Lateral movement
Recommended Mitigation
Default Service Accounts should be avoided when creating Compute Instances, or changed to not include the primitive editor role. ## Remediation --- Choose one of the following: >1. Assign another Service Account- >>a. Sign in to the GCP Console and go to the **[VM instances](https://console.cloud.google.com/compute/instances)** page. >>b. Click the VM instance name for which you want to change the service account. >>c. If the instance is not stopped, at the top of the page under **More actions** click **Stop**. Wait for the instance to be stopped. >>d. Next, click **Edit**. >>e. Scroll down to the **Service Account** section. >>f. From the drop-down list, select a service account with the relevnat scope, to assign to the instance. >>g. Click **Save** to save your changes. >>h. At the top of the page under **More actions** click **START / RESUME** to run the instance. >2. Edit Service Account's primitive editor role- >>a. Sign in to the GCP Console and go to the **[IAM & Admin](https://console.cloud.google.com/iam-admin)**. >>b. At the left toolbar, choose **IAM**. >>c. Select a project, folder, or organization. >>d. Under **PERMISSIONS** tab, **View By: PRINCIPALS**, Find the row containing the principal's name and choose **Edit principal** in that row. >>e. Replace the primitive role (Editor) - Select a role to grant from the drop-down list. For best security practices, choose a role that includes only the permissions that your principal needs. >>f. Choose **Save**. The principal is granted the role on the resource.
