Lateral movement
Compute Instance with Default Service Account
Risk Level
Hazardous (3)
Platform(s)
Compliance Frameworks
- cis_8
- GKE CIS
- ISO/IEC 27001
- Mitre ATT&CK v12
- New Zealand Information Security Manual
- NIST 800-190
- NIST 800-53
Description
The Compute Engine default service account is created with the primitive Editor role at the project scope. This role is very powerful and includes a large number of permissions across all Google Cloud services. The compute instance {GcpVmInstance} was found to be bound to the default service account ({GcpVmInstance.ComputePermissions.ServiceAccount}), which gives the instance Editor permissions across the whole project.
Recommended Mitigation
Avoid using the default service account when creating Compute Instances, or modify the default service account so that it no longer holds the primitive Editor role.
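As an added example, not part of this rule page, the check below parses the JSON that `gcloud compute instances list --format=json` prints and flags every instance bound to the default Compute Engine service account, whose address always has the form PROJECT_NUMBER-compute@developer.gserviceaccount.com. The instance list embedded below is constructed sample data, not output from a real project.

```python
import json

# Default Compute Engine service account addresses end with this fixed suffix.
DEFAULT_COMPUTE_SA_SUFFIX = "-compute@developer.gserviceaccount.com"

# Constructed sample shaped like `gcloud compute instances list --format=json`
# output, trimmed to the fields this check reads. Not real project data.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "db-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
   "serviceAccounts": [{"email": "db-runner@example-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
  {"name": "batch-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-c"}
]
"""

def is_default_compute_sa(email: str) -> bool:
    """True for PROJECT_NUMBER-compute@developer.gserviceaccount.com addresses."""
    return email.endswith(DEFAULT_COMPUTE_SA_SUFFIX)

def find_default_sa_instances(instances: list) -> list:
    """Return one finding per instance that has the default compute SA attached.

    The access scopes are reported too: an instance's effective permissions are
    the intersection of the account's IAM roles (Editor here) and its scopes,
    and the cloud-platform scope applies no narrowing at all.
    """
    findings = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):  # an instance may have none
            if is_default_compute_sa(sa.get("email", "")):
                findings.append({
                    "name": inst["name"],
                    "zone": inst.get("zone", "").rsplit("/", 1)[-1],
                    "serviceAccount": sa["email"],
                    "scopes": sa.get("scopes", []),
                })
    return findings

def scan(instances_json: str) -> list:
    """Parse the gcloud JSON text and return the findings list."""
    return find_default_sa_instances(json.loads(instances_json))
```

Each finding names the instance, its zone and the scopes it was granted, which is enough to prioritise which instances to move to a dedicated, least-privilege service account first.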