Ensure that your Google Compute Engine instances are not configured to use the default Compute Engine service account, in order to implement the principle of least privilege (POLP) and secure access to your cloud resources. A service account is an IAM identity attached to a Google Cloud VM instance; any process running on the instance can obtain that identity's credentials from the metadata server and act with its permissions. The default Compute Engine service account, named <project-number>-compute@developer.gserviceaccount.com, is automatically granted the basic Editor role at the project level (unless an organization policy disables this automatic grant), which allows read and write access to most Google Cloud Platform (GCP) services.
This rule resolution is part of the Conformity Security & Compliance tool for GCP.
By default, Google Cloud virtual machine (VM) instances are created with the default Compute Engine service account attached. To limit privilege escalation if one of your Compute Engine instances is compromised, and to stop an attacker from using the instance's credentials to reach every resource in the project, it is strongly recommended to avoid using the default service account. Instead, create a dedicated service account for each instance (or workload) in your project that follows the principle of least privilege and is granted only the permissions it needs. Note that an instance's access scopes only narrow what the attached account's token can reach; they are a legacy mechanism and no substitute for a least-privilege IAM identity.
Note: VMs created by Google Kubernetes Engine (GKE) are excluded from this recommendation.
Audit
To determine if your Google Cloud VM instances are using the default service account, perform the following operations:
Remediation / Resolution
To replace the default Compute Engine service account within your Google Cloud VM instances configuration, perform the following operations:
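The audit and remediation steps themselves are not reproduced on this page. The following script is an added example, not Conformity's or Google's own procedure, showing how both the check and the fix can be carried out with the gcloud commands listed under References: it lists every instance in a project together with its attached service account, flags the ones still on the default <project-number>-compute@developer.gserviceaccount.com account, and, when asked to, moves each flagged instance onto a dedicated service account that carries a single IAM role. The "-sa" naming scheme for the new accounts, the default role roles/logging.logWriter, the environment variables PROJECT_ID, REMEDIATE and ROLE, and the sample instance lines are all assumptions made for this example; choose the role the workload actually needs.

```shell
#!/usr/bin/env bash
# Added example; not the Conformity rule's own audit or remediation steps.
# Finds Compute Engine instances attached to the default Compute Engine service
# account and, on request, moves each one onto a dedicated least-privilege account.
# Assumes an authenticated gcloud CLI. The ROLE default, the "-sa" naming scheme
# and SAMPLE_LINES below are assumptions made for this example.
set -eu

# The default Compute Engine service account is always named
# <project-number>-compute@developer.gserviceaccount.com (anchored match, so a
# look-alike such as ...gserviceaccount.com.evil.example is not accepted).
is_default_compute_sa() {
  expr "$1" : '[0-9][0-9]*-compute@developer\.gserviceaccount\.com$' >/dev/null
}

# Read "name,zone,email" lines on stdin (the shape gcloud_instance_lines emits)
# and print "name zone email" for each instance on the default account.
# An empty email means no service account is attached, which is not a finding.
flag_default_sa_instances() {
  while IFS=, read -r name zone email; do
    [ -n "$name" ] || continue
    if [ -n "$email" ] && is_default_compute_sa "$email"; then
      printf '%s %s %s\n' "$name" "$zone" "$email"
    fi
  done
}

# Service account IDs must be 6-30 lowercase letters, digits or hyphens and start
# with a letter; instance names can be longer, so truncate the name before adding
# the "-sa" suffix (hypothetical naming scheme). Very short names need a hand-picked ID.
sa_id_for() {
  printf '%.27s-sa' "$1"
}

# Live query: one CSV line per instance in the project, no header row.
gcloud_instance_lines() {
  gcloud compute instances list --project "$1" \
    --format='csv[no-heading](name,zone.basename(),serviceAccounts[0].email)'
}

# Create a dedicated account with only the role the workload needs, then swap it
# onto the instance. The service account can only be changed on a stopped VM.
# The cloud-platform scope is used so IAM roles, not legacy scopes, define access.
remediate_instance() {
  project="$1"; name="$2"; zone="$3"; role="$4"
  sa_id="$(sa_id_for "$name")"
  sa_email="${sa_id}@${project}.iam.gserviceaccount.com"
  gcloud iam service-accounts create "$sa_id" --project "$project" \
    --display-name "Least-privilege account for $name"
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${sa_email}" --role "$role"
  gcloud compute instances stop "$name" --zone "$zone" --project "$project"
  gcloud compute instances set-service-account "$name" --zone "$zone" --project "$project" \
    --service-account "$sa_email" --scopes cloud-platform
  gcloud compute instances start "$name" --zone "$zone" --project "$project"
}

# Constructed sample of gcloud_instance_lines output; the project number is made up.
SAMPLE_LINES='web-1,us-central1-a,123456789012-compute@developer.gserviceaccount.com
db-1,us-central1-b,db-runtime@my-project.iam.gserviceaccount.com
batch-1,europe-west1-c,'

# Usage: PROJECT_ID=my-project ./default-sa-check.sh             (audit only)
#        PROJECT_ID=my-project REMEDIATE=1 ./default-sa-check.sh  (audit and fix)
# ROLE defaults to roles/logging.logWriter, an assumption for a VM that only ships logs.
if [ -n "${PROJECT_ID:-}" ]; then
  lines="$(gcloud_instance_lines "$PROJECT_ID")"
  findings="$(printf '%s\n' "$lines" | flag_default_sa_instances)"
  if [ -z "$findings" ]; then
    echo "No instances in $PROJECT_ID use the default Compute Engine service account."
  else
    echo "Instances in $PROJECT_ID using the default Compute Engine service account:"
    echo "$findings"
    if [ "${REMEDIATE:-0}" = 1 ]; then
      echo "$findings" | while read -r name zone email; do
        remediate_instance "$PROJECT_ID" "$name" "$zone" "${ROLE:-roles/logging.logWriter}"
      done
    fi
  fi
fi
```

Because the instance has to be stopped to change its service account, run the remediation in a maintenance window, and verify afterwards with gcloud compute instances describe that the new account is attached. Granting a single role at project level is shown for brevity; binding the role on the narrowest resource the workload needs (a bucket, a topic, a dataset) is the tighter choice.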
References
- Google Cloud Platform (GCP) Documentation
  - Service accounts
  - Creating and enabling service accounts for instances
  - Manage access to projects, folders, and organizations
- CIS Security Documentation
  - Securing Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud compute instances list
  - gcloud compute instances describe
  - gcloud iam service-accounts create
  - gcloud projects add-iam-policy-binding
  - gcloud compute instances stop
  - gcloud compute instances set-service-account
  - gcloud compute instances start
Rule: Check for Instances Associated with Default Service Accounts
Risk Level: Medium