GCP-VM-instance-configured-with-default-service-account
Severity: High
Description: This control ensures that instances are not configured to use the default service account with full access to all Cloud APIs.
Remediation Steps:
For each Google Cloud Platform project:
Sign in to GCP Console https://console.cloud.google.com.
Go to the VM instances page in the Compute Engine.
Click on the impacted VM instance.
If the instance is not stopped, click the Stop button and wait for the instance to be stopped.
Click the EDIT button.
Scroll down to the Service Account section.
To change scopes, in the Access scopes section, set the appropriate scopes as per business needs.
Click the Save button to save your changes.
gcloud command-line tool:
Set service account scope for an instance:
gcloud compute instances set-service-account [INSTANCE_NAME] --service-account [service_account_email] --scopes [scope1,scope2...]
Important:
To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope "Allow full access to all Cloud APIs".
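A detection check for this control, added here as an example (it is not the page's or the benchmark's own code): it reads JSON in the shape that `gcloud compute instances list --format=json` produces, flags instances whose Compute Engine default service account carries the cloud-platform scope (the "Allow full access to all Cloud APIs" setting), and builds the set-service-account command from the remediation steps for each one. The sample JSON, project number, instance names and the app-sa email are constructed; the --zone flag added to the command is an assumption not shown on the page.

```python
import json
import re

# Constructed sample shaped like `gcloud compute instances list --format=json`
# output; only the fields this check reads are included (not real project data).
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "web-2",
   "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                                   "https://www.googleapis.com/auth/logging.write"]}]},
  {"name": "app-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/europe-west1-b",
   "serviceAccounts": [{"email": "app-sa@p.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "batch-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/europe-west1-b"}
]
"""

# The Compute Engine default service account is named PROJECT_NUMBER-compute@...
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# "Allow full access to all Cloud APIs" in the console is this single scope.
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def violates_control(instance):
    """True if any attached service account is the default one with full access."""
    for sa in instance.get("serviceAccounts", []):
        if DEFAULT_SA_RE.match(sa.get("email", "")) and FULL_ACCESS_SCOPE in sa.get("scopes", []):
            return True
    return False


def find_violations(instances_json):
    """Return [(name, zone)] for every instance that fails the control; zone is a URL in real output."""
    return [(i["name"], i["zone"].rsplit("/", 1)[-1])
            for i in json.loads(instances_json) if violates_control(i)]


def remediation_command(name, zone, service_account, scopes):
    """Build the page's set-service-account command for one violating instance.
    The instance must be stopped first; --zone is assumed to be needed (not on the page)."""
    return ("gcloud compute instances set-service-account %s --zone %s "
            "--service-account %s --scopes %s" % (name, zone, service_account, ",".join(scopes)))


if __name__ == "__main__":
    for name, zone in find_violations(SAMPLE_INSTANCES_JSON):
        print(remediation_command(name, zone, "app-sa@p.iam.gserviceaccount.com",
                                  ["https://www.googleapis.com/auth/logging.write"]))
```

Only web-1 is reported: web-2 uses the default account but with narrowed scopes, and app-1 uses a dedicated account, so neither fails this control.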
Reference:
CIS reference: Google Cloud Platform Foundation Benchmark v1.1.0 - 03-12-2020: Recommendation #4.2
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
https://cloud.google.com/compute/docs/access/service-accounts
Blue Hexagon Proprietary