gcp-res-man-default-svcacct
Ensure Default Service account is not used at a project level
It is recommended not to set an IAM role binding using the default compute engine service account (which has a name like PROJECTNUMBER-compute@developer.gserviceaccount.com) at Folder level in the resource manager hierarchy. This poses unnecessary risk, as the binding would apply to an arbitrary hierarchy of projects which may change over time. If the service account were compromised, the binding would allow privilege escalation across a large scope.
Examples
Insecure Example
```hcl
resource "google_folder_iam_member" "folder" {
  folder = "folders/1234567"
  role   = "roles/editor"
  member = "serviceAccount:1234567-compute@developer.gserviceaccount.com"
}
```
Secure Example
You should simply avoid doing that: do not grant roles to the default compute engine service account at Folder level.
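As an added illustration of the alternative (this is not code from the check's own documentation), the following Terraform creates a purpose-specific service account and grants it a narrowly scoped role at project level, so no binding for the default compute engine service account is needed in the folder hierarchy. The project id, account name and role are placeholders.

```hcl
# Added example, not part of the original check documentation.
# Project id, account_id and the role granted are placeholders to adapt.

# A dedicated identity for the workload, instead of reusing the default
# PROJECTNUMBER-compute@developer.gserviceaccount.com account.
resource "google_service_account" "app" {
  project      = "my-project-id"          # placeholder project id
  account_id   = "app-workload"           # placeholder account name
  display_name = "Application workload identity"
}

# Bind the role at project scope, not on a folder, and keep it narrow:
# the workload only needs to write logs here, so it does not get roles/editor.
resource "google_project_iam_member" "app_log_writer" {
  project = google_service_account.app.project
  role    = "roles/logging.logWriter"     # placeholder: grant only what the workload needs
  member  = "serviceAccount:${google_service_account.app.email}"
}
```

The member string is built from the service account's email attribute, so the binding follows the dedicated account rather than the project-number-based default account; if a compute instance is expected to run as this identity, its `service_account` block should reference the same email so the default account is not used implicitly.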