GCP_CAN_MODIFY_TAGS

Summary

FSProtect ACL Alias

GCP_CAN_MODIFY_TAGS

GCP Alias

IAM & Hierarchy Control

Affected Object Types

Organizations, Folders, Projects

Exploitation Certainty

Likely

Granting Roles

roles/resourcemanager.tagAdmin

Description

GCP_CAN_MODIFY_TAGS indicates that an identity holds roles/resourcemanager.tagAdmin, granting the ability to create, update, and delete GCP tag keys and tag values (tag definitions).

This edge is significant because GCP supports Attribute-Based Access Control (ABAC) via IAM Conditions: IAM policy bindings can use resource.matchTag() conditions to grant or deny access based on tag presence. An attacker who controls tag definitions can undermine security controls that rely on specific tag keys or values existing with expected semantics.

Key abuse scenarios:

Delete a tag value or key that an existing IAM condition binding or deny policy depends on — causing the condition to stop matching, which can fail open (allow unintended access) or fail closed (break legitimate access as a disruption).
Modify a tag value's short name that security tooling or org policies reference by name, breaking enforcement silently.
Create a new tag value under a controlled tag key with a name that satisfies a loosely-written IAM condition, if the condition matches on tag key namespace rather than a specific value ID.

Identification

gcloud CLI

# Find who has the Tag Admin role at org level
ORG_ID=$(gcloud organizations list --format="value(name)" | head -1)
gcloud organizations get-iam-policy $ORG_ID --format=json | \
  jq '.bindings[] | select(.role == "roles/resourcemanager.tagAdmin") | {role: .role, members: .members}'

# Also check at project level
PROJECT_ID="my-project"
gcloud projects get-iam-policy $PROJECT_ID --format=json | \
  jq '.bindings[] | select(.role == "roles/resourcemanager.tagAdmin")'

GCP Console

Check IAM & Admin → IAM for principals with Tag Admin role.

Exploitation

gcloud CLI

# Identify IAM conditions or deny policies referencing a specific tag value
ORG_ID=$(gcloud organizations list --format="value(name)" | head -1)

# List tag keys and values to find security-relevant ones
gcloud resource-manager tags keys list --parent=$ORG_ID
gcloud resource-manager tags values list --parent="tagKeys/123456789"

# Delete a tag value that a deny policy condition depends on
# This causes the deny condition to stop matching, removing the explicit deny
TAG_VALUE_ID="tagValues/987654321"
gcloud resource-manager tags values delete $TAG_VALUE_ID

# Alternatively: update a tag value's short name to break enforcement by name
gcloud resource-manager tags values update $TAG_VALUE_ID \
  --short-name="production-disabled"

After deleting or renaming the tag value, IAM conditions or deny policies that reference it by exact match will stop evaluating as intended — potentially allowing access that was explicitly denied, or breaking org policies that relied on the tag.

Mitigation

Restrict roles/resourcemanager.tagAdmin to org-level automation accounts; never assign to regular users.
Audit tag bindings on sensitive resources (privileged SAs, production projects) for unexpected attachments.
Use tag-based IAM conditions carefully — document which conditions are security-relevant and monitor for tag changes on those resources.
Prefer explicit deny policies over tag-only allow conditions for sensitive access grants.

Detection

Log Type

Method

Key Fields

Admin Activity

CreateTagKey UpdateTagKey DeleteTagKey

resource.type=tagKey, methodName=DeleteTagKey

Admin Activity

CreateTagValue UpdateTagValue DeleteTagValue

resource.type=tagValue, methodName=DeleteTagValue

gcloud logging read \
  'protoPayload.methodName=~"TagKeys" OR protoPayload.methodName=~"TagValue"' \
  --project=$PROJECT_ID \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.methodName)"

Alert on:

Deletion of tag keys or values referenced in IAM condition expressions or deny policies.
Tag value short-name updates on security-relevant tag keys (e.g., env, data-classification).

References

https://cloud.google.com/resource-manager/docs/tags/tags-overview
https://cloud.google.com/iam/docs/conditions-attribute-reference#resource-tag
https://cloud.google.com/iam/docs/deny-overview

PreviousGCP_CAN_MODIFY_CUSTOM_ROLES NextGCP_CAN_SET_FOLDER_IAMPOLICY

Last updated 7 days ago

Was this helpful?