gcp-gce-default-svcacct
Ensure that instances are not configured to use the default service account
When creating a Google Cloud project, it will get automatically populated with a default Compute Engine service account. This service account is granted the Editor role, which means it has full Read/Write access to most Google Cloud service resources. By default, this service account (which has a name like [PROJECT_NUMBER]-compute@developer.gserviceaccount.com) will get assigned to any new Compute Engine instance (virtual machine). This creates an unnecessary risk, as it would allow an attacker who compromises an instance to elevate their privileges and view, modify or delete any resources in the project.
It is highly recommended that you create a dedicated service account with only the roles and scopes it needs, and set it as the service account when creating instances.
Examples
Insecure Example
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    email  = "123456789-compute@developer.gserviceaccount.com" # Default service account
    scopes = ["cloud-platform"]
  }
}
Secure Example
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    email  = "basic-vm-access@123456789.iam.gserviceaccount.com" # Dedicated service account with limited roles
    scopes = ["cloud-platform"]
  }
}
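As an added example (not part of the original rule page), the following Python check scans Terraform source for google_compute_instance resources whose service_account email matches the default Compute Engine account pattern, flagging configurations like the insecure example above while passing the secure one. It assumes HCL formatted one block per line with the resource's closing brace at column 0, as in the examples; the sample configuration is constructed for this demonstration.

```python
import re

# Default Compute Engine service account: <PROJECT_NUMBER>-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# One google_compute_instance resource body. Assumes the resource's closing brace
# sits at column 0 (terraform fmt style); a full HCL parser is out of scope here.
RESOURCE_RE = re.compile(
    r'resource\s+"google_compute_instance"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# The email attribute inside a service_account block.
EMAIL_RE = re.compile(r'service_account\s*\{[^}]*?email\s*=\s*"(?P<email>[^"]+)"', re.DOTALL)


def is_default_service_account(email: str) -> bool:
    """True if the email is the project's default Compute Engine service account."""
    return bool(DEFAULT_SA_RE.match(email.strip()))


def find_default_sa_instances(hcl: str) -> list:
    """Return the names of instance resources that attach the default service account."""
    findings = []
    for res in RESOURCE_RE.finditer(hcl):
        match = EMAIL_RE.search(res.group("body"))
        if match and is_default_service_account(match.group("email")):
            findings.append(res.group("name"))
    return findings


# Constructed sample: one instance using the default account, one using a dedicated account.
SAMPLE_TF = '''
resource "google_compute_instance" "web_default" {
  name         = "web-default"
  machine_type = "e2-medium"
  zone         = "us-central1-a"
  service_account {
    email  = "123456789-compute@developer.gserviceaccount.com"
    scopes = ["cloud-platform"]
  }
}

resource "google_compute_instance" "web_dedicated" {
  name         = "web-dedicated"
  machine_type = "e2-medium"
  zone         = "us-central1-a"
  service_account {
    email  = "basic-vm-access@123456789.iam.gserviceaccount.com"
    scopes = ["cloud-platform"]
  }
}
'''

if __name__ == "__main__":
    for name in find_default_sa_instances(SAMPLE_TF):
        print(f"FAIL gcp-gce-default-svcacct: google_compute_instance.{name}")
```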