The Hidden Risk of GCP Viewer Role: Cross-Project Disk Replication
TL;DR: The legacy basic role roles/viewer is riskier than you think. It grants compute.disks.useReadOnly, which allows an attacker to clone disks (even CMEK-encrypted ones) into an external project, effectively removing the CMEK encryption and bypassing the specific KMS permissions you would expect to prevent this. While Google patched the direct disk cloning bypass following my disclosure, I have discovered a new workaround using snapshots that still allows attackers to strip CMEK encryption. ...
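A defender-side check for the grant described above, as an added example that is not code from the original post: it reads a project IAM policy (the JSON shape printed by `gcloud projects get-iam-policy --format=json`) and lists every principal that receives compute.disks.useReadOnly through roles/viewer or through a custom role. The sample policy, custom role and principals are constructed, and other predefined roles that may carry the permission are not covered.

```python
import json

RISKY_PERMISSION = "compute.disks.useReadOnly"  # permission named in the post
RISKY_BASIC_ROLES = {"roles/viewer"}            # role named in the post

# Constructed sample in the shape of a project IAM policy export.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/viewer",
   "members": ["user:auditor@example.com",
               "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/viewer",
   "members": ["group:contractors@example.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "projects/example-proj/roles/diskReader",
   "members": ["user:ops@example.com"]},
  {"role": "roles/logging.viewer", "members": ["user:sre@example.com"]}
]}
""")

# Constructed sample: custom role definitions keyed by full role name
# (hypothetical role; includedPermissions is the field in a role definition).
SAMPLE_CUSTOM_ROLES = {
    "projects/example-proj/roles/diskReader": {
        "includedPermissions": ["compute.disks.get", RISKY_PERMISSION]},
}

def find_disk_read_grants(policy, custom_roles):
    """Return one finding per principal that can read-attach/clone disks."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in RISKY_BASIC_ROLES:
            reason = "basic role"
        elif RISKY_PERMISSION in custom_roles.get(role, {}).get("includedPermissions", []):
            reason = "custom role includes " + RISKY_PERMISSION
        else:
            continue  # role is not known to carry the permission
        for member in binding.get("members", []):
            findings.append({"member": member, "role": role, "reason": reason,
                             # conditional bindings still grant access while the condition holds
                             "conditional": "condition" in binding})
    return findings

if __name__ == "__main__":
    for finding in find_disk_read_grants(SAMPLE_POLICY, SAMPLE_CUSTOM_ROLES):
        print(finding)
```

Each finding is a candidate for replacement with a narrower predefined role that omits compute.disks.useReadOnly.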