Lateral movement

Compute Instance with Default Service Account

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

The Compute Engine default service account is created with the primitive Editor role at project scope. This role is very powerful and includes a large number of permissions across all Google Cloud services. The compute instance {GcpVmInstance} was found to be bound to the default Service Account ({GcpVmInstance.ComputePermissions.ServiceAccount}). This gives the compute instance Editor permissions across the whole project.
  • Recommended Mitigation

    Default Service Accounts should be avoided when creating Compute Instances, or changed so that they no longer hold the primitive Editor role.

## Remediation

---

Choose one of the following:

1. Assign another Service Account
   a. Sign in to the GCP Console and go to the **[VM instances](https://console.cloud.google.com/compute/instances)** page.
   b. Click the VM instance name for which you want to change the service account.
   c. If the instance is not stopped, at the top of the page under **More actions** click **Stop**. Wait for the instance to be stopped.
   d. Next, click **Edit**.
   e. Scroll down to the **Service Account** section.
   f. From the drop-down list, select a service account with the relevant scope to assign to the instance.
   g. Click **Save** to save your changes.
   h. At the top of the page under **More actions** click **START / RESUME** to run the instance.
2. Edit the Service Account's primitive Editor role
   a. Sign in to the GCP Console and go to **[IAM & Admin](https://console.cloud.google.com/iam-admin)**.
   b. In the left toolbar, choose **IAM**.
   c. Select a project, folder, or organization.
   d. Under the **PERMISSIONS** tab, with **View By: PRINCIPALS**, find the row containing the principal's name and choose **Edit principal** in that row.
   e. Replace the primitive role (Editor): select a role to grant from the drop-down list. For best security practices, choose a role that includes only the permissions that your principal needs.
   f. Choose **Save**. The principal is granted the role on the resource.
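The condition this finding describes can be checked outside the console as well. The following is an added example (not part of this page or of any vendor tooling) that inspects the JSON shapes produced by `gcloud compute instances list --format=json` and `gcloud projects get-iam-policy PROJECT --format=json`; the sample instances, project number and policy bindings are constructed, and the default account is recognised by its fixed `PROJECT_NUMBER-compute@developer.gserviceaccount.com` address.

```python
import json
import re

# Added example, not the page's own code: flag instances that run as the project's default
# Compute service account while that account still holds a primitive project-level role.
# Input mirrors `gcloud compute instances list --format=json` and
# `gcloud projects get-iam-policy PROJECT --format=json`; the sample data below is constructed.
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}

INSTANCES_JSON = """[
  {"name": "web-1", "zone": "projects/demo/zones/us-central1-a",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "batch-1", "zone": "projects/demo/zones/us-central1-b",
   "serviceAccounts": [{"email": "batch-runner@demo.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]},
  {"name": "no-sa", "zone": "projects/demo/zones/us-central1-c"}
]"""
IAM_POLICY_JSON = """{"bindings": [
  {"role": "roles/editor", "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["serviceAccount:batch-runner@demo.iam.gserviceaccount.com"]}
]}"""

def primitive_roles_of(policy: dict, email: str) -> set:
    """Primitive project-level roles bound directly to the service account."""
    member = f"serviceAccount:{email}"
    return {b["role"] for b in policy.get("bindings", [])
            if b["role"] in PRIMITIVE_ROLES and member in b.get("members", [])}

def find_default_sa_instances(instances_json: str, policy_json: str) -> list:
    """Return (instance, email, roles) for each instance bound to a default SA that holds a primitive role."""
    policy = json.loads(policy_json)
    findings = []
    for inst in json.loads(instances_json):
        for sa in inst.get("serviceAccounts", []):  # instances with no SA are skipped
            email = sa.get("email", "")
            if not DEFAULT_COMPUTE_SA.match(email):
                continue  # custom service account: not this finding
            roles = primitive_roles_of(policy, email)
            if roles:
                findings.append((inst["name"], email, sorted(roles)))
    return findings

if __name__ == "__main__":
    for name, email, roles in find_default_sa_instances(INSTANCES_JSON, IAM_POLICY_JSON):
        # Fix with a least-privilege account (instance must be stopped first):
        #   gcloud compute instances set-service-account NAME --zone ZONE --service-account=SA_EMAIL
        print(f"{name}: default service account {email} holds {', '.join(roles)}")
```

Only direct project-level bindings are inspected; a role inherited from a folder or organization, or granted through a group, is not seen by this check.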