Lateral movement

Compute Instance with Permissive Service Account


Compute Instance with full access to all Cloud APIs and a service account that has a primitive editor role within the project scope. These roles are very powerful, and include a large number of permissions across all Google Cloud services. The compute instance {GcpVmInstance} was found to be bound to the Service Account ({GcpVmInstance.ComputePermissions.ServiceAccount}). This allows the compute instance Editor permissions across the whole project.
  • Recommended Mitigation

    Permissive Service Accounts should be avoided when creating Compute Instances, or changed to not include the primitive editor role.