Lateral movement

Compute Instance with Default Service Account

Risk Level

Hazardous (3)

Compliance Frameworks


The Compute Engine default service account is created with the primitive editor role within the project scope. These roles are very powerful, and include a large number of permissions across all Google Cloud services. The compute instance {GcpVmInstance} was found to be bound to the default Service Account ({GcpVmInstance.ComputePermissions.ServiceAccount}). This allows the compute instance Editor permissions across the whole project.
  • Recommended Mitigation

    Default Service Accounts should be avoided when creating Compute Instances, or changed to not include the primitive editor role.