Default service account is used Affecting Compute Engine service in Google

Snyk CCSS

IAM / Least Privilege

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google CSA-CCM HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00380
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

The default Compute Engine service account has an "Editor" role, which allows read and write access to most Google Cloud services. To mitigate the risk of a Compute Engine instance being compromised, create a new service account for an instance with only the necessary permissions assigned. Note that GKE-created instances should be exempted from this.

How to fix?

Set service_account attribute with custom service account information.

Example Configuration

resource "google_service_account" "test" {
  account_id   = "test-service-account"
  display_name = "Test Service Account"
}

resource "google_compute_instance" "test" {
  name         = "no-metadata-keys-set"
  machine_type = "e2-micro"
  zone         = "us-east1-b"

  service_account {
    email  = google_service_account.test.email
    scopes = ["logging-write"]
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
  }
}

Terraform

Resource: google_compute_instance

References

Service accounts