Lateral movement

Compute Instance with Permissive Service Account

Description

A Compute Instance configured with full access to all Cloud APIs and a service account that holds the primitive Editor role at the project scope. Primitive roles are very powerful and include a large number of permissions across all Google Cloud services. The compute instance {GcpVmInstance} was found to be bound to the Service Account {GcpVmInstance.ComputePermissions.ServiceAccount}. This grants the compute instance Editor permissions across the whole project.
  • Recommended Mitigation

    Avoid attaching permissive Service Accounts when creating Compute Instances, or change the attached Service Account so that it no longer holds the primitive Editor role.
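As an added example (not part of this finding's text), a small Python check that evaluates the condition above over Compute Engine instance and project IAM policy JSON: an instance is flagged only when an attached service account both holds a primitive role (Editor, or the broader Owner) and is given the cloud-platform OAuth scope that backs "full access to all Cloud APIs", so an Editor account whose instance scope was narrowed is not flagged. The JSON shapes follow the Compute Engine and Resource Manager APIs; the service account emails, project name and bindings are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# "Allow full access to all Cloud APIs" on an instance is this single OAuth scope.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
PRIMITIVE_ROLES = {"roles/editor", "roles/owner"}  # basic roles with project-wide reach

@dataclass
class Finding:
    instance: str
    service_account: str
    roles: List[str]

def roles_for_service_account(iam_policy: dict, sa_email: str) -> set:
    """Project-level roles bound directly to the service account."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in iam_policy.get("bindings", [])
            if member in b.get("members", [])}

def check_instance(instance: dict, iam_policy: dict) -> Optional[Finding]:
    """Flag an instance whose attached SA holds a primitive role AND the
    cloud-platform scope; a narrower scope caps the instance token's reach."""
    for sa in instance.get("serviceAccounts", []):
        if CLOUD_PLATFORM_SCOPE not in sa.get("scopes", []):
            continue
        permissive = roles_for_service_account(iam_policy, sa["email"]) & PRIMITIVE_ROLES
        if permissive:
            return Finding(instance["name"], sa["email"], sorted(permissive))
    return None

def scan(instances: List[dict], iam_policy: dict) -> List[Finding]:
    return [f for f in (check_instance(i, iam_policy) for i in instances) if f]

# Constructed sample data in the shape of `gcloud compute instances describe --format=json`
# and `gcloud projects get-iam-policy --format=json`; not real project values.
DEFAULT_SA = "123456789012-compute@developer.gserviceaccount.com"
SCOPED_SA = "web-frontend@example-project.iam.gserviceaccount.com"
LOG_SCOPE = "https://www.googleapis.com/auth/logging.write"
SAMPLE_POLICY = {"bindings": [{"role": "roles/editor", "members": [f"serviceAccount:{DEFAULT_SA}"]}]}
SAMPLE_INSTANCES = [
    # Editor SA + full API scope: the finding described above.
    {"name": "vm-default-sa", "serviceAccounts": [{"email": DEFAULT_SA, "scopes": [CLOUD_PLATFORM_SCOPE]}]},
    # Same Editor SA, but the instance scope is narrowed: not flagged.
    {"name": "vm-default-sa-narrow-scope", "serviceAccounts": [{"email": DEFAULT_SA, "scopes": [LOG_SCOPE]}]},
    # Dedicated SA with no primitive role: not flagged.
    {"name": "vm-dedicated-sa", "serviceAccounts": [{"email": SCOPED_SA, "scopes": [CLOUD_PLATFORM_SCOPE]}]},
]
```

Feed it the output of `gcloud compute instances describe` and `gcloud projects get-iam-policy` (both with `--format=json`) to run the same check against a real project.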