compute.instances.addAccessConfig
GCP
compute.instances.addAccessConfig
Event
Adds an external IP access configuration to an instance, exposing an internal resource to the internet.
Security Context
- Adding an external IP to an instance that was previously internal-only exposes it directly to the internet, creating an entry point that bypasses perimeter security controls.
- Adversaries add access configs to pivot from a compromised internal instance to an internet-facing one, enabling inbound access from external infrastructure or outbound data exfiltration.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco adds an external IP AccessConfig (ONE_TO_ONE_NAT) to the previously internal-only demiguise-infer-001 VM, exposing it directly to the internet. Combined with the wider firewall change (gcp-compute-firewalls-patch), this gives the adversary inbound reachability to a high-value ML inference VM that holds DEMIGUISE model artifacts and customer feature data. The change is reversible (no infrastructure destroyed) and easy to overlook in change-control reviews. Compute LROs emit a paired last entry on completion; this is the first entry.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.instances.add-access-config invocation-id/90000000000000000000001111101100 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T14:33:18.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.addAccessConfig", "authorizationInfo": [ { "permission": "compute.instances.addAccessConfig", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "type": "compute.instances" } }, { "permission": "compute.subnetworks.useExternalIp", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/fantasticlogs-prod/regions/us-central1/subnetworks/default", "type": "compute.subnetworks" } } ], "resourceName": "projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "request": { "@type": "type.googleapis.com/compute.instances.addAccessConfig", "networkInterface": "nic0", "accessConfig": { "type": "ONE_TO_ONE_NAT", "name": "external-nat", "networkTier": "PREMIUM" } }, "response": { "@type": "type.googleapis.com/operation", "id": "8200000000000001111101100", "name": "operation-1776267198000-62fa274d8e201-ab001100-cd001100", "operationType": "addAccessConfig", "targetId": "6100000000000001111101100", "targetLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/instances/demiguise-infer-001", "selfLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/operations/operation-1776267198000-62fa274d8e201-ab001100-cd001100", "selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a/operations/8200000000000001111101100", "zone": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/zones/us-central1-a", "user": "draco@fantasticlogs.cloud", "status": "RUNNING", "progress": "0", "insertTime": "2026-04-15T07:33:18.301-07:00", "startTime": "2026-04-15T07:33:18.318-07:00" }, "resourceLocation": { "currentLocations": [ "us-central1-a" ] } }, "insertId": "evt001111101100", "resource": { "type": "gce_instance", "labels": { "project_id": "fantasticlogs-prod", "zone": "us-central1-a", "instance_id": "6100000000000001111101100" } }, "timestamp": "2026-04-15T14:33:18.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "operation": { "id": "operation-1776267198000-62fa274d8e201-ab001100-cd001100", "producer": "compute.googleapis.com", "first": true }, "receiveTimestamp": "2026-04-15T14:33:18.567890123Z"}MITRE ATT&CK Mapping
Tactics: Initial Access
Techniques:
- T1190 — Exploit Public-Facing Application — Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.