Skip to content

compute.disks.setIamPolicy

GCP

compute.disks.setIamPolicy

service: GCP - Compute Engine
techniques:

Event

Sets the IAM policy on a Compute Engine persistent disk, controlling which principals have access to it.

Security Context

  • Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco grants roles/compute.storageAdmin on the phoenix-backup-disk-001 PD-SSD persistent disk (which holds nightly snapshots of the production DB volume) to his external attacker-controlled service account attacker@555666661337-evil.iam.gserviceaccount.com. Once granted, the attacker can disks.createSnapshot and images.insert on this disk from his own project, exfiltrating raw block-level data without ever touching the source project’s network egress controls.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.disks.add-iam-policy-binding invocation-id/90000000000000000000001111101010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T17:18:55.778899100Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.disks.setIamPolicy",
"authorizationInfo": [
{
"permission": "compute.disks.setIamPolicy",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/fantasticlogs-prod/zones/us-central1-a/disks/phoenix-backup-disk-001",
"type": "compute.disks"
}
}
],
"resourceName": "projects/fantasticlogs-prod/zones/us-central1-a/disks/phoenix-backup-disk-001",
"request": {
"@type": "type.googleapis.com/compute.v1.disks.setIamPolicy",
"policy": {
"version": 1,
"bindings": [
{
"role": "roles/compute.storageAdmin",
"members": [
"serviceAccount:attacker@555666661337-evil.iam.gserviceaccount.com"
]
}
],
"etag": "BwSAMPLEetag1010="
}
},
"response": {
"@type": "type.googleapis.com/google.iam.v1.Policy",
"version": 1,
"bindings": [
{
"role": "roles/compute.storageAdmin",
"members": [
"serviceAccount:attacker@555666661337-evil.iam.gserviceaccount.com"
]
}
],
"etag": "BwSAMPLEetag1011="
},
"serviceData": {
"@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
"policyDelta": {
"bindingDeltas": [
{
"action": "ADD",
"role": "roles/compute.storageAdmin",
"member": "serviceAccount:attacker@555666661337-evil.iam.gserviceaccount.com"
}
]
}
},
"resourceLocation": {
"currentLocations": [
"us-central1-a"
]
}
},
"insertId": "evt001111101010",
"resource": {
"type": "gce_disk",
"labels": {
"project_id": "fantasticlogs-prod",
"zone": "us-central1-a",
"disk_id": "6100000000000001111101010"
}
},
"timestamp": "2026-04-15T17:18:55.667788990Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T17:18:56.001122334Z"
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...