Privilege Escalation: AlloyDB Over-Privileged Grant
Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)

This document describes a threat finding type in Security Command Center. Threat findings are generated by [threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect a potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).
Overview

All privileges over an AlloyDB for PostgreSQL database (or all functions or procedures in a database) were granted to one or more database users.
How to respond

To respond to this finding, do the following:

Step 1: Review finding details

1. Open the `Privilege Escalation: AlloyDB Over-Privileged Grant` finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).
2. On the **Summary** tab of the finding details panel, review the information in the following sections:
   - **What was detected**, especially the following fields:
     - **Database display name**: the name of the database in the AlloyDB for PostgreSQL instance that was affected.
     - **Database user name**: the PostgreSQL user who granted the excess privileges.
     - **Database query**: the PostgreSQL query that was executed to grant the privileges.
     - **Database grantees**: the grantees of the overbroad privileges.
   - **Affected resource**, especially the following fields:
     - **Resource full name**: the resource name of the AlloyDB for PostgreSQL instance that was affected.
     - **Parent full name**: the resource name of the AlloyDB for PostgreSQL instance.
     - **Project full name**: the Google Cloud project that contains the AlloyDB for PostgreSQL instance.
   - **Related links**, especially the following fields:
     - **Cloud Logging URI**: link to Logging entries.
     - **MITRE ATT&CK method**: link to the MITRE ATT&CK documentation.
3. To see the complete JSON for the finding, click the **JSON** tab.
Step 2: Review database privileges

1. [Connect to the AlloyDB for PostgreSQL instance](/alloydb/docs/connection-overview).
2. [List and show access privileges](https://www.postgresql.org/docs/14/app-psql.html#APP-PSQL-META-COMMANDS) for the following:
   - Databases. Use the `\l` or `\list` metacommand and check what privileges are assigned for the database listed in **Database display name** (from Step 1).
   - Functions or procedures. Use the `\df` metacommand and check what privileges are assigned for functions or procedures in the database listed in **Database display name** (from Step 1).
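The psql metacommands above summarize the access control lists; the catalog queries below make the individual grant entries explicit, which is what you need when comparing against the **Database grantees** field. This is an added example, not code from the Security Command Center page or from AlloyDB. It assumes the affected database is named `app_db` and the grantees in the finding are `app_user` and `report_user`; substitute the values from Step 1 and run as a role that can read the catalogs.

```sql
-- Added example (not from the Security Command Center page): enumerate the
-- explicit ACL entries that psql's \l and \df summarize.
-- Assumed values: database app_db, grantees app_user and report_user.

-- 1. Database-level privileges (the "Access privileges" column of \l).
--    A NULL datacl means only the built-in defaults apply, so acldefault()
--    is used to make those defaults visible as explicit rows.
SELECT d.datname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE a.grantee::regrole::text END AS grantee_name,
       a.privilege_type,
       a.is_grantable,
       a.grantor::regrole                     AS grantor_name
FROM   pg_database d
CROSS JOIN LATERAL aclexplode(COALESCE(d.datacl, acldefault('d', d.datdba))) AS a
WHERE  d.datname = 'app_db'
ORDER  BY grantee_name, a.privilege_type;

-- 2. Function and procedure privileges held by the grantees (or by PUBLIC)
--    in the affected database. pg_proc is per database, so connect to
--    app_db first (\c app_db). Only EXECUTE exists for routines, so a row
--    here with is_grantable = true is the "grant option" case to look at.
SELECT n.nspname                                     AS schema_name,
       p.proname                                     AS routine_name,
       CASE p.prokind WHEN 'p' THEN 'procedure'
                      ELSE 'function' END            AS kind,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE a.grantee::regrole::text END        AS grantee_name,
       a.privilege_type,
       a.is_grantable
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN LATERAL aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) AS a
WHERE  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  (a.grantee = 0
        OR a.grantee IN (SELECT oid FROM pg_roles
                         WHERE rolname IN ('app_user', 'report_user')))
ORDER  BY schema_name, routine_name, grantee_name;
```

The second query deliberately includes `PUBLIC` rows: by default every new function is executable by `PUBLIC`, so a grantee that holds no explicit routine privilege may still be able to execute everything in the schema. Compare the `grantor_name` and `grantee_name` columns with the **Database user name** and **Database grantees** fields to confirm that the rows you see are the ones the finding reported.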
Step 3: Check logs

1. In the Google Cloud console, go to **Logs Explorer** by clicking the link in **Cloud Logging URI** (from Step 1). The **Logs Explorer** page includes all logs related to the relevant Cloud SQL instance.
2. In the **Logs Explorer**, check the PostgreSQL `pgaudit` logs, which record the queries executed against the database, by using the following filter, where `database` is the value of **Database display name** from Step 1:
   - `protoPayload.request.database="database"`
Step 4: Research attack and response methods

1. Review the MITRE ATT&CK framework entry for this finding type: [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/).
2. To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.
Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

- Contact the owner of the instance with overprivileged grants.
- Consider [revoking](https://www.postgresql.org/docs/14/sql-revoke.html) all permissions for the grantees that are listed in **Database grantees** until the investigation is completed.
- To limit access to the database (from **Database display name** of Step 1), [revoke](https://www.postgresql.org/docs/14/sql-revoke.html) unnecessary permissions from the grantees (from **Database grantees** of Step 1).
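The containment step above, written out as the `REVOKE` statements for the two grant shapes this finding covers (all privileges on the database, and all privileges on the functions or procedures in it). This is an added example, not code from the Security Command Center page or from AlloyDB. It assumes the affected database is `app_db`, the grantees are `app_user` and `report_user`, the routines live in schema `public`, and the granting role from **Database user name** is `app_admin`; substitute the values from Step 1 and run as the database owner or a superuser.

```sql
-- Added example (not from the Security Command Center page): containment
-- REVOKEs for the response plan. Assumed values: database app_db, grantees
-- app_user and report_user, schema public, granting role app_admin.
-- Each statement only removes privileges; no objects or roles are dropped,
-- so the accounts keep existing but lose the overbroad access.

-- Database-level grant (the "GRANT ALL ON DATABASE ..." case).
REVOKE ALL PRIVILEGES ON DATABASE app_db FROM app_user, report_user;

-- Routine-level grants (the "GRANT ALL ON ALL FUNCTIONS/PROCEDURES ..." case).
-- Run these while connected to app_db (\c app_db); they affect only that database.
REVOKE ALL PRIVILEGES ON ALL FUNCTIONS  IN SCHEMA public FROM app_user, report_user;
REVOKE ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA public FROM app_user, report_user;

-- If the granting role also altered default privileges, routines created later
-- would inherit the grant again. Undo that for the granting role as well
-- (requires membership in app_admin or superuser).
ALTER DEFAULT PRIVILEGES FOR ROLE app_admin IN SCHEMA public
    REVOKE ALL ON FUNCTIONS FROM app_user, report_user;

-- Verify: no explicit database-level entries should remain for the grantees.
SELECT a.grantee::regrole AS grantee_name, a.privilege_type
FROM   pg_database d
CROSS JOIN LATERAL aclexplode(d.datacl) AS a
WHERE  d.datname = 'app_db'
  AND  a.grantee IN (SELECT oid FROM pg_roles
                     WHERE rolname IN ('app_user', 'report_user'));
```

Two caveats when reading the verification result. Revoking from a named role does not remove what that role still receives through `PUBLIC` (by default `CONNECT` and `TEMP` on every database, and `EXECUTE` on every function) or through membership in another role, so check those paths separately if the goal is to cut off access entirely. And `REVOKE` only removes privileges that the executing role granted or is allowed to revoke; if the grantor in **Database user name** is a different role, run the statements as that role, its owner, or a superuser, otherwise the revoke silently does nothing.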
What's next

- Learn [how to work with threat findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).
- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).
- Learn how to [review a finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.
- Learn about the [services that generate threat findings](/security-command-center/docs/concepts-security-sources#threats).

Last updated 2025-09-04 UTC.