Profile Applicability:

Level 1

Description:

Instances should not use the default Compute Engine service account as it has broad permissions with the Editor role (roles/editor) across the project. Instead, instances should be assigned a custom service account with only the necessary permissions.

Rationale:

The default Compute Engine service account is automatically granted the Editor role, providing read and write access to most Google Cloud services. This level of access poses a security risk, as a compromised VM could lead to privilege escalation and unauthorized access to the entire project. By disabling the use of the default service account and assigning a custom service account with the principle of least privilege, the potential for privilege escalation is minimized.

Default Value:

By default, Compute Engine instances use the default Compute Engine service account:
[PROJECT_NUMBER]-compute@developer.gserviceaccount.com

Audit Steps:

From Google Cloud Console:

  1. Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.

  2. Click on each instance name to view its details.

  3. Under API and Identity Management, confirm that the service account is not the default Compute Engine service account:
    [PROJECT_NUMBER]-compute@developer.gserviceaccount.com

From Google Cloud CLI:

List all instances and their associated service accounts:

gcloud compute instances list --format=json | jq -r '.[] | "Instance: \(.name), Service Account: \(.serviceAccounts[]?.email)"'

  1. Ensure that the service account for each instance does not match the pattern:
    [PROJECT_NUMBER]-compute@developer.gserviceaccount.com

Exceptions:

  • VMs created by GKE (Google Kubernetes Engine) are exempt. These VMs typically have names starting with gke- and are labeled with goog-gke-node.
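The CLI audit step above and the GKE exception, as an added example that is not part of the benchmark text. The script parses the JSON that gcloud compute instances list --format=json produces (the field names name, labels and serviceAccounts[].email are assumed from that output format), flags every instance whose service account matches the default PROJECT_NUMBER-compute@developer.gserviceaccount.com pattern, and sets aside GKE nodes identified by the goog-gke-node label or a gke- name prefix. The embedded instance list is constructed sample data, not real gcloud output.

```python
"""Audit Compute Engine instances for use of the default service account.

Added example for the benchmark's CLI audit step. Field names (name, labels,
serviceAccounts[].email) are assumed to match `gcloud compute instances list
--format=json`; the sample data below is constructed.
"""
import json
import re

# Default Compute Engine service account: numeric project number followed by
# -compute@developer.gserviceaccount.com (anchored so look-alikes do not match).
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Label GKE applies to its node VMs; the benchmark exempts these instances.
GKE_NODE_LABEL = "goog-gke-node"


def is_default_sa(email: str) -> bool:
    """True if the email is the project's default Compute Engine service account."""
    return bool(DEFAULT_SA_RE.match(email))


def is_gke_node(instance: dict) -> bool:
    """Apply the benchmark's GKE exception: goog-gke-node label or gke- name prefix."""
    labels = instance.get("labels") or {}
    return GKE_NODE_LABEL in labels or instance.get("name", "").startswith("gke-")


def audit_instances(instances: list) -> dict:
    """Classify instances into failing / exempt / passing lists of names."""
    result = {"failing": [], "exempt": [], "passing": []}
    for inst in instances:
        name = inst["name"]
        emails = [sa.get("email", "") for sa in inst.get("serviceAccounts") or []]
        # An instance with no attached service account cannot be using the default one.
        uses_default = any(is_default_sa(e) for e in emails)
        if uses_default and is_gke_node(inst):
            result["exempt"].append(name)
        elif uses_default:
            result["failing"].append(name)
        else:
            result["passing"].append(name)
    return result


# Constructed sample in the shape of `gcloud compute instances list --format=json`.
# Project number 123456789012 and project id my-project are placeholders.
SAMPLE_JSON = """
[
  {"name": "web-1", "labels": {"env": "prod"},
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com"}]},
  {"name": "gke-prod-pool-abc123", "labels": {"goog-gke-node": ""},
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com"}]},
  {"name": "api-2", "labels": {},
   "serviceAccounts": [{"email": "api-runtime@my-project.iam.gserviceaccount.com"}]},
  {"name": "batch-3", "serviceAccounts": []}
]
"""


def audit_sample() -> dict:
    """Run the audit over the constructed sample; returns the classification dict."""
    return audit_instances(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    report = audit_sample()
    for name in report["failing"]:
        print(f"FAIL: {name} uses the default Compute Engine service account")
    for name in report["exempt"]:
        print(f"EXEMPT (GKE node): {name}")
    for name in report["passing"]:
        print(f"PASS: {name}")
```

To run it against a real project, replace SAMPLE_JSON with the output of the gcloud command from the audit step (for example by piping it through stdin and calling audit_instances(json.load(sys.stdin))). Instances reported as FAIL are the ones the remediation steps below apply to; EXEMPT instances are GKE nodes covered by the exception and should be reviewed under the GKE node service account guidance instead.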

Remediation Steps:

From Google Cloud Console:

  1. Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.

  2. Click on the instance name to view its details.

  3. Click STOP and then EDIT.

  4. Under API and Identity Management, select a custom service account other than the default Compute Engine service account.

    • If a custom service account is not available, create one first.

  5. Click Save, then START the instance.

From Google Cloud CLI:

Stop the instance:

gcloud compute instances stop INSTANCE_NAME

Assign a custom service account to the instance:

gcloud compute instances set-service-account INSTANCE_NAME --service-account=SERVICE_ACCOUNT

Restart the instance:

gcloud compute instances start INSTANCE_NAME

References:

  1. Google Cloud Service Accounts Documentation

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
------- | ----------- | ---- | ---- | ----
4.7 Manage Default Accounts | Manage default accounts on enterprise assets and software, such as root or administrator accounts. | | |
4.7 Limit Access to Script Tools | Limit access to scripting tools to authorized users only. | | |