Default service account is used Affecting Compute Engine service in Google


Severity: medium
Severity Framework: Snyk CCSS
Rule category: IAM / Least Privilege

Frameworks: CIS-Controls, CIS-Google, CSA-CCM, HIPAA, ISO-27001, NIST-800-53, PCI-DSS, SOC-2
Snyk ID: SNYK-CC-00380
Credit: Snyk Research Team

Description

The default Compute Engine service account is granted the "Editor" role, which allows read and write access to most Google Cloud services. To limit the impact of a Compute Engine instance being compromised, create a dedicated service account for the instance with only the permissions it needs. Note that GKE-created instances should be exempted from this rule.

How to fix?

Set the service_account attribute so that it references a custom service account (and only the scopes it needs) instead of relying on the default Compute Engine service account.

Example Configuration

resource "google_service_account" "test" {
  account_id   = "test-service-account"
  display_name = "Test Service Account"
}

resource "google_compute_instance" "test" {
  name         = "no-metadata-keys-set"
  machine_type = "e2-micro"
  zone         = "us-east1-b"

  service_account {
    email  = google_service_account.test.email
    scopes = ["logging-write"]
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
  }
}
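As an added detection check (example code, not part of the Snyk rule page), the following Python walks the output of terraform show -json for a plan and flags google_compute_instance resources that would run as the default Compute Engine service account: either the service_account block is absent, so GCE attaches the default account implicitly, or the email has the <project-number>-compute@developer.gserviceaccount.com form. The plan JSON layout used here and the sample plan are constructed assumptions.

```python
"""Flag google_compute_instance resources in a Terraform plan JSON that run as the default Compute Engine SA."""
import json
import re

# The default Compute Engine SA always has the form <project-number>-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def uses_default_service_account(values: dict) -> bool:
    """True if an instance's planned values resolve to the default service account."""
    blocks = values.get("service_account") or []
    if not blocks:
        return True  # no service_account block: GCE attaches the default SA implicitly
    email = blocks[0].get("email")
    if email is None:
        # Email computed at apply time (e.g. google_service_account.x.email): assumed custom, not flagged.
        return False
    return bool(DEFAULT_SA_RE.match(email))


def find_default_sa_instances(plan_json: str) -> list[str]:
    """Walk planned_values (root and child modules) and return offending resource addresses."""
    plan = json.loads(plan_json)
    findings = []
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        for res in module.get("resources", []):
            if res.get("mode") == "managed" and res.get("type") == "google_compute_instance":
                if uses_default_service_account(res.get("values", {})):
                    findings.append(res["address"])
        stack.extend(module.get("child_modules", []))
    return sorted(findings)


def _inst(address: str, sa_blocks: list) -> dict:
    # Builds one planned resource entry; constructed test data, not real `terraform show -json` output.
    return {"address": address, "mode": "managed", "type": "google_compute_instance",
            "values": {"service_account": sa_blocks}}


# Constructed sample plan: one compliant instance, one with no block, one on the default SA.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    _inst("google_compute_instance.test",
          [{"email": "test-service-account@my-proj.iam.gserviceaccount.com", "scopes": ["logging-write"]}]),
    _inst("google_compute_instance.no_block", []),
    _inst("google_compute_instance.legacy",
          [{"email": "123456789012-compute@developer.gserviceaccount.com", "scopes": ["cloud-platform"]}]),
]}}})
```

Running find_default_sa_instances over SAMPLE_PLAN reports google_compute_instance.legacy and google_compute_instance.no_block, while the instance bound to the custom account passes.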