Profile Applicability:

Level 1

Description:

Instances should not be configured to use the default Compute Engine service account with the scope set to "Allow full access to all Cloud APIs". Instead, service accounts should use only the permissions necessary for their specific tasks, following the principle of least privilege.

Rationale:

The default Compute Engine service account is assigned the Editor role (roles/editor), granting broad permissions across all Google Cloud services (excluding billing). Configuring instances with this service account and "Allow full access to all Cloud APIs" grants excessive permissions that may lead to privilege escalation if the VM is compromised. To mitigate this risk, instances should either:

  1. Use custom service accounts with minimal permissions, or

  2. Use the default service account with more restrictive scopes (e.g., "Allow default access" or specific API access).

Impact:

To update the service account or scope of an instance, the instance must be stopped, which could temporarily disrupt workloads.

Default Value:

By default, Compute Engine instances are configured to use the default service account with the scope "Allow default access."

Audit Steps:

From Google Cloud Console:

  1. Go to the VM Instances page: https://console.cloud.google.com/compute/instances.

  2. Click on the name of each instance to view its details.

  3. Under API and Identity Management, confirm that Cloud API access scopes is not set to Allow full access to all Cloud APIs.

From Google Cloud CLI:

List all instances and their service account details:

gcloud compute instances list --format=json | jq -r '.[] | "Instance: \(.name), Service Account: \(.serviceAccounts[].email), Scopes: \(.serviceAccounts[].scopes)"'

  1. Check that no instance uses the default Compute Engine service account with the scope "Allow full access to all Cloud APIs".

Exceptions:

  • Exclude GKE VMs. These VMs usually have names starting with gke- and are labeled as goog-gke-node.

Remediation Steps:

From Google Cloud Console:

  1. Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.

  2. Click on the affected VM instance.

  3. Stop the instance if it is running.

  4. Click Edit and navigate to the Service Account section.

  5. Choose a custom service account or ensure the scope is not set to "Allow full access to all Cloud APIs".

  6. Save changes and restart the instance.

From Google Cloud CLI:

Stop the instance:

gcloud compute instances stop INSTANCE_NAME

Update the instance service account and scopes:

gcloud compute instances set-service-account INSTANCE_NAME --service-account=SERVICE_ACCOUNT --scopes=SCOPE1,SCOPE2

Restart the instance:

gcloud compute instances start INSTANCE_NAME

References:

  1. Understanding Service Accounts

Additional Information:

  • Custom service accounts should use IAM roles instead of relying on access scopes.

  • IAM roles override service account scopes, but configuring minimal scopes ensures defense-in-depth security.

CIS Controls:

Control                          | Description                                                                                        | IG 1 | IG 2 | IG 3
4.7 Manage Default Accounts      | Manage default accounts on enterprise assets and software, such as root or administrator accounts. |      |      |
4.7 Limit Access to Script Tools | Limit access to scripting tools to authorized users only.                                          |      |      |