Compute instances should not use the default service account with full access to all Cloud APIs

Description

If using the default Compute Engine service account (which is not recommended), note that the “Editor” role is assigned with three possible scopes: allow default access, allow full access to all Cloud APIs, and set access for each Cloud API. Avoid allowing the scope for full access to all Cloud APIs, as this may enable users accessing the Compute Engine instance to perform cloud operations outside the scope of responsibility, or increase the potential impact of a compromised instance. Note that GKE-created instances should be exempted from this.

Remediation Steps

Google Cloud Console

  • Navigate to VM instances.

  • Click on the instance name to go to the VM instance details page.

  • Click STOP if the instance is running, and then click EDIT.

  • Under the Service Account section, ensure that Allow full access to all Cloud APIs is not selected for the default Compute Engine service account.

  • Click Save and then click START.

gcloud CLI

  • Stop the Compute Engine instance:

    • gcloud compute instances stop INSTANCE_NAME

  • Update the Compute Engine instance's default service account scopes (the `--scopes` value is a comma-separated list of the scopes the instance actually needs; do not include `https://www.googleapis.com/auth/cloud-platform`, which is the full-access scope):

    • gcloud compute instances set-service-account INSTANCE_NAME --service-account=SERVICE_ACCOUNT --scopes=SCOPE1,SCOPE2,...

  • Restart the Compute Engine instance:

    • gcloud compute instances start INSTANCE_NAME
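As an added audit helper (not part of this benchmark or of gcloud itself), the following Python script checks the JSON produced by `gcloud compute instances list --format=json` for instances that attach the default Compute Engine service account with the full-access scope. The GKE exemption is assumed to be detectable by the `goog-gke-node` instance label, and the sample records are constructed.

```python
import json
import re

# Scope that grants full access to all Cloud APIs (the one this recommendation forbids).
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Default Compute Engine service account: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def uses_default_sa_with_full_access(instance):
    """True if an instance record attaches the default Compute Engine service
    account with the cloud-platform scope. GKE nodes are exempt; assumption:
    they are recognised by the 'goog-gke-node' instance label."""
    if "goog-gke-node" in instance.get("labels", {}):
        return False
    for sa in instance.get("serviceAccounts", []):
        if DEFAULT_SA_RE.match(sa.get("email", "")) and FULL_ACCESS_SCOPE in sa.get("scopes", []):
            return True
    return False


def noncompliant_instances(instances_json):
    """Names of non-compliant instances in `gcloud compute instances list --format=json` output."""
    return [i["name"] for i in json.loads(instances_json) if uses_default_sa_with_full_access(i)]


# Constructed sample output, trimmed to the fields the check uses (not real gcloud output).
SAMPLE = json.dumps([
    {"name": "web-1",                       # default SA + full access -> flagged
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "web-2",                       # default SA with narrow scopes -> ok
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                                     "https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "gke-prod-default-pool-abc123",  # GKE node -> exempt
     "labels": {"goog-gke-node": ""},
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "batch-1",                     # custom SA -> outside this check's scope
     "serviceAccounts": [{"email": "batch-runner@my-project.iam.gserviceaccount.com",
                          "scopes": [FULL_ACCESS_SCOPE]}]},
])

if __name__ == "__main__":
    for name in noncompliant_instances(SAMPLE):
        print(f"NON-COMPLIANT: {name} uses the default service account with full Cloud API access")
```

Pipe real output into `noncompliant_instances` (for example `gcloud compute instances list --format=json | python3 audit.py` with a small stdin wrapper) to list the instances that need the remediation above.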