compute.disks.setIamPolicy
GCP
compute.disks.setIamPolicy
Event
Sets the IAM policy on a Compute Engine persistent disk, controlling which principals have access to it.
Security Context
- Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco grants roles/compute.storageAdmin on the phoenix-backup-disk-001 PD-SSD persistent disk (which holds nightly snapshots of the production DB volume) to his external attacker-controlled service account attacker@555666661337-evil.iam.gserviceaccount.com. Once granted, the attacker can disks.createSnapshot and images.insert on this disk from his own project, exfiltrating raw block-level data without ever touching the source project’s network egress controls.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.disks.add-iam-policy-binding invocation-id/90000000000000000000001111101010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T17:18:55.778899100Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.disks.setIamPolicy", "authorizationInfo": [ { "permission": "compute.disks.setIamPolicy", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/fantasticlogs-prod/zones/us-central1-a/disks/phoenix-backup-disk-001", "type": "compute.disks" } } ], "resourceName": "projects/fantasticlogs-prod/zones/us-central1-a/disks/phoenix-backup-disk-001", "request": { "@type": "type.googleapis.com/compute.v1.disks.setIamPolicy", "policy": { "version": 1, "bindings": [ { "role": "roles/compute.storageAdmin", "members": [ "serviceAccount:attacker@555666661337-evil.iam.gserviceaccount.com" ] } ], "etag": "BwSAMPLEetag1010=" } }, "response": { "@type": "type.googleapis.com/google.iam.v1.Policy", "version": 1, "bindings": [ { "role": "roles/compute.storageAdmin", "members": [ "serviceAccount:attacker@555666661337-evil.iam.gserviceaccount.com" ] } ], "etag": "BwSAMPLEetag1011=" }, "serviceData": { "@type": "type.googleapis.com/google.iam.v1.logging.AuditData", "policyDelta": { "bindingDeltas": [ { "action": "ADD", "role": "roles/compute.storageAdmin", "member": "serviceAccount:attacker@555666661337-evil.iam.gserviceaccount.com" } ] } }, "resourceLocation": { "currentLocations": [ "us-central1-a" ] } }, "insertId": "evt001111101010", "resource": { "type": "gce_disk", "labels": { "project_id": "fantasticlogs-prod", "zone": "us-central1-a", "disk_id": "6100000000000001111101010" } }, "timestamp": "2026-04-15T17:18:55.667788990Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T17:18:56.001122334Z"}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...