Ensure That Instances Are Not Configured To Use the Default Service Account

The default Compute Engine service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com) is granted the basic Editor role on the project, which allows read and write access to most Google Cloud services. Any process on an instance that uses it can fetch tokens for that account from the metadata server, so compromising a single VM can escalate to control of the whole project. To limit the blast radius, do not attach the default Compute Engine service account to instances. Instead, create a dedicated service account for each workload and assign it only the IAM roles the instance needs. The instance's access scopes also bound what the attached account can do, but scopes are a coarse legacy control; least-privilege IAM roles on a dedicated account are the primary defense. Projects where the automatic Editor grant has been disabled (organization policy constraint iam.automaticIamGrantsForDefaultServiceAccounts) still benefit from this change, because the default account remains shared by every instance in the project.

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.IAM.21
Covered by Spectral: No
Category: Compute

GSL LOGIC

VMInstance should not have serviceAccounts contain [isDefaultServiceAccount=true]

REMEDIATION

From Portal

  1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
  2. Click on each instance name to go to its VM instance details page.
  3. Click STOP and then click EDIT.
  4. Under the section API and identity management, select a service account other than the default Compute Engine service account. You may first need to create a new service account.
  5. Click Save and then click START.

From TF
Set the service account email to a dedicated, non-default service account:

resource "google_compute_instance" "vm_instance" {
  # ...
  service_account {
    # Dedicated account created for this workload, not the
    # PROJECT_NUMBER-compute@developer.gserviceaccount.com default.
    email  = "SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com"
    # Google recommends the broad "cloud-platform" scope here and restricting
    # what the account can do through IAM roles instead.
    scopes = ["SCOPES"]
  }
  # ...
}

From Command Line

  1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME --zone=ZONE
  2. Update the instance's service account. SERVICE_ACCOUNT is the email of the dedicated account; pass --scopes explicitly so that the resulting access scopes are known:
gcloud compute instances set-service-account INSTANCE_NAME --zone=ZONE --service-account=SERVICE_ACCOUNT --scopes=cloud-platform
  3. Restart the instance:
gcloud compute instances start INSTANCE_NAME --zone=ZONE
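
The following script is an added example, not CloudGuard's or Google's code. It implements the same check as the GSL rule above over the JSON that `gcloud compute instances list --format=json` produces, flags every instance whose attached service account matches the default Compute Engine email pattern, and prints the stop / set-service-account / start commands from the procedure above for each offender. The instance records embedded in it are constructed sample data so it runs offline; the replacement account email `vm-runtime@PROJECT_ID.iam.gserviceaccount.com` is a hypothetical placeholder.

```python
"""Audit Compute Engine instances for use of the default service account.

Reads the JSON emitted by `gcloud compute instances list --format=json`
(or the constructed sample below when no file is given), reports every
instance whose attached service account is the default Compute Engine
account (PROJECT_NUMBER-compute@developer.gserviceaccount.com), and emits
the gcloud remediation commands for each one.
"""
import json
import re
import sys

# The default Compute Engine service account always has this email shape.
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Constructed sample output: one offending instance, one with a dedicated
# account, one with no attached account at all.
SAMPLE_INSTANCES_JSON = json.dumps([
    {
        "name": "web-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a",
        "serviceAccounts": [
            {"email": "123456789012-compute@developer.gserviceaccount.com",
             "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}
        ],
    },
    {
        "name": "api-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-b",
        "serviceAccounts": [
            {"email": "api-runtime@demo.iam.gserviceaccount.com",
             "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}
        ],
    },
    {
        "name": "batch-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-c",
        # No serviceAccounts key: the instance runs without an attached account.
    },
])


def load_sample() -> list:
    """Parse the constructed sample into the list shape gcloud returns."""
    return json.loads(SAMPLE_INSTANCES_JSON)


def is_default_service_account(email: str) -> bool:
    """True if `email` is the default Compute Engine service account."""
    return DEFAULT_COMPUTE_SA.match(email) is not None


def find_violations(instances: list) -> list:
    """Return (instance name, zone, email) for each instance that uses the
    default Compute Engine service account; this is the GSL condition
    `serviceAccounts contain [isDefaultServiceAccount=true]`."""
    violations = []
    for inst in instances:
        # `zone` is a full resource URL; keep only the trailing zone name.
        zone = inst.get("zone", "").rsplit("/", 1)[-1]
        for sa in inst.get("serviceAccounts", []):
            email = sa.get("email", "")
            if is_default_service_account(email):
                violations.append((inst["name"], zone, email))
    return violations


def remediation_commands(violations: list, replacement_sa: str) -> list:
    """Stop / re-attach / start, one triple of commands per offending instance."""
    cmds = []
    for name, zone, _ in violations:
        cmds.append(f"gcloud compute instances stop {name} --zone={zone}")
        cmds.append(
            f"gcloud compute instances set-service-account {name} --zone={zone} "
            f"--service-account={replacement_sa} --scopes=cloud-platform"
        )
        cmds.append(f"gcloud compute instances start {name} --zone={zone}")
    return cmds


def main(argv: list) -> int:
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_INSTANCES_JSON
    violations = find_violations(json.loads(raw))
    if not violations:
        print("OK: no instance uses the default Compute Engine service account")
        return 0
    for name, zone, email in violations:
        print(f"VIOLATION: {name} ({zone}) uses {email}")
    # Hypothetical replacement account; use one created for the workload.
    for cmd in remediation_commands(violations, "vm-runtime@PROJECT_ID.iam.gserviceaccount.com"):
        print(cmd)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_default_sa.py instances.json` after `gcloud compute instances list --format=json > instances.json`; the non-zero exit code on any violation makes it usable as a CI or scheduled-job gate. The regex deliberately matches only the Compute Engine default; the App Engine default account (PROJECT_ID@appspot.gserviceaccount.com) carries the same Editor grant and can be added to the check if your project uses it.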

References

  1. https://cloud.google.com/compute/docs/access/service-accounts
  2. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
  3. https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP Security Risk Management