Skip to content
TheCloud.Events

compute.instances.addAccessConfig

CSP: GCP
Tactics:
Initial Access
Techniques:
T1190
Tags:
GCP Compute Engine

Event

Adds an external IP access configuration to an instance, exposing an internal resource to the internet.

Security Context

  • Adding an external IP to an instance that was previously internal-only exposes it directly to the internet, creating an entry point that bypasses perimeter security controls.
  • Adversaries add access configs to pivot from a compromised internal instance to an internet-facing one, enabling inbound access from external infrastructure or outbound data exfiltration.

Log Source

Cloud Audit Logs

Sample Event

MITRE ATT&CK Mapping

Tactics: Initial Access

Techniques:
  • T1190 — Exploit Public-Facing Application — Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.