Ensure that instances are not configured to use the default service account

Ensure that instances are not configured to use the default Compute Engine service account. That account is commonly granted the project-wide Editor role, so any code running on the instance (or anyone who compromises it) inherits far more access than the workload needs, which is why this is a privilege-escalation risk. Configuring instances with a custom service account allows finer-grained access control and adherence to the principle of least privilege, ensuring that each instance has only the permissions its specific tasks require.

Risk Level: high
Cloud Entity: Compute Engine
Spectral Rule ID: TFGCP209
Category: Compute

REMEDIATION

Set service_account.email on the google_compute_instance resource to a custom (non-default) service account, as in the following snippet (added lines are marked with +):

resource "google_compute_instance" "custom" {
  name         = "custom-instance"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

+  service_account {
+    email  = google_service_account.custom.email
+    ...
+  }
}

+resource "google_service_account" "custom" {
+  account_id   = "custom-service-account"
+  display_name = "Custom Service Account"
+}
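As an added check that is not part of the rule's own documentation, the following Python script walks a `terraform show -json` plan and reports every google_compute_instance that this rule would flag. It assumes the plan's standard `planned_values` layout; the sample plan embedded at the bottom is constructed, not real tool output, and the project number and account names in it are placeholders.

```python
import json
import re

# Default Compute Engine service account: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

def classify_service_account(values: dict) -> str:
    """Return "default", "custom" or "unknown" for one instance's planned values.
    No service_account block means Compute Engine attaches the default account; an
    email absent from the plan is computed (e.g. a google_service_account reference
    not yet created, or omitted so the provider fills it in), hence "unknown"."""
    blocks = values.get("service_account") or []
    if not blocks:
        return "default"
    email = blocks[0].get("email")
    if email is None:
        return "unknown"
    return "default" if DEFAULT_SA_RE.match(email) else "custom"

def find_non_custom_instances(plan: dict) -> dict:
    """Walk all modules of a `terraform show -json` plan and map address -> verdict
    for every google_compute_instance not confirmed to use a custom account."""
    findings = {}

    def walk(module: dict) -> None:
        for res in module.get("resources", []):
            if res.get("type") == "google_compute_instance":
                verdict = classify_service_account(res.get("values", {}))
                if verdict != "custom":
                    findings[res["address"]] = verdict
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return findings

# Constructed sample plan (not real tool output) covering all three verdicts.
SAMPLE_PLAN = json.loads("""{"planned_values": {"root_module": {"resources": [
 {"address": "google_compute_instance.no_block", "type": "google_compute_instance", "values": {}},
 {"address": "google_compute_instance.explicit_default", "type": "google_compute_instance",
  "values": {"service_account": [{"email": "123456789012-compute@developer.gserviceaccount.com"}]}},
 {"address": "google_compute_instance.custom", "type": "google_compute_instance",
  "values": {"service_account": [{"email": "app-sa@my-project.iam.gserviceaccount.com"}]}},
 {"address": "google_compute_instance.referenced", "type": "google_compute_instance",
  "values": {"service_account": [{"scopes": ["cloud-platform"]}]}}]}}}""")

if __name__ == "__main__":
    for address, verdict in find_non_custom_instances(SAMPLE_PLAN).items():
        print(f"TFGCP209 {verdict}: {address}")
```

Instances reported as "unknown" have an email that is only resolved at apply time, so confirm them against the applied state rather than treating them as compliant.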

Compute Engine

Secure and customizable compute service that lets you create and run virtual machines on Google’s infrastructure.
