gcp-res-man-default-svcacct

Ensure Default Service account is not used at a project level

It is recommended not to create IAM role bindings for the default Compute Engine service account (named PROJECTNUMBER-compute@developer.gserviceaccount.com) at the folder level of the resource manager hierarchy. A folder-level binding is inherited by every project under that folder, including projects added later, so the grant applies to an arbitrary and changing set of resources. The default service account is also attached to every Compute Engine instance in a project unless another account is specified, so a compromise of any such instance, or of the account's credentials, would allow privilege escalation across the whole folder.

Examples

Insecure Example

resource "google_folder_iam_member" "folder" {
  folder  = "folders/1234567"
  role    = "roles/editor"
  member  = "serviceAccount:1234567-compute@developer.gserviceaccount.com"
}

Secure Example

Do not bind roles to the default Compute Engine service account at the folder level. Instead, create a dedicated service account for the workload, grant it only the roles it needs, and scope the binding to the project (or to the individual resource) rather than to the folder.
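The following is an added example of that alternative, not code from the original page: a dedicated service account with a single, narrowly scoped role bound at project level. The account ID, display name, project ID and the chosen role are hypothetical placeholders.

```hcl
# Added example (not from the original page). Names and IDs are hypothetical.

# A dedicated service account for the workload, instead of the default
# PROJECTNUMBER-compute@developer.gserviceaccount.com account.
resource "google_service_account" "deploy" {
  account_id   = "deploy-pipeline"
  display_name = "Deployment pipeline"
  project      = "my-project-id"
}

# Least-privilege binding scoped to one project rather than a folder.
# Only the role the workload actually needs is granted.
resource "google_project_iam_member" "deploy_instance_admin" {
  project = "my-project-id"
  role    = "roles/compute.instanceAdmin.v1"
  member  = "serviceAccount:${google_service_account.deploy.email}"
}
```

Because the binding is attached to a project and to a purpose-built account, a compromise of that account is contained to the project and the single role, and the default Compute Engine service account keeps no folder-wide grants.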

More information