GCP-VM-instance-configured-with-default-service-account
Severity: High
Description: This control ensures that instances are not configured to use the default service account with full access to all Cloud APIs.
Remediation Steps:
For each Google Cloud Platform project:
1. Sign in to the GCP Console at https://console.cloud.google.com.
2. Go to the VM instances page in Compute Engine.
3. Click on the impacted VM instance.
4. If the instance is not stopped, click the Stop button and wait for the instance to be stopped.
5. Click the EDIT button.
6. Scroll down to the Service Account section.
7. To change scopes, in the Access scopes section, set the appropriate scopes as per business needs.
8. Click the Save button to save your changes.
gcloud command-line tool:
Set service account scope for an instance:
gcloud compute instances set-service-account [INSTANCE_NAME] --service-account [service_account_email] --scopes [scope1,scope2...]
Important:
To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope "Allow full access to all Cloud APIs".
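Added example (not part of the original control text): an offline check that flags instances violating this control, applied to a constructed sample in the shape of `gcloud compute instances list --format=json` output. It assumes the default Compute Engine service account follows the documented `PROJECT_NUMBER-compute@developer.gserviceaccount.com` naming and that "Allow full access to all Cloud APIs" corresponds to the `cloud-platform` scope.

```python
import json
import re

# Default Compute Engine service account naming pattern (assumption: the
# documented "PROJECT_NUMBER-compute@developer.gserviceaccount.com" form).
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Access scope behind the console option "Allow full access to all Cloud APIs".
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def find_noncompliant(instances):
    """Return (instance name, service account email) for every instance that
    runs as the default service account AND carries the full-access scope.
    Either condition alone is not a finding for this control."""
    findings = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            email = sa.get("email", "")
            scopes = sa.get("scopes", [])
            if DEFAULT_SA_RE.match(email) and FULL_ACCESS_SCOPE in scopes:
                findings.append((inst["name"], email))
    return findings


def audit(raw_json):
    """Parse `gcloud compute instances list --format=json` output and audit it."""
    return find_noncompliant(json.loads(raw_json))


# Constructed sample output; project number and names are made up.
SAMPLE_JSON = """[
  {"name": "web-1", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
      "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "web-2", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
      "scopes": ["https://www.googleapis.com/auth/logging.write",
                 "https://www.googleapis.com/auth/monitoring.write"]}]},
  {"name": "app-1", "serviceAccounts": [{"email": "app-runtime@example-project.iam.gserviceaccount.com",
      "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "batch-1", "serviceAccounts": []}
]"""

if __name__ == "__main__":
    for name, email in audit(SAMPLE_JSON):
        print(f"NONCOMPLIANT {name}: {email} has full access to all Cloud APIs")
```

Only `web-1` is reported: `web-2` uses the default account with narrowed scopes, and `app-1` has the broad scope but on a dedicated service account, which this control does not cover.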
Reference:
CIS reference: Google Cloud Platform Foundation Benchmark v1.1.0 - 03-12-2020: Recommendation #4.2
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
https://cloud.google.com/compute/docs/access/service-accounts
Blue Hexagon Proprietary