Profile Applicability:
Level 1
Description:
Instances should not use the default Compute Engine service account, because it is granted the project-wide Editor role (roles/editor) and therefore has broad permissions across the project. Instead, each instance should be assigned a custom service account that holds only the permissions the workload needs.
Rationale:
The default Compute Engine service account is automatically granted the Editor role, which provides read and write access to most Google Cloud services in the project. Any code running on the VM can obtain that account's token from the metadata server, so a compromised instance (for example through a web application flaw or SSRF against the metadata endpoint) hands the attacker Editor on the whole project. Assigning a custom service account scoped to the principle of least privilege limits what a compromised VM can reach. Note that the instance's access scopes only narrow the token issued on the VM; the effective permissions are the intersection of the scopes and the service account's IAM roles, so the durable control is the set of roles granted to the account, not the scopes. Projects under an organization policy that turns off automatic role grants for default service accounts (iam.automaticIamGrantsForDefaultServiceAccounts) will not have the Editor grant, but the default account is still shared by every instance that uses it and should not be relied upon.
Default Value:
By default, Compute Engine instances run as the default Compute Engine service account:
[PROJECT_NUMBER]-compute@developer.gserviceaccount.com
Audit Steps:
From Google Cloud Console:
Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.
Click on each instance name to view its details.
Under API and Identity Management, confirm that the Service account field is not the default Compute Engine service account:
[PROJECT_NUMBER]-compute@developer.gserviceaccount.com
An instance with no service account attached also passes this check.
From Google Cloud CLI:
List all instances and their associated service accounts:
gcloud compute instances list --format=json | jq -r '.[] | "Instance: \(.name), Service Account: \((.serviceAccounts // [{}])[].email // "none")"'
(The .serviceAccounts key is absent on instances with no service account; the // fallback prints "none" for them instead of failing with "Cannot iterate over null".)
Ensure that no listed service account matches the pattern:
[PROJECT_NUMBER]-compute@developer.gserviceaccount.com
that is, any account whose address ends in -compute@developer.gserviceaccount.com.
Exceptions:
VMs created by GKE (Google Kubernetes Engine) are exempt. These VMs typically have names starting with gke- and carry the goog-gke-node label; their service account is set on the node pool rather than per instance. Both the name prefix and the label are user-settable, so exempted instances should still be reviewed rather than silently skipped.
Remediation Steps:
From Google Cloud Console:
Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.
Click on the instance name to view its details.
Click STOP and then EDIT.
Under API and Identity Management, select a custom service account other than the default Compute Engine service account.
If a custom service account is not available, create one first.
Click Save, then START the instance.
From Google Cloud CLI:
If a suitable custom service account does not exist yet, create one and grant it only the roles the workload needs:
gcloud iam service-accounts create SA_NAME --display-name="DISPLAY_NAME"
Stop the instance (the service account can only be changed while the instance is stopped):
gcloud compute instances stop INSTANCE_NAME --zone=ZONE
Assign the custom service account to the instance:
gcloud compute instances set-service-account INSTANCE_NAME --zone=ZONE --service-account=SERVICE_ACCOUNT_EMAIL
Restart the instance:
gcloud compute instances start INSTANCE_NAME --zone=ZONE
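The following script is an added example and is not part of the benchmark text or any Google tooling. It automates the CLI audit above: it reads the JSON emitted by gcloud compute instances list --format=json, flags every non-exempt instance whose service account matches [PROJECT_NUMBER]-compute@developer.gserviceaccount.com, applies the GKE exception from the Exceptions section (gke- name prefix plus goog-gke-node label), and prints the stop / set-service-account / start sequence from the Remediation section for each finding. The project id, project number, instance names, zones and the custom account in SAMPLE are constructed for the example; the replacement account passed on the command line is assumed to already exist.

```python
#!/usr/bin/env python3
"""Audit helper: flag Compute Engine instances still running as the default
Compute Engine service account and print remediation commands for each.

Added example, not part of the benchmark or of Google's tooling.
Usage:  gcloud compute instances list --format=json | python3 audit_default_sa.py [NEW_SA_EMAIL]
With no data on stdin it runs against the constructed SAMPLE below.
"""
import json
import re
import sys

# Default Compute Engine service account: <PROJECT_NUMBER>-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
# Project id/number, instance names, zones and the custom account are invented.
_ZONE = "https://www.googleapis.com/compute/v1/projects/example-proj/zones/"
SAMPLE = [
    {"name": "web-1", "zone": _ZONE + "us-central1-a",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
    {"name": "api-1", "zone": _ZONE + "us-central1-b",
     "serviceAccounts": [{"email": "api-runtime@example-proj.iam.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
    # No service account attached at all: the key is absent, not an empty list.
    {"name": "batch-1", "zone": _ZONE + "us-central1-a"},
    # GKE node: exempt per the benchmark (gke- prefix and goog-gke-node label).
    {"name": "gke-prod-pool-1-abc123", "zone": _ZONE + "us-central1-c",
     "labels": {"goog-gke-node": ""},
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
]


def is_default_sa(email):
    """True for <PROJECT_NUMBER>-compute@developer.gserviceaccount.com."""
    return bool(DEFAULT_SA_RE.match(email))


def is_gke_node(instance):
    """Exemption from the text: gke- name prefix AND goog-gke-node label.
    Both are user-settable, so exempted instances are reported for review."""
    return (instance.get("name", "").startswith("gke-")
            and "goog-gke-node" in (instance.get("labels") or {}))


def zone_name(instance):
    """gcloud emits the zone as a full URL; the CLI flags want the short name."""
    return instance["zone"].rsplit("/", 1)[-1]


def audit(instances):
    """Return (findings, exempt): findings are (name, zone, email) tuples for
    non-exempt instances on the default account; exempt lists GKE node names."""
    findings, exempt = [], []
    for inst in instances:
        # A missing key means no service account is attached: compliant.
        emails = [sa.get("email", "") for sa in (inst.get("serviceAccounts") or [])]
        if not any(is_default_sa(e) for e in emails):
            continue
        if is_gke_node(inst):
            exempt.append(inst["name"])
            continue
        for e in emails:
            if is_default_sa(e):
                findings.append((inst["name"], zone_name(inst), e))
    return findings, exempt


def remediation_commands(name, zone, new_sa):
    """The gcloud sequence from the Remediation section for one finding."""
    return [
        f"gcloud compute instances stop {name} --zone={zone}",
        f"gcloud compute instances set-service-account {name} --zone={zone} "
        f"--service-account={new_sa}",
        f"gcloud compute instances start {name} --zone={zone}",
    ]


if __name__ == "__main__":
    new_sa = sys.argv[1] if len(sys.argv) > 1 else "SERVICE_ACCOUNT_EMAIL"  # placeholder
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    instances = json.loads(raw) if raw.strip() else SAMPLE
    findings, exempt = audit(instances)
    for name, zone, email in findings:
        print(f"FAIL   {name} ({zone}) runs as {email}")
        for cmd in remediation_commands(name, zone, new_sa):
            print("       " + cmd)
    for name in exempt:
        print(f"EXEMPT {name} (GKE node on the default account; review the node pool)")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when any finding remains, so it can run as a scheduled check. Instances with no serviceAccounts key are treated as compliant rather than crashing, which is the case the unguarded jq one-liner trips over.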