Compute instances should not use the default service account

Description

The default Compute Engine service account is granted the project-level "Editor" role, which allows read and write access to most Google Cloud services. To apply the principle of least privilege and limit the blast radius if a Compute Engine instance is compromised, create a new service account for the instance with only the permissions it actually needs. Note that GKE-created instances should be exempted from this.

Remediation Steps

Google Cloud Console

  • Navigate to VM instances.

  • Click on the instance name to go to the VM instance details page.

  • Click STOP if the instance is running, and then click EDIT.

  • Under the Service Account section, select a service account other than the default Compute Engine service account. The default account is named [PROJECT_NUMBER]-compute@developer.gserviceaccount.com.

  • Click Save and then click START.

gcloud CLI

  • Stop the Compute Engine instance:

    • gcloud compute instances stop INSTANCE_NAME

  • Update the Compute Engine instance to use a different service account:

    • gcloud compute instances set-service-account INSTANCE_NAME --service-account=SERVICE_ACCOUNT

  • Restart the Compute Engine instance:

    • gcloud compute instances start INSTANCE_NAME
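The steps above remediate one instance at a time; the script below is an added example (not part of the benchmark) that finds every instance in a listing still attached to the default Compute Engine service account while exempting GKE nodes. It assumes the listing is the tab-separated output of gcloud compute instances list --format="value(name,zone.basename(),serviceAccounts[].email)" and that GKE-managed nodes are identified by their gke- name prefix; the sample listing is constructed.

```shell
#!/bin/sh
# Added example: audit a listing for VMs still attached to the default
# Compute Engine SA ([PROJECT_NUMBER]-compute@developer.gserviceaccount.com).
# Assumed input: one instance per line, tab-separated name, zone and
# ';'-joined SA emails, as produced by
#   gcloud compute instances list --format="value(name,zone.basename(),serviceAccounts[].email)"

# Returns 0 if the email is the default Compute Engine service account.
is_default_compute_sa() {
  case "$1" in
    *-compute@developer.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 for GKE-managed nodes (assumed to be named gke-*), which are exempt.
is_gke_instance() {
  case "$1" in
    gke-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads the listing on stdin; prints "name<TAB>zone" for every non-GKE
# instance that has the default SA attached.
find_default_sa_instances() {
  while IFS="$(printf '\t')" read -r name zone emails; do
    [ -n "$name" ] || continue
    is_gke_instance "$name" && continue
    oldifs=$IFS; IFS=';'
    for email in $emails; do
      if is_default_compute_sa "$email"; then
        printf '%s\t%s\n' "$name" "$zone"
        break
      fi
    done
    IFS=$oldifs
  done
}

# Constructed sample listing (not real project data): two VMs on the
# default SA, one GKE node (exempt), one VM on a dedicated SA.
sample_listing() {
  printf '%s\t%s\t%s\n' \
    'web-1' 'us-central1-a' '123456789012-compute@developer.gserviceaccount.com' \
    'gke-prod-default-pool-abcd1234-xyz1' 'us-central1-a' '123456789012-compute@developer.gserviceaccount.com' \
    'api-2' 'europe-west1-b' 'api-runner@my-project.iam.gserviceaccount.com' \
    'batch-3' 'us-east1-c' 'logs-writer@my-project.iam.gserviceaccount.com;123456789012-compute@developer.gserviceaccount.com'
}

audit_sample() { sample_listing | find_default_sa_instances; }
audit_sample
```

Each reported name/zone pair is an instance to stop, move to a dedicated service account with the set-service-account command above, and start again.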