GCP_BUILTIN_PRIVILEGED_ROLE
Summary
FSProtect ACL Alias: GCP_BUILTIN_PRIVILEGED_ROLE
GCP Alias: IAM & Hierarchy Control
Affected Object Types: Organizations, Folders, Projects
Exploitation Certainty: Certain
Granting Roles: Any GCP built-in role flagged as privileged that is not covered by a specific attack path mapping
Description
GCP_BUILTIN_PRIVILEGED_ROLE represents an assignment of a GCP predefined (built-in) role that is flagged as privileged and does not have an explicit, mapped attack path edge. This catch-all edge flags identities holding elevated built-in roles (such as service-specific admin roles) that carry significant permissions but are not covered by more specific attack path mappings.
Roles like roles/owner, roles/editor, roles/iam.securityAdmin, etc., have explicit mappings and do NOT trigger this edge. Only privileged built-in roles without specific mappings generate GCP_BUILTIN_PRIVILEGED_ROLE. GCP predefined roles are Google-managed and can be updated at any time — a role considered safe today may gain dangerous permissions in a future update. Identities with this edge should be reviewed to understand what specific permissions they hold and whether those permissions enable privilege escalation or lateral movement.
Common examples of roles flagged by this edge:
Service-specific admin roles.
Any built-in privileged role not explicitly mapped to a more specific attack path edge.
Identification
gcloud CLI
GCP Console
Open GCP Console → IAM & Admin → IAM.
Review all role assignments — focus on service-specific admin roles (e.g., storage.admin, bigquery.admin, secretmanager.admin).
For each flagged role, click Roles → search the role name → review its Included Permissions for dangerous entries (e.g., setIamPolicy, actAs, getAccessToken).
Exploitation
The exploitation path depends on the specific permissions the flagged role contains. Identify the role's permissions and map them to known attack paths:
Common dangerous permissions in unmapped privileged roles and their attack vectors:
resourcemanager.projects.setIamPolicy → privilege escalation via IAM policy manipulation → see GCP_CAN_SET_PROJECT_IAMPOLICY.
resourcemanager.folders.setIamPolicy → privilege escalation via IAM policy manipulation → see GCP_CAN_SET_FOLDER_IAMPOLICY.
resourcemanager.organizations.setIamPolicy → privilege escalation via IAM policy manipulation → see GCP_CAN_SET_ORG_IAMPOLICY.
iam.serviceAccounts.actAs → SA attachment to compute resources → see GCP_CAN_ACT_AS_SA.
iam.serviceAccounts.getAccessToken → direct SA token generation → see GCP_CAN_IMPERSONATE_SA.
compute.instances.create + SA attachment → vehicle for token extraction → see GCP_CAN_CREATE_COMPUTE + GCP_CAN_ACT_AS_SA.
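The identification and triage steps above, carried out offline over exported data, as an added example that is not FSProtect's own code. It reads an IAM policy in the shape that `gcloud projects get-iam-policy PROJECT --format=json` produces, keeps only bindings of predefined roles (names starting with `roles/`) that are flagged privileged and have no explicit edge, and for each one reports the dangerous permissions (setIamPolicy, actAs, getAccessToken) and the specific edges from the table above that those permissions imply. The privileged-role list, the sample policy and the per-role permission lists are constructed for the example; the permission lists are stand-ins for the `includedPermissions` field of `gcloud iam roles describe`, not the real contents of those roles.

```python
import json

# Roles that already have an explicit attack-path edge on this page and so
# never raise GCP_BUILTIN_PRIVILEGED_ROLE.
EXPLICITLY_MAPPED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

# Roles the scanner treats as privileged; constructed for this example, not
# the tool's real list.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin",
                    "roles/iam.serviceAccountUser"}

# Permission-name fragments the page calls out as dangerous.
DANGEROUS_MARKERS = ("setIamPolicy", "actAs", "getAccessToken")

# Permission -> attack-path edge, taken from the Exploitation table above.
PERMISSION_TO_EDGE = {
    "resourcemanager.projects.setIamPolicy": "GCP_CAN_SET_PROJECT_IAMPOLICY",
    "resourcemanager.folders.setIamPolicy": "GCP_CAN_SET_FOLDER_IAMPOLICY",
    "resourcemanager.organizations.setIamPolicy": "GCP_CAN_SET_ORG_IAMPOLICY",
    "iam.serviceAccounts.actAs": "GCP_CAN_ACT_AS_SA",
    "iam.serviceAccounts.getAccessToken": "GCP_CAN_IMPERSONATE_SA",
    "compute.instances.create": "GCP_CAN_CREATE_COMPUTE",
}

# Constructed stand-in for the includedPermissions field of
# `gcloud iam roles describe roles/<name> --format=json`; these lists are
# illustrative and are NOT the real contents of the named roles.
ROLE_PERMISSIONS = {
    "roles/storage.admin": ["storage.buckets.get", "storage.buckets.setIamPolicy",
                            "storage.objects.get"],
    "roles/iam.serviceAccountUser": ["iam.serviceAccounts.get", "iam.serviceAccounts.actAs"],
    "roles/bigquery.dataViewer": ["bigquery.tables.get", "bigquery.tables.getData"],
    "roles/editor": ["resourcemanager.projects.get", "iam.serviceAccounts.actAs"],
}

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY_JSON = json.dumps({"bindings": [
    {"role": "roles/editor", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.admin", "members": [
        "user:bob@example.com",
        "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["group:platform@example.com"]},
    {"role": "roles/bigquery.dataViewer", "members": ["user:carol@example.com"]},
    {"role": "projects/example-project/roles/customDeployer",
     "members": ["user:dave@example.com"]},
]})


def dangerous_permissions(role, role_permissions=ROLE_PERMISSIONS):
    """Permissions of `role` that contain one of the dangerous markers."""
    return [p for p in role_permissions.get(role, [])
            if any(marker in p for marker in DANGEROUS_MARKERS)]


def mapped_edges(role, role_permissions=ROLE_PERMISSIONS):
    """Specific attack-path edges implied by the role's permissions, sorted."""
    return sorted({PERMISSION_TO_EDGE[p] for p in role_permissions.get(role, [])
                   if p in PERMISSION_TO_EDGE})


def find_builtin_privileged_role_edges(policy_json, privileged_roles=PRIVILEGED_ROLES,
                                       explicitly_mapped=EXPLICITLY_MAPPED_ROLES):
    """One record per (member, role) binding that would raise this edge.

    A binding qualifies when the role is predefined (its name starts with
    "roles/"; custom roles live under projects/... or organizations/...),
    is flagged privileged, and has no explicit attack-path mapping.
    """
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith("roles/"):
            continue
        if role not in privileged_roles or role in explicitly_mapped:
            continue
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                "dangerous_permissions": dangerous_permissions(role),
                "follow_up_edges": mapped_edges(role),
            })
    return findings


if __name__ == "__main__":
    for f in find_builtin_privileged_role_edges(SAMPLE_POLICY_JSON):
        print(f"{f['member']:60} {f['role']:32} "
              f"dangerous={f['dangerous_permissions']} edges={f['follow_up_edges']}")
```

With the constructed input, the editor binding is skipped because that role has its own edge, the custom role is skipped because the edge only covers predefined roles, and the remaining three bindings are reported; the serviceAccountUser binding resolves to GCP_CAN_ACT_AS_SA through its actAs permission, while storage.admin's setIamPolicy permission is flagged as dangerous but maps to no edge on this page, which is exactly the case this catch-all edge exists for.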
Mitigation
Identify which permissions the flagged role grants — not all privileged roles are equally dangerous.
Replace with narrowly-scoped custom roles if the built-in role grants unnecessary permissions.
Scope assignments narrowly — use folder/project scope instead of org scope where possible.
Audit all role assignments flagged by this edge — prioritize roles with setIamPolicy, actAs, or getAccessToken permissions.
Monitor Google Cloud release notes — built-in roles can gain new permissions without your control; watch for additions to roles assigned to your users.
Detection
Admin Activity audit log, method SetIamPolicy: new role assignments of roles flagged as privileged.
Alert on:
New role assignments of privileged roles to users.
Changes to built-in role permissions via Google Cloud release notes (external monitoring).
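The first alert rule above, as an added detection example that is not FSProtect's or Google's code. It walks Admin Activity entries exported from Cloud Logging as one JSON object per line, keeps SetIamPolicy calls, and raises an alert for every ADD delta whose role is on a privileged list, rating grants to human users (`user:` members) high and everything else medium. The entries follow the layout Cloud Audit Logs use for SetIamPolicy (`protoPayload.methodName` and `protoPayload.serviceData.policyDelta.bindingDeltas`), but the principals, project and privileged-role list are constructed for the example.

```python
import json

# Roles whose assignment should page someone; constructed for this example.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin",
                    "roles/secretmanager.admin"}


def _entry(method, deltas, actor="admin@example.com", ts="2024-01-01T10:00:00Z"):
    """Build one constructed Admin Activity entry in the SetIamPolicy layout."""
    return json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": actor},
            "resourceName": "projects/example-project",
            "serviceData": {"policyDelta": {"bindingDeltas": deltas}},
        },
    })


# Constructed sample log lines (JSON, one entry per line), as exported from
# Cloud Logging; the principals and project are invented.
SAMPLE_LOG_LINES = [
    # privileged role granted to a human user, plus an unrelated removal
    _entry("SetIamPolicy", [
        {"action": "ADD", "role": "roles/storage.admin", "member": "user:bob@example.com"},
        {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"},
    ]),
    # non-privileged role: no alert
    _entry("SetIamPolicy", [
        {"action": "ADD", "role": "roles/bigquery.dataViewer", "member": "user:carol@example.com"},
    ], ts="2024-01-01T10:05:00Z"),
    # different method: ignored
    _entry("google.iam.admin.v1.CreateServiceAccount", [], ts="2024-01-01T10:06:00Z"),
    # privileged role granted to a service account: alerted at lower severity
    _entry("SetIamPolicy", [
        {"action": "ADD", "role": "roles/owner",
         "member": "serviceAccount:deploy@example-project.iam.gserviceaccount.com"},
    ], actor="terraform@example-project.iam.gserviceaccount.com", ts="2024-01-01T10:07:00Z"),
]


def set_iam_policy_alerts(log_lines, privileged_roles=PRIVILEGED_ROLES):
    """Return one alert per ADD of a privileged role found in SetIamPolicy entries.

    Human members (user:) are rated high, everything else medium; REMOVE deltas
    and other methods are skipped.
    """
    alerts = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        deltas = (payload.get("serviceData", {}).get("policyDelta", {})
                  .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action") != "ADD" or delta.get("role") not in privileged_roles:
                continue
            member = delta.get("member", "")
            alerts.append({
                "timestamp": entry.get("timestamp"),
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "resource": payload.get("resourceName"),
                "role": delta["role"],
                "member": member,
                "severity": "high" if member.startswith("user:") else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in set_iam_policy_alerts(SAMPLE_LOG_LINES):
        print(f"[{a['severity']:6}] {a['timestamp']} {a['actor']} granted {a['role']} "
              f"to {a['member']} on {a['resource']}")
```

The privileged-role list is the knob to tune: seed it with every role this edge has flagged in your environment, and revisit it when the release notes (the second alert source above) add permissions to a role you had not considered privileged.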
References
https://cloud.google.com/iam/docs/understanding-roles
https://cloud.google.com/iam/docs/roles-overview#predefined