Compute Instance with Default Service Account

Lateral movement

Compute Instance with Default Service Account

Risk Level

Hazardous (3)

Platform(s)

Compliance Frameworks

cis_8
GKE CIS
ISO/IEC 27001
Mitre ATT&CK v12
New Zealand Information Security Manual
NIST 800-190
NIST 800-53

Description

The Compute Engine default service account is created with the primitive editor role within the project scope. These roles are very powerful, and include a large number of permissions across all Google Cloud services. The compute instance {GcpVmInstance} was found to be bound to the default Service Account ({GcpVmInstance.ComputePermissions.ServiceAccount}). This allows the compute instance Editor permissions across the whole project.

Recommended Mitigation

Default Service Accounts should be avoided when creating Compute Instances, or changed to not include the primitive editor role.

Compute Instance with Default Service Account

Description

Need help?

CLOUD SECURITY PLATFORM

TECHNOLOGY ECOSYSTEM

By Solution

By Industry

COMPARISONS