":"cloudsql.backupRuns.list","name":"Google Cloud SQL","scope":"LOW","parent":{"notes":null,"description":"Cloud SQL backups contain the data stored in your Cloud SQL instance, to be used for recovery and rollback purposes."},"risks":["discovery:infra"],"notes":"Access to backup metadata.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.create":{"id":"cloudsql.databases.create","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":["impact:spend","impact:consumption"],"notes":"This privilege enables users to create databases within a Cloud SQL instance. Adding databases can increase spend.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.delete":{"id":"cloudsql.databases.delete","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":["destruction:data","destruction:infra","destruction:logs"],"notes":"With this privilege, users can delete databases within a Cloud SQL instance.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.get":{"id":"cloudsql.databases.get","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":["discovery:infra"],"notes":"Access to database metadata.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.list":{"id":"cloudsql.databases.list","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":["discovery:infra"],"notes":"Access to database metadata.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.databases.update":{"id":"cloudsql.databases.update","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"The Cloud SQL database is the set of software and files that operates the MySQL, PostgreSQL, or SQL Server database service."},"risks":[],"notes":"Allows updating database charset and collation settings.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.addServerCa":{"id":"cloudsql.instances.addServerCa","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"Adds a new trusted Certificate Authority version for the specified instance. 
It does not replace the CA currently in use; that requires a separate permission (rotateServerCa), so on its own this poses no risk.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances/addServerCa"],"seeAlso":[]},"cloudsql.instances.clone":{"id":"cloudsql.instances.clone","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:spend"],"notes":"Cloning an instance also requires the create privilege.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.connect":{"id":"cloudsql.instances.connect","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["escalation:network"],"notes":"Required, together with cloudsql.instances.get (the two permissions that make up roles/cloudsql.client), to open a connection to an instance through the Cloud SQL Auth Proxy or the Cloud SQL language connectors. The gcloud sql connect command linked below additionally makes a temporary change to the instance's authorized networks to admit the caller's IP address. 
Note that authentication into the database is still separate, so this does not provide access to data.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sdk/gcloud/reference/sql/connect"],"seeAlso":[]},"cloudsql.instances.create":{"id":"cloudsql.instances.create","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:spend"],"notes":"This privilege allows users to create new Cloud SQL instances, potentially incurring cost due to resource usage.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.createTagBinding":{"id":"cloudsql.instances.createTagBinding","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. If an IAM policy binding that applies to the user is conditioned on a tag, creating that tag binding on a resource lets them satisfy the condition and escalate their access to that resource. 
Also requires getIamPolicy or knowledge of the IAM policy from some other means.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.delete":{"id":"cloudsql.instances.delete","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["destruction:data","destruction:infra"],"notes":"With this privilege, users can delete Cloud SQL instances. It poses risks of service disruption, permanent data loss, and infrastructure damage.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.deleteTagBinding":{"id":"cloudsql.instances.deleteTagBinding","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. 
The \"destruction:policy\" and \"impact:access\" risks apply if the tag is used in any policies.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.demoteMaster":{"id":"cloudsql.instances.demoteMaster","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"This permission allows converting an instance to a read replica. Since read replicas do not allow write requests, this can cause a denial of service if the instance is handling write requests.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/replication"],"seeAlso":[]},"cloudsql.instances.export":{"id":"cloudsql.instances.export","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["exfiltration:data"],"notes":"This permission allows exporting the results of a SQL query run on the instance database as a CSV, or exporting the entire database as a SQL dump, to a Cloud Storage bucket.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.failover":{"id":"cloudsql.instances.failover","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"This causes Cloud SQL to switch to serving data from a secondary instance instead of the primary. Google expects the failover operation to render the instance inaccessible for about 60 seconds, so this could produce a DoS if executed repeatedly.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.get":{"id":"cloudsql.instances.get","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["discovery:infra","discovery:policy"],"notes":"Allows access to instance metadata and settings, including IP addresses, authorized networks, and backup settings.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.getDiskShrinkConfig":{"id":"cloudsql.instances.getDiskShrinkConfig","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.import":{"id":"cloudsql.instances.import","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:consumption","impact:dos","impact:manipulation"],"notes":"Allows importing data to an instance. If enough data is imported to exhaust the instance's disk space, this will cause a DoS until the instance is manually resized. Because an imported SQL dump is executed as statements, it can also modify or overwrite existing data.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.list":{"id":"cloudsql.instances.list","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["discovery:infra","discovery:policy"],"notes":"Allows access to instance metadata and settings, including IP addresses, authorized networks, and backup settings.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.listEffectiveTags":{"id":"cloudsql.instances.listEffectiveTags","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.listServerCas":{"id":"cloudsql.instances.listServerCas","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.listTagBindings":{"id":"cloudsql.instances.listTagBindings","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.login":{"id":"cloudsql.instances.login","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"Required for IAM database authentication: a principal holding this permission (it is granted by roles/cloudsql.instanceUser) can log in to the instance as an IAM database user, provided IAM authentication is enabled on the instance and a matching database user has been created for that principal. It does not by itself create that database user.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.migrate":{"id":"cloudsql.instances.migrate","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.performDiskShrink":{"id":"cloudsql.instances.performDiskShrink","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.promoteReplica":{"id":"cloudsql.instances.promoteReplica","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:spend"],"notes":"This permission allows converting a read replica to a primary instance.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/replication"],"seeAlso":[]},"cloudsql.instances.reencrypt":{"id":"cloudsql.instances.reencrypt","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"This permission re-encrypts the instance with the existing primary key.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.resetReplicaSize":{"id":"cloudsql.instances.resetReplicaSize","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.resetSslConfig":{"id":"cloudsql.instances.resetSslConfig","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"Deletes all client certificates and generates a new server SSL certificate for the instance. This can cause a denial of service since clients will not be updated to use the new certificate.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances/resetSslConfig"],"seeAlso":[]},"cloudsql.instances.restart":{"id":"cloudsql.instances.restart","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"Restarts the instance. This can cause a denial of service since it closes all existing connections.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.restoreBackup":{"id":"cloudsql.instances.restoreBackup","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["destruction:data","destruction:logs"],"notes":"The restore process overwrites all the current data on the instance and it cannot be recovered.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/backup-recovery/restoring"],"seeAlso":[]},"cloudsql.instances.rotateServerCa":{"id":"cloudsql.instances.rotateServerCa","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos"],"notes":"Rotates the server certificate to one signed by the certificate authority version previously added. Can cause a denial of service if clients have not been updated to use the new certificate. There must be another certificate authority already added to exploit this.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances/addServerCa"],"seeAlso":[]},"cloudsql.instances.startReplica":{"id":"cloudsql.instances.startReplica","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":[],"notes":"Starts replication from the primary instance on a read replica.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/postgres/replication/manage-replicas"],"seeAlso":[]},"cloudsql.instances.stopReplica":{"id":"cloudsql.instances.stopReplica","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["destruction:defense"],"notes":"Stops replication from the primary instance on a read replica. Requests are made directly to a replica, so any subsequent requests to that read replica will get outdated data.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/postgres/replication/manage-replicas"],"seeAlso":[]},"cloudsql.instances.truncateLog":{"id":"cloudsql.instances.truncateLog","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["destruction:logs"],"notes":"This allows truncating log entries from the instance. Will only pose a risk to logs that are stored as tables in the database, which is configured in database settings.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.instances.update":{"id":"cloudsql.instances.update","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"A Cloud SQL instance is a VM managed by Google that runs the SQL database instance (as well as any accompanying containers)"},"risks":["impact:dos","destruction:defense","impact:spend","impact:encryption"],"notes":"Allows updating various instance metadata and settings, including authorized networks, backup settings, and encryption keys.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.create":{"id":"cloudsql.sslCerts.create","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. Each instance can have 10 client certificates."},"risks":["impact:consumption","escalation:network"],"notes":"This permission allows creating a client SSL certificate for the instance, which allows the user to establish a connection to the instance. Note that authentication into the database is still separate, so this does not provide access to data.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.createEphemeral":{"id":"cloudsql.sslCerts.createEphemeral","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. Each instance can have 10 client certificates."},"risks":["escalation:network"],"notes":"This permission allows creating an ephemeral client SSL certificate for the instance, which allows the user to establish a connection to the instance. Note that authentication into the database is still separate, so this does not provide access to data.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.delete":{"id":"cloudsql.sslCerts.delete","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. Each instance can have 10 client certificates."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.get":{"id":"cloudsql.sslCerts.get","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. 
Each instance can have 10 client certificates."},"risks":[],"notes":"Does not include private keys.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.sslCerts.list":{"id":"cloudsql.sslCerts.list","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"SSL client certificates for connecting to a Cloud SQL instance. Each instance can have 10 client certificates."},"risks":[],"notes":"Does not include private keys.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.users.create":{"id":"cloudsql.users.create","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["destruction:data","destruction:logs","exfiltration:data","exfiltration:logs","impact:manipulation"],"notes":"This permission allows creating a new user with a provided username/password.  
It grants the created user super user privileges on the database.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions","https://cloud.google.com/sql/docs/postgres/create-manage-users"],"seeAlso":[]},"cloudsql.users.get":{"id":"cloudsql.users.get","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["discovery:account"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.users.list":{"id":"cloudsql.users.list","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["discovery:account"],"notes":null,"links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.users.update":{"id":"cloudsql.users.update","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. 
Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["impact:access","destruction:data","destruction:logs","exfiltration:data","exfiltration:logs","impact:manipulation"],"notes":"Allows updating the password of an existing user.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"cloudsql.users.delete":{"id":"cloudsql.users.delete","name":"Google Cloud SQL","scope":"CRITICAL","parent":{"notes":"Cloud SQL is used to store and serve sensitive and application-critical data. Breach of a cloud SQL database can lead to exfiltration of highly sensitive data, or interruption of mission-critical applications.","description":"Cloud SQL users are used to authenticate into Cloud SQL databases."},"risks":["destruction:account"],"notes":"Users with this privilege can delete database users within a Cloud SQL instance.","links":["https://cloud.google.com/sql/docs/mysql/iam-permissions","https://cloud.google.com/sql/docs/mysql/iam-overview","https://cloud.google.com/sql/docs/mysql/roles-and-permissions"],"seeAlso":[]},"compute.acceleratorTypes.get":{"id":"compute.acceleratorTypes.get","name":"Compute Engine accelerator-optimized machines","scope":"PUBLIC","parent":{"notes":"Reads publicly available data from Google Cloud","description":"Read accelerator-optimized machine types"},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/accelerator-optimized-machines"],"seeAlso":[]},"compute.acceleratorTypes.list":{"id":"compute.acceleratorTypes.list","name":"Compute Engine accelerator-optimized machines","scope":"PUBLIC","parent":{"notes":"Reads publicly available data from Google Cloud","description":"Read accelerator-optimized machine 
types"},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/accelerator-optimized-machines"],"seeAlso":[]},"compute.addresses.create":{"id":"compute.addresses.create","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.createInternal":{"id":"compute.addresses.createInternal","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.delete":{"id":"compute.addresses.delete","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. 
If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["destruction:infra"],"notes":"Cannot delete an address that is in use by an instance.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.deleteInternal":{"id":"compute.addresses.deleteInternal","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["destruction:infra"],"notes":"Cannot delete an address that is in use by an instance.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.get":{"id":"compute.addresses.get","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. 
If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["discovery:network"],"notes":"May allow an attacker to identify network resources to target.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.list":{"id":"compute.addresses.list","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["discovery:network"],"notes":"May allow an attacker to identify network resources to target.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.setLabels":{"id":"compute.addresses.setLabels","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.use":{"id":"compute.addresses.use","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. 
If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["escalation:lateral"],"notes":"If used to attach a network address to an already compromised access, can allow lateral movement across a network.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.addresses.useInternal":{"id":"compute.addresses.useInternal","name":"Compute Engine addresses","scope":"LOW","parent":{"notes":"Allows discovering, reserving, and modifying IP addresses within Compute Engine. If IP ranges are narrowly constrained (e.g., from a /28 range), may allow an attacker to deny access to infrastructure.","description":"Read and edit Compute Engine addresses"},"risks":["escalation:lateral"],"notes":"If used to attach a network address to an already compromised access, can allow lateral movement across a network.","links":["https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address","https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address"],"seeAlso":[]},"compute.autoscalers.create":{"id":"compute.autoscalers.create","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["impact:spend","impact:hijack"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.autoscalers.delete":{"id":"compute.autoscalers.delete","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). 
Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.autoscalers.get":{"id":"compute.autoscalers.get","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.autoscalers.list":{"id":"compute.autoscalers.list","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.autoscalers.update":{"id":"compute.autoscalers.update","name":"Compute Engine autoscalers","scope":"MEDIUM","parent":{"notes":"Note that autoscaling is only applicable if the resource uses managed instance groups (MIGs). Generally requires `compute.instanceGroupManagers.use`.","description":"Read and edit Compute Engine autoscaling groups."},"risks":["impact:spend","impact:hijack","destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/autoscaler"],"seeAlso":[]},"compute.backendBuckets.addSignedUrlKey":{"id":"compute.backendBuckets.addSignedUrlKey","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. 
if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege"],"notes":"Allows an attacker to forge signed URLs, potentially gaining access to additional data.","links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.create":{"id":"compute.backendBuckets.create","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":[],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.delete":{"id":"compute.backendBuckets.delete","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. 
if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra","destruction:data"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.deleteSignedUrlKey":{"id":"compute.backendBuckets.deleteSignedUrlKey","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.get":{"id":"compute.backendBuckets.get","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. 
if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.getIamPolicy":{"id":"compute.backendBuckets.getIamPolicy","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.list":{"id":"compute.backendBuckets.list","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. 
if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.setIamPolicy":{"id":"compute.backendBuckets.setIamPolicy","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.setSecurityPolicy":{"id":"compute.backendBuckets.setSecurityPolicy","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. 
if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege"],"notes":"Allows an attacker to defeat content security, gaining access to bucket contents.","links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets","https://cloud.google.com/armor/docs/security-policy-overview"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.update":{"id":"compute.backendBuckets.update","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra","destruction:data"],"notes":"Does not allow modification to edge security policies. 
Allows modifying some CDN policies, but not anything that impacts access control.","links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets/update"],"seeAlso":["compute.backendServices"]},"compute.backendBuckets.use":{"id":"compute.backendBuckets.use","name":"Compute Engine backend buckets","scope":"HIGH","parent":{"notes":"Generally used for providing publicly accessible data via a load balancer. This scope may depend on the exact configuration of the load balancer (e.g. if the load balancer requires certain cookies or auth tokens), and whether the load balancer itself is intended to be publicly accessible. The scope of read permissions should be downgraded to PUBLIC if only publicly accessible data are contained within these buckets.","description":"Cloud Storage buckets that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:lateral"],"notes":"When combined with the ability to edit URL maps, allows an attacker to point a load-balancer URL to a backend bucket.","links":["https://cloud.google.com/load-balancing/docs/https/ext-load-balancer-backend-buckets","https://cloud.google.com/compute/docs/reference/rest/v1/backendBuckets","https://cloud.google.com/compute/docs/reference/rest/v1/urlMaps/insert"],"seeAlso":["compute.backendServices"]},"compute.backendServices.addSignedUrlKey":{"id":"compute.backendServices.addSignedUrlKey","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege"],"notes":"Allows an attacker to forge signed URLs, potentially gaining access to additional 
data.","links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.create":{"id":"compute.backendServices.create","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":[],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.delete":{"id":"compute.backendServices.delete","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.deleteSignedUrlKey":{"id":"compute.backendServices.deleteSignedUrlKey","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.get":{"id":"compute.backendServices.get","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load 
balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.getIamPolicy":{"id":"compute.backendServices.getIamPolicy","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.list":{"id":"compute.backendServices.list","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.setIamPolicy":{"id":"compute.backendServices.setIamPolicy","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud 
CDN."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.setSecurityPolicy":{"id":"compute.backendServices.setSecurityPolicy","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:privilege"],"notes":"Allows an attacker to defeat content security, potentially gaining layer-7 access to the service.","links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices","https://cloud.google.com/armor/docs/security-policy-overview"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.update":{"id":"compute.backendServices.update","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["destruction:infra","destruction:data"],"notes":"Does not allow modification of security policies. 
Allows CDN policy modification but nothing that affects access control.","links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices/update"],"seeAlso":["compute.backendBuckets"]},"compute.backendServices.use":{"id":"compute.backendServices.use","name":"Compute Engine backend services","scope":"HIGH","parent":{"notes":"Used to serve dynamic content via a load balancer.","description":"Backend endpoints that may be referenced by load-balancer URL maps, or via Cloud CDN."},"risks":["escalation:lateral"],"notes":"When combined with the ability to edit URL maps, allows an attacker to point a load-balancer URL to a backend service.","links":["https://cloud.google.com/load-balancing/docs/backend-service","https://cloud.google.com/compute/docs/reference/rest/v1/backendServices","https://cloud.google.com/compute/docs/reference/rest/v1/urlMaps/insert"],"seeAlso":["compute.backendBuckets"]},"compute.commitments.create":{"id":"compute.commitments.create","name":"Compute Engine commitments","scope":"MEDIUM","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use discounts."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.commitments.get":{"id":"compute.commitments.get","name":"Compute Engine commitments","scope":"LOW","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use discounts."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.commitments.list":{"id":"compute.commitments.list","name":"Compute Engine commitments","scope":"LOW","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use 
discounts."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.commitments.update":{"id":"compute.commitments.update","name":"Compute Engine commitments","scope":"MEDIUM","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use discounts."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.commitments.updateReservations":{"id":"compute.commitments.updateReservations","name":"Compute Engine commitments","scope":"MEDIUM","parent":{"notes":"Commitments affect operational cost.","description":"Manage committed use discounts."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances/committed-use-discounts-overview"],"seeAlso":[]},"compute.diskTypes.get":{"id":"compute.diskTypes.get","name":"Compute Engine disk types","scope":"PUBLIC","parent":{"notes":"Reads publicly available data from Google Cloud","description":"Read available disk types"},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/disks","https://cloud.google.com/compute/docs/reference/rest/v1/diskTypes"],"seeAlso":[]},"compute.diskTypes.list":{"id":"compute.diskTypes.list","name":"Compute Engine disk types","scope":"PUBLIC","parent":{"notes":"Reads publicly available data from Google Cloud","description":"Read available disk types"},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/disks","https://cloud.google.com/compute/docs/reference/rest/v1/diskTypes"],"seeAlso":[]},"compute.disks.addResourcePolicies":{"id":"compute.disks.addResourcePolicies","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk 
assignments."},"risks":["impact:spend","collection:data"],"notes":"Requires a useful resource policy to otherwise exist.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/reference/rest/v1/resourcePolicies","https://cloud.google.com/compute/docs/disks/scheduled-snapshots"],"seeAlso":[]},"compute.disks.create":{"id":"compute.disks.create","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.createSnapshot":{"id":"compute.disks.createSnapshot","name":"Compute Engine disks","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["collection:data"],"notes":"When combined with the ability to read disk images, can allow access to disk data.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.createTagBinding":{"id":"compute.disks.createTagBinding","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["impact:access","escalation:privilege"],"notes":"Tag bindings are used to dynamically modify IAM policies.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.delete":{"id":"compute.disks.delete","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk 
assignments."},"risks":["destruction:infra","destruction:data"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.deleteTagBinding":{"id":"compute.disks.deleteTagBinding","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"Tag bindings are used to dynamically modify IAM policies.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.get":{"id":"compute.disks.get","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.getIamPolicy":{"id":"compute.disks.getIamPolicy","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.list":{"id":"compute.disks.list","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.listEffectiveTags":{"id":"compute.disks.listEffectiveTags","name":"Compute Engine 
disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.listTagBindings":{"id":"compute.disks.listTagBindings","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.removeResourceBindings":{"id":"compute.disks.removeResourceBindings","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/reference/rest/v1/resourcePolicies","https://cloud.google.com/compute/docs/disks/scheduled-snapshots"],"seeAlso":[]},"compute.disks.resize":{"id":"compute.disks.resize","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["impact:spend"],"notes":"Disks can only be increased in size.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/reference/rest/v1/disks/resize"],"seeAlso":[]},"compute.disks.setIamPolicy":{"id":"compute.disks.setIamPolicy","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within 
Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.setLabels":{"id":"compute.disks.setLabels","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.startAsyncReplication":{"id":"compute.disks.startAsyncReplication","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":[],"notes":null,"links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/disks/async-pd/about"],"seeAlso":[]},"compute.disks.stopAsyncReplication":{"id":"compute.disks.stopAsyncReplication","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["destruction:infra"],"notes":"Can effectively turn off disk replication if applied repeatedly.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/disks/async-pd/about"],"seeAlso":[]},"compute.disks.stopGroupAsyncReplication":{"id":"compute.disks.stopGroupAsyncReplication","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk 
assignments."},"risks":["destruction:infra"],"notes":"Can effectively turn off disk replication if applied repeatedly.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks","https://cloud.google.com/compute/docs/disks/async-pd/about"],"seeAlso":[]},"compute.disks.update":{"id":"compute.disks.update","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["escalation:data","destruction:infra"],"notes":"Can allow data access via modifying disk or snapshot encryption keys.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.use":{"id":"compute.disks.use","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["collection:data","destruction:data"],"notes":"Can allow data access if the attacker can attach the disk to an additionally compromised instance.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.disks.useReadOnly":{"id":"compute.disks.useReadOnly","name":"Compute Engine disks","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Read and edit Compute Engine disks and disk assignments."},"risks":["collection:data"],"notes":"Can allow data access if the attacker can attach the disk to an additionally compromised instance.","links":["https://cloud.google.com/compute/docs/disks/persistent-disks"],"seeAlso":[]},"compute.externalVpnGateways.create":{"id":"compute.externalVpnGateways.create","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute 
Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":[],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.delete":{"id":"compute.externalVpnGateways.delete","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.get":{"id":"compute.externalVpnGateways.get","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.list":{"id":"compute.externalVpnGateways.list","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network 
gateways)."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.setLabels":{"id":"compute.externalVpnGateways.setLabels","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.externalVpnGateways.use":{"id":"compute.externalVpnGateways.use","name":"Compute Engine external VPN gateways","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage external access points to Compute Engine VPNs (e.g., network gateways)."},"risks":["escalation:lateral"],"notes":"Can be used to gain network access when the attacker has access to both the gateway in question, and the ability to modify the VPN settings.","links":["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview","https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-peer-gateway"],"seeAlso":[]},"compute.firewallPolicies.addAssociation":{"id":"compute.firewallPolicies.addAssociation","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. 
Groupings can be across VPCs, regions, or an entire project."},"risks":["escalation:lateral"],"notes":"Appears to be an alias for compute.firewallPolicies.use.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies","https://cloud.google.com/vpc/docs/use-network-firewall-policies#associate"],"seeAlso":[]},"compute.firewallPolicies.cloneRules":{"id":"compute.firewallPolicies.cloneRules","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["destruction:policy","escalation:lateral"],"notes":"Simultaneously deletes a firewall policy and creates a new policy. Allows escalation when the new policy is overly permissive, or the attacker additionally can alter the copied policy.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.copyRules":{"id":"compute.firewallPolicies.copyRules","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":[],"notes":"Unknown or undocumented functionality. 
Likely unused.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.create":{"id":"compute.firewallPolicies.create","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":[],"notes":"No direct risks, but may increase the severity of attacks using other privileges (see addAssociation, cloneRules, and move).","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.delete":{"id":"compute.firewallPolicies.delete","name":"Compute Engine firewall policies","scope":"LOW","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["destruction:policy"],"notes":"All associations must be removed prior to deletion.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.get":{"id":"compute.firewallPolicies.get","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. 
Groupings can be across VPCs, regions, or an entire project."},"risks":["discovery:network","discovery:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.getIamPolicy":{"id":"compute.firewallPolicies.getIamPolicy","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.list":{"id":"compute.firewallPolicies.list","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["discovery:network","discovery:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.move":{"id":"compute.firewallPolicies.move","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. 
Groupings can be across VPCs, regions, or an entire project."},"risks":[],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.removeAssociation":{"id":"compute.firewallPolicies.removeAssociation","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["destruction:policy","escalation:lateral"],"notes":"Allows removal of a policy from a VPC.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.setIamPolicy":{"id":"compute.firewallPolicies.setIamPolicy","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.update":{"id":"compute.firewallPolicies.update","name":"Compute Engine firewall policies","scope":"LOW","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. 
Groupings can be across VPCs, regions, or an entire project."},"risks":["destruction:infra"],"notes":"Only allows for modification of a policy's description.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies"],"seeAlso":[]},"compute.firewallPolicies.use":{"id":"compute.firewallPolicies.use","name":"Compute Engine firewall policies","scope":"CRITICAL","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine.","description":"Manage groups of firewall rules. Groupings can be across VPCs, regions, or an entire project."},"risks":["escalation:lateral"],"notes":"Allows application of a firewall policy to a VPC.","links":["https://cloud.google.com/vpc/docs/firewall-policies-overview","https://cloud.google.com/sdk/gcloud/reference/compute/firewall-policies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies","https://cloud.google.com/compute/docs/reference/rest/v1/firewallPolicies/addAssociation"],"seeAlso":[]},"compute.forwardingRules.create":{"id":"compute.forwardingRules.create","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"Can be used to directly create a load balancer.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.delete":{"id":"compute.forwardingRules.delete","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["destruction:network"],"notes":"Also can terminate a load balancer.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.get":{"id":"compute.forwardingRules.get","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.list":{"id":"compute.forwardingRules.list","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscCreate":{"id":"compute.forwardingRules.pscCreate","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"Can be used to access Google managed services when a VM is already compromised.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscDelete":{"id":"compute.forwardingRules.pscDelete","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscSetLabels":{"id":"compute.forwardingRules.pscSetLabels","name":"Compute Engine forwarding rules","scope":"MEDIUM","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["destruction:infra"],"notes":"Labels are generally low-sensitivity infrastructure.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscSetTarget":{"id":"compute.forwardingRules.pscSetTarget","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may 
often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"Can be used to access Google managed services when a VM is already compromised.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.pscUpdate":{"id":"compute.forwardingRules.pscUpdate","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral","destruction:network"],"notes":"Can not be used to change targets. 
Can be used to access Google managed services when the rule already directs traffic to a target service and the attacker has access to a particular source VM.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.setLabels":{"id":"compute.forwardingRules.setLabels","name":"Compute Engine forwarding rules","scope":"MEDIUM","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["destruction:infra"],"notes":"Labels are generally low-sensitivity infrastructure.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.setTargets":{"id":"compute.forwardingRules.setTargets","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"Can be used to escalate access when an attacker can reach the loadbalancer source endpoint.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.update":{"id":"compute.forwardingRules.update","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral","destruction:network"],"notes":"Can not be used to change targets. 
Can be used to escalate access when the rule already directs traffic to a target system and the attacker has access to a particular source endpoint.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.forwardingRules.use":{"id":"compute.forwardingRules.use","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer."},"risks":["escalation:lateral"],"notes":"This privilege is undocumented by Google. In analogy to other .use privileges, this *may* allow connection of an existing forwarding rule to an (existing) load balancer, thereby potentially allowing access to a service. 
This has not been tested by the catalog maintainers.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.globalForwardingRules"]},"compute.globalAddresses.create":{"id":"compute.globalAddresses.create","name":"Compute Engine global addresses","scope":"HIGH","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["impact:consumption"],"notes":"Reserves a global IP address, but does not assign it to any infrastructure.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.createInternal":{"id":"compute.globalAddresses.createInternal","name":"Compute Engine global addresses","scope":"HIGH","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["impact:consumption"],"notes":"Reserves a global IP address, but does not assign it to any infrastructure. 
Requires access to the internal network for exploitation.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.delete":{"id":"compute.globalAddresses.delete","name":"Compute Engine global addresses","scope":"LOW","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["destruction:network"],"notes":"An address can only be released if it is not in use.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.deleteInternal":{"id":"compute.globalAddresses.deleteInternal","name":"Compute Engine global addresses","scope":"LOW","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["destruction:network"],"notes":"An address can only be released if it is not in use.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.get":{"id":"compute.globalAddresses.get","name":"Compute Engine global addresses","scope":"HIGH","parent":{"notes":"Limited attack 
compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.list":{"id":"compute.globalAddresses.list","name":"Compute Engine global addresses","scope":"HIGH","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.setLabels":{"id":"compute.globalAddresses.setLabels","name":"Compute Engine global addresses","scope":"LOW","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalAddresses.use":{"id":"compute.globalAddresses.use","name":"Compute Engine global 
addresses","scope":"HIGH","parent":{"notes":"Limited attack compared to direct VM access; exploitation involves also exercising risks in load-balancer routing.","description":"Manage global addresses used by cloud load balancers."},"risks":["escalation:lateral"],"notes":"Requires an attacker to also be able to manipulate load-balancer routing rules to gain access to any network resource.","links":["https://cloud.google.com/compute/docs/ip-addresses/","https://cloud.google.com/load-balancing/docs/choosing-load-balancer#global-regional","https://cloud.google.com/sdk/gcloud/reference/compute/addresses","https://cloud.google.com/compute/docs/reference/rest/v1/globalAddresses"],"seeAlso":[]},"compute.globalForwardingRules.create":{"id":"compute.globalForwardingRules.create","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. 
Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"Can be used to directly create a load balancer.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.delete":{"id":"compute.globalForwardingRules.delete","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["destruction:network"],"notes":"Also can terminate a load balancer.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.get":{"id":"compute.globalForwardingRules.get","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.list":{"id":"compute.globalForwardingRules.list","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. 
Like `forwardingRules`, but for global load balancing."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscCreate":{"id":"compute.globalForwardingRules.pscCreate","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. 
Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"Can be used to access Google managed services when a VM is already compromised.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscGet":{"id":"compute.globalForwardingRules.pscGet","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. 
Like `forwardingRules`, but for global load balancing."},"risks":["discovery:network","discovery:infra"],"notes":"Discovers infrastructure when the target is identified by resource identifier.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscDelete":{"id":"compute.globalForwardingRules.pscDelete","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscSetLabels":{"id":"compute.globalForwardingRules.pscSetLabels","name":"Compute Engine forwarding rules","scope":"MEDIUM","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["destruction:infra"],"notes":"Labels are generally low-sensitivity infrastructure.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscSetTarget":{"id":"compute.globalForwardingRules.pscSetTarget","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. 
Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"Can be used to access Google managed services when a VM is already compromised.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.pscUpdate":{"id":"compute.globalForwardingRules.pscUpdate","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral","destruction:network"],"notes":"Can not be used to change targets. 
Can be used to access Google managed services when the rule already directs traffic to a target service and the attacker has access to a particular source VM.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.setLabels":{"id":"compute.globalForwardingRules.setLabels","name":"Compute Engine forwarding rules","scope":"MEDIUM","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["destruction:infra"],"notes":"Labels are generally low-sensitivity infrastructure.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.setTargets":{"id":"compute.globalForwardingRules.setTargets","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"Can be used to escalate access when an attacker can reach the load balancer source endpoint.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.update":{"id":"compute.globalForwardingRules.update","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral","destruction:network"],"notes":"Cannot be used to change targets. 
Can be used to escalate access when the rule already directs traffic to a target system and the attacker has access to a particular source endpoint.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalForwardingRules.use":{"id":"compute.globalForwardingRules.use","name":"Compute Engine forwarding rules","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing."},"risks":["escalation:lateral"],"notes":"This privilege is undocumented by Google. In analogy to other .use privileges, this *may* allow connection of an existing forwarding rule to an (existing) load balancer, thereby potentially allowing access to a service. 
This has not been tested by the catalog maintainers.","links":["https://cloud.google.com/load-balancing/docs/using-forwarding-rules","https://cloud.google.com/load-balancing/docs/protocol-forwarding","https://cloud.google.com/load-balancing/docs/access-control","https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd","https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules","https://cloud.google.com/vpc/docs/private-service-connect"],"seeAlso":["compute.forwardingRules"]},"compute.globalNetworkEndpointGroups.attachNetworkEndpoints":{"id":"compute.globalNetworkEndpointGroups.attachNetworkEndpoints","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:lateral"],"notes":"With a NEG on an already accessible network, can be used to connect to sensitive backend services. Can be combined with `create` to broaden attack surface.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.create":{"id":"compute.globalNetworkEndpointGroups.create","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:lateral"],"notes":"When combined with attachNetworkEndpoints, can be used to connect to sensitive backend services.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.delete":{"id":"compute.globalNetworkEndpointGroups.delete","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.detachNetworkEndpoints":{"id":"compute.globalNetworkEndpointGroups.detachNetworkEndpoints","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.get":{"id":"compute.globalNetworkEndpointGroups.get","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.getIamPolicy":{"id":"compute.globalNetworkEndpointGroups.getIamPolicy","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.list":{"id":"compute.globalNetworkEndpointGroups.list","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.setIamPolicy":{"id":"compute.globalNetworkEndpointGroups.setIamPolicy","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.networkEndpointGroups"]},"compute.globalNetworkEndpointGroups.use":{"id":"compute.globalNetworkEndpointGroups.use","name":"Compute Engine global network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage global network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["impact:dos"],"notes":"In combination with the ability to alter health checks, allows creation of health checks based on NEGs. 
Could lead to DoS if health checks are sufficiently frequent and the referenced endpoints sufficiently expensive.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups","https://cloud.google.com/compute/docs/reference/rest/v1/regionHealthCheckServices/insert"],"seeAlso":["compute.networkEndpointGroups"]},"compute.healthChecks.create":{"id":"compute.healthChecks.create","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.delete":{"id":"compute.healthChecks.delete","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["destruction:network"],"notes":"May make backend infrastructure unroutable for intended 
uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.get":{"id":"compute.healthChecks.get","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.list":{"id":"compute.healthChecks.list","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.update":{"id":"compute.healthChecks.update","name":"Compute Engine health 
checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["destruction:infra","destruction:network","impact:dos"],"notes":"May make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.use":{"id":"compute.healthChecks.use","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.healthChecks.useReadOnly":{"id":"compute.healthChecks.useReadOnly","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject 
backends.","description":"Create and manage health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/healthChecks"],"seeAlso":["compute.httpHealthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.create":{"id":"compute.httpHealthChecks.create","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.delete":{"id":"compute.httpHealthChecks.delete","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["destruction:network"],"notes":"May make backend infrastructure unroutable for intended 
uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.get":{"id":"compute.httpHealthChecks.get","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.list":{"id":"compute.httpHealthChecks.list","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load 
balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.update":{"id":"compute.httpHealthChecks.update","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["destruction:infra","destruction:network","impact:dos"],"notes":"May make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.use":{"id":"compute.httpHealthChecks.use","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended 
uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpHealthChecks.useReadOnly":{"id":"compute.httpHealthChecks.useReadOnly","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTP health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/http-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpsHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.create":{"id":"compute.httpsHealthChecks.create","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load 
balancers."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.delete":{"id":"compute.httpsHealthChecks.delete","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["destruction:network"],"notes":"May make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.get":{"id":"compute.httpsHealthChecks.get","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load 
balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.list":{"id":"compute.httpsHealthChecks.list","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.update":{"id":"compute.httpsHealthChecks.update","name":"Compute Engine health checks","scope":"HIGH","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["destruction:infra","destruction:network","impact:dos"],"notes":"May make backend infrastructure unroutable for intended 
uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.use":{"id":"compute.httpsHealthChecks.use","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.httpsHealthChecks.useReadOnly":{"id":"compute.httpsHealthChecks.useReadOnly","name":"Compute Engine health checks","scope":"MEDIUM","parent":{"notes":"Exploitation relies on multiple additional exercisable risks, including poorly secured backend endpoints, the ability to route to this infrastructure, and provisioned forwarding rules to the subject backends.","description":"Create and manage legacy HTTPS health checks used by Cloud load balancers."},"risks":["impact:dos"],"notes":"When combined with tailored health checks, may make backend infrastructure unroutable for intended 
uses.","links":["https://cloud.google.com/load-balancing/docs/health-checks","https://cloud.google.com/sdk/gcloud/reference/compute/https-health-checks","https://cloud.google.com/compute/docs/reference/rest/v1/httpsHealthChecks"],"seeAlso":["compute.healthChecks","compute.httpHealthChecks","compute.regionalHealthChecks"]},"compute.images.create":{"id":"compute.images.create","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["exfiltration:data"],"notes":"When combined with a compromised source, a compromised storage bucket, and a known encryption key, can allow an attacker to exfiltrate a disk image.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.createTagBinding":{"id":"compute.images.createTagBinding","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["impact:access","escalation:privilege"],"notes":"An attacker can exploit tag-based IAM policies to gain access to image data.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.delete":{"id":"compute.images.delete","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["destruction:data"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.deleteTagBinding":{"id":"compute.images.deleteTagBinding","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"An attacker can exploit tag-based IAM policies to gain access to image data.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.deprecate":{"id":"compute.images.deprecate","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":[],"notes":"No particular impact.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.get":{"id":"compute.images.get","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:metadata"],"notes":"The customer-managed key IDs configured for the image are returned in the API. 
No raw encryption keys are exposed.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.getFromFamily":{"id":"compute.images.getFromFamily","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.getIamPolicy":{"id":"compute.images.getIamPolicy","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.list":{"id":"compute.images.list","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.listEffectiveTags":{"id":"compute.images.listEffectiveTags","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.listTagBindings":{"id":"compute.images.listTagBindings","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.setIamPolicy":{"id":"compute.images.setIamPolicy","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.setLabels":{"id":"compute.images.setLabels","name":"Compute Engine images","scope":"LOW","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.update":{"id":"compute.images.update","name":"Compute Engine images","scope":"LOW","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.images.useReadOnly":{"id":"compute.images.useReadOnly","name":"Compute Engine images","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
Risks generally require exploiting multiple privileges.","description":"Manage disk images."},"risks":["escalation:data"],"notes":"When combined with compute.instances.create, can allow access to image data.","links":["https://cloud.google.com/compute/docs/images","https://cloud.google.com/sdk/gcloud/reference/compute/images","https://cloud.google.com/compute/docs/reference/rest/v1/images"],"seeAlso":[]},"compute.instanceGroupManagers.create":{"id":"compute.instanceGroupManagers.create","name":"Compute Engine managed instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["impact:spend","impact:hijack"],"notes":"Can be exploited for cryptojacking purposes, but additionally requires creation of corresponding instance templates. Instances may be accessible via addition to target groups.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.delete":{"id":"compute.instanceGroupManagers.delete","name":"Compute Engine managed instance groups","scope":"HIGH","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. 
Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["destruction:infra","destruction:network"],"notes":"Does not delete instances themselves, but can effectively remove network access to instances.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.get":{"id":"compute.instanceGroupManagers.get","name":"Compute Engine managed instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.list":{"id":"compute.instanceGroupManagers.list","name":"Compute Engine managed instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. 
Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.update":{"id":"compute.instanceGroupManagers.update","name":"Compute Engine managed instance groups","scope":"CRITICAL","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["impact:spend","destruction:infra","destruction:data","destruction:network","escalation:lateral"],"notes":"Groups can be resized, either increasing spend or destroying infrastructure. Groups can be added to target pools, granting access via unsecured network endpoints.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroupManagers.use":{"id":"compute.instanceGroupManagers.use","name":"Compute Engine managed instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of auto-scaling instance groups. 
Except for resizing, can not critically impact organizational functions.","description":"Create and alter managed instance groups."},"risks":["escalation:lateral"],"notes":"No known or documented application; may be necessary to assign the group to a load balancer.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroupManagers"],"seeAlso":["compute.instances","compute.instanceGroups","compute.regionInstanceGroupManagers"]},"compute.instanceGroups.create":{"id":"compute.instanceGroups.create","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":[],"notes":"Instances must be manually added to the group; therefore no directly impactful risks.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.delete":{"id":"compute.instanceGroups.delete","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. 
Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.get":{"id":"compute.instanceGroups.get","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.list":{"id":"compute.instanceGroups.list","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. 
Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.update":{"id":"compute.instanceGroups.update","name":"Compute Engine instance groups","scope":"HIGH","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["escalation:lateral","destruction:network"],"notes":"Can provide access to a VM by connecting instances to a compromised load-balancing rule; or, remove necessary infrastructure from network access.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instanceGroups.use":{"id":"compute.instanceGroups.use","name":"Compute Engine instance groups","scope":"MEDIUM","parent":{"notes":"Allows creation, modification, and destruction of manually managed instance groups. 
Generally requires exercise of multiple risks to exploit.","description":"Create and alter (unmanaged) instance groups."},"risks":["escalation:lateral"],"notes":"No known or documented application; may be necessary to assign the group to a load balancer.","links":["https://cloud.google.com/compute/docs/instance-groups","https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/unmanaged","https://cloud.google.com/compute/docs/reference/rest/v1/instanceGroups"],"seeAlso":["compute.instances","compute.instanceGroupManagers"]},"compute.instances.addAccessConfig":{"id":"compute.instances.addAccessConfig","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:privilege"],"notes":"Allows a public IP address to be assigned to the instance. Further access depends on the instance's firewall rules.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.addMaintenancePolicies":{"id":"compute.instances.addMaintenancePolicies","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":[],"notes":"Appears to be unused, or replaced with `setScheduling`.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.addResourcePolicies":{"id":"compute.instances.addResourcePolicies","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos","impact:spend"],"notes":"Requires an existing resource policy and `compute.resourcePolicies.use` or `compute.resourcePolicies.useReadOnly` on the policy. Resource policies can automatically start or stop instances.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/schedule-instance-start-stop"],"seeAlso":[]},"compute.instances.attachDisk":{"id":"compute.instances.attachDisk","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:lateral"],"notes":"When combined with `compute.disks.use`, can escalate access to disk data.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.create":{"id":"compute.instances.create","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:network","discovery:policy","escalation:network","impact:spend","impact:hijack"],"notes":"Creating an instance can export the instance's service account credentials to an external server using the VM's local access to the instance metadata, including disk encryption keys and short-lived service account tokens. Allows access to network instances to which the VM is connected (e.g. VPCs). Created instances can be used to hijack resources, or create extra spend. 
Creating an instance with an attached service account requires permissions to impersonate the service account, so access to the service-account token does not present a privilege escalation.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/","https://cloud.google.com/compute/docs/metadata/default-metadata-values"],"seeAlso":[]},"compute.instances.createTagBinding":{"id":"compute.instances.createTagBinding","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:access","escalation:privilege"],"notes":"Depending on IAM policy configuration, can gain access to, or remove access from, the instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.delete":{"id":"compute.instances.delete","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.deleteAccessConfig":{"id":"compute.instances.deleteAccessConfig","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:network"],"notes":"Can remove public IP addresses from the instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.deleteTagBinding":{"id":"compute.instances.deleteTagBinding","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"Depending on IAM policy configuration, can gain access to, or remove access from, the instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.detachDisk":{"id":"compute.instances.detachDisk","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.get":{"id":"compute.instances.get","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account","discovery:network","discovery:policy"],"notes":"Allows access to a wide array of metadata including account public keys, network configuration, and service account permissions. Note that, although the Google API documentation suggests that access is also granted to secret material such as disk encryption keys or service-account tokens, these are not included in the API response.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/metadata/default-metadata-values"],"seeAlso":[]},"compute.instances.getEffectiveFirewalls":{"id":"compute.instances.getEffectiveFirewalls","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.getGuestAttributes":{"id":"compute.instances.getGuestAttributes","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["exfiltration:data"],"notes":"Guest attributes may be used by applications to store small quantities of quasi-static data.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/metadata/overview"],"seeAlso":[]},"compute.instances.getIamPolicy":{"id":"compute.instances.getIamPolicy","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.getScreenshot":{"id":"compute.instances.getScreenshot","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["exfiltration:data"],"notes":"Requires sensitive data to appear in the VM's screen output.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/troubleshooting/capturing-vm-screenshots"],"seeAlso":[]},"compute.instances.getSerialPortOutput":{"id":"compute.instances.getSerialPortOutput","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["exfiltration:data"],"notes":"Allows reading data from an instance even if exfiltration is otherwise prevented via firewall rules / limited console access. Requires an additional exploit to write data to the serial port.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/troubleshooting/viewing-serial-port-output","https://www.mitiga.io/blog/misconfiguration-hidden-dangers-cloud-control-plane"],"seeAlso":[]},"compute.instances.getShieldedInstanceIdentity":{"id":"compute.instances.getShieldedInstanceIdentity","name":"Compute Engine managed instances","scope":"LOW","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account"],"notes":"Provides access to the public components of the instance's virtual trusted platform module (vTPM). While labeled \"public\", these components may not be intended for consumption by the broader public.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"],"seeAlso":[]},"compute.instances.getShieldedVmIdentity":{"id":"compute.instances.getShieldedVmIdentity","name":"Compute Engine managed instances","scope":"LOW","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account"],"notes":"Provides access to the public components of the VM's virtual trusted platform module (vTPM). While labeled \"public\", these components may not be intended for consumption by the broader public.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"],"seeAlso":[]},"compute.instances.list":{"id":"compute.instances.list","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:account","discovery:network","discovery:policy"],"notes":"Per compute.instances.get.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/metadata/default-metadata-values"],"seeAlso":[]},"compute.instances.listEffectiveTags":{"id":"compute.instances.listEffectiveTags","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.listReferrers":{"id":"compute.instances.listReferrers","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.listTagBindings":{"id":"compute.instances.listTagBindings","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.osAdminLogin":{"id":"compute.instances.osAdminLogin","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["collection:data","destruction:data","destruction:logs","destruction:network","discovery:network","discovery:policy","escalation:lateral","exfiltration:data","impact:defacement","impact:hijack"],"notes":"Allows root-level access to the instance, effectively allowing full control of all services hosted on the instance. Allows full access to instance metadata, similar to risks of `get`. Allows access to all data stored on the instance. Allows access to bound service accounts, granting access to all resources accessible by the service account (potentially including data repositories). Allows access to any networks to which the instance is bound. Allows alteration of logs, potentially allowing the attacker to conceal their presence. If the instance has a service account, additionally requires permission to act as that service account.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.osLogin":{"id":"compute.instances.osLogin","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["collection:data","destruction:data","discovery:network","discovery:policy","escalation:lateral","exfiltration:data","impact:defacement","impact:hijack"],"notes":"Specific risks depend on the instance configuration, but can include most of the risks of `osAdminLogin`, subject to privileges granted within the instance OS and file systems. If the instance has a service account, additionally requires permission to act as that service account. Assuming traditionally root-level permissions are unavailable to users that log in via this privilege, alteration of services, logs, and networks, as well as metadata exfiltration, may be prevented. Compute resources may still be consumed assuming relatively liberal instance user limits. Backend services that serve or store data in accessible locations may be altered, or their data collected.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.removeMaintenancePolicies":{"id":"compute.instances.removeMaintenancePolicies","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":[],"notes":"Appears to be unused, or replaced with `setScheduling`.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.removeResourcePolicies":{"id":"compute.instances.removeResourcePolicies","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos","impact:spend"],"notes":"Resource policies can automatically start or stop instances, leading to denial-of-service (if instances are no longer started), or additional spend (if instances are no longer stopped).","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/schedule-instance-start-stop"],"seeAlso":[]},"compute.instances.reset":{"id":"compute.instances.reset","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","impact:dos"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.resume":{"id":"compute.instances.resume","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.sendDiagnosticInterrupt":{"id":"compute.instances.sendDiagnosticInterrupt","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["collection:data"],"notes":"Requires additional privileges to exploit: for Linux systems, the ability to configure NMI response behavior and to read crash logs; for Windows systems, the ability to read the console.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/troubleshooting/collecting-core-dumps"],"seeAlso":[]},"compute.instances.setDeletionProtection":{"id":"compute.instances.setDeletionProtection","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":"Additionally requires the ability to delete the instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setDiskAutoDelete":{"id":"compute.instances.setDiskAutoDelete","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":"Leads to destruction when the instance is deleted.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setIamPolicy":{"id":"compute.instances.setIamPolicy","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setLabels":{"id":"compute.instances.setLabels","name":"Compute Engine managed instances","scope":"LOW","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra"],"notes":"Used generally for filtering instance lists.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setMachineResources":{"id":"compute.instances.setMachineResources","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos"],"notes":"Allows the replacement of attached GPUs. The machine must be stopped. Could potentially lead to a denial-of-service if the instance is restarted and is undersized for its workload.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setMachineType":{"id":"compute.instances.setMachineType","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos"],"notes":"Allows reconfiguration of the instance machine type. The machine must be stopped. Could potentially lead to a denial-of-service if the instance is restarted and is undersized for its workload.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setMetadata":{"id":"compute.instances.setMetadata","name":"Compute Engine managed instances","scope":"LOW","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data"],"notes":"Only allows setting of custom metadata.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setMinCpuPlatform":{"id":"compute.instances.setMinCpuPlatform","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos"],"notes":"Allows reconfiguration of the minimum CPU platform (microarchitecture) the instance can use. The machine must be stopped. Could potentially interrupt services that require features from a specific CPU platform (e.g. a specific number of available threads, vCPUs, or instructions).","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setName":{"id":"compute.instances.setName","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra"],"notes":"Can break instance references when instances are referred to by name rather than resource ID.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.setScheduling":{"id":"compute.instances.setScheduling","name":"Compute Engine managed instances","scope":"MEDIUM","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","destruction:logs"],"notes":"Can lead to data or log destruction when the instance is configured to terminate on host maintenance. May be used to prevent crashed hosts from automatically restarting. Requires the ability to crash the instance to exploit. Can only be applied to a stopped instance.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/setting-vm-host-options"],"seeAlso":[]},"compute.instances.setServiceAccount":{"id":"compute.instances.setServiceAccount","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","escalation:lateral"],"notes":"Setting a service account removes any existing service account access from the instance, breaking any requests to other resources that rely on that account. 
If the newly attached service account is already compromised, this can allow lateral movement into the instance; conversely, an attacker who already controls the instance gains whatever the new service account can reach. Attaching a service account additionally requires permission to act as it (`iam.serviceAccounts.actAs`), and the instance must be stopped.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances"],"seeAlso":[]},"compute.instances.setShieldedInstanceIntegrityPolicy":{"id":"compute.instances.setShieldedInstanceIntegrityPolicy","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:defense"],"notes":"Resets the baseline for monitoring instance integrity, allowing an attacker to evade detection. The instance must be running.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/shielded-vm/docs/integrity-monitoring"],"seeAlso":[]},"compute.instances.setShieldedVmIntegrityPolicy":{"id":"compute.instances.setShieldedVmIntegrityPolicy","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:defense"],"notes":"Can be used to disable integrity monitoring on a shielded instance. The instance must be stopped.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/shielded-vm/docs/modifying-shielded-vm"],"seeAlso":[]},"compute.instances.setTags":{"id":"compute.instances.setTags","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:policy","escalation:lateral"],"notes":"Network tags are referenced by VPC firewall rules (as targets and as sources) and by routes, so changing an instance's tags can open network paths to it that the firewall policy did not intend, or cut off paths the instance relies on.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.simulateMaintenanceEvent":{"id":"compute.instances.simulateMaintenanceEvent","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","destruction:network","impact:dos"],"notes":"Executes maintenance events, which can move instances between hosts, preempt jobs, or stop or restart instances. Inherits the risks of those actions.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/simulating-host-maintenance"],"seeAlso":[]},"compute.instances.start":{"id":"compute.instances.start","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:spend"],"notes":"Can induce spend with arbitrary instances.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.startWithEncryptionKey":{"id":"compute.instances.startWithEncryptionKey","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:spend"],"notes":"The customer-supplied disk encryption key must already be known.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.stop":{"id":"compute.instances.stop","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","impact:dos"],"notes":"Stopping an instance with local SSD discards the local SSD contents and results in data loss unless the command is issued with the `--discard-local-ssd=false` flag. Persistent disks are not affected.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances/stop","https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_performance"],"seeAlso":[]},"compute.instances.suspend":{"id":"compute.instances.suspend","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["impact:dos"],"notes":"Ephemeral machine state is saved on suspend.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.update":{"id":"compute.instances.update","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:data","destruction:infra","destruction:network","impact:spend"],"notes":"Certain updates can reset the machine. Most sensitive update methods (e.g. adding disks) require `.use` permissions on any added resources. However, resources (e.g. disks, network interfaces, service accounts) can generally be removed without additional permissions. 
Likewise, instance scheduling and shielded-instance config can be altered without additional permissions.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances","https://cloud.google.com/compute/docs/instances/update-instance-properties#updatable-properties","https://cloud.google.com/compute/docs/reference/rest/v1/instances/update"],"seeAlso":[]},"compute.instances.updateAccessConfig":{"id":"compute.instances.updateAccessConfig","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:network","escalation:privilege"],"notes":"Allows a public IP address to be assigned to or removed from the instance. Further access depends on the instance's firewall rules.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateDisplayDevice":{"id":"compute.instances.updateDisplayDevice","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":[],"notes":"No known risks.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateNetworkInterface":{"id":"compute.instances.updateNetworkInterface","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:network","escalation:lateral","escalation:privilege"],"notes":"Allows alteration of the instance's joined network (for example, the instance can be moved to a different VPC), external IP addresses, and DNS records. May allow access to infrastructure on new networks. Further access depends on the firewall rules that apply to this instance and to the other instances on the new network.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateSecurity":{"id":"compute.instances.updateSecurity","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":[],"notes":"No known usage of this privilege.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateShieldedInstanceConfig":{"id":"compute.instances.updateShieldedInstanceConfig","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:defense"],"notes":"Can be used to disable secure boot, remove the vTPM from the instance, or disable integrity monitoring. Requires the instance to be stopped.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.updateShieldedVmConfig":{"id":"compute.instances.updateShieldedVmConfig","name":"Compute Engine managed instances","scope":"CRITICAL","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["destruction:infra","destruction:defense"],"notes":"Can be used to disable secure boot, remove the vTPM from the instance, or disable integrity monitoring. Requires the instance to be stopped.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.use":{"id":"compute.instances.use","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:network"],"notes":"Can be used to connect the instance to other components, potentially allowing additional access. For example, adding the instance to an instance group can allow the instance's network to be accessible.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.instances.useReadOnly":{"id":"compute.instances.useReadOnly","name":"Compute Engine managed instances","scope":"HIGH","parent":{"notes":"Allows access to general core VM infrastructure, which can support a broad array of organizational functions. 
Note that the terms \"instance\" and \"VM\" are interchangeable within the compute engine documentation, although they may have semantic differences within these privileges.","description":"Create and alter managed instances."},"risks":["escalation:network"],"notes":"Can be used to connect the instance to other components, potentially allowing additional access. For example, adding the instance to an instance group can allow the instance's network to be accessible.","links":["https://cloud.google.com/compute/docs/instances","https://cloud.google.com/sdk/gcloud/reference/compute/instances","https://cloud.google.com/compute/docs/reference/rest/v1/instances"],"seeAlso":[]},"compute.interconnectLocations.get":{"id":"compute.interconnectLocations.get","name":"Compute Engine interconnect locations","scope":"PUBLIC","parent":{"notes":"Access to public data only.","description":"View and list interconnect colocation facilities."},"risks":[],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/how-to/dedicated/listing-locations"],"seeAlso":[]},"compute.interconnectLocations.list":{"id":"compute.interconnectLocations.list","name":"Compute Engine interconnect locations","scope":"PUBLIC","parent":{"notes":"Access to public data only.","description":"View and list interconnect colocation facilities."},"risks":[],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/how-to/dedicated/listing-locations"],"seeAlso":[]},"compute.interconnectRemoteLocations.get":{"id":"compute.interconnectRemoteLocations.get","name":"Compute Engine interconnect locations","scope":"PUBLIC","parent":{"notes":null,"description":"No known use. 
The privilege set implies public use analogous to interconnectLocations."},"risks":[],"notes":null,"links":[],"seeAlso":[]},"compute.interconnectRemoteLocations.list":{"id":"compute.interconnectRemoteLocations.list","name":"Compute Engine interconnect locations","scope":"PUBLIC","parent":{"notes":null,"description":"No known use. The privilege set implies public use analogous to interconnectLocations."},"risks":[],"notes":null,"links":[],"seeAlso":[]},"compute.interconnects.create":{"id":"compute.interconnects.create","name":"Compute Engine interconnects","scope":"MEDIUM","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.delete":{"id":"compute.interconnects.delete","name":"Compute Engine interconnects","scope":"MEDIUM","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. 
For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["destruction:infra"],"notes":"Interconnects can only be deleted when no attachments use them.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.get":{"id":"compute.interconnects.get","name":"Compute Engine interconnects","scope":"MEDIUM","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["discovery:network"],"notes":"Exposes interconnect IP and MAC address.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.list":{"id":"compute.interconnects.list","name":"Compute Engine interconnects","scope":"MEDIUM","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. 
For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["discovery:network"],"notes":"Per get.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.setLabels":{"id":"compute.interconnects.setLabels","name":"Compute Engine interconnects","scope":"LOW","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.update":{"id":"compute.interconnects.update","name":"Compute Engine interconnects","scope":"HIGH","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["impact:dos","escalation:network"],"notes":"Can be used to enable, disable, or resize attached interconnects. 
Requires the interconnect to be attached.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnects.use":{"id":"compute.interconnects.use","name":"Compute Engine interconnects","scope":"HIGH","parent":{"notes":"Abuse of interconnect resources generally requires the ability to add interconnects as attachments to an already compromised system. For more information see compute.interconnectsAttachments.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["escalation:network"],"notes":"When combined with the ability to attach the interconnect, allows network escalation. When further combined with the ability to create an interconnect, may allow for arbitrary connection of the compute VPC to any network.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.create":{"id":"compute.interconnectsAttachments.create","name":"Compute Engine interconnect attachments","scope":"MEDIUM","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects requires access to a valid target on-premises facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. 
The full set of privileges necessary to connect to a VLAN is: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["escalation:network","impact:spend"],"notes":"Additionally requires the privileges described in this component's notes.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.delete":{"id":"compute.interconnectsAttachments.delete","name":"Compute Engine interconnect attachments","scope":"HIGH","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects requires access to a valid target on-premises facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. 
The full set of privileges necessary to connect to a VLAN is: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.get":{"id":"compute.interconnectsAttachments.get","name":"Compute Engine interconnect attachments","scope":"HIGH","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects requires access to a valid target on-premises facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. 
The full set of privileges necessary to connect to a VLAN is: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["discovery:network"],"notes":"Exposes router IP addresses and VLAN tags.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.list":{"id":"compute.interconnectsAttachments.list","name":"Compute Engine interconnect attachments","scope":"HIGH","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects requires access to a valid target on-premises facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. 
The full set of privileges necessary to connect to a VLAN is: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["discovery:network"],"notes":"Per get.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.setLabels":{"id":"compute.interconnectsAttachments.setLabels","name":"Compute Engine interconnect attachments","scope":"LOW","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects requires access to a valid target on-premises facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. 
The full set of privileges necessary to connect to a VLAN is: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.update":{"id":"compute.interconnectsAttachments.update","name":"Compute Engine interconnect attachments","scope":"HIGH","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects requires access to a valid target on-premises facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. 
The full set of privileges necessary to connect to a VLAN is: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["impact:dos","escalation:network"],"notes":"Can be used to resize or reroute the interconnect.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.interconnectsAttachments.use":{"id":"compute.interconnectsAttachments.use","name":"Compute Engine interconnect attachments","scope":"MEDIUM","parent":{"notes":"This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects requires access to a valid target on-premises facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. 
The full set of privileges necessary to connect to a VLAN is: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.","description":"Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems."},"risks":["escalation:network"],"notes":"May allow an attachment to be used by an already compromised cloud router.","links":["https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/compute/interconnects","https://cloud.google.com/compute/docs/reference/rest/v1/interconnects"],"seeAlso":[]},"compute.networkEndpointGroups.attachNetworkEndpoints":{"id":"compute.networkEndpointGroups.attachNetworkEndpoints","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:lateral"],"notes":"With a NEG on an already accessible network, can be used to connect to sensitive backend services. Can be combined with `create` to broaden attack surface.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.create":{"id":"compute.networkEndpointGroups.create","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:lateral"],"notes":"When combined with attachNetworkEndpoints, can be used to connect to sensitive backend services.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.delete":{"id":"compute.networkEndpointGroups.delete","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.detachNetworkEndpoints":{"id":"compute.networkEndpointGroups.detachNetworkEndpoints","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.get":{"id":"compute.networkEndpointGroups.get","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.getIamPolicy":{"id":"compute.networkEndpointGroups.getIamPolicy","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.list":{"id":"compute.networkEndpointGroups.list","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.setIamPolicy":{"id":"compute.networkEndpointGroups.setIamPolicy","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. 
However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networkEndpointGroups.use":{"id":"compute.networkEndpointGroups.use","name":"Compute Engine network endpoint groups","scope":"HIGH","parent":{"notes":"Multiple organizational functions may often reside within Compute Engine. However, abuse of network-endpoint rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.","description":"Manage network endpoint groups (NEGs) for Google Cloud load balancers."},"risks":["impact:dos"],"notes":"In combination with the ability to alter health checks, allows creation of health checks based on NEGs. Could lead to DoS if health checks are sufficiently frequent, and the referenced endpoints sufficiently expensive.","links":["https://cloud.google.com/load-balancing/docs/negs","https://cloud.google.com/sdk/gcloud/reference/compute/network-endpoint-groups","https://cloud.google.com/compute/docs/reference/rest/v1/networkEndpointGroups","https://cloud.google.com/compute/docs/reference/rest/v1/regionHealthCheckServices/insert"],"seeAlso":["compute.globalNetworkEndpointGroups"]},"compute.networks.access":{"id":"compute.networks.access","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. 
Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"The use of this permission within Google Cloud is unknown, although it may be related to VPC access connectors (see the `vpcaccess` service).","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.addPeering":{"id":"compute.networks.addPeering","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["escalation:network"],"notes":"Connects two VPCs into one effective network. 
Allows access to one network when the other is already compromised.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.create":{"id":"compute.networks.create","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"Newly created networks must be connected to resources to be exploitable. A network generally incurs cost only when it serves traffic.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.delete":{"id":"compute.networks.delete","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). 
A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["destruction:network"],"notes":null,"links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.get":{"id":"compute.networks.get","name":"Compute Engine virtual-private-cloud networks","scope":"MEDIUM","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:network"],"notes":"Only allows discovery of peered VPC identifiers.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.getEffectiveFirewalls":{"id":"compute.networks.getEffectiveFirewalls","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. 
Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.getRegionEffectiveFirewalls":{"id":"compute.networks.getRegionEffectiveFirewalls","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). 
A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:policy"],"notes":"No documented use, but may reasonably be assumed to yield similar information as the `getEffectiveFirewalls` privilege.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.list":{"id":"compute.networks.list","name":"Compute Engine virtual-private-cloud networks","scope":"MEDIUM","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:network"],"notes":"See `get`.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.listPeeringRoutes":{"id":"compute.networks.listPeeringRoutes","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. 
Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.mirror":{"id":"compute.networks.mirror","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["collection:data","impact:spend"],"notes":"Packet mirroring duplicates packets sent over the VPC and forwards them to another instance. If that instance is compromised, can allow direct read access on all network traffic. Since networks are billed by network traffic, can also significantly increase cloud spend. 
Exploitation requires additional compute.packetMirrorings permissions.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings"],"seeAlso":[]},"compute.networks.removePeering":{"id":"compute.networks.removePeering","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["destruction:network"],"notes":"Disconnects two VPCs from each other. Prevents communication between network resources split between the disconnected VPCs.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.setFirewallPolicy":{"id":"compute.networks.setFirewallPolicy","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. 
Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["destruction:policy","escalation:network","impact:access","impact:dos"],"notes":"When used to allow additional access, can either allow access to compute network endpoints, or allow outbound exfiltration of data from otherwise compromised instances. When used to remove access, can prevent service operation or account access.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.switchToCustomMode":{"id":"compute.networks.switchToCustomMode","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). 
A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"Custom mode VPCs are not automatically created with subnets.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.update":{"id":"compute.networks.update","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"Can be used to change firewall application order, modify BGP routing mode, or put the VPC in custom mode.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.updatePeering":{"id":"compute.networks.updatePeering","name":"Compute Engine virtual-private-cloud networks","scope":"MEDIUM","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. 
Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["impact:access"],"notes":"Can be used to alter how routes are shared between VPCs, or prevent IPv6 traffic between VPCs.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.updatePolicy":{"id":"compute.networks.updatePolicy","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). 
A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"No documented use.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.use":{"id":"compute.networks.use","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":["escalation:network"],"notes":"Likely necessary to add an instance to a VPC. Can gain access to an instance from a compromised network or vice-versa.","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.networks.useExternalIp":{"id":"compute.networks.useExternalIp","name":"Compute Engine virtual-private-cloud networks","scope":"HIGH","parent":{"notes":"VPCs are generally highly sensitive. Alterations to, or destruction of, the VPC can prevent instances from serving applications, processing data, and the like. 
Obtaining access to the VPC can allow access to attached instance services. Finally, altering a VPC can allow data to be extracted from an otherwise compromised instance.","description":"Allows management of virtual-private-cloud networks (VPCs). A VPC is a logically isolated network, allowing communication of instances within the network, isolation of instances from entities outside the network, and policy-based network controls between instances within the network, and entities outside of it."},"risks":[],"notes":"No documented use (external IPs are generally attached directly to instances).","links":["https://cloud.google.com/vpc/docs/vpc","https://cloud.google.com/sdk/gcloud/reference/compute/networks","https://cloud.google.com/compute/docs/reference/rest/v1/networks"],"seeAlso":[]},"compute.packetMirrorings.create":{"id":"compute.packetMirrorings.create","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["collection:data","impact:consumption","impact:spend"],"notes":"Consumes mirroring quota and incurs spend proportional to the amount of mirrored network data. 
When combined with a compromised instance (used as the packet collector), allows collection of network data.","links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"compute.packetMirrorings.delete":{"id":"compute.packetMirrorings.delete","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["destruction:defense"],"notes":"Primary packet-mirroring use cases include intrusion-detection systems (IDS) and deep-packet inspection (DPI) tools. Disabling packet-mirroring prevents these systems from functioning.","links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"compute.packetMirrorings.get":{"id":"compute.packetMirrorings.get","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"compute.packetMirrorings.list":{"id":"compute.packetMirrorings.list","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to 
unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"compute.packetMirrorings.update":{"id":"compute.packetMirrorings.update","name":"Compute Engine packet mirroring","scope":"MEDIUM","parent":{"notes":"Packet mirroring allows inspection of network traffic, allowing access to unencrypted network data.","description":"Packet mirroring allows duplication and forwarding of packets on a virtual private cloud."},"risks":["collection:data","destruction:defense","impact:consumption","impact:spend"],"notes":"Can be used to modify which mirrored sources (subnets, network tags or instances) are mirrored, how the traffic is filtered, and which collector receives it, leading to either increased network collection or defeated security monitoring.","links":["https://cloud.google.com/vpc/docs/packet-mirroring","https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings","https://cloud.google.com/compute/docs/reference/rest/v1/packetMirrorings"],"seeAlso":[]},"container.apiServices.create":{"id":"container.apiServices.create","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For APIServices backed by an in-cluster Service, insecureSkipTLSVerify can be set to true, which makes the Kubernetes API server proxy requests to that backend without verifying its TLS certificate.","description":"API Services provide a way to advertise a Kubernetes API group and version to the API server's aggregation layer. It is used to register and expose APIs for Kubernetes extensions and custom resources. 
It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["escalation:network"],"notes":"Together with the ability to deploy a new Kubernetes Service in the cluster, an attacker can register an APIService that points the aggregation layer at that Service (optionally with insecureSkipTLSVerify set), so that the API server proxies every request for the claimed API group to attacker-controlled code, which opens a backdoor into the cluster.","links":[],"seeAlso":[]},"container.apiServices.delete":{"id":"container.apiServices.delete","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For APIServices backed by an in-cluster Service, insecureSkipTLSVerify can be set to true, which makes the Kubernetes API server proxy requests to that backend without verifying its TLS certificate.","description":"API Services provide a way to advertise a Kubernetes API group and version to the API server's aggregation layer. It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["destruction:infra"],"notes":"Only API Services that expose custom resources or extension API servers can be removed. API Services auto-managed by Kubernetes for built-in groups, such as v1, apps/v1, batch/v1 and extensions/v1beta1, are re-registered automatically and cannot be deleted or modified persistently.","links":[],"seeAlso":[]},"container.apiServices.get":{"id":"container.apiServices.get","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For APIServices backed by an in-cluster Service, insecureSkipTLSVerify can be set to true, which makes the Kubernetes API server proxy requests to that backend without verifying its TLS certificate.","description":"API Services provide a way to advertise a Kubernetes API group and version to the API server's aggregation layer. 
It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.apiServices.getStatus":{"id":"container.apiServices.getStatus","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For APIServices backed by an in-cluster Service, insecureSkipTLSVerify can be set to true, which makes the Kubernetes API server proxy requests to that backend without verifying its TLS certificate.","description":"API Services provide a way to advertise a Kubernetes API group and version to the API server's aggregation layer. It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.apiServices.list":{"id":"container.apiServices.list","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For APIServices backed by an in-cluster Service, insecureSkipTLSVerify can be set to true, which makes the Kubernetes API server proxy requests to that backend without verifying its TLS certificate.","description":"API Services provide a way to advertise a Kubernetes API group and version to the API server's aggregation layer. It is used to register and expose APIs for Kubernetes extensions and custom resources. 
It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.apiServices.update":{"id":"container.apiServices.update","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For APIServices backed by an in-cluster Service, insecureSkipTLSVerify can be set to true, which makes the Kubernetes API server proxy requests to that backend without verifying its TLS certificate.","description":"API Services provide a way to advertise a Kubernetes API group and version to the API server's aggregation layer. It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["escalation:network"],"notes":"See `create`: re-pointing an existing APIService at an attacker-controlled Service has the same effect as registering a new one.","links":[],"seeAlso":[]},"container.apiServices.updateStatus":{"id":"container.apiServices.updateStatus","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For APIServices backed by an in-cluster Service, insecureSkipTLSVerify can be set to true, which makes the Kubernetes API server proxy requests to that backend without verifying its TLS certificate.","description":"API Services provide a way to advertise a Kubernetes API group and version to the API server's aggregation layer. It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":[],"notes":"While this permission is exposed, updating the status of a custom APIService is not allowed. 
Status is managed by Kubernetes.","links":[],"seeAlso":[]},"container.backendConfigs.create":{"id":"container.backendConfigs.create","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"MEDIUM","parent":{"notes":"A BackendConfig is a piece of reusable configuration for the backend of a GKE Ingress. A BackendConfig does not take effect unless it is attached to a Service that an Ingress routes to.","description":"BackendConfig objects are reusable configurations attached to Kubernetes Service objects that serve as Ingress backends. A BackendConfig configures the Google Cloud backend service created for that Service, so it pertains to external-to-internal communications. Configurable parameters include the backend service timeout, Cloud CDN, Cloud Armor security policy, Identity-Aware Proxy, HTTP access logging and session affinity."},"risks":["destruction:network"],"notes":"An attacker may manipulate Ingress backend settings if they are also allowed to associate BackendConfig objects with the Services behind Ingress objects, e.g. via the container.ingresses.update or container.ingresses.create permissions.","links":[],"seeAlso":[]},"container.backendConfigs.delete":{"id":"container.backendConfigs.delete","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"A BackendConfig is a piece of reusable configuration for the backend of a GKE Ingress. A BackendConfig does not take effect unless it is attached to a Service that an Ingress routes to.","description":"BackendConfig objects are reusable configurations attached to Kubernetes Service objects that serve as Ingress backends. A BackendConfig configures the Google Cloud backend service created for that Service, so it pertains to external-to-internal communications. Configurable parameters include the backend service timeout, Cloud CDN, Cloud Armor security policy, Identity-Aware Proxy, HTTP access logging and session affinity."},"risks":["destruction:network"],"notes":"BackendConfigs that are associated with a Service can be deleted without first removing the reference to them. 
Access to a Service can be disrupted by deleting a BackendConfig that is associated with a Service.","links":[],"seeAlso":[]},"container.backendConfigs.get":{"id":"container.backendConfigs.get","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"LOW","parent":{"notes":"A BackendConfig is a piece of reusable configuration for the backend of a GKE Ingress. A BackendConfig does not take effect unless it is attached to a Service that an Ingress routes to.","description":"BackendConfig objects are reusable configurations attached to Kubernetes Service objects that serve as Ingress backends. A BackendConfig configures the Google Cloud backend service created for that Service, so it pertains to external-to-internal communications. Configurable parameters include the backend service timeout, Cloud CDN, Cloud Armor security policy, Identity-Aware Proxy, HTTP access logging and session affinity."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.backendConfigs.list":{"id":"container.backendConfigs.list","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"LOW","parent":{"notes":"A BackendConfig is a piece of reusable configuration for the backend of a GKE Ingress. A BackendConfig does not take effect unless it is attached to a Service that an Ingress routes to.","description":"BackendConfig objects are reusable configurations attached to Kubernetes Service objects that serve as Ingress backends. A BackendConfig configures the Google Cloud backend service created for that Service, so it pertains to external-to-internal communications. Configurable parameters include the backend service timeout, Cloud CDN, Cloud Armor security policy, Identity-Aware Proxy, HTTP access logging and session affinity."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"container.backendConfigs.update":{"id":"container.backendConfigs.update","name":"BackendConfig custom resource definition for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"A BackendConfig is a piece of reusable configuration for the backend of a GKE Ingress. 
A BackendConfig does not take effect unless it is attached to a Service that an Ingress routes to.","description":"BackendConfig objects are reusable configurations attached to Kubernetes Service objects that serve as Ingress backends. A BackendConfig configures the Google Cloud backend service created for that Service, so it pertains to external-to-internal communications. Configurable parameters include the backend service timeout, Cloud CDN, Cloud Armor security policy, Identity-Aware Proxy, HTTP access logging and session affinity."},"risks":["destruction:defense","destruction:network"],"notes":"For BackendConfigs that are associated with a Service, an update may remove a Cloud Armor security policy, disable Identity-Aware Proxy or access logging, or otherwise change how the load balancer handles traffic to the Service.","links":[],"seeAlso":[]},"container.clusterRoleBindings.create":{"id":"container.clusterRoleBindings.create","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. Both ClusterRoles and ClusterRoleBindings are scoped to the entire Kubernetes cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRoleBinding unless at least one of the following two conditions is met: 1) the caller already holds every permission contained in the referenced ClusterRole; 2) the caller has the `clusterRoles.bind` permission on that ClusterRole.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"container.clusterRoleBindings.delete":{"id":"container.clusterRoleBindings.delete","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. 
A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. Both ClusterRoles and ClusterRoleBindings are scoped to the entire Kubernetes cluster."},"risks":["destruction:policy"],"notes":"Deleting a ClusterRoleBinding removes the permissions of the ClusterRole from the principals listed in the binding.","links":[],"seeAlso":[]},"container.clusterRoleBindings.get":{"id":"container.clusterRoleBindings.get","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. Both ClusterRoles and ClusterRoleBindings are scoped to the entire Kubernetes cluster."},"risks":["discovery:policy"],"notes":"Retrieves the list of principals and the role referenced by a specific ClusterRoleBinding.","links":[],"seeAlso":[]},"container.clusterRoleBindings.list":{"id":"container.clusterRoleBindings.list","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. 
Both ClusterRoles and ClusterRoleBindings are scoped to the entire Kubernetes cluster."},"risks":["discovery:policy"],"notes":"Lists all ClusterRoleBindings in the cluster (ClusterRoleBindings are cluster-scoped, not namespaced).","links":[],"seeAlso":[]},"container.clusterRoleBindings.update":{"id":"container.clusterRoleBindings.update","name":"ClusterRoleBindings","scope":"MEDIUM","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. Both ClusterRoles and ClusterRoleBindings are scoped to the entire Kubernetes cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRoleBinding unless at least one of the following two conditions is met: 1) the caller already holds every permission contained in the referenced ClusterRole; 2) the caller has the `clusterRoles.bind` permission on that ClusterRole.","links":[],"seeAlso":[]},"container.clusterRoles.bind":{"id":"container.clusterRoles.bind","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRole is a set of permissions that defines a level of access to resources across the cluster (a namespaced Role is the single-namespace equivalent). It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by binding a ClusterRole to them, even when the caller does not hold the permissions in that ClusterRole. 
Also requires the `clusterRoleBindings.create` or `clusterRoleBindings.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"container.clusterRoles.create":{"id":"container.clusterRoles.create","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRole is a set of permissions that defines a level of access to resources across the cluster (a namespaced Role is the single-namespace equivalent). It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":[],"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding. Kubernetes does not allow the creation or update of a ClusterRole unless at least one of the following two conditions is met: 1) the caller already holds every permission contained in the role; 2) the caller has the `clusterRoles.escalate` permission.","links":[],"seeAlso":[]},"container.clusterRoles.delete":{"id":"container.clusterRoles.delete","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRole is a set of permissions that defines a level of access to resources across the cluster (a namespaced Role is the single-namespace equivalent). It consists of rules that specify which API operations can be performed on specific resource types. 
ClusterRoles are scoped to the entire cluster."},"risks":["destruction:policy"],"notes":"ClusterRoles can be deleted in Kubernetes even while they are attached to principals via a ClusterRoleBinding.","links":[],"seeAlso":[]},"container.clusterRoles.escalate":{"id":"container.clusterRoles.escalate","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by creating a new ClusterRole or updating an existing ClusterRole. Also requires the `clusterRoles.create` or `clusterRoles.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update"],"seeAlso":[]},"container.clusterRoles.get":{"id":"container.clusterRoles.get","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. 
ClusterRoles are scoped to the entire cluster."},"risks":["discovery:policy"],"notes":"Retrieves the permissions contained in a specific ClusterRole.","links":[],"seeAlso":[]},"container.clusterRoles.list":{"id":"container.clusterRoles.list","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["discovery:policy"],"notes":"List all ClusterRoles","links":[],"seeAlso":[]},"container.clusterRoles.update":{"id":"container.clusterRoles.update","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. 
ClusterRoles are scoped to the entire cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRole unless one of the following two conditions is met: 1) the caller already has the permissions contained in the role 2) the caller has the `clusterRoles.escalate` permission","links":[],"seeAlso":[]},"container.clusters.create":{"id":"container.clusters.create","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["impact:spend","impact:hijack"],"notes":"Allows creating a new Kubernetes cluster. Also requires access to a Compute Engine service account. By default, GKE uses the Compute Engine default service account, and cluster creation fails unless the user has the `iam.serviceAccounts.actAs` permission on the service account.","links":[],"seeAlso":[]},"container.clusters.createTagBinding":{"id":"container.clusters.createTagBinding","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["impact:access","escalation:privilege"],"notes":"Attach a tag to a cluster as a key-value pair. 
Tags can conditionally allow or deny policies.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/tags#overview"],"seeAlso":[]},"container.clusters.delete":{"id":"container.clusters.delete","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["destruction:data","destruction:infra","destruction:network"],"notes":"Deletes a cluster and related resources: control plane resources, nodes, pods, firewalls, routes, ephemeral volumes. It will also attempt to delete external and internal load balancers created by the cluster, as well as persistent disk volumes.","links":["https://cloud.google.com/sdk/gcloud/reference/container/clusters/delete"],"seeAlso":[]},"container.clusters.deleteTagBinding":{"id":"container.clusters.deleteTagBinding","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"Tags can conditionally allow or deny IAM policies. 
Privilege escalation is possible since removing tags may lead to additional IAM bindings matching the principal.","links":[],"seeAlso":[]},"container.clusters.get":{"id":"container.clusters.get","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:infra"],"notes":"Retrieves cluster information including the public and private endpoint IP addresses and the cluster certificate. The information returned allows configuring Kubernetes API access to the cluster, similar to the `container.clusters.getCredentials` permission.","links":[],"seeAlso":[]},"container.clusters.getCredentials":{"id":"container.clusters.getCredentials","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:infra"],"notes":"Allows configuring Kubernetes API access to the cluster. 
To actually execute any API calls, other `container` permissions are also required.","links":[],"seeAlso":[]},"container.clusters.impersonate":{"id":"container.clusters.impersonate","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["escalation:lateral"],"notes":"This permission is used by the Kubernetes Engine Service Agent role (among others) to impersonate a Workload Identity. Thus, it is meant to be used by machine identities, i.e. workloads running on the Kubernetes cluster that need to access other Google Cloud services. Access to this permission leads to lateral movement by allowing human principals to act as Kubernetes workloads.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity"],"seeAlso":[]},"container.clusters.list":{"id":"container.clusters.list","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:infra","discovery:network"],"notes":"Reveals the master IP and additional limited metadata about clusters.","links":[],"seeAlso":[]},"container.clusters.listEffectiveTags":{"id":"container.clusters.listEffectiveTags","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that 
represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:policy"],"notes":null,"links":[],"seeAlso":[]},"container.clusters.listTagBindings":{"id":"container.clusters.listTagBindings","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["discovery:policy"],"notes":null,"links":[],"seeAlso":[]},"container.clusters.update":{"id":"container.clusters.update","name":"Kubernetes Engine Clusters","scope":"CRITICAL","parent":{"notes":"One independent instance of a Kubernetes cluster, consisting of a node-pool and the Kubernetes objects such as deployments, statefulsets, pods, jobs that represent workloads and configuration running on the cluster, managed by Kubernetes.","description":"Manages Kubernetes clusters on Google Kubernetes Engine"},"risks":["destruction:data","destruction:defense","destruction:infra","destruction:network","impact:spend"],"notes":"Allows modifying various parameters of the cluster that are critical for the healthy functioning and protection of the cluster. In addition, it allows resizing the cluster node pool and upgrading the Kubernetes version.","links":["https://cloud.google.com/sdk/gcloud/reference/container/clusters/update","https://cloud.google.com/sdk/gcloud/reference/container/clusters/resize","https://cloud.google.com/sdk/gcloud/reference/container/clusters/upgrade"],"seeAlso":[]},"container.daemonSets.create":{"id":"container.daemonSets.create","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. 
A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network"],"notes":"Creation of DaemonSets allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. The code may execute with service account privileges, leading to new permissions that may allow access to other services. Secondly, creating DaemonSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"container.daemonSets.delete":{"id":"container.daemonSets.delete","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a DaemonSet deletes its pods and ephemeral volumes. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"container.daemonSets.get":{"id":"container.daemonSets.get","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. 
If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the DaemonSet, and Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"container.daemonSets.getStatus":{"id":"container.daemonSets.getStatus","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `daemonSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}` resource.","links":[],"seeAlso":[]},"container.daemonSets.list":{"id":"container.daemonSets.list","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. 
See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all DaemonSets in a namespace.","links":[],"seeAlso":[]},"container.daemonSets.update":{"id":"container.daemonSets.update","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","impact:hijack","impact:spend"],"notes":"An update may let an attacker change the container image that is running inside pods. This may allow arbitrary code execution, if the cluster has access to the public internet. The code may execute with service account privileges, leading to new permissions that may allow access to other services. Since a DaemonSet runs a pod on multiple nodes, DaemonSets are especially effective for a complete cluster takeover. Secondly, DaemonSet pods drain the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"container.daemonSets.updateStatus":{"id":"container.daemonSets.updateStatus","name":"DaemonSets","scope":"LOW","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. 
See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":[],"notes":"This subresource has no effect on the actual DaemonSets.","links":[],"seeAlso":[]},"container.deployments.create":{"id":"container.deployments.create","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Deployments tie up compute resources in Kubernetes that cannot be allocated to another Kubernetes workload while the deployment is present. Deployments run a user-specified container image, which may allow an attacker to escalate their privileges by running arbitrary code inside the Kubernetes workload. Secondly, creating Deployments drains the limited resources available to other Kubernetes workloads.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.delete":{"id":"container.deployments.delete","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. 
They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a Deployment deletes its pods and ephemeral volumes. Persistent Volumes attached to the Deployment are left intact. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.get":{"id":"container.deployments.get","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. 
Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Deployment, and Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.getScale":{"id":"container.deployments.getScale","name":"Deployments","scope":"LOW","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale` subresource which returns the number of desired replicas in the Deployment. 
The `deployments.get` permission already includes the ability to read this subresource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/","https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"],"seeAlso":[]},"container.deployments.getStatus":{"id":"container.deployments.getStatus","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `deployments.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}` resource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.list":{"id":"container.deployments.list","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. 
Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all Deployments in a namespace.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.rollback":{"id":"container.deployments.rollback","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. 
Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra"],"notes":"Allows reverting to a previous version of the Deployment spec from the rollout history.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/","https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#checking-rollout-history-of-a-deployment"],"seeAlso":[]},"container.deployments.update":{"id":"container.deployments.update","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. 
Secondly, increasing the replica count in Deployments drains the limited resources available to  other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.updateScale":{"id":"container.deployments.updateScale","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"Allows updating the replica count, including setting replicas to 0. If properties other than replicas are updated in the PATCH request, those are quietly ignored. Secondly, increasing the replica count in Deployments drains the limited resources available to  other Kubernetes workloads.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.deployments.updateStatus":{"id":"container.deployments.updateStatus","name":"Deployments","scope":"LOW","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. 
They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":[],"notes":"Allows updating the status object of the Deployment with different \"replicas\", \"updatedReplicas\", \"readyReplicas\", and \"availableReplicas\" counts than the actual counts in the Deployment's current ReplicaSet. However, these values don't take effect, despite a successful API call.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"container.endpointSlices.create":{"id":"container.endpointSlices.create","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. 
The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["escalation:network"],"notes":"Creating an endpoint may open up access to Pods from the public Internet.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpointSlices.delete":{"id":"container.endpointSlices.delete","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network"],"notes":"Deleting an endpoint may partially or completely disrupt public access to Kubernetes Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpointSlices.get":{"id":"container.endpointSlices.get","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. 
However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about a specific endpoint: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpointSlices.list":{"id":"container.endpointSlices.list","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about all endpoints: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpointSlices.update":{"id":"container.endpointSlices.update","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. 
Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network","escalation:network"],"notes":"An endpoint update allows remapping IP addresses and ports to different Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"container.endpoints.create":{"id":"container.endpoints.create","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. 
The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["escalation:network"],"notes":"Creating an endpoint slice may open up access to Pods from the public Internet.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.endpoints.delete":{"id":"container.endpoints.delete","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network"],"notes":"Deleting an endpoint slice may partially or completely disrupt public access to Kubernetes Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.endpoints.get":{"id":"container.endpoints.get","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. 
The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about a specific endpoint slice: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.endpoints.list":{"id":"container.endpoints.list","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about all endpoint slices: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.endpoints.update":{"id":"container.endpoints.update","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. 
However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network","escalation:network"],"notes":"An endpoint update allows remapping IP addresses and ports to different Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"container.frontendConfigs.create":{"id":"container.frontendConfigs.create","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":["destruction:network"],"notes":"An attacker may manipulate Ingress settings if they are also allowed to associate BackendConfig objects with Ingress objects using container.ingresses.update or container.ingresses.create permissions.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.frontendConfigs.delete":{"id":"container.frontendConfigs.delete","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  
A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":["destruction:network"],"notes":"FrontendConfigs that are associated with an Ingress can be deleted without first removing the reference to them. Access to a Service can be disrupted by deleting a BackendConfig that is associated with an Ingress.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.frontendConfigs.get":{"id":"container.frontendConfigs.get","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":[],"notes":"Retrieve metadata about a specific FrontendConfig.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.frontendConfigs.list":{"id":"container.frontendConfigs.list","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  
A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":[],"notes":"Retrieve metadata about all FrontendConfigs.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.frontendConfigs.update":{"id":"container.frontendConfigs.update","name":"Frontend config custom resource definition for Google Kubernetes Engine","scope":"HIGH","parent":{"notes":"FrontendConfig is a piece of reusable configuration for an Ingress object.  A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.","description":"FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect"},"risks":["destruction:network"],"notes":"For FrontendConfigs that are associated with an Ingress, an update may remove SSL proxy or HTTPS redirect configuration.","links":["https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#associating_frontendconfig_with_your_ingress"],"seeAlso":[]},"container.ingresses.create":{"id":"container.ingresses.create","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. 
Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["escalation:network"],"notes":"Ingress configures public access to a Kubernetes backend service.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.delete":{"id":"container.ingresses.delete","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["destruction:network"],"notes":"Deleting an Ingress removes public access to potentially business-critical Kubernetes services.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.get":{"id":"container.ingresses.get","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. 
Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["discovery:network"],"notes":"Retrieve metadata about Ingress configuration, such as references to FrontendConfig, BackendConfig, and routing rules.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.getStatus":{"id":"container.ingresses.getStatus","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["discovery:network"],"notes":"Retrieve metadata about Ingress configuration, such as references to FrontendConfig, BackendConfig, and routing rules. 
This endpoint returns the same data as `","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.list":{"id":"container.ingresses.list","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["discovery:network"],"notes":"Retrieve metadata about Ingress configuration, such as references to FrontendConfig, BackendConfig, and routing rules.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.update":{"id":"container.ingresses.update","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. 
Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":["destruction:network","escalation:network"],"notes":"Ingress updates may take down public internet connection to Kubernetes services, or establish new connections, potentially opening up services for further exploitation by an attacker.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.ingresses.updateStatus":{"id":"container.ingresses.updateStatus","name":"Ingress for Google Kubernetes Engine","scope":"CRITICAL","parent":{"notes":"Creating an Ingress does not automatically expose Services. It also needs an Ingress Controller. Kubernetes Engine ships with a Google-hosted Ingress Controller. However, you can also choose to deploy another Ingress Controller, such as Nginx. Configuring other controllers requires manual setup of other Google Cloud components, like NAT gateway, Firewall rules, and VPC network.","description":"Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource."},"risks":[],"notes":"While this permission is exposed, updating the status of an Ingress does not take effect. 
Status is managed by Kubernetes.","links":["https://kubernetes.io/docs/concepts/services-networking/ingress","https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration","https://cloud.google.com/community/tutorials/nginx-ingress-gke"],"seeAlso":[]},"container.jobs.create":{"id":"container.jobs.create","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Jobs tie up compute resources in Kubernetes that cannot be allocated to another Kubernetes workload while the Job is present. Jobs run a user-specified container image, which may allow an attacker to escalate their privileges by running arbitrary code inside the Kubernetes workload with service account privileges. Persistent Volumes may be  attached to jobs, meaning data can be exposed to the Kubernetes workload.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.delete":{"id":"container.jobs.delete","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. 
Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a Job deletes its pods and ephemeral volumes. Persistent Volumes attached to the Job are left intact. Logs of the deleted pods disappear permanently when the job completes and the pods shut down, unless they are exported to an external system for persistence.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.get":{"id":"container.jobs.get","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  
Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Job, Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.getStatus":{"id":"container.jobs.getStatus","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `jobs.get`. Allows reading the `/apis/batch/v1/namespaces/{namespace}/deployments/{name}/status` subresource which returns the same payload as the `/apis/batch/v1/namespaces/{namespace}/deployments/{name}` resource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.list":{"id":"container.jobs.list","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. 
That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all Jobs in a namespace.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.update":{"id":"container.jobs.update","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["destruction:infra","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may suspend the job which prevents the controller from creating Pods, effectively disabling the Job.  
An update may also let an attacker change the container image that is running inside pods, potentially leading to arbitrary code execution. Secondly, increasing the parallelism in Jobs or the amount of resources dedicated to Pods drains the  limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods,  which may provide access to sensitive data.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.jobs.updateStatus":{"id":"container.jobs.updateStatus","name":"Jobs","scope":"LOW","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":[],"notes":"Allows updating the status object of the Jobs with different \"active\", \"failed\", \"ready\", and \"succeeded\" counts. However, these values don't take effect, despite a successful API call. The status is managed by Kubernetes.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"container.namespaces.create":{"id":"container.namespaces.create","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. 
This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":[],"notes":"Namespace is a logical resource, and creating one does not carry risks by itself.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.delete":{"id":"container.namespaces.delete","name":"Namespaces","scope":"CRITICAL","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:data","destruction:infra","destruction:logs","destruction:network","destruction:policy"],"notes":"Deleting a namespace also deletes all other Kubernetes resources inside it.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.finalize":{"id":"container.namespaces.finalize","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation, that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:defense"],"notes":"Allows updating the list of finalizers. Finalizers check if a certain condition is met before deleting a  namespace. 
The built-in `kubernetes` finalizer on a namespace implements garbage collection: it keeps the namespace in the Terminating phase until every resource inside it has been deleted. Other finalizers are protective; for instance `kubernetes.io/pvc-protection` on a PersistentVolumeClaim blocks deletion while a Pod is still using the claim. Editing or removing finalizers can therefore strip such protections.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/"],"seeAlso":[]},"container.namespaces.get":{"id":"container.namespaces.get","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that lets you group and segregate resources such as Pods, Services and Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. A Role is scoped to a single namespace and only grants permissions within it; a ClusterRole is cluster-wide."},"risks":["discovery:infra"],"notes":"Retrieve a single namespace object: its labels, annotations, finalizers and phase.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.getStatus":{"id":"container.namespaces.getStatus","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that lets you group and segregate resources such as Pods, Services and Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. 
A Role is scoped to a single namespace and only grants permissions within it; a ClusterRole is cluster-wide."},"risks":["discovery:infra"],"notes":"Allows reading the `status` subresource of a namespace, which returns the same object as `namespaces.get`.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.list":{"id":"container.namespaces.list","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that lets you group and segregate resources such as Pods, Services and Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. A Role is scoped to a single namespace and only grants permissions within it; a ClusterRole is cluster-wide."},"risks":["discovery:infra"],"notes":"Allows listing all namespaces in the cluster.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.update":{"id":"container.namespaces.update","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that lets you group and segregate resources such as Pods, Services and Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. A Role is scoped to a single namespace and only grants permissions within it; a ClusterRole is cluster-wide."},"risks":["destruction:defense"],"notes":"Allows updating the namespace object, including its finalizers (see the `namespaces.finalize` permission) and its labels. Namespace labels are security-relevant: they are what `namespaceSelector` fields in NetworkPolicies match on, and they carry the Pod Security Admission level (`pod-security.kubernetes.io/enforce`), so relabeling a namespace can widen its network reach or relax admission controls.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.namespaces.updateStatus":{"id":"container.namespaces.updateStatus","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. 
This is a logical isolation that lets you group and segregate resources such as Pods, Services and Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. A Role is scoped to a single namespace and only grants permissions within it; a ClusterRole is cluster-wide."},"risks":[],"notes":"The namespace status (its phase) is managed by the control plane; updating it has no effect.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"container.nodes.create":{"id":"container.nodes.create","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked where possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system; and the node OS, Kubernetes and the container runtime should be upgraded promptly.","description":"Nodes are physical or virtual machines that serve as workers in the cluster. Nodes provide the underlying pool of CPU, memory, storage and network connectivity for running containers and other tasks assigned by the control plane."},"risks":[],"notes":"There are two ways to create a Node: self-registration by the kubelet running on the machine (using its kubeconfig), or manual registration through the Kubernetes API. The `nodes.create` permission allows the latter. Creating a Node object manually only creates the API representation; the control plane then checks that a kubelet matching the object's name has registered and is healthy, and only then does the node become eligible to run Pods. 
This permission alone is not enough to add a new Node to a cluster.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/concepts/architecture/nodes/#management","https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/"],"seeAlso":[]},"container.nodes.delete":{"id":"container.nodes.delete","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked where possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system; and the node OS, Kubernetes and the container runtime should be upgraded promptly.","description":"Nodes are physical or virtual machines that serve as workers in the cluster. Nodes provide the underlying pool of CPU, memory, storage and network connectivity for running containers and other tasks assigned by the control plane."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":"Deleting a Node object immediately destroys all workloads running on it (the Pods bound to it are garbage-collected). This is an unsafe action and is likely to disrupt normal operations. Instead, a node can be cordoned to prevent new Pods from being scheduled on it; cordoning requires the `nodes.update` permission. To safely move workloads to other nodes, the node must be drained. 
The `kubectl drain` command uses list permissions (Pods, ReplicaSets, DaemonSets, etc.) and the `pods.evict` permission.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/concepts/architecture/nodes/#manual-node-administration","https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/"],"seeAlso":[]},"container.nodes.get":{"id":"container.nodes.get","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked where possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system; and the node OS, Kubernetes and the container runtime should be upgraded promptly.","description":"Nodes are physical or virtual machines that serve as workers in the cluster. Nodes provide the underlying pool of CPU, memory, storage and network connectivity for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"The response payload contains the IDs of container images present on the node, as well as its IP addresses, Pod CIDR range, health conditions, kubelet, OS and kernel versions, and other metadata.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"container.nodes.getStatus":{"id":"container.nodes.getStatus","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. 
In general, nodes should not be publicly accessible; SSH access should be blocked where possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system; and the node OS, Kubernetes and the container runtime should be upgraded promptly.","description":"Nodes are physical or virtual machines that serve as workers in the cluster. Nodes provide the underlying pool of CPU, memory, storage and network connectivity for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"Allows reading the `status` subresource of a node, which carries the same information as `nodes.get`.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"container.nodes.list":{"id":"container.nodes.list","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked where possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system; and the node OS, Kubernetes and the container runtime should be upgraded promptly.","description":"Nodes are physical or virtual machines that serve as workers in the cluster. 
Nodes provide the underlying pool of CPU, memory, storage and network connectivity for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"List all nodes, with the same detail as `nodes.get` for each.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"container.nodes.proxy":{"id":"container.nodes.proxy","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked where possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system; and the node OS, Kubernetes and the container runtime should be upgraded promptly.","description":"Nodes are physical or virtual machines that serve as workers in the cluster. Nodes provide the underlying pool of CPU, memory, storage and network connectivity for running containers and other tasks assigned by the control plane."},"risks":["escalation:privilege","escalation:lateral"],"notes":"This permission allows calling the `/api/v1/nodes/{node}/proxy/{path}` endpoint with any HTTP method. The API server forwards the request to the kubelet on that node using its own kubelet client credentials, so the kubelet performs no separate authorization check for the original caller. 
This exposes the other endpoints of the kubelet API, such as `/pods` (every Pod on the node with its full spec), `/run/{namespace}/{pod}/{container}` and `/exec/...` (execute a command in any container on the node, including reading the service account tokens mounted in those Pods) and `/portForward/...`. In effect it is code execution in every workload scheduled on the node and lateral movement with those workloads' service accounts.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://www.deepnetwork.com/blog/2020/01/13/kubelet-api.html","https://blog.aquasec.com/privilege-escalation-kubernetes-rbac"],"seeAlso":[]},"container.nodes.update":{"id":"container.nodes.update","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked where possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system; and the node OS, Kubernetes and the container runtime should be upgraded promptly.","description":"Nodes are physical or virtual machines that serve as workers in the cluster. Nodes provide the underlying pool of CPU, memory, storage and network connectivity for running containers and other tasks assigned by the control plane."},"risks":["impact:manipulation","destruction:metadata"],"notes":"The fields that can typically be updated are the metadata labels and annotations, and the `spec` section of the node manifest: taints, which keep Pods without a matching toleration from being scheduled on the node, and the `unschedulable` flag, which effectively cordons the node. Node labels also steer scheduling through `nodeSelector` and node affinity, so relabeling can pull sensitive workloads onto an attacker-chosen node. 
With enough nodes cordoned or tainted the cluster may become \"paralyzed\" because workloads cannot be scheduled efficiently or at all.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#nodespec-v1-core"],"seeAlso":[]},"container.nodes.updateStatus":{"id":"container.nodes.updateStatus","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked where possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system; and the node OS, Kubernetes and the container runtime should be upgraded promptly.","description":"Nodes are physical or virtual machines that serve as workers in the cluster. Nodes provide the underlying pool of CPU, memory, storage and network connectivity for running containers and other tasks assigned by the control plane."},"risks":[],"notes":"Allows updating only the `status` subresource of a node. This is the subresource the kubelet itself reports into, so values written here are overwritten on the kubelet's next status update and the effect is transient.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"container.pods.attach":{"id":"container.pods.attach","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. 
In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["destruction:infra","impact:access"],"notes":"Allows attaching to the main process already running inside a container. An attacker can read its stdout and stderr and, if the container was started with stdin enabled, send it input, for instance Ctrl+C to stop the process.","links":[],"seeAlso":[]},"container.pods.create":{"id":"container.pods.create","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. 
Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"It is possible to create standalone Pods that are not managed by a Deployment or other controller. This carries the risk of pulling in an arbitrary image (if the cluster can reach the internet or an attacker-controlled registry) to hijack resources, or of moving laterally by assuming the privileges of a service account: the Pod spec chooses `serviceAccountName`, so any service account in the namespace can be used, and unless Pod Security Admission or another admission policy forbids it, a `hostPath` volume or a privileged container reaches the node itself. It also drains the cluster's limited resource pool.","links":[],"seeAlso":[]},"container.pods.delete":{"id":"container.pods.delete","name":"Pods","scope":"MEDIUM","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a Pod deletes its containers and ephemeral volumes. PersistentVolumes attached to the Pod are left intact. 
Logs of the deleted Pod disappear permanently when its containers shut down, unless they were shipped to an external system.","links":[],"seeAlso":[]},"container.pods.evict":{"id":"container.pods.evict","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["impact:consumption"],"notes":"Eviction deletes a Pod while honoring PodDisruptionBudgets; it is the mechanism `kubectl drain` uses. If the Pod is managed by a controller, the controller recreates it, typically on another node; a standalone Pod is simply gone. An attacker may disrupt normal operations with repeated evictions, forcing constant rescheduling.","links":[],"seeAlso":[]},"container.pods.exec":{"id":"container.pods.exec","name":"Pods","scope":"CRITICAL","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. 
In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["escalation:privilege","escalation:lateral"],"notes":"The exec operation is similar to `attach`, but instead of attaching to an existing process it launches a new process from a given command and attaches to it. Most often the command is a shell, dropping the attacker into a terminal inside the container. The resulting risks are container- and application-specific. However, any process run inside the container can read the service account token mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token` and act as that service account, leading to privilege escalation and potentially to lateral movement into other cloud services.","links":[],"seeAlso":[]},"container.pods.get":{"id":"container.pods.get","name":"Pods","scope":"MEDIUM","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. 
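An added example (not part of this catalog and not GKE or Kubernetes code) that audits Kubernetes RBAC rules for the verb/resource combinations behind the `nodes.proxy`, `pods.attach`, `pods.create` and `pods.exec` entries above. It assumes the usual mapping of those IAM permissions to RBAC resources and verbs (`pods/exec` with `create`, `nodes/proxy` with `get` or `create`, and so on); the function names, the RISKY table and the sample rules are constructed for the example. It also handles the two RBAC wildcard forms, `*` and `*/subresource`, which is where over-broad roles usually hide.

```python
# Added example: flag RBAC PolicyRules that grant the high-impact verb/resource
# pairs discussed in the nodes.proxy, pods.attach, pods.create and pods.exec
# entries. Function names, the RISKY table and SAMPLE_RULES are constructed for
# this example; they are not part of the catalog or of Kubernetes.
from typing import Dict, List, Tuple

# (apiGroup, resource, verb) -> why it matters. '' is the core API group and
# subresources are written resource/subresource, exactly as in RBAC manifests.
RISKY: Dict[Tuple[str, str, str], str] = {
    ('', 'nodes/proxy', 'create'): 'kubelet API through the API server proxy: run/exec in any container on the node',
    ('', 'nodes/proxy', 'get'): 'kubelet API through the API server proxy: list pods and read logs on the node',
    ('', 'pods/exec', 'create'): 'new process in a container; reads the mounted service account token',
    ('', 'pods/attach', 'create'): 'stdin/stdout of a running process',
    ('', 'pods/portforward', 'create'): 'reach ports the Pod listens on even if no Service exposes them',
    ('', 'pods', 'create'): 'run any image with any serviceAccountName in the namespace',
    ('', 'nodes', 'delete'): 'destroys every workload on the node',
    ('', 'namespaces', 'delete'): 'destroys every resource in the namespace',
}


def rbac_matches(granted: List[str], wanted: str) -> bool:
    '''RBAC matching for one position of a rule: '*' matches anything, and a
    subresource also matches the '*/subresource' form. A plain 'pods' entry
    does NOT grant 'pods/exec'.'''
    if '*' in granted or wanted in granted:
        return True
    if '/' in wanted:
        return '*/' + wanted.split('/', 1)[1] in granted
    return False


def audit_rules(rules: List[dict]) -> List[dict]:
    '''One finding per (rule index, risky triple) the rules grant. A wildcard
    rule expands against the whole table, so one rule can yield many findings.'''
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get('apiGroups', [])
        resources = rule.get('resources', [])
        verbs = rule.get('verbs', [])
        for (group, resource, verb), why in RISKY.items():
            if rbac_matches(groups, group) and rbac_matches(resources, resource) and rbac_matches(verbs, verb):
                findings.append({'rule': i, 'resource': resource, 'verb': verb, 'why': why})
    return findings


# Constructed sample: the rules of one Role as they would appear under rules:
# in its manifest. Rule 0 is read-only, 1 grants exec, 2 uses the */proxy
# wildcard, 3 is the cluster-admin shape.
SAMPLE_RULES = [
    {'apiGroups': [''], 'resources': ['pods', 'pods/log'], 'verbs': ['get', 'list', 'watch']},
    {'apiGroups': [''], 'resources': ['pods/exec'], 'verbs': ['create']},
    {'apiGroups': [''], 'resources': ['*/proxy'], 'verbs': ['get']},
    {'apiGroups': ['*'], 'resources': ['*'], 'verbs': ['*']},
]

if __name__ == '__main__':
    for f in audit_rules(SAMPLE_RULES):
        print(f['rule'], f['resource'], f['verb'], '-', f['why'])
```

Run it over the rules of every Role and ClusterRole bound to the subject under review. A single rule with `*` in all three positions matches the whole table, which is the cluster-admin case; the `*/proxy` rule shows why subresource wildcards deserve the same scrutiny.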
Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["discovery:infra","discovery:network"],"notes":"Returns the full Pod object: container images, ports, Pod and host IP addresses, the node it runs on, attached volumes, the service account name and environment variables (literal values directly; Secret and ConfigMap references by name).","links":[],"seeAlso":[]},"container.pods.getLogs":{"id":"container.pods.getLogs","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["discovery:infra"],"notes":"The logs (stdout and stderr) of any container in the Pod can be read with the `getLogs` permission. Application logs often contain credentials, tokens and personal data.","links":[],"seeAlso":[]},"container.pods.getStatus":{"id":"container.pods.getStatus","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. 
Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["discovery:infra"],"notes":"Allows reading the `status` subresource of a Pod, which returns the same object as `pods.get`.","links":[],"seeAlso":[]},"container.pods.initialize":{"id":"container.pods.initialize","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":[],"notes":"Documentation is lacking on this permission. 
It may be related to init containers or to the initialization process of a Pod.","links":[],"seeAlso":[]},"container.pods.list":{"id":"container.pods.list","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["discovery:infra"],"notes":"List all Pods, with the same detail as `pods.get` for each.","links":[],"seeAlso":[]},"container.pods.portForward":{"id":"container.pods.portForward","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. 
In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["escalation:network","impact:access"],"notes":"Forwards a local port to a port on the Pod. This allows interaction with the application if it listens on any port, including ports that no Service exposes and that are otherwise reachable only from inside the cluster network. An attacker may use it to exploit application-level vulnerabilities.","links":[],"seeAlso":[]},"container.pods.proxy":{"id":"container.pods.proxy","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets and DaemonSets. Pods consume CPU, memory and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources inside and outside the cluster, often using other services of the cloud provider. In order to do so, Pods carry service account credentials, which, if leaked, allow an attacker to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers in the same Pod share a network namespace and can reach each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet or DaemonSet."},"risks":["escalation:network","impact:access"],"notes":"The proxy action forwards an HTTP request from the API server to a given port and path on the Pod. 
If a process is listening on that port and path, this is similar in effect to port forwarding, and may allow an attacker to exploit application-level risks.","links":[],"seeAlso":[]},"container.pods.update":{"id":"container.pods.update","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods is similar to Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and  network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image.  Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"An update is limited to a few fields in the Pod spec: may not change fields other than  spec.containers[*].image, spec.initContainers[*].image, spec.activeDeadlineSeconds, spec.tolerations (only additions to existing tolerations) or `spec.terminationGracePeriodSeconds` (allow it to be set to 1 if it was previously negative).  In practice even the image update is not possible since pods are typically run via a controller. 
In those cases an update to the `image` field has no effect.","links":["https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#pod-v1-core"],"seeAlso":[]},"container.pods.updateStatus":{"id":"container.pods.updateStatus","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, so they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, which may lead to arbitrary code execution in the cluster if an attacker is able to run their own image. Pods also need access to other resources within the cluster and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"Has no effect on the actual status, as it is managed by Kubernetes.","links":[],"seeAlso":[]},"container.replicaSets.create":{"id":"container.replicaSets.create","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. 
If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Creation of a standalone ReplicaSet allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. Secondly, creating ReplicaSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"container.replicaSets.delete":{"id":"container.replicaSets.delete","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a ReplicaSet deletes its pods and ephemeral volumes. PersistentVolumes attached to the ReplicaSet are left intact. 
Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"container.replicaSets.get":{"id":"container.replicaSets.get","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the ReplicaSet and the Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"container.replicaSets.getScale":{"id":"container.replicaSets.getScale","name":"ReplicaSets","scope":"LOW","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. 
If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/scale` subresource which returns the number of desired replicas in the ReplicaSet. The `replicaSets.get` permission already includes the ability to read this subresource.","links":[],"seeAlso":[]},"container.replicaSets.getStatus":{"id":"container.replicaSets.getStatus","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `replicaSets.get`. 
Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}` resource.","links":[],"seeAlso":[]},"container.replicaSets.list":{"id":"container.replicaSets.list","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all ReplicaSets in a namespace.","links":[],"seeAlso":[]},"container.replicaSets.update":{"id":"container.replicaSets.update","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. 
If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"Only ReplicaSets without a Deployment may be updated. Updates to ReplicaSets owned by a Deployment will succeed but have no effect on the ReplicaSet. An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. Secondly, increasing the replica count in ReplicaSets drains the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"container.replicaSets.updateScale":{"id":"container.replicaSets.updateScale","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. 
Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"Only ReplicaSets without a Deployment may be updated. Updates to ReplicaSets owned by a Deployment will succeed but have no effect on the ReplicaSet. Allows updating the replica count, including setting replicas to 0. If properties other than replicas are updated in the PATCH request, those are quietly ignored. Secondly, increasing the replica count in ReplicaSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"container.replicaSets.updateStatus":{"id":"container.replicaSets.updateStatus","name":"ReplicaSets","scope":"LOW","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":[],"notes":"Allows updating the status object of the ReplicaSet with \"replicas\", \"updatedReplicas\", \"readyReplicas\", and \"availableReplicas\" counts that differ from the actual counts of the ReplicaSet. 
However, these values don't take effect, despite a successful API call.","links":[],"seeAlso":[]},"container.roleBindings.create":{"id":"container.roleBindings.create","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a RoleBinding unless at least one of the following two conditions is met: 1) the caller has the permission it is granting, or 2) the caller has the `roles.bind` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"container.roleBindings.delete":{"id":"container.roleBindings.delete","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["destruction:policy"],"notes":"Deleting a RoleBinding removes the permissions of the Role from a list of principals.","links":[],"seeAlso":[]},"container.roleBindings.get":{"id":"container.roleBindings.get","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. 
A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"Retrieves the list of principals and the role in a specific RoleBinding.","links":[],"seeAlso":[]},"container.roleBindings.list":{"id":"container.roleBindings.list","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"List all RoleBindings within a namespace.","links":[],"seeAlso":[]},"container.roleBindings.update":{"id":"container.roleBindings.update","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. 
Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a RoleBinding unless at least one of the following two conditions is met: 1) the caller has the permission it is granting, or 2) the caller has the `roles.bind` permission.","links":[],"seeAlso":[]},"container.roles.bind":{"id":"container.roles.bind","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by binding a Role to them. Also requires the `roleBindings.create` or `roleBindings.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"container.roles.create":{"id":"container.roles.create","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding. 
Kubernetes does not allow the creation or update of a Role unless at least one of the following two conditions is met: 1) the caller already has the permissions contained in the role, or 2) the caller has the `roles.escalate` permission.","links":[],"seeAlso":[]},"container.roles.delete":{"id":"container.roles.delete","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["destruction:policy"],"notes":"Roles that are attached to principals via a RoleBinding can be deleted in Kubernetes.","links":[],"seeAlso":[]},"container.roles.escalate":{"id":"container.roles.escalate","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by creating a new Role or updating an existing Role. Also requires the `roles.create` or `roles.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update"],"seeAlso":[]},"container.roles.get":{"id":"container.roles.get","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. 
A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"Retrieves the permissions contained in a specific role.","links":[],"seeAlso":[]},"container.roles.list":{"id":"container.roles.list","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"List all roles within a namespace.","links":[],"seeAlso":[]},"container.roles.update":{"id":"container.roles.update","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. 
Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a Role unless at least one of the following two conditions is met: 1) the caller already has the permissions contained in the role, or 2) the caller has the `roles.escalate` permission.","links":[],"seeAlso":[]},"container.secrets.create":{"id":"container.secrets.create","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with the ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":[],"notes":"Creating a secret does not represent a security risk by itself.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.secrets.delete":{"id":"container.secrets.delete","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with the ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. 
Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["destruction:infra"],"notes":"Deleting a secret may disrupt communication of workloads with the Kubernetes API server, or other services.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.secrets.get":{"id":"container.secrets.get","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with the ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["discovery:data","discovery:infra","exfiltration:crypto","exfiltration:data"],"notes":"By default, secrets are stored unencrypted in Kubernetes, and anyone who can read the secret has access to its contents.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.secrets.list":{"id":"container.secrets.list","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with the ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["discovery:data","discovery:infra","exfiltration:crypto","exfiltration:data"],"notes":"List all secrets in a specific namespace. 
Listing also allows reading the `data` field of each secret.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.secrets.update":{"id":"container.secrets.update","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with the ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["destruction:infra"],"notes":"Allows updating the contents of the secret (the `data` field) unless the `immutable` property is set to true.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"container.serviceAccounts.create":{"id":"container.serviceAccounts.create","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests. This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token; however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads. It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. 
Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":[],"notes":"Creating a service account by itself does not represent a security risk. Service accounts need to be granted permissions via Roles.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.serviceAccounts.createToken":{"id":"container.serviceAccounts.createToken","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests. This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token; however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads. It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["escalation:lateral"],"notes":"Allows sending a TokenRequest to the API server. This request issues a new token and binds the token to a service account. 
The token is also returned to the caller, allowing it to act as the service account bound to that token.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#tokenrequestspec-v1-authentication-k8s-io","https://securitylabs.datadoghq.com/articles/kubernetes-tokenrequest-api/"],"seeAlso":[]},"container.serviceAccounts.delete":{"id":"container.serviceAccounts.delete","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests. This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token; however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads. It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["destruction:infra"],"notes":"Deleting a service account may disrupt communication of workloads with the Kubernetes API server.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.serviceAccounts.get":{"id":"container.serviceAccounts.get","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests. This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. 
The token is a long-lived token; however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads. It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["discovery:infra"],"notes":"Read which secrets are associated with a specific service account. The secret contents cannot be read with this permission.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.serviceAccounts.list":{"id":"container.serviceAccounts.list","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests. This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token; however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads. It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. 
Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["discovery:infra"],"notes":"Read all service accounts in a namespace.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.serviceAccounts.update":{"id":"container.serviceAccounts.update","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is long-lived; however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["destruction:infra"],"notes":"An update may add or remove secrets. In particular, a removal may strip the `imagePullSecret` of the service account or its Kubernetes API secret.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"container.services.create":{"id":"container.services.create","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["escalation:network"],"notes":"Services open up communication to your pods from other Kubernetes workloads. 
Depending on other settings in the Kubernetes cluster and the presence of ingress controllers, it may allow public exposure as well.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.delete":{"id":"container.services.delete","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["destruction:network"],"notes":"Deleting a service may disrupt communication to Pods, taking down an application completely.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.get":{"id":"container.services.get","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"Retrieve status information such as Pod selector, IP (virtual), port. 
Additionally, load-balancer information is returned, if any: public IP, port, host name.","links":["https://kubernetes.io/docs/concepts/services-networking/service","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#loadbalancerstatus-v1-core"],"seeAlso":[]},"container.services.getStatus":{"id":"container.services.getStatus","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"While this is a different permission from `services.get`, calling the `GET api/v1/namespaces/default/services/{{service-name}}/status` endpoint retrieves the same information as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.list":{"id":"container.services.list","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"List all services and their description to the same detail as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.proxy":{"id":"container.services.proxy","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external 
clients."},"risks":["escalation:lateral","escalation:network","exfiltration:data","impact:manipulation"],"notes":"Allows an attacker to interact with your application as if they were inside the Kubernetes cluster. Creates a proxy between localhost and a specified service running on Kubernetes. This service can be a kube-system service started by Kubernetes and retrieved by the `kubectl cluster-info` command, or a user-defined Service object. The resulting proxy allows sending payloads to the targeted Service, which would otherwise be unreachable. This is different from the `kubectl proxy` command, which creates a proxy for the Kubernetes API server - this endpoint acts like a bastion and exposes the user-defined application endpoints of a Service.","links":["https://kubernetes.io/docs/concepts/services-networking/service","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#create-connect-proxy-service-v1-core","https://kubernetes.io/docs/concepts/cluster-administration/proxies/"],"seeAlso":[]},"container.services.update":{"id":"container.services.update","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["destruction:network","escalation:network"],"notes":"Modifying a Service may render Pods unreachable to other Kubernetes workloads or establish new connections to Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.services.updateStatus":{"id":"container.services.updateStatus","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external 
clients."},"risks":["discovery:network"],"notes":"Updating the status metadata has no effect on the actual status of the Service. Services are managed by controllers. However, the response returns the entire Service object, with the same information as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint, allowing discovery of Service parameters.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"container.statefulSets.create":{"id":"container.statefulSets.create","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Creation of StatefulSets allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution if the cluster has access to the public internet. Secondly, creating StatefulSets drains the limited resources available to other Kubernetes workloads. Persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"container.statefulSets.delete":{"id":"container.statefulSets.delete","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a StatefulSet deletes its Pods and ephemeral volumes. 
Persistent Volumes are retained. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"container.statefulSets.get":{"id":"container.statefulSets.get","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the StatefulSet, and Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"container.statefulSets.getScale":{"id":"container.statefulSets.getScale","name":"StatefulSets","scope":"LOW","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/scale` subresource which returns the number of desired replicas in the StatefulSet. The `statefulSets.get` permission already includes the ability to read this subresource.","links":[],"seeAlso":[]},"container.statefulSets.getStatus":{"id":"container.statefulSets.getStatus","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. 
As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `statefulSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}` resource.","links":[],"seeAlso":[]},"container.statefulSets.list":{"id":"container.statefulSets.list","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all StatefulSets in a namespace.","links":[],"seeAlso":[]},"container.statefulSets.update":{"id":"container.statefulSets.update","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. 
Secondly, increasing the replica count in StatefulSets may cause disruption to stateful services, depending on the behavior of the stateful service in a scaling event. Scaling may drain the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"container.statefulSets.updateScale":{"id":"container.statefulSets.updateScale","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"If properties other than replicas are updated in the PATCH request, those are quietly ignored.  Secondly, increasing the replica count in StatefulSets may disrupt stateful service and/or drain the limited resources  available to other Kubernetes workloads.","links":[],"seeAlso":[]},"container.statefulSets.updateStatus":{"id":"container.statefulSets.updateStatus","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":[],"notes":"This subresource has no effect on the actual StatefulSets.","links":[],"seeAlso":[]},"dataproc.clusters.create":{"id":"dataproc.clusters.create","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. 
Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["impact:spend"],"notes":"Creating a Dataproc cluster provides access to the cluster's short-lived service account token. `serviceAccount.actAs` permission is necessary to create a cluster with this account.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters","https://www.youtube.com/watch?v=kyqeBGNSEIc","https://www.blackhat.com/us-20/briefings/schedule/#lateral-movement-and-privilege-escalation-in-gcp-compromise-any-organization-without-dropping-an-implant-19435"],"seeAlso":[]},"dataproc.clusters.delete":{"id":"dataproc.clusters.delete","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.get":{"id":"dataproc.clusters.get","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. 
Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":[],"notes":"Allows retrieval of the cluster's configuration and status only.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.getIamPolicy":{"id":"dataproc.clusters.getIamPolicy","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.list":{"id":"dataproc.clusters.list","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["discovery:infra"],"notes":"See `get`.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.setIamPolicy":{"id":"dataproc.clusters.setIamPolicy","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. 
Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["destruction:policy","escalation:privilege","impact:access"],"notes":null,"links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.start":{"id":"dataproc.clusters.start","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.stop":{"id":"dataproc.clusters.stop","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. 
Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":[],"notes":"Job state will be lost, but in general jobs will be idempotent.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.update":{"id":"dataproc.clusters.update","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["impact:spend"],"notes":"Allows the caller to update the number of instances the job uses.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters"],"seeAlso":[]},"dataproc.clusters.use":{"id":"dataproc.clusters.use","name":"Dataproc clusters","scope":"MEDIUM","parent":{"notes":"Allows access to machine-learning pipelines. Creating a cluster allows exfiltration of the default service account tokens.","description":"Create and manage Dataproc clusters. Dataproc clusters provide a platform for running Apache Hadoop, Hive, Pig, and Spark jobs."},"risks":["impact:spend"],"notes":"Allows the caller to submit a job to the cluster. 
Jobs may gain access to the cluster's short-lived service-account credentials.","links":["https://cloud.google.com/dataproc/docs/concepts/overview","https://cloud.google.com/sdk/gcloud/reference/dataproc/clusters","https://cloud.google.com/dataproc/docs/reference/rest/v1/projects.regions.clusters","https://www.youtube.com/watch?v=kyqeBGNSEIc","https://www.blackhat.com/us-20/briefings/schedule/#lateral-movement-and-privilege-escalation-in-gcp-compromise-any-organization-without-dropping-an-implant-19435"],"seeAlso":[]},"datastore.entities.allocateIds":{"id":"datastore.entities.allocateIds","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":[],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.create":{"id":"datastore.entities.create","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. 
An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":["impact:consumption","impact:spend"],"notes":"Creating an entity also uses storage quota, which is billed per gigabyte per month along with write to the datastore.","links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.delete":{"id":"datastore.entities.delete","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":["destruction:data","impact:spend"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.get":{"id":"datastore.entities.get","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. 
Entities operations are billed per operation  and per gigabyte per month."},"risks":["discovery:data","collection:data","exfiltration:data","impact:spend"],"notes":"Getting an entity also uses read quota from the datastore.","links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.list":{"id":"datastore.entities.list","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. Entities operations are billed per operation  and per gigabyte per month."},"risks":["discovery:data","impact:spend"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.entities.update":{"id":"datastore.entities.update","name":"Entities","scope":"HIGH","parent":{"notes":"Permissions to create, edit and delete entities can result in spend towards write, read and storage quotas. Access to Entities storing sensitive information can result in data exfiltration.","description":"Data objects in Firestore in Datastore mode are known as entities. An entity has one or more named properties,  each of which can have one or more values. Properties can store data of various types, including strings, numbers,  dates, and binary data. An entity is limited to 1 megabyte when stored. 
Entities operations are billed per operation  and per gigabyte per month."},"risks":["destruction:data","impact:spend"],"notes":"Entity fields can be deleted by updating the document without fields. This will delete all fields in the entity.","links":["https://cloud.google.com/datastore/docs/concepts/entities","https://cloud.google.com/datastore/pricing"],"seeAlso":[]},"datastore.indexes.list":{"id":"datastore.indexes.list","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["discovery:infra","discovery:data"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.indexes.create":{"id":"datastore.indexes.create","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. 
Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["impact:consumption","impact:spend"],"notes":"An attacker can create too many indexes and hit the index limits.","links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.indexes.delete":{"id":"datastore.indexes.delete","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["impact:dos","destruction:infra"],"notes":"An attacker can delete indexes and cause queries to execute slowly or to fail.","links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.indexes.get":{"id":"datastore.indexes.get","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  
However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.indexes.update":{"id":"datastore.indexes.update","name":"indexes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud Datastore indices enable fast and optimized data queries in Firestore in Datastore mode.  However, altering indices can lead to increased costs, longer index build times, operation limitations,  and temporary performance impacts. By default, all entity properties are automatically indexed,  but creating custom indices incurs storage and operation costs. Deleting indices can negatively  impact query performance, and functionality, and require index rebuilding, potentially resulting  in slower queries and incomplete results, along with increased costs for index rebuilding."},"risks":["impact:dos","impact:spend"],"notes":"An attacker can update indexes, which can consume time, or cause queries to execute slowly or to fail. 
Indexes also incur spend.","links":["https://cloud.google.com/datastore/docs/concepts/indexes#index_limits","https://cloud.google.com/datastore/docs/concepts/indexes#datastore-indexes-and-index-configuration-files","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.indexes"],"seeAlso":[]},"datastore.namespaces.get":{"id":"datastore.namespaces.get","name":"namespaces","scope":"LOW","parent":{"notes":"Information about namespaces has minimal impact without access to the data in the namespace, although a misconfigured system that uses client names as namespaces allows client enumeration.","description":"Datastore mode enables multi-tenancy using namespaces. Namespaces are only for organizing data and are not security boundaries."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/multitenancy"],"seeAlso":[]},"datastore.namespaces.list":{"id":"datastore.namespaces.list","name":"namespaces","scope":"LOW","parent":{"notes":"Information about namespaces has minimal impact without access to the data in the namespace, although a misconfigured system that uses client names as namespaces allows client enumeration.","description":"Datastore mode enables multi-tenancy using namespaces. Namespaces are only for organizing data and are not security boundaries."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/multitenancy"],"seeAlso":[]},"datastore.operations.cancel":{"id":"datastore.operations.cancel","name":"Operations","scope":"MEDIUM","parent":{"notes":"Long-running operations incur costs and consume infrastructure, so having cancel privileges can result in spend.","description":"Manages Cloud Datastore admin operations that include importing and exporting large amounts of data, running complex queries to analyze data, and generating reports."},"risks":["impact:spend"],"notes":"Cancels a currently-running Cloud Datastore admin operation. 
Cancelling a long-running operation might result in the operation being re-run, thereby incurring spend.","links":["https://cloud.google.com/datastore/docs/export-import-entities#listing_all_long-running_operations","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.operations"],"seeAlso":[]},"datastore.operations.delete":{"id":"datastore.operations.delete","name":"Operations","scope":"MEDIUM","parent":{"notes":"Long-running operations incur costs and consume infrastructure, so having cancel privileges can result in spend.","description":"Manages Cloud Datastore admin operations that include importing and exporting large amounts of data, running complex queries to analyze data, and generating reports."},"risks":["destruction:logs"],"notes":"Deletes a completed Cloud Datastore admin operation. This results in loss of the history of operations performed in the system.","links":["https://cloud.google.com/datastore/docs/export-import-entities#listing_all_long-running_operations","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.operations"],"seeAlso":[]},"datastore.operations.get":{"id":"datastore.operations.get","name":"Operations","scope":"MEDIUM","parent":{"notes":"Long-running operations incur costs and consume infrastructure, so having cancel privileges can result in spend.","description":"Manages Cloud Datastore admin operations that include importing and exporting large amounts of data, running complex queries to analyze data, and generating reports."},"risks":["discovery:metadata"],"notes":"Gets the latest state of a long-running operation.","links":["https://cloud.google.com/datastore/docs/export-import-entities#listing_all_long-running_operations","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.operations"],"seeAlso":[]},"datastore.operations.list":{"id":"datastore.operations.list","name":"Operations","scope":"MEDIUM","parent":{"notes":"Long-running operations incur costs and consume infrastructure, so having cancel privileges 
can result in spend.","description":"Manages Cloud Datastore admin operations that include importing and exporting large amounts of data, running complex queries to analyze data, and generating reports."},"risks":[],"notes":"Lists operations that match the specified filter in the request.","links":["https://cloud.google.com/datastore/docs/export-import-entities#listing_all_long-running_operations","https://cloud.google.com/datastore/docs/reference/admin/rest/v1/projects.operations"],"seeAlso":[]},"datastore.statistics.get":{"id":"datastore.statistics.get","name":"Statistics","scope":"LOW","parent":{"notes":null,"description":"Firestore in Datastore mode maintains statistics about the data stored in an application.  An attacker could use the statistics to gain information about the application's data,  such as the number of entities in each kind, the total size of the data, and  the most recent time the data was updated."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/stats","https://cloud.google.com/datastore/docs/console/datastore-statistics"],"seeAlso":[]},"datastore.statistics.list":{"id":"datastore.statistics.list","name":"Statistics","scope":"LOW","parent":{"notes":null,"description":"Firestore in Datastore mode maintains statistics about the data stored in an application.  
An attacker could use the statistics to gain information about the application's data,  such as the number of entities in each kind, the total size of the data, and  the most recent time the data was updated."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/datastore/docs/concepts/stats","https://cloud.google.com/datastore/docs/console/datastore-statistics"],"seeAlso":[]},"dns.changes.create":{"id":"dns.changes.create","name":"Cloud DNS Changes","scope":"LOW","parent":{"notes":null,"description":"A Cloud DNS Change contains a set of additions and deletions atomically applied to a record managed by Cloud DNS."},"risks":[],"notes":"In order to actually update or delete DNS records, you need permissions on the appropriate ResourceRecordSet, so changes.create on its own has no risks.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/changes#resource","https://cloud.google.com/dns/docs/records"],"seeAlso":[]},"dns.changes.get":{"id":"dns.changes.get","name":"Cloud DNS Changes","scope":"LOW","parent":{"notes":null,"description":"A Cloud DNS Change contains a set of additions and deletions atomically applied to a record managed by Cloud DNS."},"risks":["discovery:network"],"notes":"Allows viewing DNS record changelogs. This includes private DNS records.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/changes#resource","https://cloud.google.com/dns/docs/records"],"seeAlso":[]},"dns.changes.list":{"id":"dns.changes.list","name":"Cloud DNS Changes","scope":"LOW","parent":{"notes":null,"description":"A Cloud DNS Change contains a set of additions and deletions atomically applied to a record managed by Cloud DNS."},"risks":["discovery:network"],"notes":"Allows viewing DNS record changelogs. 
This includes private DNS records.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/changes#resource","https://cloud.google.com/dns/docs/records"],"seeAlso":[]},"dns.dnsKeys.get":{"id":"dns.dnsKeys.get","name":"DNS Keys","scope":"PUBLIC","parent":{"notes":"Private keys are automatically managed by Google. Only public keys and metadata are viewable.","description":"Automatically managed DNS keys for Cloud DNS records."},"risks":[],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/dnskeys","https://cloud.google.com/dns/docs/reference/v1/dnsKeys"],"seeAlso":[]},"dns.dnsKeys.list":{"id":"dns.dnsKeys.list","name":"DNS Keys","scope":"PUBLIC","parent":{"notes":"Private keys are automatically managed by Google. Only public keys and metadata are viewable.","description":"Automatically managed DNS keys for Cloud DNS records."},"risks":[],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/dnskeys","https://cloud.google.com/dns/docs/reference/v1/dnsKeys"],"seeAlso":[]},"dns.gkeClusters.bindDNSResponsePolicy":{"id":"dns.gkeClusters.bindDNSResponsePolicy","name":"Cloud DNS GKE Clusters","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind a private DNS zone or a DNS response policy with a GKE cluster."},"risks":["impact:dos","takeover:domain"],"notes":"If the cluster is in a private DNS zone, an attacker can change DNS  resolution behavior by binding a response policy. This can create a DOS. 
If the attacker additionally has permissions to create or update response policy rules, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/configure-scopes"],"seeAlso":[]},"dns.gkeClusters.bindPrivateDNSZone":{"id":"dns.gkeClusters.bindPrivateDNSZone","name":"Cloud DNS GKE Clusters","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind a private DNS zone or a DNS response policy with a GKE cluster."},"risks":["impact:dos"],"notes":"If Cloud DNS is enabled on the cluster already,  binding a new private DNS zone can change DNS resolution behavior, potentially creating a DOS. If the attacker additionally has permissions to create or update records in any zone, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/configure-scopes"],"seeAlso":[]},"dns.managedZoneOperations.get":{"id":"dns.managedZoneOperations.get","name":"Cloud DNS Managed Zone Operations","scope":"LOW","parent":{"notes":null,"description":"An operation represents a successful mutation performed on a Cloud DNS resource."},"risks":["discovery:network"],"notes":"May expose information about private Cloud DNS zones.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZoneOperations"],"seeAlso":[]},"dns.managedZoneOperations.list":{"id":"dns.managedZoneOperations.list","name":"Cloud DNS Managed Zone Operations","scope":"LOW","parent":{"notes":null,"description":"An operation represents a successful mutation performed on a Cloud DNS resource."},"risks":["discovery:network"],"notes":"May expose information about private Cloud DNS zones.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZoneOperations"],"seeAlso":[]},"dns.managedZones.create":{"id":"dns.managedZones.create","name":"Cloud DNS Managed 
Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.delete":{"id":"dns.managedZones.delete","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["impact:dos","destruction:network","takeover:domain"],"notes":"Deleting the managed zone without deleting the records inside it leaves those domains open for takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource","https://xebia.com/blog/how-to-take-over-a-subdomain-in-google-cloud-dns/"],"seeAlso":[]},"dns.managedZones.get":{"id":"dns.managedZones.get","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["discovery:network"],"notes":"Can expose information about private DNS zones.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.getIamPolicy":{"id":"dns.managedZones.getIamPolicy","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS 
service."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.list":{"id":"dns.managedZones.list","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["discovery:network"],"notes":"Can expose information about private DNS zones.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.setIamPolicy":{"id":"dns.managedZones.setIamPolicy","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.managedZones.update":{"id":"dns.managedZones.update","name":"Cloud DNS Managed Zone","scope":"MEDIUM","parent":{"notes":"Cloud DNS supports a variety of different public and private zones, including forwarding zones and peering zones.","description":"A DNS zone hosted and managed by the Cloud DNS service."},"risks":["impact:dos","discovery:network","destruction:defense","destruction:metadata"],"notes":"Can change the forwarding config, peering config, or visibility in order to create a DOS.  Can change the visibility of the zone to public. 
Can update metadata.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/managedZones#resource"],"seeAlso":[]},"dns.networks.bindDNSResponsePolicy":{"id":"dns.networks.bindDNSResponsePolicy","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":["impact:dos","takeover:domain"],"notes":"If the network is in a private DNS zone, an attacker can change DNS  resolution behavior by binding a response policy. This can create a DOS. If the attacker additionally has permissions to create or update response policy rules, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.networks.bindPrivateDNSZone":{"id":"dns.networks.bindPrivateDNSZone","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":["impact:dos","takeover:domain"],"notes":"Binding a new private DNS zone can change DNS resolution behavior, potentially creating a DOS. If the attacker additionally has permissions to create or update records in any zone, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.networks.bindPrivateDNSPolicy":{"id":"dns.networks.bindPrivateDNSPolicy","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":["impact:dos"],"notes":"Allows binding a server policy to a VPC network. 
This can create a DOS because it can disable resolution with any name servers other than the ones specified in the policy.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.networks.targetWithPeeringZone":{"id":"dns.networks.targetWithPeeringZone","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":["impact:dos","takeover:domain"],"notes":"This permission allows you to configure a network with DNS peering, so that DNS requests in the network are \"forwarded\" to the peer network. This can change DNS resolution behavior, which can potentially create a DOS. If the attacker additionally has permissions to create or update records in any zone, allows domain takeover.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.networks.useHealthSignals":{"id":"dns.networks.useHealthSignals","name":"Cloud DNS Networks","scope":"MEDIUM","parent":{"notes":null,"description":"Resources used by Cloud DNS to bind DNS zones or policies with VPC networks."},"risks":[],"notes":"Allows using Cloud DNS health checking on the network. This is used to create routing policies that automatically fail over to healthy endpoints in the case of health check failures.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/policies-overview"],"seeAlso":[]},"dns.policies.create":{"id":"dns.policies.create","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and outbound DNS forwarding for a VPC network. 
Each VPC network can have up to one server policy configured."},"risks":[],"notes":"Creation does nothing without permission to bind the policy to a network.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.delete":{"id":"dns.policies.delete","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and outbound DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["impact:dos","destruction:policy"],"notes":"Removing the correct DNS forwarding rules may cause a DOS.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.get":{"id":"dns.policies.get","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and outbound DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.getIamPolicy":{"id":"dns.policies.getIamPolicy","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and outbound DNS forwarding for a VPC network. 
Each VPC network can have up to one server policy configured."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.list":{"id":"dns.policies.list","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and outbound DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.setIamPolicy":{"id":"dns.policies.setIamPolicy","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and outbound DNS forwarding for a VPC network. Each VPC network can have up to one server policy configured."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.policies.update":{"id":"dns.policies.update","name":"Cloud DNS Server Policies","scope":"MEDIUM","parent":{"notes":null,"description":"Specifies inbound and outbound DNS forwarding for a VPC network. 
Each VPC network can have up to one server policy configured."},"risks":["impact:dos"],"notes":"Update allows enabling or disabling inbound or outbound forwarding, which can break name resolution.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/server-policies-overview","https://cloud.google.com/dns/docs/reference/v1beta2/policies"],"seeAlso":[]},"dns.projects.get":{"id":"dns.projects.get","name":"Cloud DNS Projects","scope":"LOW","parent":{"notes":null,"description":"A DNS project is the top-level resource that contains all Cloud DNS resources within the Google project."},"risks":["discovery:network"],"notes":"Allows viewing statistics about the total number of DNS records, zones, and policies of each type in the project.","links":["https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/reference/v1/projects"],"seeAlso":[]},"dns.resourceRecordSets.create":{"id":"dns.resourceRecordSets.create","name":"Resource Record Set","scope":"CRITICAL","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  This includes both public and private DNS records."},"risks":["takeover:domain"],"notes":"By creating DNS records in an active managed zone, an attacker can cause some of the traffic to your domains to be directed to them.","links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.resourceRecordSets.delete":{"id":"dns.resourceRecordSets.delete","name":"Resource Record Set","scope":"MEDIUM","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  
This includes both public and private DNS records."},"risks":["impact:dos","destruction:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.resourceRecordSets.get":{"id":"dns.resourceRecordSets.get","name":"Resource Record Set","scope":"MEDIUM","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  This includes both public and private DNS records."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.resourceRecordSets.list":{"id":"dns.resourceRecordSets.list","name":"Resource Record Set","scope":"MEDIUM","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  This includes both public and private DNS records."},"risks":["discovery:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.resourceRecordSets.update":{"id":"dns.resourceRecordSets.update","name":"Resource Record Set","scope":"CRITICAL","parent":{"notes":null,"description":"A resource record set either contains a DNS record managed by Cloud DNS or a routing policy.  
This includes both public and private DNS records."},"risks":["impact:dos","takeover:domain"],"notes":"Grants edit access to existing DNS records.","links":["https://cloud.google.com/dns/docs/reference/v1/resourceRecordSets","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/records","https://cloud.google.com/dns/docs/zones/manage-routing-policies"],"seeAlso":[]},"dns.responsePolicies.create":{"id":"dns.responsePolicies.create","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS lookups."},"risks":[],"notes":"A created response policy cannot be used on a VPC network without permissions on that network. Creating a response policy only attaches it to the network; adding any rules requires separate permissions on rules.","links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicies.delete":{"id":"dns.responsePolicies.delete","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS lookups."},"risks":["impact:dos","destruction:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicies.get":{"id":"dns.responsePolicies.get","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS 
lookups."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicies.list":{"id":"dns.responsePolicies.list","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS lookups."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicies.update":{"id":"dns.responsePolicies.update","name":"Cloud DNS Response Policies","scope":"MEDIUM","parent":{"notes":null,"description":"A Response Policy is a collection of rules attached to a VPC network that will be used for DNS lookups."},"risks":["impact:dos"],"notes":"Updating an existing response policy can create a DOS by removing it from the attached network. 
Updating any rules requires permissions on rules.","links":["https://cloud.google.com/dns/docs/reference/v1/responsePolicies","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.create":{"id":"dns.responsePolicyRules.create","name":"Response Policy Rule","scope":"HIGH","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the selector."},"risks":["impact:dos","takeover:domain"],"notes":"A response policy rule can effectively be used by an attacker to redirect traffic on a domain  within the VPC network the policy is attached to.","links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.delete":{"id":"dns.responsePolicyRules.delete","name":"Response Policy Rule","scope":"MEDIUM","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the selector."},"risks":["impact:dos","destruction:network"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.get":{"id":"dns.responsePolicyRules.get","name":"Response Policy Rule","scope":"MEDIUM","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the 
selector."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.list":{"id":"dns.responsePolicyRules.list","name":"Response Policy Rule","scope":"MEDIUM","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the selector."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"dns.responsePolicyRules.update":{"id":"dns.responsePolicyRules.update","name":"Response Policy Rule","scope":"HIGH","parent":{"notes":null,"description":"A response policy rule contains a selector and optionally DNS records or  configured behavior for answering DNS queries that match the selector."},"risks":["impact:dos","takeover:domain"],"notes":"A response policy rule can effectively be used by an attacker to redirect traffic on a domain  within the VPC network the policy is attached to.","links":["https://cloud.google.com/dns/docs/reference/v1beta2/responsePolicyRules","https://cloud.google.com/dns/docs/access-control","https://cloud.google.com/dns/docs/zones/manage-response-policies"],"seeAlso":[]},"domains.locations.list":{"id":"domains.locations.list","name":"Cloud Domains Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud Domains.","description":"Infrastructure regions available for Google Cloud 
Domains."},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control"],"seeAlso":[]},"domains.operations.get":{"id":"domains.operations.get","name":"Cloud domains operations","scope":"PUBLIC","parent":{"notes":"Domain registrations are public, so though operations expose registration info, it is not sensitive.","description":"Operations represent long-running cloud domain API calls.  They are used for create, delete, update, and configuration operations on domain registrations."},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.operations"],"seeAlso":[]},"domains.operations.list":{"id":"domains.operations.list","name":"Cloud domains operations","scope":"PUBLIC","parent":{"notes":"Domain registrations are public, so though operations expose registration info, it is not sensitive.","description":"Operations represent long-running cloud domain API calls.  They are used for create, delete, update, and configuration operations on domain registrations."},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.operations"],"seeAlso":[]},"domains.operations.cancel":{"id":"domains.operations.cancel","name":"Cloud domains operations","scope":"MEDIUM","parent":{"notes":"Domain registrations are public, so though operations expose registration info, it is not sensitive.","description":"Operations represent long-running cloud domain API calls.  
They are used for create, delete, update, and configuration operations on domain registrations."},"risks":["impact:dos"],"notes":"Can cancel running operations on registrations, such as configuration changes.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.operations"],"seeAlso":[]},"domains.registrations.configureContact":{"id":"domains.registrations.configureContact","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":[],"notes":"Only allows updating a registration's contact settings.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.configureDns":{"id":"domains.registrations.configureDns","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["impact:dos","takeover:domain"],"notes":"Allows updating DNS settings, including specifying custom name servers.  
Allows an attacker to route traffic on the domain.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.configureManagement":{"id":"domains.registrations.configureManagement","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["destruction:infra","takeover:domain"],"notes":"Allows updating domain settings, such as renewal settings and whether the domain is locked from being transferred to another registrar. Also allows exporting the domain so that it is no longer managed by Cloud Domains (it is still accessible through Google Domains). Additionally allows retrieving the authorization code for transferring the domain to another registrar. These permissions combined can allow an attacker to gain control over the domain by transferring it to another registrar.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.create":{"id":"domains.registrations.create","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  
It facilitates managing and configuring domain name registrations"},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.createTagBinding":{"id":"domains.registrations.createTagBinding","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.delete":{"id":"domains.registrations.delete","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["destruction:infra"],"notes":"If an active domain registration is deleted, the domain can still be managed through Google Domains until its expiry. 
This just deletes the domain's managed registration in Cloud Domains.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview","https://cloud.google.com/domains/docs/delete-domain"],"seeAlso":[]},"domains.registrations.deleteTagBinding":{"id":"domains.registrations.deleteTagBinding","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.get":{"id":"domains.registrations.get","name":"Cloud domains registration","scope":"PUBLIC","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  
It facilitates managing and configuring domain name registrations"},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.getIamPolicy":{"id":"domains.registrations.getIamPolicy","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["discovery:account","discovery:policy"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.list":{"id":"domains.registrations.list","name":"Cloud domains registration","scope":"PUBLIC","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  
It facilitates managing and configuring domain name registrations"},"risks":[],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.listEffectiveTags":{"id":"domains.registrations.listEffectiveTags","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.listTagBindings":{"id":"domains.registrations.listTagBindings","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  
It facilitates managing and configuring domain name registrations"},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.setIamPolicy":{"id":"domains.registrations.setIamPolicy","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  It facilitates managing and configuring domain name registrations"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"domains.registrations.update":{"id":"domains.registrations.update","name":"Cloud domains registration","scope":"HIGH","parent":{"notes":"Though the contents of domain registrations are public, this resource contains many permissions to update and configure domain registrations which are highly sensitive.","description":"A registration is a resource representing a domain registration managed by Cloud Domains.  
It facilitates managing and configuring domain name registrations"},"risks":["destruction:metadata"],"notes":"Only allows updating labels on the registration.","links":["https://cloud.google.com/domains/docs/access-control","https://cloud.google.com/domains/docs/reference/rest/v1beta1/projects.locations.registrations","https://cloud.google.com/domains/docs/overview"],"seeAlso":[]},"firebase.projects.create":{"id":"firebase.projects.create","name":"Firebase project admin","scope":"HIGH","parent":{"notes":null,"description":"Manage Firebase projects programmatically: metadata, create, and delete."},"risks":["impact:consumption"],"notes":"Firebase has a soft limit on number of projects per Google Cloud account, and an attacker could theoretically exhaust this limit.","links":[],"seeAlso":[]},"firebase.projects.delete":{"id":"firebase.projects.delete","name":"Firebase project admin","scope":"CRITICAL","parent":{"notes":null,"description":"Manage Firebase projects programmatically: metadata, create, and delete."},"risks":["destruction:data","destruction:infra"],"notes":null,"links":[],"seeAlso":[]},"firebase.projects.update":{"id":"firebase.projects.update","name":"Firebase project admin","scope":"CRITICAL","parent":{"notes":null,"description":"Manage Firebase projects programmatically: metadata, create, and delete."},"risks":[],"notes":null,"links":[],"seeAlso":[]},"firebaserules.releases.create":{"id":"firebaserules.releases.create","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":[],"notes":"You can technically create new releases for additional services that use security rules, but if one didn't already exist for that service, that means that the service is not in use and therefore does not represent a 
risk.","links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.releases.delete":{"id":"firebaserules.releases.delete","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":["destruction:policy","impact:access"],"notes":"If an attacker deletes a project's firestore security rules, it will reset the rules to a default which denies all requests, therefore making the app unusable.","links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.releases.get":{"id":"firebaserules.releases.get","name":"Firebase security rules publishing","scope":"LOW","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":[],"notes":"Allows reading metadata about the release and a pointer to the ruleset, but not the rules themselves","links":["https://firebase.google.com/docs/rules","https://firebase.google.com/docs/reference/rules/rest/v1/projects.releases#Release"],"seeAlso":[]},"firebaserules.releases.getExecutable":{"id":"firebaserules.releases.getExecutable","name":"Firebase security rules publishing","scope":"LOW","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":[],"notes":"Gets an encoded executable string, not useful for an attacker.","links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.releases.list":{"id":"firebaserules.releases.list","name":"Firebase security rules publishing","scope":"LOW","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled 
services."},"risks":[],"notes":null,"links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.releases.update":{"id":"firebaserules.releases.update","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules releases, which define which security rules are live and used by security rules-enabled services."},"risks":["destruction:policy","escalation:data","impact:access"],"notes":"When combined with the ability to create arbitrary ruleset context, can allow data escalation. Used alone, an attacker could revert your environment to a known old, insecure ruleset.","links":["https://firebase.google.com/docs/rules"],"seeAlso":[]},"firebaserules.rulesets.create":{"id":"firebaserules.rulesets.create","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":["destruction:policy","escalation:data","impact:access"],"notes":"While creating a ruleset by itself doesn't do anything, when combined with access to update security rules releases, an attacker can hijack your security rules.","links":[],"seeAlso":[]},"firebaserules.rulesets.delete":{"id":"firebaserules.rulesets.delete","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. 
By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":["destruction:logs"],"notes":"While an attacker cannot delete the currently used ruleset, they can delete older rulesets which may cause a loss of historical rules information.","links":[],"seeAlso":[]},"firebaserules.rulesets.get":{"id":"firebaserules.rulesets.get","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":["discovery:policy"],"notes":null,"links":[],"seeAlso":[]},"firebaserules.rulesets.list":{"id":"firebaserules.rulesets.list","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":[],"notes":"Lists metadata only.","links":[],"seeAlso":[]},"firebaserules.rulesets.test":{"id":"firebaserules.rulesets.test","name":"Firebase security rules publishing","scope":"HIGH","parent":{"notes":null,"description":"Manage security rules sources. 
By themselves, these don't do anything, but when they are referenced by the current release, they are the active rules."},"risks":[],"notes":"Test validity of security rules source code (basically syntax/error checking).","links":[],"seeAlso":[]},"iam.roles.create":{"id":"iam.roles.create","name":"IAM Roles","scope":"LOW","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.undelete":{"id":"iam.roles.undelete","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["persistence:account"],"notes":"Undeleting a custom role will restore any bindings the role was part of at the time of deletion.","links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.delete":{"id":"iam.roles.delete","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["impact:access","destruction:policy"],"notes":"Deleting a custom role is possible even when it's present in bindings. 
The bindings remain, but are ineffectual.","links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.update":{"id":"iam.roles.update","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["escalation:privilege","impact:access"],"notes":"Only custom roles can be updated. An update automatically grants additional access for principals to resources that the role is bound to. An attacker is able to grant additional permissions to a role they already have. Note that permissions are inherited by child resources. For example, updating a role bound to a project can grant permissions on new services and new resources.","links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.get":{"id":"iam.roles.get","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM policies."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.roles.list":{"id":"iam.roles.list","name":"IAM Roles","scope":"CRITICAL","parent":{"notes":"This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.","description":"IAM custom roles created for use in IAM 
policies."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/iam/docs/creating-custom-roles","https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete"],"seeAlso":[]},"iam.serviceAccountKeys.create":{"id":"iam.serviceAccountKeys.create","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  Service accounts are Google accounts used by applications or workloads for authentication, and as a result may have access to many Google services."},"risks":["takeover:account","persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.delete":{"id":"iam.serviceAccountKeys.delete","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  
Service accounts are Google accounts used by applications or workloads for authentication, and as a result may have access to many Google services."},"risks":["impact:dos","impact:access","destruction:crypto"],"notes":"This leads to a DOS in any application that is using the service account key for authentication.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.disable":{"id":"iam.serviceAccountKeys.disable","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  Service accounts are Google accounts used by applications or workloads for authentication, and as a result may have access to many Google services."},"risks":["impact:dos","impact:access"],"notes":"This leads to a DOS in any application that is using the service account key for authentication.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.enable":{"id":"iam.serviceAccountKeys.enable","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  
Service accounts are Google accounts used by applications or workloads for authentication, and as a result may have access to many Google services."},"risks":["escalation:lateral","persistence:account"],"notes":"This can allow a privilege escalation if the attacker is able to gain access to a disabled service account key.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.get":{"id":"iam.serviceAccountKeys.get","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  Service accounts are Google accounts used by applications or workloads for authentication, and as a result may have access to many Google services."},"risks":[],"notes":"This only shows public keys.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccountKeys.list":{"id":"iam.serviceAccountKeys.list","name":"Service Account Keys","scope":"CRITICAL","parent":{"notes":"Service account keys are extremely sensitive since they allow users to authenticate as the service account.","description":"Service account keys are the credentials that service accounts use for authentication.  
Service accounts are Google accounts used by applications or workloads for authentication, and as a result may have access to many Google services."},"risks":[],"notes":"This only shows public keys.","links":["https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys","https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys"],"seeAlso":[]},"iam.serviceAccounts.actAs":{"id":"iam.serviceAccounts.actAs","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.create":{"id":"iam.serviceAccounts.create","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. 
They can be either managed by Google or user-managed."},"risks":["impact:spend","persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.delete":{"id":"iam.serviceAccounts.delete","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["impact:dos","destruction:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.disable":{"id":"iam.serviceAccounts.disable","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. 
They can be either managed by Google or user-managed."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.enable":{"id":"iam.serviceAccounts.enable","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["impact:spend","persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.get":{"id":"iam.serviceAccounts.get","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. 
They can be either managed by Google or user-managed."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.getAccessToken":{"id":"iam.serviceAccounts.getAccessToken","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":"By default, the generated access token only persists for an hour. Longer access times (up to 12 hours) can be configured via the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.getIamPolicy":{"id":"iam.serviceAccounts.getIamPolicy","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. 
They can be either managed by Google or user-managed."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.getOpenIdToken":{"id":"iam.serviceAccounts.getOpenIdToken","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.implicitDelegation":{"id":"iam.serviceAccounts.implicitDelegation","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":"Implicit delegation allows you to chain service account access token requests. 
This permission on a service account lets the user create access tokens for any service account that service account has access to.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.setIamPolicy":{"id":"iam.serviceAccounts.setIamPolicy","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.signBlob":{"id":"iam.serviceAccounts.signBlob","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral","impact:manipulation"],"notes":"Allows for signing of arbitrary payloads. 
Can be used for escalation by signing an access token request.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.signJwt":{"id":"iam.serviceAccounts.signJwt","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["escalation:lateral"],"notes":"Can be used for escalation by signing an access token request.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.list":{"id":"iam.serviceAccounts.list","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. 
They can be either managed by Google or user-managed."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.undelete":{"id":"iam.serviceAccounts.undelete","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. They can be either managed by Google or user-managed."},"risks":["impact:spend","persistence:account"],"notes":null,"links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iam.serviceAccounts.update":{"id":"iam.serviceAccounts.update","name":"Service Accounts","scope":"CRITICAL","parent":{"notes":"Many of these permissions are extremely sensitive, because service accounts are frequently overprovisioned. A user with access to a service account effectively has access to all permissions the service account has, so broad access to service accounts can allow users to gain unintended access.","description":"Service accounts are Google accounts intended for use by applications or workloads for authentication. 
They can be either managed by Google or user-managed."},"risks":[],"notes":"Only allows updating the description and display name.","links":["https://cloud.google.com/iam/docs/service-account-overview","https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1"],"seeAlso":[]},"iap.projects.getSettings":{"id":"iap.projects.getSettings","name":"Identity Aware Proxy project.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured resources in the project."},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.projects.updateSettings":{"id":"iap.projects.updateSettings","name":"Identity Aware Proxy project.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured resources in the project."},"risks":["impact:dos","impact:defacement","impact:hijack","destruction:network"],"notes":"Allows an attacker to update settings related to IAP.  There is a risk of dos if an attacker removes any settings that are essential for authentication such as which domains are allowed to access the app.   There is another setting that allows for creation of a custom Access Denied page.  
This creates a risk of hijack or defacement where an attacker could put up a page of their own.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings","https://cloud.google.com/iap/docs/configuring-reauth"],"seeAlso":[]},"iap.tunnel.getIamPolicy":{"id":"iap.tunnel.getIamPolicy","name":"Identity Aware Proxy tunnel resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to every IAP secured VM in the project."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnel.setIamPolicy":{"id":"iap.tunnel.setIamPolicy","name":"Identity Aware Proxy tunnel resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to every IAP secured VM in the project."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.accessViaIAP":{"id":"iap.tunnelDestGroups.accessViaIAP","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in your project.  
VMs are collected in a list of either CIDRs or FQDNs."},"risks":[],"notes":"Gives a principal access to a particular IAP secured destination group.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/managing-access"],"seeAlso":[]},"iap.tunnelDestGroups.create":{"id":"iap.tunnelDestGroups.create","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in your project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":[],"notes":"Creates a new destination group.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.delete":{"id":"iap.tunnelDestGroups.delete","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in your project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["impact:dos","destruction:network"],"notes":"Deletes an existing tunnel destination group.  
This could create a dos if the deleted item is used by other services since they would no longer have access.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.get":{"id":"iap.tunnelDestGroups.get","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in your project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["discovery:network","discovery:infra"],"notes":"Retrieves an existing tunnel destination group.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.getIamPolicy":{"id":"iap.tunnelDestGroups.getIamPolicy","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in your project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.list":{"id":"iap.tunnelDestGroups.list","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in your project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["discovery:network","discovery:infra"],"notes":"Lists the existing tunnel destination groups.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.remediate":{"id":"iap.tunnelDestGroups.remediate","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in your project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":[],"notes":"If granted this permission, a principal will be allowed to remediate a failed authentication attempt.  The steps to remediate can be customized per resource and consist of steps like asking users to update their operating system or to use the application from a company-run network.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/beyondcorp-enterprise/docs/policy-remediator"],"seeAlso":[]},"iap.tunnelDestGroups.setIamPolicy":{"id":"iap.tunnelDestGroups.setIamPolicy","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in your project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelDestGroups.update":{"id":"iap.tunnelDestGroups.update","name":"Identity Aware Proxy tunnel destination groups resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular group of VMs in your project.  VMs are collected in a list of either CIDRs or FQDNs."},"risks":["impact:dos","destruction:network","escalation:network"],"notes":"Updates an existing tunnel destination group.  This could create a dos if an attacker deletes items from the group.   It could also allow an attacker to gain access to machines by adding them to a group they have permission for.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelInstances.accessViaIAP":{"id":"iap.tunnelInstances.accessViaIAP","name":"Identity Aware Proxy tunnel instances resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular VM instance"},"risks":[],"notes":"Gives a principal access to a particular IAP secured VM.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelInstances.getIamPolicy":{"id":"iap.tunnelInstances.getIamPolicy","name":"Identity Aware Proxy tunnel instances resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular VM instance"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelInstances.setIamPolicy":{"id":"iap.tunnelInstances.setIamPolicy","name":"Identity Aware Proxy tunnel instances resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular VM instance"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelLocations.getIamPolicy":{"id":"iap.tunnelLocations.getIamPolicy","name":"Identity Aware Proxy tunnel locations resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured VMs in a particular region"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelLocations.setIamPolicy":{"id":"iap.tunnelLocations.setIamPolicy","name":"Identity Aware Proxy tunnel locations resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured VMs in a particular region"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelZones.getIamPolicy":{"id":"iap.tunnelZones.getIamPolicy","name":"Identity Aware Proxy tunnel zones resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured VMs in a particular zone"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.tunnelZones.setIamPolicy":{"id":"iap.tunnelZones.setIamPolicy","name":"Identity Aware Proxy tunnel zones resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured VMs in a particular zone"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.web.getIamPolicy":{"id":"iap.web.getIamPolicy","name":"Identity Aware Proxy web resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to every IAP secured web app in your project."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.web.getSettings":{"id":"iap.web.getSettings","name":"Identity Aware Proxy web resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to every IAP secured web app in your project."},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServiceVersions.accessViaIAP":{"id":"iap.webServiceVersions.accessViaIAP","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":[],"notes":"Grants access to App Engine and Compute Engine resources secured by IAP.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/managing-access"],"seeAlso":[]},"iap.webServiceVersions.getIamPolicy":{"id":"iap.webServiceVersions.getIamPolicy","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServiceVersions.getSettings":{"id":"iap.webServiceVersions.getSettings","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServiceVersions.remediate":{"id":"iap.webServiceVersions.remediate","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":[],"notes":"If granted this permission, a principal will be allowed to remediate a failed authentication attempt.  The steps to remediate can be customized per resource and consist of steps like asking users to update their operating system or to use the application from a company-run network.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/beyondcorp-enterprise/docs/policy-remediator"],"seeAlso":[]},"iap.webServiceVersions.setIamPolicy":{"id":"iap.webServiceVersions.setIamPolicy","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServiceVersions.updateSettings":{"id":"iap.webServiceVersions.updateSettings","name":"Identity Aware Proxy web service versions resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular version of an App Engine or Compute Engine service"},"risks":["impact:dos","impact:defacement","impact:hijack","destruction:network"],"notes":"Allows an attacker to update settings related to IAP.  There is a risk of dos if an attacker removes any settings that are essential for authentication such as which domains are allowed to access the app.   There is another setting that allows for creation of a custom Access Denied page.  This creates a risk of hijack or defacement where an attacker could put up a page of their own.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings","https://cloud.google.com/iap/docs/configuring-reauth"],"seeAlso":[]},"iap.webServices.getIamPolicy":{"id":"iap.webServices.getIamPolicy","name":"Identity Aware Proxy web services resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular IAP secured web service."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServices.getSettings":{"id":"iap.webServices.getSettings","name":"Identity Aware Proxy web services resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular IAP secured web service."},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServices.setIamPolicy":{"id":"iap.webServices.setIamPolicy","name":"Identity Aware Proxy web services resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular IAP secured web service."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webServices.updateSettings":{"id":"iap.webServices.updateSettings","name":"Identity Aware Proxy web services resource type.","scope":"HIGH","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to a particular IAP secured web service."},"risks":["impact:dos","impact:defacement","impact:hijack","destruction:network"],"notes":"Allows an attacker to update settings related to IAP.  There is a risk of dos if an attacker removes any settings that are essential for authentication such as which domains are allowed to access the app.   There is another setting that allows for creation of a custom Access Denied page.  This creates a risk of hijack or defacement where an attacker could put up a page of their own.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings","https://cloud.google.com/iap/docs/configuring-reauth"],"seeAlso":[]},"iap.webTypes.getIamPolicy":{"id":"iap.webTypes.getIamPolicy","name":"Identity Aware Proxy web types resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured web apps in the project of a particular type.   The specified type can either be App Engine or Compute Engine."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webTypes.getSettings":{"id":"iap.webTypes.getSettings","name":"Identity Aware Proxy web types resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  
Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured web apps in the project of a particular type.   The specified type can either be App Engine or Compute engine."},"risks":["discovery:network"],"notes":"Allows an attacker to read IAP related settings for this resource.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webTypes.setIamPolicy":{"id":"iap.webTypes.setIamPolicy","name":"Identity Aware Proxy web types resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured web apps in the project of a particular type.   The specified type can either be App Engine or Compute engine."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest"],"seeAlso":[]},"iap.webTypes.updateSettings":{"id":"iap.webTypes.updateSettings","name":"Identity Aware Proxy web types resource type.","scope":"CRITICAL","parent":{"notes":"IAP is used to control access to cloud services.  Changes to IAP related settings could remove access from mission-critical applications or  grant an attacker access to sensitive resources.","description":"Refers to all IAP secured web apps in the project of a particular type.   The specified type can either be App Engine or Compute engine."},"risks":["impact:dos","impact:defacement","impact:hijack","destruction:network"],"notes":"Allows an attacker to update settings related to IAP.  
There is a risk of dos if an attacker removes any settings that are essential for authentication such as which domains are allowed to access the app.   There is another setting that allows for creation of a custom Access Denied page.  This creates a risk of hijack or defacement where an attacker could put up a page of their own.","links":["https://cloud.google.com/iap/docs/customizing","https://cloud.google.com/iap/docs/reference/rest","https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings","https://cloud.google.com/iap/docs/configuring-reauth"],"seeAlso":[]},"logging.buckets.copyLogEntries":{"id":"logging.buckets.copyLogEntries","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.create":{"id":"logging.buckets.create","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.delete":{"id":"logging.buckets.delete","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs 
data."},"risks":["destruction:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.undelete":{"id":"logging.buckets.undelete","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.update":{"id":"logging.buckets.update","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["impact:encryption"],"notes":"Allows updating or adding a customer-managed encryption key  used to encrypt the bucket.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.write":{"id":"logging.buckets.write","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["impact:spend"],"notes":"Allows routing logs to the bucket","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.get":{"id":"logging.buckets.get","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs 
data."},"risks":["discovery:infra"],"notes":"Does not allow viewing logs in the bucket.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.buckets.list":{"id":"logging.buckets.list","name":"Cloud Logging Buckets","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud logging bucket is a container used by Cloud Logging to store and organize logs data."},"risks":["discovery:infra"],"notes":"Does not allow viewing logs in the bucket.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/buckets","https://cloud.google.com/logging/docs/routing/overview"],"seeAlso":[]},"logging.exclusions.create":{"id":"logging.exclusions.create","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.exclusions.get":{"id":"logging.exclusions.get","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. 
An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.exclusions.delete":{"id":"logging.exclusions.delete","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.exclusions.list":{"id":"logging.exclusions.list","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.exclusions.update":{"id":"logging.exclusions.update","name":"Cloud Logging Exclusion","scope":"MEDIUM","parent":{"notes":"Exclusion operations apply to the _Default logging sink. 
An attacker may manipulate exclusions to hide their activity in order to evade detection.","description":"A Cloud Logging Exclusion specifies a set of log entries that are filtered out by a sink."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.exclusions"],"seeAlso":[]},"logging.fields.access":{"id":"logging.fields.access","name":"Cloud Logging Fields","scope":"MEDIUM","parent":{"notes":"Cloud logging supports field-level access control. This resource is used to restrict access to sensitive fields.","description":"Individual fields in Cloud Logging entries"},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/field-level-acl"],"seeAlso":[]},"logging.links.create":{"id":"logging.links.create","name":"Cloud Logging Links","scope":null,"parent":{"notes":null,"description":"A Cloud Logging link is a link between a logs bucket and a BigQuery dataset  so that logs can be read from BigQuery."},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/folders.locations.buckets.links"],"seeAlso":[]},"logging.links.delete":{"id":"logging.links.delete","name":"Cloud Logging Links","scope":null,"parent":{"notes":null,"description":"A Cloud Logging link is a link between a logs bucket and a BigQuery dataset  so that logs can be read from BigQuery."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/folders.locations.buckets.links"],"seeAlso":[]},"logging.links.get":{"id":"logging.links.get","name":"Cloud Logging Links","scope":null,"parent":{"notes":null,"description":"A Cloud Logging link is a link between a logs bucket and a 
BigQuery dataset  so that logs can be read from BigQuery."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/folders.locations.buckets.links"],"seeAlso":[]},"logging.links.list":{"id":"logging.links.list","name":"Cloud Logging Links","scope":null,"parent":{"notes":null,"description":"A Cloud Logging link is a link between a logs bucket and a BigQuery dataset  so that logs can be read from BigQuery."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/folders.locations.buckets.links"],"seeAlso":[]},"logging.locations.list":{"id":"logging.locations.list","name":"Cloud Logging Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud logging.","description":"Infrastructure regions available for Google Cloud logging."},"risks":[],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.locations.get":{"id":"logging.locations.get","name":"Cloud Logging Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud logging.","description":"Infrastructure regions available for Google Cloud logging."},"risks":[],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.logEntries.create":{"id":"logging.logEntries.create","name":"Cloud Logging Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Log entries ingested and stored by Cloud Logging"},"risks":["impact:spend"],"notes":"Create and route together allow writing log entries via the Logging 
API","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/list"],"seeAlso":[]},"logging.logEntries.download":{"id":"logging.logEntries.download","name":"Cloud Logging Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Log entries ingested and stored by Cloud Logging"},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/list"],"seeAlso":[]},"logging.logEntries.list":{"id":"logging.logEntries.list","name":"Cloud Logging Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Log entries ingested and stored by Cloud Logging"},"risks":["exfiltration:logs"],"notes":"This provides access to log entries.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/list"],"seeAlso":[]},"logging.logEntries.route":{"id":"logging.logEntries.route","name":"Cloud Logging Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Log entries ingested and stored by Cloud Logging"},"risks":["impact:spend"],"notes":"Create and route together allow writing log entries via the Logging API","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/list"],"seeAlso":[]},"logging.logMetrics.create":{"id":"logging.logMetrics.create","name":"Cloud Log Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logMetrics.delete":{"id":"logging.logMetrics.delete","name":"Cloud Log 
Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logMetrics.get":{"id":"logging.logMetrics.get","name":"Cloud Log Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra","exfiltration:metadata"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logMetrics.list":{"id":"logging.logMetrics.list","name":"Cloud Log Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra","exfiltration:metadata"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logMetrics.update":{"id":"logging.logMetrics.update","name":"Cloud Log Metrics","scope":"LOW","parent":{"notes":null,"description":"Log metrics allow viewing statistics about the number of log entries that match filters."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/projects.metrics"],"seeAlso":[]},"logging.logs.delete":{"id":"logging.logs.delete","name":"Cloud Logging Logs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud Logging log contains log entries."},"risks":["destruction:logs"],"notes":"Destroys all log 
entries.","links":["https://cloud.google.com/logging/docs/reference/v2/rest/v2/organizations.logs","https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.logs.list":{"id":"logging.logs.list","name":"Cloud Logging Logs","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud Logging log contains log entries."},"risks":[],"notes":"Does not allow viewing log entries.","links":["https://cloud.google.com/logging/docs/reference/v2/rest/v2/organizations.logs","https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.notificationRules.create":{"id":"logging.notificationRules.create","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring automated alerts based on logs."},"risks":[],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.notificationRules.delete":{"id":"logging.notificationRules.delete","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring automated alerts based on logs."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.notificationRules.get":{"id":"logging.notificationRules.get","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring 
automated alerts based on logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.notificationRules.list":{"id":"logging.notificationRules.list","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring automated alerts based on logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.notificationRules.update":{"id":"logging.notificationRules.update","name":"Cloud Logging Notification Rules","scope":"MEDIUM","parent":{"notes":"By changing notification rules, an attacker can evade detection by preventing any alerts  that may be triggered by their activity.","description":"Notification rules allow configuring automated alerts based on logs."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/alerting/log-based-alerts"],"seeAlso":[]},"logging.privateLogEntries.list":{"id":"logging.privateLogEntries.list","name":"Cloud Logging Private Log Entries","scope":"MEDIUM","parent":{"notes":null,"description":"Private log entries contain Google's Data Access Audit logs."},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control"],"seeAlso":[]},"logging.queries.create":{"id":"logging.queries.create","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. 
To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.list":{"id":"logging.queries.list","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.get":{"id":"logging.queries.get","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.share":{"id":"logging.queries.share","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. 
To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":[],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.listShared":{"id":"logging.queries.listShared","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.update":{"id":"logging.queries.update","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.updateShared":{"id":"logging.queries.updateShared","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. 
To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.queries.delete":{"id":"logging.queries.delete","name":"Cloud Logging Queries","scope":"LOW","parent":{"notes":"Permissions on queries is not sufficient in order to read log entries. To actually read log entries/view the result of queries, you additionally need permissions on the logs or log entries.","description":"Logging queries allow you to retrieve a specific set of logs."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/view/building-queries"],"seeAlso":[]},"logging.settings.get":{"id":"logging.settings.get","name":"Cloud Logging Settings","scope":"MEDIUM","parent":{"notes":null,"description":"Settings for cloud logging, including locations for log storage, disabled _Default sinks,  and encryption keys."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/default-settings"],"seeAlso":[]},"logging.settings.update":{"id":"logging.settings.update","name":"Cloud Logging Settings","scope":"MEDIUM","parent":{"notes":null,"description":"Settings for cloud logging, including locations for log storage, disabled _Default sinks,  and encryption keys."},"risks":["destruction:logs","impact:encryption"],"notes":"Disabling the _Default log sink can cause loss of log entry data.","links":["https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/default-settings"],"seeAlso":[]},"logging.sinks.create":{"id":"logging.sinks.create","name":"Cloud Logging 
Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.sinks.delete":{"id":"logging.sinks.delete","name":"Cloud Logging Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["destruction:infra"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.sinks.get":{"id":"logging.sinks.get","name":"Cloud Logging Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.sinks.list":{"id":"logging.sinks.list","name":"Cloud Logging Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. 
They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["discovery:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.sinks.update":{"id":"logging.sinks.update","name":"Cloud Logging Sinks","scope":"MEDIUM","parent":{"notes":null,"description":"Logging sinks control how logs are routed. They can be used to export logs to Cloud Storage, BigQuery, a Cloud Logging bucket, or a Pub/Sub topic."},"risks":["destruction:defense"],"notes":"Updating a log sink can update the filter used to exclude logs from being routed by the sink. This can impair defenses by allowing an attacker to filter  out their activity in the system.","links":["https://cloud.google.com/logging/docs/routing/overview#sinks","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/reference/v2/rest/v2/sinks"],"seeAlso":[]},"logging.views.access":{"id":"logging.views.access","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.create":{"id":"logging.views.create","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. 
This provides more granular access control over logs."},"risks":["impact:spend","impact:consumption"],"notes":"You can only have 30 log views on a bucket.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.delete":{"id":"logging.views.delete","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["destruction:infra","impact:access"],"notes":"Does not delete the log entries. Because the primary use case of a view is to provide limited access to logs, deleting a view can result in users losing access to logs.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.get":{"id":"logging.views.get","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["discovery:logs"],"notes":"Does not provide access to log entries.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.list":{"id":"logging.views.list","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. 
This provides more granular access control over logs."},"risks":["discovery:logs"],"notes":"Does not provide access to log entries.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.listLogs":{"id":"logging.views.listLogs","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["exfiltration:logs"],"notes":null,"links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.listResourceKeys":{"id":"logging.views.listResourceKeys","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.listResourceValues":{"id":"logging.views.listResourceValues","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. 
This provides more granular access control over logs."},"risks":[],"notes":"The specific use of this permission is unknown.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"logging.views.update":{"id":"logging.views.update","name":"Cloud Logging Views","scope":"MEDIUM","parent":{"notes":null,"description":"A log view is a filtered view of log entries in a bucket. This provides more granular access control over logs."},"risks":["exfiltration:logs"],"notes":"Allows updating the log filter on a view. If combined with listLogs access on any view, can allow arbitrary logs access.","links":["https://cloud.google.com/logging/docs/routing/overview#log-views","https://cloud.google.com/logging/docs/access-control","https://cloud.google.com/logging/docs/logs-views"],"seeAlso":[]},"pubsub.schemas.attach":{"id":"pubsub.schemas.attach","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["impact:dos"],"notes":"Can cause service interruptions by attaching an invalid schema.","links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.commit":{"id":"pubsub.schemas.commit","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["impact:dos"],"notes":"Can cause service interruptions by updating an existing schema to be invalid.","links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.create":{"id":"pubsub.schemas.create","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. 
Schemas are enforced by the Pub/Sub service."},"risks":[],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.delete":{"id":"pubsub.schemas.delete","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["destruction:infra","impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.get":{"id":"pubsub.schemas.get","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["discovery:data","discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.getIamPolicy":{"id":"pubsub.schemas.getIamPolicy","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.list":{"id":"pubsub.schemas.list","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.listRevisions":{"id":"pubsub.schemas.listRevisions","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. 
Schemas are enforced by the Pub/Sub service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.rollback":{"id":"pubsub.schemas.rollback","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["impact:dos"],"notes":"Can cause service interruptions by rolling back to an incompatible schema.","links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.setIamPolicy":{"id":"pubsub.schemas.setIamPolicy","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.schemas.validate":{"id":"pubsub.schemas.validate","name":"Pub/Sub schemas","scope":"MEDIUM","parent":{"notes":null,"description":"A Pub/Sub schema specifies the data format for a Pub/Sub message. Schemas are enforced by the Pub/Sub service."},"risks":[],"notes":"Validating lets you validate messages against a schema.","links":["https://cloud.google.com/pubsub/docs/schemas"],"seeAlso":[]},"pubsub.snapshots.create":{"id":"pubsub.snapshots.create","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. 
It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.delete":{"id":"pubsub.snapshots.delete","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["impact:dos","destruction:data"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.get":{"id":"pubsub.snapshots.get","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.getIamPolicy":{"id":"pubsub.snapshots.getIamPolicy","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. 
It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.list":{"id":"pubsub.snapshots.list","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.seek":{"id":"pubsub.snapshots.seek","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["exfiltration:data"],"notes":"The seek functionality allows for replay/redelivery of the messages in the snapshot. This can allow an attacker to read Pub/Sub messages, which may be sensitive.","links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.setIamPolicy":{"id":"pubsub.snapshots.setIamPolicy","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. 
It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.snapshots.update":{"id":"pubsub.snapshots.update","name":"Pub/Sub snapshot","scope":"HIGH","parent":{"notes":null,"description":"A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created."},"risks":["impact:dos","destruction:data"],"notes":"This allows updating snapshot metadata. Potential DOS and data destruction risks if the expiration time is updated.","links":["https://cloud.google.com/pubsub/docs/replay-overview#seek_to_a_snapshot","https://cloud.google.com/sdk/gcloud/reference/pubsub/snapshots/create"],"seeAlso":[]},"pubsub.subscriptions.consume":{"id":"pubsub.subscriptions.consume","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.create":{"id":"pubsub.subscriptions.create","name":"Pub/Sub subscription","scope":"LOW","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["impact:spend"],"notes":"Creating a subscription does not provide access to 
Pub/Sub data on its own, since you cannot consume messages or attach the subscription to a topic.","links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.delete":{"id":"pubsub.subscriptions.delete","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.get":{"id":"pubsub.subscriptions.get","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.getIamPolicy":{"id":"pubsub.subscriptions.getIamPolicy","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.list":{"id":"pubsub.subscriptions.list","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives 
messages published to a Pub/Sub topic."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.setIamPolicy":{"id":"pubsub.subscriptions.setIamPolicy","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.subscriptions.update":{"id":"pubsub.subscriptions.update","name":"Pub/Sub subscription","scope":"HIGH","parent":{"notes":"Subscriptions can allow an attacker to read Pub/Sub messages, which may contain sensitive information.","description":"A Pub/Sub subscription receives messages published to a Pub/Sub topic."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/subscriber","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.attachSubscription":{"id":"pubsub.topics.attachSubscription","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["exfiltration:data"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.create":{"id":"pubsub.topics.create","name":"Pub/Sub topic","scope":"LOW","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed 
to."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.delete":{"id":"pubsub.topics.delete","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["impact:dos","destruction:data"],"notes":"This will delete any messages retained in the Pub/Sub topic. Depending on the configuration, this could be up to 31 days of messages.","links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.detachSubscription":{"id":"pubsub.topics.detachSubscription","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.get":{"id":"pubsub.topics.get","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.getIamPolicy":{"id":"pubsub.topics.getIamPolicy","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed 
to."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.list":{"id":"pubsub.topics.list","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.publish":{"id":"pubsub.topics.publish","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["impact:dos","impact:manipulation"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.setIamPolicy":{"id":"pubsub.topics.setIamPolicy","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.update":{"id":"pubsub.topics.update","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed 
to."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"pubsub.topics.updateTag":{"id":"pubsub.topics.updateTag","name":"Pub/Sub topic","scope":"HIGH","parent":{"notes":"Pub/Sub messages may contain sensitive information.","description":"A Pub/Sub topic is a feed of messages that can be arbitrarily subscribed to."},"risks":[],"notes":"This IAM permission doesn't have a corresponding API method. It's unclear what this permission is for.","links":["https://cloud.google.com/pubsub/docs/create-topic","https://cloud.google.com/pubsub/docs/access-control"],"seeAlso":[]},"recommender.cloudAssetInsights.get":{"id":"recommender.cloudAssetInsights.get","name":"Cloud Asset Insights","scope":"HIGH","parent":{"notes":"These insights include sensitive information about your Google Cloud resources and their IAM policies, as well as exposing information about users, groups, and service accounts.","description":"Cloud Asset Insights include changes to the IAM policies of your resources suggested by Google in order to improve your security posture"},"risks":["discovery:policy","discovery:account","discovery:infra"],"notes":null,"links":["https://cloud.google.com/asset-inventory/docs/using-asset-insights"],"seeAlso":[]},"recommender.cloudAssetInsights.list":{"id":"recommender.cloudAssetInsights.list","name":"Cloud Asset Insights","scope":"HIGH","parent":{"notes":"These insights include sensitive information about your Google Cloud resources and their IAM policies, as well as exposing information about users, groups, and service accounts.","description":"Cloud Asset Insights include changes to the IAM policies of your resources suggested by Google in order to improve your security 
posture"},"risks":["discovery:policy","discovery:account","discovery:infra"],"notes":null,"links":["https://cloud.google.com/asset-inventory/docs/using-asset-insights"],"seeAlso":[]},"recommender.iamPolicyInsights.get":{"id":"recommender.iamPolicyInsights.get","name":"IAM Policy Insights","scope":"HIGH","parent":{"notes":"These insights include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM policy insights include information on exercised permissions from project-level IAM policy bindings."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview"],"seeAlso":[]},"recommender.iamPolicyInsights.list":{"id":"recommender.iamPolicyInsights.list","name":"IAM Policy Insights","scope":"HIGH","parent":{"notes":"These insights include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM policy insights include information on exercised permissions from project-level IAM policy bindings."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview"],"seeAlso":[]},"recommender.iamPolicyInsights.update":{"id":"recommender.iamPolicyInsights.update","name":"IAM Policy Insights","scope":"LOW","parent":{"notes":"These insights include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM policy insights include information on exercised permissions from project-level IAM policy bindings."},"risks":[],"notes":"Updating an insight is extremely low impact since it only updates the insight metadata, for purposes such as marking the insight as 
accepted.","links":["https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview"],"seeAlso":[]},"recommender.iamPolicyRecommendations.get":{"id":"recommender.iamPolicyRecommendations.get","name":"IAM Policy Recommendations","scope":"HIGH","parent":{"notes":"These recommendations include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM Policy Recommendations include changes to the IAM policies of your projects suggested by Google in order to improve your security posture."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/policy-intelligence/docs/review-apply-role-recommendations"],"seeAlso":[]},"recommender.iamPolicyRecommendations.list":{"id":"recommender.iamPolicyRecommendations.list","name":"IAM Policy Recommendations","scope":"HIGH","parent":{"notes":"These recommendations include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM Policy Recommendations include changes to the IAM policies of your projects suggested by Google in order to improve your security posture."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/policy-intelligence/docs/review-apply-role-recommendations"],"seeAlso":[]},"recommender.iamPolicyRecommendations.update":{"id":"recommender.iamPolicyRecommendations.update","name":"IAM Policy Recommendations","scope":"LOW","parent":{"notes":"These recommendations include sensitive information about your project-level IAM policies, as well as exposing information about users, groups, and service accounts.","description":"IAM Policy Recommendations include changes to the IAM policies of your projects suggested by Google in order to improve your security posture."},"risks":[],"notes":"Updating a recommendation only updates 
the recommendation metadata, for purposes such as marking the recommendation as accepted.","links":["https://cloud.google.com/policy-intelligence/docs/review-apply-role-recommendations"],"seeAlso":[]},"resourcemanager.projects.create":{"id":"resourcemanager.projects.create","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:spend","impact:consumption"],"notes":"Each organization has a limited quota of active projects they can create.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.createBillingAssignment":{"id":"resourcemanager.projects.createBillingAssignment","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:dos"],"notes":"Allows updating the billing assignment to remove the billing account.  
This can cause an interruption of services.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.delete":{"id":"resourcemanager.projects.delete","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["destruction:infra","destruction:crypto","destruction:data","destruction:logs","destruction:metadata","destruction:policy"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.deleteBillingAssignment":{"id":"resourcemanager.projects.deleteBillingAssignment","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. 
This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:dos"],"notes":"Removing a billing assignment can cause an interruption of services.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.get":{"id":"resourcemanager.projects.get","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.getIamPolicy":{"id":"resourcemanager.projects.getIamPolicy","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. 
This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.list":{"id":"resourcemanager.projects.list","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.move":{"id":"resourcemanager.projects.move","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:dos","impact:access","destruction:defense"],"notes":"Moving a project can impact both user and system access that was inherited from the old parent. This can cause a DOS if service account accesses are impaired. 
Moving a project also removes any security policies that were inherited from the parent.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.setIamPolicy":{"id":"resourcemanager.projects.setIamPolicy","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.undelete":{"id":"resourcemanager.projects.undelete","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.update":{"id":"resourcemanager.projects.update","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. 
This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["destruction:metadata"],"notes":"Can only update project display name and labels.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.projects.updateLiens":{"id":"resourcemanager.projects.updateLiens","name":"Google Cloud Projects","scope":"CRITICAL","parent":{"notes":"This is a critical resource because impacting the project can impact any organizational functionality using the project. This can include all services running in the project and all data stored within it.","description":"A project is the base-level resource through which you interact with Google Cloud services."},"risks":["destruction:defense"],"notes":"Liens are used to prevention deletion of projects. 
This permission allows removing a lien from a project.","links":["https://cloud.google.com/resource-manager/docs/access-control-proj","https://cloud.google.com/billing/docs/reference/rest/v1/projects/updateBillingInfo"],"seeAlso":[]},"resourcemanager.tagholds.create":{"id":"resourcemanager.tagholds.create","name":"Google Cloud Tag Holds","scope":"LOW","parent":{"notes":null,"description":"A tag hold prevents the deletion of a tag value."},"risks":[],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagholds.delete":{"id":"resourcemanager.tagholds.delete","name":"Google Cloud Tag Holds","scope":"LOW","parent":{"notes":null,"description":"A tag hold prevents the deletion of a tag value."},"risks":["destruction:defense"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagholds.list":{"id":"resourcemanager.tagholds.list","name":"Google Cloud Tag Holds","scope":"LOW","parent":{"notes":null,"description":"A tag hold prevents the deletion of a tag value."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.create":{"id":"resourcemanager.tagkeys.create","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.delete":{"id":"resourcemanager.tagkeys.delete","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":[],"notes":"Tag keys in use by any 
tag bindings cannot be deleted.","links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.get":{"id":"resourcemanager.tagkeys.get","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.getIamPolicy":{"id":"resourcemanager.tagkeys.getIamPolicy","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.list":{"id":"resourcemanager.tagkeys.list","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.setIamPolicy":{"id":"resourcemanager.tagkeys.setIamPolicy","name":"Google Cloud Tag Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagkeys.update":{"id":"resourcemanager.tagkeys.update","name":"Google Cloud Tag 
Keys","scope":"MEDIUM","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":[],"notes":"Only allows updating the tag description.\n","links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.create":{"id":"resourcemanager.tagvalues.create","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["impact:consumption"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.delete":{"id":"resourcemanager.tagvalues.delete","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":[],"notes":"Tag values in use by any tag bindings cannot be deleted.","links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.get":{"id":"resourcemanager.tagvalues.get","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.getIamPolicy":{"id":"resourcemanager.tagvalues.getIamPolicy","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM 
policies."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.list":{"id":"resourcemanager.tagvalues.list","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["discovery:metadata"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.setIamPolicy":{"id":"resourcemanager.tagvalues.setIamPolicy","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"resourcemanager.tagvalues.update":{"id":"resourcemanager.tagvalues.update","name":"Google Cloud Tag Values","scope":"LOW","parent":{"notes":null,"description":"Tags are metadata attached to resources in the form of key-value pairs, and are frequently used with conditional IAM policies."},"risks":[],"notes":"Only allows updating the tag description.\n","links":["https://cloud.google.com/resource-manager/docs/tags/tags-overview"],"seeAlso":[]},"run.configurations.get":{"id":"run.configurations.get","name":"Cloud Run Configurations","scope":"MEDIUM","parent":{"notes":null,"description":"A cloud run configuration contains basic metadata and information about the latest revision for a 
service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.configurations","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions"],"seeAlso":[]},"run.configurations.list":{"id":"run.configurations.list","name":"Cloud Run Configurations","scope":"MEDIUM","parent":{"notes":null,"description":"A cloud run configuration contains basic metadata and information about the latest revision for a service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.configurations","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions"],"seeAlso":[]},"run.executions.delete":{"id":"run.executions.delete","name":"Cloud Run Executions","scope":"HIGH","parent":{"notes":"Cloud Run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run execution is a resource created when a cloud run job is executed in order to track the execution."},"risks":["impact:dos"],"notes":"A currently running execution can be deleted. 
This will halt execution of the job.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.executions","https://cloud.google.com/run/docs/managing/job-executions"],"seeAlso":[]},"run.executions.get":{"id":"run.executions.get","name":"Cloud Run Executions","scope":"HIGH","parent":{"notes":"Cloud Run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run execution is a resource created when a cloud run job is executed in order to track the execution."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.executions","https://cloud.google.com/run/docs/managing/job-executions"],"seeAlso":[]},"run.executions.list":{"id":"run.executions.list","name":"Cloud Run Executions","scope":"HIGH","parent":{"notes":"Cloud Run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run execution is a resource created when a cloud run job is executed in order to track the execution."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.executions","https://cloud.google.com/run/docs/managing/job-executions"],"seeAlso":[]},"run.jobs.create":{"id":"run.jobs.create","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":[],"notes":"Executing a job requires the run permission, so create on its own does not allow execution of the newly created job. 
Cloud Run billing is based on execution of jobs and services, so creation does not incur spend.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.createTagBinding":{"id":"run.jobs.createTagBinding","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.delete":{"id":"run.jobs.delete","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:dos","destruction:infra"],"notes":"You can only delete a job if there are no executions in progress. 
However, certain services may rely on a job that runs on a schedule, so deleting a job can create a DOS even if at deletion time there are no executions in progress.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.deleteTagBinding":{"id":"run.jobs.deleteTagBinding","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.get":{"id":"run.jobs.get","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. 
Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.getIamPolicy":{"id":"run.jobs.getIamPolicy","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.list":{"id":"run.jobs.list","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. 
Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.listEffectiveTags":{"id":"run.jobs.listEffectiveTags","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.listTagBindings":{"id":"run.jobs.listTagBindings","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. 
Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.run":{"id":"run.jobs.run","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:spend","impact:hijack","escalation:lateral"],"notes":"On its own, allows executing an existing job, which incurs spend for its runtime. Combined with run.jobs.create and iam.serviceAccounts.actAs on the job's service account, it lets an attacker create and run a job of their choosing, which includes a resource hijacking risk; the job's environment variables or arguments can be set to spawn a reverse shell and dump the contents of the container, including the service account credentials.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs","https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.html#runjobsrun-runjobsrunwithoverrides-runjobsget"],"seeAlso":[]},"run.jobs.runWithOverrides":{"id":"run.jobs.runWithOverrides","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. 
Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:spend","impact:hijack","impact:manipulation","exfiltration:data","escalation:lateral"],"notes":"Allows an attacker to run a job with overrides for the environment variables and arguments. Depending on the job and the contents of environment variables and arguments, this may allow the attacker to hijack the job for their own purposes, manipulate organizational data, or store output data in a location accessible to the attacker. Also includes a resource hijacking risk if combined with the create permission and iam.serviceAccounts.actAs on the Cloud Run service account.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs","https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.html#runjobsrun-runjobsrunwithoverrides-runjobsget"],"seeAlso":[]},"run.jobs.setIamPolicy":{"id":"run.jobs.setIamPolicy","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. 
Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.jobs.update":{"id":"run.jobs.update","name":"Cloud Run Jobs","scope":"HIGH","parent":{"notes":"Cloud run jobs may be used for important organizational tasks, such as processing of sensitive data.","description":"A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow."},"risks":["impact:spend","impact:dos","impact:hijack","impact:manipulation","exfiltration:data"],"notes":"Allows an attacker to update settings for a job, including CPU/memory limits, timeouts, retries, the values of environment variables, and the container entrypoint command and arguments. Depending on the job and the contents of environment variables and arguments, this may allow the attacker to hijack the job for their own purposes, manipulate organizational data, or store output data in a location accessible to the attacker. 
Changing CPU/memory limits or increasing retries can incur spend, and changing timeouts, reducing retries, or manipulating arguments/environment variables can create a DOS.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/managing/jobs","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs","https://cloud.google.com/run/docs/create-jobs"],"seeAlso":[]},"run.locations.list":{"id":"run.locations.list","name":"Cloud Run Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud Run","description":"Infrastructure regions available for Cloud Run resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"run.locations.get":{"id":"run.locations.get","name":"Cloud Run Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Cloud Run","description":"Infrastructure regions available for Cloud Run resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/projects.locations"],"seeAlso":[]},"run.revisions.delete":{"id":"run.revisions.delete","name":"Cloud Run Revisions","scope":"MEDIUM","parent":{"notes":null,"description":"A revision is a deployment to a Cloud Run service.  It consists of a container image along with environment settings. 
Revisions are immutable."},"risks":["destruction:infra"],"notes":"Revisions that can receive traffic, are the only revision of the service, or are the latest revision of the service cannot be deleted.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions","https://cloud.google.com/run/docs/managing/revisions"],"seeAlso":[]},"run.revisions.get":{"id":"run.revisions.get","name":"Cloud Run Revisions","scope":"MEDIUM","parent":{"notes":null,"description":"A revision is a deployment to a Cloud Run service.  It consists of a container image along with environment settings. Revisions are immutable."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions","https://cloud.google.com/run/docs/managing/revisions"],"seeAlso":[]},"run.revisions.list":{"id":"run.revisions.list","name":"Cloud Run Revisions","scope":"MEDIUM","parent":{"notes":null,"description":"A revision is a deployment to a Cloud Run service.  It consists of a container image along with environment settings. 
Revisions are immutable."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions","https://cloud.google.com/run/docs/managing/revisions"],"seeAlso":[]},"run.routes.get":{"id":"run.routes.get","name":"Cloud run routes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud run routes contain rules for routing ingress traffic to specific revisions of a service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.routes","https://cloud.google.com/run/docs/authenticating/developers"],"seeAlso":[]},"run.routes.invoke":{"id":"run.routes.invoke","name":"Cloud run routes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud run routes contain rules for routing ingress traffic to specific revisions of a service."},"risks":["escalation:network"],"notes":"This is the permission carried by roles/run.invoker: it allows a principal to send authenticated HTTP requests (for example with curl and an identity token) to the service behind the route.","links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.routes","https://cloud.google.com/run/docs/authenticating/developers"],"seeAlso":[]},"run.routes.list":{"id":"run.routes.list","name":"Cloud run routes","scope":"MEDIUM","parent":{"notes":null,"description":"Cloud run routes contain rules for routing ingress traffic to specific revisions of a service."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.routes","https://cloud.google.com/run/docs/authenticating/developers"],"seeAlso":[]},"run.services.create":{"id":"run.services.create","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. 
It will automatically scale the number of instances to match incoming requests."},"risks":["impact:spend","impact:hijack"],"notes":"Allows creating and deploying a new service on Cloud Run. Deploying also requires iam.serviceAccounts.actAs on the service account the service will run as.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.createTagBinding":{"id":"run.services.createTagBinding","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.delete":{"id":"run.services.delete","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. 
It will automatically scale the number of instances to match incoming requests."},"risks":["impact:dos","destruction:infra"],"notes":"Deleting a service is permanent: it cannot be undone or restored.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.deleteTagBinding":{"id":"run.services.deleteTagBinding","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The risks apply if the tag is used in any policies.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.get":{"id":"run.services.get","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. 
It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:infra","discovery:policy"],"notes":"Includes ingress and egress network policies for the service.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.getIamPolicy":{"id":"run.services.getIamPolicy","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.list":{"id":"run.services.list","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. 
It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:infra","discovery:policy"],"notes":"Includes ingress and egress network policies for the service.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.listEffectiveTags":{"id":"run.services.listEffectiveTags","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.listTagBindings":{"id":"run.services.listTagBindings","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. 
It will automatically scale the number of instances to match incoming requests."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.setIamPolicy":{"id":"run.services.setIamPolicy","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.services.update":{"id":"run.services.update","name":"Cloud Run Services","scope":"HIGH","parent":{"notes":"Cloud Run services may be used to run core organizational infrastructure, such as web applications or REST APIs.","description":"A Cloud Run service continuously runs code that responds to web requests or events. It will automatically scale the number of instances to match incoming requests."},"risks":["impact:spend","impact:dos","impact:hijack","impact:manipulation","exfiltration:data","escalation:network","destruction:defense"],"notes":"Allows an attacker to update settings for a service, including CPU/memory limits, autoscaling settings, the values of environment variables, the container entrypoint command and arguments, and egress/ingress network policy settings. 
Depending on the job and the contents of environment variables and arguments, this may  allow the attacker to hijack the job for their own purposes, manipulate organizational data,  or store output data in a location accessible to the attacker. Changing ingress/egress network policies can allow an attacker to make private services public or vice versa. Changing CPU/memory limits or autoscaling settings can incur spend,  and changing autoscaling settings, network settings, or manipulating arguments/environment variables can create a DOS.","links":["https://cloud.google.com/run/docs/resource-model","https://cloud.google.com/run/docs/deploying","https://cloud.google.com/run/docs/managing/services","https://cloud.google.com/run/docs/reference/rest/v1/namespaces.services"],"seeAlso":[]},"run.tasks.list":{"id":"run.tasks.list","name":"Cloud Run tasks","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud Run task represents a single run of a container to completion.  A Cloud Run job contains some number of tasks."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.tasks","https://cloud.google.com/run/docs/resource-model"],"seeAlso":[]},"run.tasks.get":{"id":"run.tasks.get","name":"Cloud Run tasks","scope":"MEDIUM","parent":{"notes":null,"description":"A Cloud Run task represents a single run of a container to completion.  
A Cloud Run job contains some number of tasks."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/run/docs/reference/rest/v1/namespaces.tasks","https://cloud.google.com/run/docs/resource-model"],"seeAlso":[]},"secretmanager.locations.list":{"id":"secretmanager.locations.list","name":"Secret Manager Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Secret Manager","description":"Infrastructure regions available for Secret Manager resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"secretmanager.locations.get":{"id":"secretmanager.locations.get","name":"Secret Manager Locations","scope":"PUBLIC","parent":{"notes":"This resource contains public information about Google's location offerings for Secret Manager","description":"Infrastructure regions available for Secret Manager resources"},"risks":[],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/locations"],"seeAlso":[]},"secretmanager.secrets.create":{"id":"secretmanager.secrets.create","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":[],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.delete":{"id":"secretmanager.secrets.delete","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. 
Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["impact:dos","destruction:crypto"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.get":{"id":"secretmanager.secrets.get","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["discovery:infra","discovery:account"],"notes":"This includes account discovery because the names of secrets may expose accounts that the secrets are associated with. Does not give access to secrets.","links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.getIamPolicy":{"id":"secretmanager.secrets.getIamPolicy","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. 
The actual contents of the secret are stored in the version."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.list":{"id":"secretmanager.secrets.list","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["discovery:infra","discovery:account"],"notes":"See get.","links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.setIamPolicy":{"id":"secretmanager.secrets.setIamPolicy","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.secrets.update":{"id":"secretmanager.secrets.update","name":"Secret Manager Secrets","scope":"HIGH","parent":{"notes":"Secret manager is a highly sensitive service. 
Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A secret contains one or more versions along with metadata. The actual contents of the secret are stored in the version."},"risks":["impact:dos","destruction:data","impact:encryption"],"notes":"Can destroy the secret by updating it to expire. Can also add/change a customer-managed encryption key.","links":["https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets","https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/patch"],"seeAlso":[]},"secretmanager.versions.access":{"id":"secretmanager.versions.access","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["exfiltration:crypto","exfiltration:data"],"notes":"Gives direct read access to secret data (which often includes keys and tokens).","links":[],"seeAlso":[]},"secretmanager.versions.add":{"id":"secretmanager.versions.add","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["impact:dos"],"notes":"Adding a new version of a secret can break services that rely on reading the latest version of the secret.","links":[],"seeAlso":[]},"secretmanager.versions.destroy":{"id":"secretmanager.versions.destroy","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. 
Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["impact:dos","destruction:crypto"],"notes":null,"links":[],"seeAlso":[]},"secretmanager.versions.disable":{"id":"secretmanager.versions.disable","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["impact:dos"],"notes":null,"links":[],"seeAlso":[]},"secretmanager.versions.enable":{"id":"secretmanager.versions.enable","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["impact:dos"],"notes":"This can be used for a DOS by enabling an out-of-date or otherwise incorrect version of the secret.","links":[],"seeAlso":[]},"secretmanager.versions.get":{"id":"secretmanager.versions.get","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. 
Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["discovery:infra","discovery:account"],"notes":"This includes account discovery because the names of secrets may expose accounts that the secrets are associated with.","links":[],"seeAlso":[]},"secretmanager.versions.list":{"id":"secretmanager.versions.list","name":"Secret Manager Versions","scope":"CRITICAL","parent":{"notes":"Secret manager is a highly sensitive service. Secrets may include API keys, encryption secret keys, login credentials, and other extremely sensitive data.","description":"A version in Secret Manager contains the contents of a secret along with metadata about the version."},"risks":["discovery:infra","discovery:account"],"notes":null,"links":[],"seeAlso":[]},"serviceusage.quotas.get":{"id":"serviceusage.quotas.get","name":"Service Usage Quotas","scope":"LOW","parent":{"notes":null,"description":"Includes quota limitations for service usage for all Google Services."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.quotas.update":{"id":"serviceusage.quotas.update","name":"Service Usage Quotas","scope":"LOW","parent":{"notes":null,"description":"Includes quota limitations for service usage for all Google Services."},"risks":["impact:dos","impact:spend"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.disable":{"id":"serviceusage.services.disable","name":"Google Cloud Service","scope":"CRITICAL","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["impact:dos"],"notes":"Depends on the service: disabling a service the organization relies on is a critical 
impact.","links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.enable":{"id":"serviceusage.services.enable","name":"Google Cloud Service","scope":"CRITICAL","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["escalation:lateral"],"notes":"Depends on the service. The attacker could enable a service that contains risks (such as an overprovisioned default service account) that allow them to escalate permissions.","links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.get":{"id":"serviceusage.services.get","name":"Google Cloud Service","scope":"LOW","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.list":{"id":"serviceusage.services.list","name":"Google Cloud Service","scope":"LOW","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["discovery:infra"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"serviceusage.services.use":{"id":"serviceusage.services.use","name":"Google Cloud Service","scope":"LOW","parent":{"notes":null,"description":"Includes all services and APIs offered as part of Google Cloud Platform."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/service-usage/docs/access-control"],"seeAlso":[]},"storage.buckets.create":{"id":"storage.buckets.create","name":"Cloud Storage buckets","scope":"LOW","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. 
All data must be contained in a bucket."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.createTagBinding":{"id":"storage.buckets.createTagBinding","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["impact:access","escalation:privilege"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. If the user has any policies that use tag bindings to enforce conditions, creating a tag on a resource allows them to escalate their access to that resource. Also requires getIamPolicy or knowledge of the IAM policy from some other means.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.delete":{"id":"storage.buckets.delete","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. 
All data must be contained in a bucket."},"risks":["impact:dos","destruction:data","destruction:infra"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.deleteTagBinding":{"id":"storage.buckets.deleteTagBinding","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["escalation:privilege","destruction:policy","impact:access"],"notes":"A common use case of tag bindings is for use in IAM policy conditions. The \"destruction:policy\" and \"impact:access\" risks apply if the tag is used in any policies.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.get":{"id":"storage.buckets.get","name":"Cloud Storage buckets","scope":"LOW","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. 
All data must be contained in a bucket."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.list":{"id":"storage.buckets.list","name":"Cloud Storage buckets","scope":"MEDIUM","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.getIamPolicy":{"id":"storage.buckets.getIamPolicy","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. 
All data must be contained in a bucket."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.listEffectiveTags":{"id":"storage.buckets.listEffectiveTags","name":"Cloud Storage buckets","scope":"LOW","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.listTagBindings":{"id":"storage.buckets.listTagBindings","name":"Cloud Storage buckets","scope":"LOW","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. 
All data must be contained in a bucket."},"risks":["discovery:policy"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.setIamPolicy":{"id":"storage.buckets.setIamPolicy","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.update":{"id":"storage.buckets.update","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["impact:encryption","destruction:metadata"],"notes":"Even though certain access-related controls are part of the bucket metadata (ACLs, public access settings), those cannot be updated without setIamPolicy. However, the encryption key can be updated with just this permission. 
An attacker could use their own key (in their own project) to encrypt the data, then disable or delete it, rendering the data unusable until the user can recover the key.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.buckets.getObjectInsights":{"id":"storage.buckets.getObjectInsights","name":"Cloud Storage buckets","scope":"CRITICAL","parent":{"notes":"Buckets may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Buckets are the basic unit of data storage within Cloud Storage. All data must be contained in a bucket."},"risks":["discovery:data"],"notes":"This includes access to object metadata, but not objects themselves.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions","https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing","https://cloud.google.com/storage/docs/bucket-metadata","https://cloud.google.com/storage/docs/json_api/v1/buckets/update"],"seeAlso":[]},"storage.hmacKeys.create":{"id":"storage.hmacKeys.create","name":"Cloud Storage HMAC Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["escalation:data"],"notes":"Allows you to sign requests to cloud storage as a service account, allowing for escalation.","links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys","https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/"],"seeAlso":[]},"storage.hmacKeys.delete":{"id":"storage.hmacKeys.delete","name":"Cloud Storage HMAC 
Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["impact:dos","destruction:crypto"],"notes":null,"links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys"],"seeAlso":[]},"storage.hmacKeys.get":{"id":"storage.hmacKeys.get","name":"Cloud Storage HMAC Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["discovery:infra"],"notes":"This does not include the secret.","links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys"],"seeAlso":[]},"storage.hmacKeys.list":{"id":"storage.hmacKeys.list","name":"Cloud Storage HMAC Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["discovery:infra"],"notes":"This does not include the secret.","links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys"],"seeAlso":[]},"storage.hmacKeys.update":{"id":"storage.hmacKeys.update","name":"Cloud Storage HMAC Keys","scope":"CRITICAL","parent":{"notes":null,"description":"A HMAC key is a type of credential that can be used to authenticate requests to Cloud Storage."},"risks":["impact:dos"],"notes":"Allows updating the key to be inactive.","links":["https://cloud.google.com/storage/docs/authentication/managing-hmackeys","https://cloud.google.com/storage/docs/authentication/hmackeys"],"seeAlso":[]},"storage.multipartUploads.create":{"id":"storage.multipartUploads.create","name":"Cloud Storage Multi-part uploads","scope":"LOW","parent":{"notes":null,"description":"Allows users to upload an 
object to a Cloud Storage bucket in multiple parts."},"risks":["impact:spend"],"notes":"Also requires storage.objects.create permission.","links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.multipartUploads.abort":{"id":"storage.multipartUploads.abort","name":"Cloud Storage Multi-part uploads","scope":"LOW","parent":{"notes":null,"description":"Allows users to upload an object to a Cloud Storage bucket in multiple parts."},"risks":["impact:dos"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.multipartUploads.list":{"id":"storage.multipartUploads.list","name":"Cloud Storage Multi-part uploads","scope":"LOW","parent":{"notes":null,"description":"Allows users to upload an object to a Cloud Storage bucket in multiple parts."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.multipartUploads.listParts":{"id":"storage.multipartUploads.listParts","name":"Cloud Storage Multi-part uploads","scope":"LOW","parent":{"notes":null,"description":"Allows users to upload an object to a Cloud Storage bucket in multiple parts."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.create":{"id":"storage.objects.create","name":"Cloud Storage Objects","scope":"LOW","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["impact:spend"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.delete":{"id":"storage.objects.delete","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage 
objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["impact:dos","destruction:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.get":{"id":"storage.objects.get","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["exfiltration:data","discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.list":{"id":"storage.objects.list","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["discovery:data"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.getIamPolicy":{"id":"storage.objects.getIamPolicy","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["discovery:policy","discovery:account"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.setIamPolicy":{"id":"storage.objects.setIamPolicy","name":"Cloud Storage 
Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["escalation:privilege","impact:access","destruction:policy"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]},"storage.objects.update":{"id":"storage.objects.update","name":"Cloud Storage Objects","scope":"CRITICAL","parent":{"notes":"Cloud Storage objects may be used to store data of various sensitivities, from publicly available data to very sensitive confidential data.","description":"Objects are files and folders inside Google Cloud storage buckets."},"risks":["destruction:metadata"],"notes":null,"links":["https://cloud.google.com/storage/docs/access-control/iam-permissions"],"seeAlso":[]}},"k8s":{"apiregistration.k8s.io/apiservices.create":{"id":"apiregistration.k8s.io/apiservices.create","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For custom resources, the APIService can set insecureSkipTLSVerify to true, which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes extensions and custom resources. 
It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["escalation:network"],"notes":"Together with the ability to deploy a new Kubernetes service in the cluster, an attacker can configure an APIService to expose that new service with custom authentication settings, which opens a backdoor to the cluster.","links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.delete":{"id":"apiregistration.k8s.io/apiservices.delete","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For custom resources, the APIService can set insecureSkipTLSVerify to true, which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["destruction:infra"],"notes":"Only API Services that expose custom CRDs can be deleted. API Services auto-managed by Kubernetes, such as the core v1, apps/v1, batch/v1 and extensions/v1beta1 APIs, cannot be deleted or modified.","links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.get":{"id":"apiregistration.k8s.io/apiservices.get","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For custom resources, the APIService can set insecureSkipTLSVerify to true, which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across multiple versions of Kubernetes. 
It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.getStatus":{"id":"apiregistration.k8s.io/apiservices.getStatus","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For custom resources, the APIService can set insecureSkipTLSVerify to true, which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.list":{"id":"apiregistration.k8s.io/apiservices.list","name":"APIServices","scope":"LOW","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For custom resources, the APIService can set insecureSkipTLSVerify to true, which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes extensions and custom resources. 
It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["discovery:infra"],"notes":null,"links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.update":{"id":"apiregistration.k8s.io/apiservices.update","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For custom resources, the APIService can set insecureSkipTLSVerify to true, which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":["escalation:network"],"notes":null,"links":[],"seeAlso":[]},"apiregistration.k8s.io/apiservices.updateStatus":{"id":"apiregistration.k8s.io/apiservices.updateStatus","name":"APIServices","scope":"MEDIUM","parent":{"notes":"API Services can be used to track the availability and health of API servers and extensions in the cluster. For custom resources, the APIService can set insecureSkipTLSVerify to true, which allows unauthenticated communication with the custom resource's endpoints.","description":"API Services provide a way to advertise a Kubernetes API that is implemented across multiple versions of Kubernetes. It is used to register and expose APIs for Kubernetes extensions and custom resources. It also provides a way to specify the resource schema for a custom resource, which enables client-side validation and discovery of resources."},"risks":[],"notes":"While this permission is exposed, updating the status of a custom APIService is not allowed. 
Status is managed by Kubernetes.","links":[],"seeAlso":[]},"apps/daemonsets.create":{"id":"apps/daemonsets.create","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network"],"notes":"Creation of DaemonSets allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. The code may execute with service account privileges, leading to new permissions that may allow access to other services. Secondly, creating DaemonSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/daemonsets.delete":{"id":"apps/daemonsets.delete","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a DaemonSet deletes its pods and ephemeral volumes. 
Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"apps/daemonsets.get":{"id":"apps/daemonsets.get","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the DaemonSet, and Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"apps/daemonsets.getStatus":{"id":"apps/daemonsets.getStatus","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `daemonSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}` resource.","links":[],"seeAlso":[]},"apps/daemonsets.list":{"id":"apps/daemonsets.list","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. 
If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all DaemonSets in a namespace.","links":[],"seeAlso":[]},"apps/daemonsets.update":{"id":"apps/daemonsets.update","name":"DaemonSets","scope":"CRITICAL","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","impact:hijack","impact:spend"],"notes":"An update may let an attacker change the container image that is running inside pods. This may allow arbitrary code execution, if the cluster has access to the public internet. The code may execute with service account privileges, leading to new permissions that may allow access to other services. Since a DaemonSet runs a pod on multiple nodes, DaemonSets are especially great for a complete cluster takeover. Secondly, DaemonSet pods drain the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/daemonsets.updateStatus":{"id":"apps/daemonsets.updateStatus","name":"DaemonSets","scope":"LOW","parent":{"notes":"DaemonSets manage pods, similar to ReplicaSets and StatefulSets. A DaemonSet ensures there is the desired number of pods running on each node. If DaemonSets are allowed to connect to the public internet, it may open up the door for arbitrary code execution for an attacker. 
See notes on `container/deployments` for mitigations.","description":"Control Kubernetes DaemonSets objects."},"risks":[],"notes":"This subresource has no effect on the actual DaemonSets.","links":[],"seeAlso":[]},"apps/deployments.create":{"id":"apps/deployments.create","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Deployments tie up compute resources in Kubernetes that cannot be allocated to another Kubernetes workload while the deployment is present. Deployments run a user-specified container image, which may allow an attacker to escalate their privileges by running arbitrary code inside the Kubernetes workload. Secondly, creating Deployments drains the limited resources available to other Kubernetes workloads.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.delete":{"id":"apps/deployments.delete","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. 
They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a Deployment deletes its pods and ephemeral volumes. Persistent Volumes attached to the Deployment are left intact. Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.get":{"id":"apps/deployments.get","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. 
Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Deployment, and Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.getScale":{"id":"apps/deployments.getScale","name":"Deployments","scope":"LOW","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale` subresource which returns the number of desired replicas in the Deployment. 
The `deployments.get` permission already includes the ability to read this subresource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/","https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"],"seeAlso":[]},"apps/deployments.getStatus":{"id":"apps/deployments.getStatus","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `deployments.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/deployments/{name}` resource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.list":{"id":"apps/deployments.list","name":"Deployments","scope":"MEDIUM","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. 
Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all Deployments in a namespace.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.rollback":{"id":"apps/deployments.rollback","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. 
Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra"],"notes":"Allows reverting to a previous version of the Deployment spec from the rollout history.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/","https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#checking-rollout-history-of-a-deployment"],"seeAlso":[]},"apps/deployments.update":{"id":"apps/deployments.update","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. 
Secondly, increasing the replica count in Deployments drains the limited resources available to  other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.updateScale":{"id":"apps/deployments.updateScale","name":"Deployments","scope":"CRITICAL","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"Allows updating the replica count, including setting replicas to 0. If properties other than replicas are updated in the PATCH request, those are quietly ignored. Secondly, increasing the replica count in Deployments drains the limited resources available to  other Kubernetes workloads.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/deployments.updateStatus":{"id":"apps/deployments.updateStatus","name":"Deployments","scope":"LOW","parent":{"notes":"Deployments are declarative updates to Kubernetes Pods and ReplicaSets. 
They provide an abstraction layer that allows services to discover and connect to pods  running within a Deployment. Applications can scale, load balance, and seamlessly handle changes  in the underlying pod instances. Access to Deployments is sensitive because they are a primary interface for controlling applications running on Kubernetes. A Deployment specifies the container image to run, and may lead to arbitrary code execution in the cluster. A good mitigation strategy is to make Kubernetes clusters private, which effectively disables pulling images over the internet. Secondly, creating or updating the replica count of Deployments drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes Deployment objects."},"risks":[],"notes":"Allows updating the status object of the Deployment with different \"replicas\", \"updatedReplicas\", \"readyReplicas\", and \"availableReplicas\" counts than the actual counts in the Deployment's current ReplicaSet. However, these values don't take effect, despite a successful API call.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"],"seeAlso":[]},"apps/replicasets.create":{"id":"apps/replicasets.create","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. 
Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Creation of standalone ReplicaSet allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. Secondly, creating ReplicaSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/replicasets.delete":{"id":"apps/replicasets.delete","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a ReplicaSet deletes its pods and ephemeral volumes. PersistentVolumes attached to the ReplicaSet are left intact. 
Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"apps/replicasets.get":{"id":"apps/replicasets.get","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the ReplicaSet, and Pods and Containers in it,  such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"apps/replicasets.getScale":{"id":"apps/replicasets.getScale","name":"ReplicaSets","scope":"LOW","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. 
If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/scale` subresource which returns the number of desired replicas in the ReplicaSet. The `replicaSets.get` permission already includes the ability to read this subresource.","links":[],"seeAlso":[]},"apps/replicasets.getStatus":{"id":"apps/replicasets.getStatus","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `replicaSets.get`. 
Allows reading the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/replicasets/{name}` resource.","links":[],"seeAlso":[]},"apps/replicasets.list":{"id":"apps/replicasets.list","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all ReplicaSets in a namespace.","links":[],"seeAlso":[]},"apps/replicasets.update":{"id":"apps/replicasets.update","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. 
Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"Only ReplicaSets without a Deployment may be updated. Updates to ReplicaSets owned by a Deployment will succeed but have no effect on the ReplicaSet. An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. Secondly, increasing the replica count in ReplicaSets drains the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"apps/replicasets.updateScale":{"id":"apps/replicasets.updateScale","name":"ReplicaSets","scope":"MEDIUM","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. 
Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"Only ReplicaSets without a Deployment may be updated. Updates to ReplicaSets owned by a Deployment will succeed but have no effect on the ReplicaSet. Allows updating the replica count, including setting replicas to 0. If properties other than replicas are updated in the PATCH request, those are quietly ignored. Secondly, increasing the replica count in ReplicaSets drains the limited resources available to other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/replicasets.updateStatus":{"id":"apps/replicasets.updateStatus","name":"ReplicaSets","scope":"LOW","parent":{"notes":"ReplicaSets allow maintaining a desired number of replicas and handle situations like pod failures or manual scaling. Typically, ReplicaSets are not created directly but are managed by a Deployment. When that is the case, the ReplicaSet cannot be updated directly using the `update` endpoints. ReplicaSets expose very similar risks to Deployments, the key privilege being the ability to specify a container image to run in the Pods managed by the ReplicaSet. If coupled with a cluster that can connect to the internet, this opens up arbitrary code execution by fetching and running potentially malicious images. Secondly, creating or updating the replica count of ReplicaSets drains the limited resources available to other Kubernetes workloads.","description":"Control Kubernetes ReplicaSet objects."},"risks":[],"notes":"Allows updating the status object of the ReplicaSet with different \"replicas\", \"updatedReplicas\", \"readyReplicas\", and \"availableReplicas\" counts than the actual counts in the ReplicaSet. 
However, these values don't take effect, despite a successful API call.","links":[],"seeAlso":[]},"apps/statefulsets.create":{"id":"apps/statefulsets.create","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Creation of StatefulSets allows running an image inside the Kubernetes cluster. This may allow arbitrary code execution, if the cluster has access to the public internet. Secondly, creating StatefulSets drains the limited resources available to other Kubernetes workloads. Persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"apps/statefulsets.delete":{"id":"apps/statefulsets.delete","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a StatefulSet deletes its pods and ephemeral volumes. Persistent Volumes are retained. 
Logs of the deleted pods disappear permanently when the pods shut down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"apps/statefulsets.get":{"id":"apps/statefulsets.get","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the StatefulSet, and Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":[],"seeAlso":[]},"apps/statefulsets.getScale":{"id":"apps/statefulsets.getScale","name":"StatefulSets","scope":"LOW","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra"],"notes":"Allows reading the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/scale` subresource which returns the number of desired replicas in the StatefulSet. The `statefulSets.get` permission already includes the ability to read this subresource.","links":[],"seeAlso":[]},"apps/statefulsets.getStatus":{"id":"apps/statefulsets.getStatus","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. 
As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `statefulSets.get`. Allows reading the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/status` subresource which returns the same payload as the `/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}` resource.","links":[],"seeAlso":[]},"apps/statefulsets.list":{"id":"apps/statefulsets.list","name":"StatefulSets","scope":"MEDIUM","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all StatefulSets in a namespace.","links":[],"seeAlso":[]},"apps/statefulsets.update":{"id":"apps/statefulsets.update","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","destruction:network","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may set the replica count to 0 which effectively deletes the application. An update may also let an attacker change the container image that is running inside pods, potentially leading to a complete takeover of the Kubernetes cluster. 
Secondly, increasing the replica count in StatefulSets may cause disruption to stateful services, depending on the behavior of the stateful service in a scaling event. Scaling may drain the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":[],"seeAlso":[]},"apps/statefulsets.updateScale":{"id":"apps/statefulsets.updateScale","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":["destruction:infra","impact:hijack","impact:spend"],"notes":"If properties other than replicas are updated in the PATCH request, those are quietly ignored.  Secondly, increasing the replica count in StatefulSets may disrupt stateful service and/or drain the limited resources  available to other Kubernetes workloads.","links":[],"seeAlso":[]},"apps/statefulsets.updateStatus":{"id":"apps/statefulsets.updateStatus","name":"StatefulSets","scope":"CRITICAL","parent":{"notes":"StatefulSets manage Pods, with different guarantees but similar to Deployments, ReplicaSets, and DaemonSets. As such, the primary security concerns are the container images that are running on these Pods, and the resources the Pods consume from the Kubernetes cluster.","description":"Control Kubernetes StatefulSets objects."},"risks":[],"notes":"This subresource has no effect on the actual StatefulSets.","links":[],"seeAlso":[]},"batch/jobs.create":{"id":"batch/jobs.create","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. 
Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"Jobs tie up compute resources in Kubernetes that cannot be allocated to another Kubernetes workload while the Job is present. Jobs run a user-specified container image, which may allow an attacker to escalate their privileges by running arbitrary code inside the Kubernetes workload with service account privileges. Persistent Volumes may be  attached to jobs, meaning data can be exposed to the Kubernetes workload.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.delete":{"id":"batch/jobs.delete","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. 
Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a Job deletes its pods and ephemeral volumes. Persistent Volumes attached to the Job are left intact. Logs of the deleted pods disappear permanently when the job completes and the pods shut down, unless they are exported to an external system for persistence.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.get":{"id":"batch/jobs.get","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  
Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Job, Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers and the images they are running.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.getStatus":{"id":"batch/jobs.getStatus","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete, by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes. Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Equivalent to `jobs.get`. Allows reading the `/apis/batch/v1/namespaces/{namespace}/jobs/{name}/status` subresource which returns the same payload as the `/apis/batch/v1/namespaces/{namespace}/jobs/{name}` resource.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.list":{"id":"batch/jobs.list","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. 
That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["discovery:infra","discovery:network"],"notes":"Allows listing all Jobs in a namespace.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.update":{"id":"batch/jobs.update","name":"Jobs","scope":"CRITICAL","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the  limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose  the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete,  by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes.  Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":["destruction:infra","escalation:lateral","escalation:network","exfiltration:data","impact:hijack","impact:spend"],"notes":"An update may suspend the job which prevents the controller from creating Pods, effectively disabling the Job.  
An update may also let an attacker change the container image that is running inside pods, potentially leading to arbitrary code execution. Secondly, increasing the parallelism in Jobs or the amount of resources dedicated to Pods drains the limited resources available to other Kubernetes workloads. Also, persistent volumes may be attached to the Pods, which may provide access to sensitive data.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"batch/jobs.updateStatus":{"id":"batch/jobs.updateStatus","name":"Jobs","scope":"LOW","parent":{"notes":"The security implications of Jobs are similar to other controllers, like Deployments. Jobs ultimately lead to running a container image, and may allow arbitrary code execution in the cluster. That code runs with the service-account privileges that the Pod runs with, thus may lead to privilege escalation. Creating Jobs drains the limited resources available to other Kubernetes workloads. Attaching Persistent Volumes to a Job may expose the data on that volume to attackers.","description":"A Kubernetes Job is a type of controller that runs one or more Pods until they successfully complete, by retrying (restarting) the Pods if necessary. The Pod and its resources are released when the Job completes. Jobs are typically used for batch processes, report generation or maintenance tasks."},"risks":[],"notes":"Allows updating the status object of the Job with different \"active\", \"failed\", \"ready\", and \"succeeded\" counts. However, these values don't take effect, despite a successful API call. The status is managed by Kubernetes.","links":["https://kubernetes.io/docs/concepts/workloads/controllers/job"],"seeAlso":[]},"core/endpoints.create":{"id":"core/endpoints.create","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. 
Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["escalation:network"],"notes":"Creating an endpoint slice may open up access to Pods from the public Internet.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/endpoints.delete":{"id":"core/endpoints.delete","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network"],"notes":"Deleting an endpoint slice may partially or completely disrupt public access to Kubernetes Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/endpoints.get":{"id":"core/endpoints.get","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. 
Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about a specific endpoint slice: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/endpoints.list":{"id":"core/endpoints.list","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about all endpoint slices: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/endpoints.update":{"id":"core/endpoints.update","name":"Endpoints","scope":"MEDIUM","parent":{"notes":"Typically endpoints are not managed directly. 
Endpoints are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint is a mapping of an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network","escalation:network"],"notes":"An endpoint update allows remapping IP addresses and ports to different Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/","https://kubernetes.io/blog/2020/09/02/scaling-kubernetes-networking-with-endpointslices/"],"seeAlso":[]},"core/namespaces.create":{"id":"core/namespaces.create","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":[],"notes":"A namespace is a logical resource, and creating one does not carry risks by itself.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.delete":{"id":"core/namespaces.delete","name":"Namespaces","scope":"CRITICAL","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. 
The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:data","destruction:infra","destruction:logs","destruction:network","destruction:policy"],"notes":"Deleting a namespace also deletes all other Kubernetes resources inside it.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.finalize":{"id":"core/namespaces.finalize","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:defense"],"notes":"Allows updating the list of finalizers. Finalizers check that a certain condition is met before a namespace is deleted. They may either implement garbage collection, cleaning up all resources inside a namespace when that namespace is deleted, or they may implement a protective measure that prevents the deletion of a namespace; for instance, the `kubernetes.io/pvc-protection` finalizer prevents accidental deletion of data. As such, editing or removing finalizers may remove protection measures.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/"],"seeAlso":[]},"core/namespaces.get":{"id":"core/namespaces.get","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that allows you to group and segregate resources like Pods, Services, Deployments. 
Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":["discovery:infra"],"notes":"Retrieve metadata about a namespace.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.getStatus":{"id":"core/namespaces.getStatus","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":["discovery:infra"],"notes":"Allows seeing the same namespace metadata as `namespaces.get`.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.list":{"id":"core/namespaces.list","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that allows you to group and segregate resources like Pods, Services, Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":["discovery:infra"],"notes":"Allows listing namespaces.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.update":{"id":"core/namespaces.update","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. 
This is a logical isolation that allows you to group and segregate resources like Pods, Services, and Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":["destruction:defense"],"notes":"Allows editing the finalizers array. See the `namespaces.finalize` permission.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/namespaces.updateStatus":{"id":"core/namespaces.updateStatus","name":"Namespaces","scope":"LOW","parent":{"notes":"","description":"Namespaces isolate resources within a Kubernetes cluster. This is a logical isolation that allows you to group and segregate resources like Pods, Services, and Deployments. Kubernetes role-based access control (RBAC) defines Roles and ClusterRoles. The former is scoped to a specific namespace, meaning Roles only grant permissions within the scope of one namespace."},"risks":[],"notes":"Status is managed by the Kubernetes control plane; updating it does not take effect.","links":["https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"],"seeAlso":[]},"core/nodes.create":{"id":"core/nodes.create","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked if possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system of the node; and the node OS, Kubernetes, and the container runtime should be upgraded in a timely manner.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. 
Nodes provide the underlying pool of CPU, memory, storage, and network connectivity resources for running containers and other tasks assigned by the control plane."},"risks":[],"notes":"There are two ways to create a node: self-registration from the kubelet running on the node using a kubeconfig file, or manual registration of the node via the Kubernetes API. The `nodes.create` permission allows the latter. Creating a node object manually only creates an internal node representation. The control plane then checks that the node the object describes is valid, available, and healthy; only then does it become eligible to run a Pod. This permission alone is not enough to add a new Node to a cluster.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/concepts/architecture/nodes/#management","https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/"],"seeAlso":[]},"core/nodes.delete":{"id":"core/nodes.delete","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked if possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system of the node; and the node OS, Kubernetes, and the container runtime should be upgraded in a timely manner.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity resources for running containers and other tasks assigned by the control plane."},"risks":["destruction:infra","destruction:data","destruction:logs"],"notes":"Deleting a node immediately destroys all workloads running on it. This is an unsafe action and is likely to disrupt normal operations. 
Instead, a node can be cordoned to prevent new pods from being scheduled on it. Cordoning requires the `nodes.update` permission. To safely move workloads to other nodes, the node must be drained. The `kubectl drain` command uses listing permissions (list pods, replicasets, daemonsets, etc.) and the `pods.evict` permission.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/concepts/architecture/nodes/#manual-node-administration","https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/"],"seeAlso":[]},"core/nodes.get":{"id":"core/nodes.get","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked if possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system of the node; and the node OS, Kubernetes, and the container runtime should be upgraded in a timely manner.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity resources for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"The response payload contains container image IDs stored on the nodes, as well as IP addresses, Pod CIDR ranges, health check statuses, and other metadata.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"core/nodes.getStatus":{"id":"core/nodes.getStatus","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. 
In general, nodes should not be publicly accessible; SSH access should be blocked if possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system of the node; and the node OS, Kubernetes, and the container runtime should be upgraded in a timely manner.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity resources for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"Allows access to the same information as `nodes.get`.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"core/nodes.list":{"id":"core/nodes.list","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked if possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system of the node; and the node OS, Kubernetes, and the container runtime should be upgraded in a timely manner.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity resources for running containers and other tasks assigned by the control plane."},"risks":["discovery:infra","discovery:network"],"notes":"List all nodes.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"core/nodes.proxy":{"id":"core/nodes.proxy","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. 
In general, nodes should not be publicly accessible; SSH access should be blocked if possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system of the node; and the node OS, Kubernetes, and the container runtime should be upgraded in a timely manner.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity resources for running containers and other tasks assigned by the control plane."},"risks":["escalation:privilege","escalation:lateral"],"notes":"This permission allows calling the `api/v1/nodes/{node}/proxy/{path?}` endpoint with any HTTP method, which executes the request directly against the API of the kubelet running on the node, without further authorization checks. It is theoretically possible to call other endpoints of the kubelet API, such as `/exec` or `/portForward`, that allow reading the node's service account token to act as the service account, or executing code on the node.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://www.deepnetwork.com/blog/2020/01/13/kubelet-api.html","https://blog.aquasec.com/privilege-escalation-kubernetes-rbac"],"seeAlso":[]},"core/nodes.update":{"id":"core/nodes.update","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. 
In general, nodes should not be publicly accessible; SSH access should be blocked if possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system of the node; and the node OS, Kubernetes, and the container runtime should be upgraded in a timely manner.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. Nodes provide the underlying pool of CPU, memory, storage, and network connectivity resources for running containers and other tasks assigned by the control plane."},"risks":["impact:manipulation","destruction:metadata"],"notes":"The things that can typically be updated are the metadata labels and annotations, and fields in the `spec` section of the node manifest: taints, which prevent certain pods from being scheduled on the node, and the `unschedulable` property, which effectively cordons the node. With enough nodes cordoned or tainted, the cluster may become \"paralyzed\" because workloads cannot be scheduled efficiently, or at all.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#nodespec-v1-core"],"seeAlso":[]},"core/nodes.updateStatus":{"id":"core/nodes.updateStatus","name":"Nodes","scope":"CRITICAL","parent":{"notes":"Nodes can be configured in multiple ways, and the configuration has a significant impact on Node security. In general, nodes should not be publicly accessible; SSH access should be blocked if possible (already enforced in Autopilot mode); containers running on the same node should be isolated from each other and from the host operating system of the node; and the node OS, Kubernetes, and the container runtime should be upgraded in a timely manner.","description":"Nodes are physical or virtual machines that serve as a worker in the cluster. 
Nodes provide the underlying pool of CPU, memory, storage, and network connectivity resources for running containers and other tasks assigned by the control plane."},"risks":[],"notes":"Allows updating only the status component of a node. Does not have any real effect since status is managed by Kubernetes.","links":["https://kubernetes.io/docs/concepts/architecture/nodes/"],"seeAlso":[]},"core/pods.attach":{"id":"core/pods.attach","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["destruction:infra","impact:access"],"notes":"Allows attaching to a process that is already running inside an existing container. An attacker can read the process's stdout and send stdin input to the running process, for instance Ctrl+C to stop the process.","links":[],"seeAlso":[]},"core/pods.create":{"id":"core/pods.create","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. 
Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["impact:spend","impact:hijack","escalation:lateral","escalation:network","exfiltration:data"],"notes":"It is possible to create standalone pods not managed by a Deployment or other controller in Kubernetes. This action bears the risk of pulling in an arbitrary image (if the cluster is open to the internet) to hijack resources, or of moving laterally by assuming the privileges of the pod's or node's service account. It also drains the cluster's limited resource pool.","links":[],"seeAlso":[]},"core/pods.delete":{"id":"core/pods.delete","name":"Pods","scope":"MEDIUM","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. 
In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["destruction:infra","destruction:logs"],"notes":"Deleting a pod deletes its containers and ephemeral volumes. PersistentVolumes attached to the pod are left intact. Logs of the deleted pod disappear permanently when the pod shuts down, unless they are exported to an external system for persistence.","links":[],"seeAlso":[]},"core/pods.evict":{"id":"core/pods.evict","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["impact:consumption"],"notes":"Eviction moves the pod to another node. 
An attacker may disrupt normal operations with many evictions, draining cluster resources.","links":[],"seeAlso":[]},"core/pods.exec":{"id":"core/pods.exec","name":"Pods","scope":"CRITICAL","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["escalation:privilege","escalation:lateral"],"notes":"The exec operation is similar to the `attach` operation, but instead of attaching to an existing process inside the container, it allows launching a new process from a command and attaching to it. Most often this command opens a shell, dropping an attacker into a terminal inside the container. The resulting risks are container- and application-specific. However, processes run inside the container are authenticated as the service account, leading to privilege escalation, and potentially lateral movement into other cloud services.","links":[],"seeAlso":[]},"core/pods.get":{"id":"core/pods.get","name":"Pods","scope":"MEDIUM","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. 
Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra","discovery:network"],"notes":"Describes detailed metadata about the Deployment, and the Pods and Containers in it, such as ports, IP address, replicas, attached volumes, containers, and the images they are running.","links":[],"seeAlso":[]},"core/pods.getLogs":{"id":"core/pods.getLogs","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. 
Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra"],"notes":"Logs of the application running in any of the pod's containers can be read with the `getLogs` permission.","links":[],"seeAlso":[]},"core/pods.getStatus":{"id":"core/pods.getStatus","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra"],"notes":"Allows reading the same Pod metadata as `pods.get`.","links":[],"seeAlso":[]},"core/pods.initialize":{"id":"core/pods.initialize","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. 
Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"Documentation is lacking on this permission. It may be related to init containers, or to the initialization process of a Pod.","links":[],"seeAlso":[]},"core/pods.list":{"id":"core/pods.list","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. 
Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["discovery:infra"],"notes":"List metadata about all pods.","links":[],"seeAlso":[]},"core/pods.portForward":{"id":"core/pods.portForward","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["escalation:network","impact:access"],"notes":"Forwards a local port to a port on the Pod. This allows interaction with the application, if the application listens on any ports. An attacker may exploit application risks with the ability to port-forward.","links":[],"seeAlso":[]},"core/pods.proxy":{"id":"core/pods.proxy","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. 
Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":["escalation:network","impact:access"],"notes":"The proxy action forwards the HTTP request to a specific port and request path inside the container. If a process is listening on that port and path, this is similar in effect to port forwarding, and may allow an attacker to exploit application-level risks.","links":[],"seeAlso":[]},"core/pods.update":{"id":"core/pods.update","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. 
Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"An update is limited to a few fields in the Pod spec; it may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds`, `spec.tolerations` (only additions to existing tolerations), or `spec.terminationGracePeriodSeconds` (allowing it to be set to 1 if it was previously negative). In practice even the image update is not possible since pods are typically run via a controller; in those cases an update to the `image` field has no effect.","links":["https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#pod-v1-core"],"seeAlso":[]},"core/pods.updateStatus":{"id":"core/pods.updateStatus","name":"Pods","scope":"HIGH","parent":{"notes":"The risks associated with Pods are similar to those of Deployments, StatefulSets, and DaemonSets. Pods consume CPU, memory, and network resources of the cluster, thus they are susceptible to exhaustion attacks. Containers inside Pods run a specific image, and may lead to arbitrary code execution in the cluster if an attacker is able to run their image. Pods also need access to other resources within the cluster, and outside the cluster, often using other services of the cloud provider. In order to do so, Pods have service account credentials, which, if leaked, allow one to move laterally by authenticating as the service account.","description":"A Kubernetes Pod is a logical host that encapsulates one or more Containers. It is the smallest and most basic unit of deployment. Containers can communicate with each other via localhost. 
Pod lifecycle is typically managed by a higher-level controller, such as a Deployment, StatefulSet, or DaemonSet."},"risks":[],"notes":"Has no effect on the actual status, as it is managed by Kubernetes.","links":[],"seeAlso":[]},"core/secrets.create":{"id":"core/secrets.create","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with the ability to gain access to a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":[],"notes":"Creating a secret does not represent a security risk by itself.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/secrets.delete":{"id":"core/secrets.delete","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with the ability to gain access to a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. 
Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["destruction:infra"],"notes":"Deleting a secret may disrupt communication of workloads with the Kubernetes API server, or with other services.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/secrets.get":{"id":"core/secrets.get","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with the ability to gain access to a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["discovery:data","discovery:infra","exfiltration:crypto","exfiltration:data"],"notes":"By default, secrets are stored unencrypted in Kubernetes, and anyone who can read the secret has access to its contents.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/secrets.list":{"id":"core/secrets.list","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with the ability to gain access to a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["discovery:data","discovery:infra","exfiltration:crypto","exfiltration:data"],"notes":"List all secrets in a specific namespace. 
Listing also allows reading the data field of each secret.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/secrets.update":{"id":"core/secrets.update","name":"Secrets","scope":"CRITICAL","parent":{"notes":"By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.","description":"A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data."},"risks":["destruction:infra"],"notes":"Allows updating the contents of the secret (the `data` field) unless `immutable` property was set to true.","links":["https://kubernetes.io/docs/concepts/configuration/secret","https://kubernetes.io/docs/concepts/security/secrets-good-practices/"],"seeAlso":[]},"core/serviceaccounts.create":{"id":"core/serviceaccounts.create","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. 
Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":[],"notes":"Creating a service account by itself does not represent a security risk. Service accounts need to be granted permissions via Roles.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/serviceaccounts.createToken":{"id":"core/serviceaccounts.createToken","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["escalation:lateral"],"notes":"Allows sending a TokenRequest to the API server. This request issues a new token and binds the token to a service account. 
The token is also returned to the caller, allowing it to act as  the service account bound to that token.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#tokenrequestspec-v1-authentication-k8s-io","https://securitylabs.datadoghq.com/articles/kubernetes-tokenrequest-api/"],"seeAlso":[]},"core/serviceaccounts.delete":{"id":"core/serviceaccounts.delete","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["destruction:infra"],"notes":"Deleting a service account may disrupt communication of workloads with the Kubernetes API server.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/serviceaccounts.get":{"id":"core/serviceaccounts.get","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. 
The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["discovery:infra"],"notes":"Read which secrets are associated with a specific service account. The secret contents cannot be read with this permission.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/serviceaccounts.list":{"id":"core/serviceaccounts.list","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. 
Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["discovery:infra"],"notes":"Read all service accounts in a namespace.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/serviceaccounts.update":{"id":"core/serviceaccounts.update","name":"ServiceAccounts","scope":"CRITICAL","parent":{"notes":"Each service account has a unique token associated with it, which is used to authenticate requests.  This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.","description":"A Kubernetes service account is a machine identity for Kubernetes workloads.  It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server."},"risks":["destruction:infra"],"notes":"An update may remove or add more secrets. In particular, a removal may remove the imagePullSecret of service account or the Kubernetes API secret.","links":["https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account"],"seeAlso":[]},"core/services.create":{"id":"core/services.create","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["escalation:network"],"notes":"Services open up communication to your pods from other Kubernetes workloads. 
Depending on other settings in the Kubernetes cluster and the presence of ingress controllers, it may allow public exposure as well.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.delete":{"id":"core/services.delete","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["destruction:network"],"notes":"Deleting a service may disrupt communication to Pods, taking down an application completely.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.get":{"id":"core/services.get","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"Retrieve status information such as Pod selector, IP (virtual), port. 
Additionally, load-balancer information is returned, if any: public IP, port, host name.","links":["https://kubernetes.io/docs/concepts/services-networking/service","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#loadbalancerstatus-v1-core"],"seeAlso":[]},"core/services.getStatus":{"id":"core/services.getStatus","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"While this is a different permission from `services.get`, calling the `GET api/v1/namespaces/default/services/{{service-name}}/status` endpoint retrieves the same information as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.list":{"id":"core/services.list","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external clients."},"risks":["discovery:network"],"notes":"List all services and their description to the same detail as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.proxy":{"id":"core/services.proxy","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be  accessed by other pods or external 
clients."},"risks":["escalation:lateral","escalation:network","exfiltration:data","impact:manipulation"],"notes":"Allows an attacker to interact with your application as if they were inside the Kubernetes cluster. Creates a proxy server between localhost and a specified service running on Kubernetes. This service can be a kube-system service started by Kubernetes and retrieved by the `kubectl cluster-info` command, or a user-defined Service object. The resulting proxy allows sending payloads to the targeted Service, which would otherwise be unreachable. This is different from the `kubectl proxy` command, which creates a proxy for the Kubernetes API server: this endpoint acts like a bastion and exposes the user-defined application endpoints of a Service.","links":["https://kubernetes.io/docs/concepts/services-networking/service","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#create-connect-proxy-service-v1-core","https://kubernetes.io/docs/concepts/cluster-administration/proxies/"],"seeAlso":[]},"core/services.update":{"id":"core/services.update","name":"Services","scope":"CRITICAL","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be accessed by other pods or external clients."},"risks":["destruction:network","escalation:network"],"notes":"Modifying a Service may render Pods unreachable to other Kubernetes workloads or establish new connections to Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"core/services.updateStatus":{"id":"core/services.updateStatus","name":"Services","scope":"MEDIUM","parent":{"notes":"Services control how your Kubernetes Pods are exposed on the Kubernetes network.","description":"Services provide a stable network endpoint for one or more pods, allowing them to be accessed by other pods or external 
clients."},"risks":["discovery:network"],"notes":"Updating the status metadata has no effect on the actual status of the Service. Services are managed by controllers. However, the response returns the entire Service object, with the same information as the `GET api/v1/namespaces/default/services/{{service-name}}` endpoint, allowing discovery of Service parameters.","links":["https://kubernetes.io/docs/concepts/services-networking/service"],"seeAlso":[]},"discovery.k8s.io/endpointslices.create":{"id":"discovery.k8s.io/endpointslices.create","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["escalation:network"],"notes":"Creating an endpoint may open up access to Pods from the public Internet.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"discovery.k8s.io/endpointslices.delete":{"id":"discovery.k8s.io/endpointslices.delete","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. 
However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network"],"notes":"Deleting an endpoint may partially or completely disrupt public access to Kubernetes Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"discovery.k8s.io/endpointslices.get":{"id":"discovery.k8s.io/endpointslices.get","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about a specific endpoint: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"discovery.k8s.io/endpointslices.list":{"id":"discovery.k8s.io/endpointslices.list","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. 
Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["discovery:network"],"notes":"Retrieve metadata about all endpoints: the IP address, port, and target reference, typically a Pod.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"discovery.k8s.io/endpointslices.update":{"id":"discovery.k8s.io/endpointslices.update","name":"EndpointSlices","scope":"MEDIUM","parent":{"notes":"Typically endpoint slices are not managed directly. Endpoint slices are a lower-level abstraction managed by a Service object. Endpoint slices are a newer addition to Kubernetes, and serve the same purpose as endpoints. However, they slice the potentially large Endpoint object into multiple smaller slices for reduced network traffic between nodes when pods are updated.","description":"A Kubernetes endpoint slice contains up to 100 mapping entries from an IP address and a port to target reference, mostly a Pod. 
The same IP and port may map to multiple Pods to describe a load balancing scheme."},"risks":["destruction:network","escalation:network"],"notes":"An endpoint update allows remapping IP addresses and ports to different Pods.","links":["https://kubernetes.io/docs/concepts/services-networking/endpoint-slices","https://kubernetes.io/docs/concepts/services-networking/service/#endpoints"],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.create":{"id":"rbac.authorization.k8s.io/clusterrolebindings.create","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRoleBinding unless at least one of the following two conditions is met: 1) the caller has the permissions it is granting, or 2) the caller has the `clusterRoles.bind` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.delete":{"id":"rbac.authorization.k8s.io/clusterrolebindings.delete","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). 
It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":["destruction:policy"],"notes":"Deleting a ClusterRoleBinding removes the permissions of the ClusterRole from the principals it lists.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.get":{"id":"rbac.authorization.k8s.io/clusterrolebindings.get","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":["discovery:policy"],"notes":"Retrieves the list of principals and the role in a specific ClusterRoleBinding.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.list":{"id":"rbac.authorization.k8s.io/clusterrolebindings.list","name":"ClusterRoleBindings","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. 
ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":["discovery:policy"],"notes":"List all ClusterRoleBindings within a namespace.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterrolebindings.update":{"id":"rbac.authorization.k8s.io/clusterrolebindings.update","name":"ClusterRoleBindings","scope":"MEDIUM","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A ClusterRoleBinding is used to associate a ClusterRole with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a ClusterRole and the entities that should have those permissions. ClusterRoles are scoped to the entire Kubernetes cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRoleBinding unless at least one of the following two conditions is met: 1) the caller has the permissions it is granting, or 2) the caller has the `clusterRoles.bind` permission.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.bind":{"id":"rbac.authorization.k8s.io/clusterroles.bind","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by binding a ClusterRole to them. 
Also requires the `clusterRoleBindings.create` or `clusterRoleBindings.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.create":{"id":"rbac.authorization.k8s.io/clusterroles.create","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":[],"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding. Kubernetes does not allow the creation or update of a ClusterRole unless at least one of the following two conditions is met: 1) the caller already has the permissions contained in the role, or 2) the caller has the `clusterRoles.escalate` permission.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.delete":{"id":"rbac.authorization.k8s.io/clusterroles.delete","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. 
ClusterRoles are scoped to the entire cluster."},"risks":["destruction:policy"],"notes":"ClusterRoles that are attached to principals via a ClusterRoleBinding can be deleted in Kubernetes.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.escalate":{"id":"rbac.authorization.k8s.io/clusterroles.escalate","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by creating a new ClusterRole or updating an existing ClusterRole. Also requires the `clusterRoles.create` or `clusterRoles.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.get":{"id":"rbac.authorization.k8s.io/clusterroles.get","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. 
ClusterRoles are scoped to the entire cluster."},"risks":["discovery:policy"],"notes":"Retrieves the permissions contained in a specific ClusterRole.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.list":{"id":"rbac.authorization.k8s.io/clusterroles.list","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":["discovery:policy"],"notes":"List all ClusterRoles.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/clusterroles.update":{"id":"rbac.authorization.k8s.io/clusterroles.update","name":"ClusterRoles","scope":"CRITICAL","parent":{"notes":"ClusterRoles are only definitions of permissions. A role does not take effect unless assigned to a principal via a ClusterRoleBinding.","description":"A cluster role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. ClusterRoles are scoped to the entire cluster."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a ClusterRole unless at least one of the following two conditions is met: 1) the caller already has the permissions contained in the role, or 2) the caller has the `clusterRoles.escalate` permission.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.create":{"id":"rbac.authorization.k8s.io/rolebindings.create","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. 
A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a RoleBinding unless at least one of the following two conditions is met: 1) the caller has the permissions it is granting, or 2) the caller has the `roles.bind` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.delete":{"id":"rbac.authorization.k8s.io/rolebindings.delete","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["destruction:policy"],"notes":"Deleting a RoleBinding removes the permissions of the Role from the principals it lists.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.get":{"id":"rbac.authorization.k8s.io/rolebindings.get","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). 
It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"Retrieves the list of principals and the role in a specific RoleBinding","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.list":{"id":"rbac.authorization.k8s.io/rolebindings.list","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"List all RoleBindings within a namespace","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/rolebindings.update":{"id":"rbac.authorization.k8s.io/rolebindings.update","name":"RoleBindings","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A RoleBinding is used to associate a Role with one or more principals (users, groups, or service accounts). It establishes a connection between a set of permissions defined in a Role and the entities that should have those permissions. 
Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a RoleBinding unless one of the following two conditions is met: 1) the caller has the permission it is granting; 2) the caller has the `roles.bind` permission","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.bind":{"id":"rbac.authorization.k8s.io/roles.bind","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by binding a Role to them. Also requires the `roleBindings.create` or `roleBindings.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/roles.create":{"id":"rbac.authorization.k8s.io/roles.create","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding. 
Kubernetes does not allow the creation or update of a Role unless one of the following two conditions is met: 1) the caller already has the permissions contained in the role; 2) the caller has the `roles.escalate` permission","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.delete":{"id":"rbac.authorization.k8s.io/roles.delete","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["destruction:policy"],"notes":"Roles that are attached to principals via a RoleBinding can be deleted in Kubernetes.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.escalate":{"id":"rbac.authorization.k8s.io/roles.escalate","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["escalation:lateral","escalation:privilege"],"notes":"Allows escalating the current or other users' permissions by creating a new Role or updating an existing Role. 
Also requires the `roles.create` or `roles.update` permission.","links":["https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update"],"seeAlso":[]},"rbac.authorization.k8s.io/roles.get":{"id":"rbac.authorization.k8s.io/roles.get","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"Retrieves the permissions contained in a specific role.","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.list":{"id":"rbac.authorization.k8s.io/roles.list","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. Roles are scoped to a specific Kubernetes namespace."},"risks":["discovery:policy"],"notes":"List all roles within a namespace","links":[],"seeAlso":[]},"rbac.authorization.k8s.io/roles.update":{"id":"rbac.authorization.k8s.io/roles.update","name":"Roles","scope":"CRITICAL","parent":{"notes":"Roles are only definitions of permissions. A role does not take effect unless assigned to a principal via a RoleBinding.","description":"A role is a set of permissions that defines a specific level of access to resources within a single namespace. It consists of rules that specify which API operations can be performed on specific resource types. 
Roles are scoped to a specific Kubernetes namespace."},"risks":[],"notes":"Kubernetes does not allow the creation or update of a Role unless one of the following two conditions is met: 1) the caller already has the permissions contained in the role; 2) the caller has the `roles.escalate` permission","links":[],"seeAlso":[]}},"workspace":{"ADMIN_DASHBOARD":{"id":"ADMIN_DASHBOARD","name":"Admin","scope":"CRITICAL","parent":{"notes":"","description":"The Admin console and API allow control over the Google Workspace, including its users, groups, organizational units, schemata, licenses, domains, and security settings."},"risks":[],"notes":"The exact use of this privilege is not well documented. Naming suggests that this allows access to the Admin console.","links":[],"seeAlso":[]},"GROUPS_ALL":{"id":"GROUPS_ALL","name":"Groups","scope":"CRITICAL","parent":{"notes":"Groups are identities that may be granted to users or other groups within Workspace. Groups may be granted privileges within other systems, notably Google Cloud. This catalog treats groups as system accounts for the purposes of risk assignment.","description":"Privileges for viewing and managing groups."},"risks":["discovery:account","destruction:account","destruction:policy","escalation:lateral","impact:manipulation"],"notes":"Create / read / update / delete on groups. Allows modification of the group's aliases, email address, name, and description. 
Allows updating group settings, which can alter who can join groups, and who can approve group join requests.\nLateral movement in this context indicates movement from one user or group account to the managed group account.","links":["https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group","https://developers.google.com/admin-sdk/groups-settings/manage"],"seeAlso":[]},"GROUPS_MANAGE_LOCKED_LABEL":{"id":"GROUPS_MANAGE_LOCKED_LABEL","name":"Groups","scope":"CRITICAL","parent":{"notes":"Groups are identities that may be granted to users or other groups within Workspace. Groups may be granted privileges within other systems, notably Google Cloud. This catalog treats groups as system accounts for the purposes of risk assignment.","description":"Privileges for viewing and managing groups."},"risks":["destruction:policy","escalation:privilege"],"notes":"Locked labels are labels that are used in application policies. Altering these labels allows destruction or escalation of privileges to these policies.","links":["https://support.google.com/a/answer/13127870"],"seeAlso":[]},"GROUPS_MANAGE_SECURITY_LABEL":{"id":"GROUPS_MANAGE_SECURITY_LABEL","name":"Groups","scope":"CRITICAL","parent":{"notes":"Groups are identities that may be granted to users or other groups within Workspace. Groups may be granted privileges within other systems, notably Google Cloud. This catalog treats groups as system accounts for the purposes of risk assignment.","description":"Privileges for viewing and managing groups."},"risks":["impact:access"],"notes":"Converting a group to a security group is a one-time irreversible operation. 
Security groups can not be automatically joined by your organization's members, nor joined by non-security groups or users external to your organization.\nSince this is a non-reversible operation, converting a group to a security group can impact group access.","links":["https://support.google.com/a/answer/10607394"],"seeAlso":[]},"USERS_RETRIEVE":{"id":"USERS_RETRIEVE","name":"Groups","scope":"CRITICAL","parent":{"notes":"Users are accounts with static usernames, passwords, and email addresses. Typically used for human accounts.","description":"Privileges for viewing and managing users."},"risks":["discovery:account","exfiltration:data"],"notes":"Gives access to the account's user name, email address, and profile fields. Many profile fields are personally identifying or otherwise sensitive, including addresses, telephone numbers, and gender.","links":["https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User"],"seeAlso":[]},"ORGANIZATION_UNITS_RETRIEVE":{"id":"ORGANIZATION_UNITS_RETRIEVE","name":"Organizational Units","scope":"CRITICAL","parent":{"notes":"Organizational units provide a mechanism for organizing users within a Workspace, as well as for applying settings and access policies to those users.","description":"Privileges for viewing and managing organizational units."},"risks":["discovery:infra"],"notes":"Allows the caller to retrieve organizational unit paths.","links":["https://developers.google.com/admin-sdk/directory/reference/rest/v1/orgunits#OrgUnit"],"seeAlso":[]},"SUPER_ADMIN":{"id":"SUPER_ADMIN","name":"Super Admin","scope":null,"parent":{"notes":null,"description":"Google super admins have access to all features in Google Admin, can alter any organizational settings, and have full access to all users' calendars.\nSome actions can only be taken by super admins, including: creating and assigning administrator roles, managing other super admins, inviting unmanaged user accounts, restoring deleted user accounts, installing 
Google Marketplace apps, granting domain-wide delegation, and modifying SAML apps."},"risks":["destruction:account","destruction:crypto","destruction:defense","destruction:metadata","destruction:policy","destruction:infra","discovery:account","discovery:policy","escalation:privilege","persistence:account","takeover:account"],"notes":"Super admins have the highest level of privilege in a Workspace account.\nHolding this privilege allows creation and deletion of accounts, as well as account takeover via password reset. It allows modification of administrator roles and role assignments. It can also allow disabling (or enabling) of two-factor security settings.","links":["https://support.google.com/a/answer/2405986"],"seeAlso":[]}}}}