
gcp-gce-default-svcacct

Ensure that instances are not configured to use the default service account

When a Google Cloud project is created, it is automatically populated with a default Compute Engine service account named [PROJECT_NUMBER]-compute@developer.gserviceaccount.com. Unless the organization policy constraint iam.automaticIamGrantsForDefaultServiceAccounts is enforced, this account is granted the Editor role (roles/editor), which gives it read/write access to most resources in the project. By default this service account is attached to every new Compute Engine instance (virtual machine), and in Terraform a service_account block that omits email also attaches it. Any process on an instance can fetch an OAuth 2.0 access token for the attached account from the metadata server without authenticating, so an attacker who compromises the instance inherits the account's Editor role and can view, modify or delete almost any resource in the project. Access scopes only narrow which APIs that token can reach; with the cloud-platform scope, as in the insecure example below, nothing is held back.

Create a dedicated service account for each workload, grant it only the IAM roles that workload needs, and set it as the service account when creating the instance. Keep the Editor, Owner and other basic roles off it entirely. With a least-privilege account attached, the access scopes matter far less, because a token can never exceed the account's IAM permissions; scopes are not a substitute for a properly scoped account.

Examples

Insecure Example

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    email  = "123456789-compute@developer.gserviceaccount.com" # Default service account
    scopes = ["cloud-platform"]
  }
}

Secure Example

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    # Dedicated account holding only the roles this workload needs
    email  = "basic-vm-access@123456789.iam.gserviceaccount.com"
    scopes = ["cloud-platform"]
  }
}
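
The secure example above attaches a dedicated account but does not show where that account comes from or what it is allowed to do. The following is an added example, not code from the original page or from the tfsec project, showing the full pattern: the service account is created in the same configuration, bound to two narrow project roles, and referenced by resource attribute so that a hard-coded or omitted email cannot silently fall back to the default account. The project ID my-project-id, the account name basic-vm-access, the instance name app-vm and the role choice (roles/logging.logWriter and roles/monitoring.metricWriter) are assumptions for illustration.

```hcl
# Added example, not from the tfsec page. Names, project ID and roles below are
# assumptions; substitute the ones your workload actually needs.

# Dedicated runtime identity for this workload only.
resource "google_service_account" "vm" {
  account_id   = "basic-vm-access"                  # assumed name
  display_name = "Runtime identity for app-vm"
}

# Bind only the permissions the workload needs, at project level.
# Never bind roles/editor or roles/owner to an instance identity.
resource "google_project_iam_member" "vm_log_writer" {
  project = "my-project-id"                         # assumed project ID
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.vm.email}"
}

resource "google_project_iam_member" "vm_metric_writer" {
  project = "my-project-id"                         # assumed project ID
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.vm.email}"
}

resource "google_compute_instance" "app" {
  name         = "app-vm"                           # assumed name
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    # Reference the resource attribute rather than a literal e-mail: if the
    # account above is ever removed, plan fails instead of the provider
    # quietly substituting the default compute account.
    email  = google_service_account.vm.email
    scopes = ["cloud-platform"]
  }
}
```

The cloud-platform scope is kept deliberately: with a least-privilege account attached, the scope is not the control, the IAM bindings are. After `terraform plan`, confirm the instance's service_account.email is derived from google_service_account.vm rather than a literal ending in -compute@developer.gserviceaccount.com, then re-run tfsec to confirm this check no longer fires.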

More information