Default service account is used Affecting Compute Engine service in Google


Severity

0.0
medium
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    IAM / Least Privilege

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Controls CIS-Google CSA-CCM HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00380
  • credit Snyk Research Team

Description

The default Compute Engine service account has an "Editor" role, which allows read and write access to most Google Cloud services. To mitigate the risk of a Compute Engine instance being compromised, create a new service account for an instance with only the necessary permissions assigned. Note that GKE-created instances should be exempted from this.

How to fix?

Set service_account attribute with custom service account information.

Example Configuration

resource "google_service_account" "test" {
  account_id   = "test-service-account"
  display_name = "Test Service Account"
}

resource "google_compute_instance" "test" {
  name         = "no-metadata-keys-set"
  machine_type = "e2-micro"
  zone         = "us-east1-b"

  service_account {
    email  = google_service_account.test.email
    scopes = ["logging-write"]
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
  }
}

References