Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs

To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances not be assigned the Compute Engine default service account together with the scope Allow full access to all Cloud APIs (https://www.googleapis.com/auth/cloud-platform). The default service account is granted the project-level Editor role at creation unless an organization policy prevents it, so combined with the cloud-platform scope any process on the instance, or any attacker who can reach the instance metadata server, can obtain a token with broad write access to the whole project.

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.IAM.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should not have serviceAccounts contain [ isDefaultServiceAccount=true and scopes contain [ $ in('https://www.googleapis.com/auth/cloud-platform','cloud-platform')]]

REMEDIATION

Note: the instance must be stopped before its service account or access scopes can be changed.

From Portal

  1. Go to the VM instances page in the Compute Engine console: https://console.cloud.google.com/compute/instances
  2. Click on the impacted VM instance
  3. If the instance is not stopped, click the Stop button. Wait for the instance to be stopped.
  4. Next, click the Edit button.
  5. Scroll down to the Service Account section.
  6. Select a different service account or ensure that Allow full access to all Cloud APIs is not selected.
  7. Click the Save button to save your changes and then click START.

From TF
Set the service account email to a user-managed (non-default) service account. Because the change requires a stop/start, the resource must also allow Terraform to stop the instance, otherwise the apply fails:

resource "google_compute_instance" "vm_instance" {
	..
	# Required: Terraform must stop the instance to change its service account
	allow_stopping_for_update = true
	service_account {
		# A user-managed account, not PROJECT_NUMBER-compute@developer.gserviceaccount.com
		email  = "SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com"
		# Only the scopes the workload needs, e.g. logging.write and monitoring.write
		scopes = ["SCOPES"]
	}
	..
}

From Command Line

  1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
  2. Update the instance's service account and/or access scopes (SCOPES is a comma-separated list; use --no-service-account --no-scopes to detach the service account entirely):
gcloud compute instances set-service-account INSTANCE_NAME --service-account=SERVICE_ACCOUNT --scopes=SCOPES
  3. Start the instance again:
gcloud compute instances start INSTANCE_NAME
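
The following is an added example, not part of the CloudGuard rule or of Google's tooling. It mirrors the GSL logic above in Python over the JSON that `gcloud compute instances list --format=json` produces, then emits the stop / set-service-account / start sequence from the Command Line section for each violating instance. The instance list embedded in the block is constructed sample data (the project number, instance names, zones and the replacement service account `web-runner@demo-project.iam.gserviceaccount.com` are invented); in practice you would feed it real `gcloud` output. Note that the hypothetical `app-1` instance passes: a user-managed service account with the cloud-platform scope is not what this rule flags, because its authority comes from the IAM roles bound to it rather than from the scope.

```python
import json
import re

# Compute Engine default service account: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Both forms the GSL logic accepts for "Allow full access to all Cloud APIs".
FULL_ACCESS_SCOPES = {"https://www.googleapis.com/auth/cloud-platform", "cloud-platform"}


def is_default_service_account(email):
    """True for the Compute Engine default service account of any project."""
    return bool(DEFAULT_SA_RE.match(email or ""))


def violates_rule(instance):
    """Python equivalent of the GSL logic: some attached service account is the
    default one AND carries the cloud-platform scope."""
    for sa in instance.get("serviceAccounts", []):
        if is_default_service_account(sa.get("email")) and FULL_ACCESS_SCOPES & set(sa.get("scopes", [])):
            return True
    return False


def zone_name(instance):
    """gcloud reports the zone as a URL; keep only the trailing zone name."""
    return instance.get("zone", "").rsplit("/", 1)[-1]


def remediation_commands(instance, service_account, scopes):
    """The stop / set-service-account / start sequence from the Command Line
    section, with --zone added so gcloud does not prompt for it."""
    name, zone = instance["name"], zone_name(instance)
    return [
        f"gcloud compute instances stop {name} --zone={zone}",
        f"gcloud compute instances set-service-account {name} --zone={zone} "
        f"--service-account={service_account} --scopes={','.join(scopes)}",
        f"gcloud compute instances start {name} --zone={zone}",
    ]


def audit(instances_json, replacement_sa, replacement_scopes):
    """Return {instance name: remediation commands} for every violating instance."""
    instances = json.loads(instances_json)
    return {
        inst["name"]: remediation_commands(inst, replacement_sa, replacement_scopes)
        for inst in instances
        if violates_rule(inst)
    }


# Constructed sample in the shape of `gcloud compute instances list --format=json`,
# trimmed to the fields the check reads. Project number, names and zones are invented.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/us-central1-a",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "db-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/us-central1-b",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/logging.write",
                                   "https://www.googleapis.com/auth/monitoring.write"]}]},
  {"name": "app-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/europe-west1-c",
   "serviceAccounts": [{"email": "app-runner@demo-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "no-sa-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-project/zones/us-east1-b"}
]
"""


if __name__ == "__main__":
    # Hypothetical replacement account and a minimal scope set for a web workload.
    plan = audit(SAMPLE_INSTANCES_JSON,
                 "web-runner@demo-project.iam.gserviceaccount.com",
                 ["https://www.googleapis.com/auth/logging.write",
                  "https://www.googleapis.com/auth/monitoring.write"])
    for name, cmds in plan.items():
        print(f"# {name}")
        print("\n".join(cmds))
```

Only `web-1` is reported: `db-1` uses the default account but with narrow scopes, `app-1` uses a user-managed account, and `no-sa-1` has no service account at all. Review the generated commands before running them, since the stop/start cycle is disruptive and the replacement account must already exist with the IAM roles the workload needs.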

References

  1. Instance stop: https://cloud.google.com/sdk/gcloud/reference/compute/instances/stop
  2. Instance update service account: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account
  3. Instance start: https://cloud.google.com/sdk/gcloud/reference/compute/instances/start

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CSA CCM v.3.0.1
  • GCP CloudGuard Best Practices
  • GCP Dashboard System Ruleset
  • GCP GDPR Readiness
  • GCP HIPAA
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0
  • GCP Security Risk Management