IAM misconfigurations

Over privileged Vm instance

Risk Level

Informational (4)

Platform(s)
Compliance Frameworks

Description

We have found a Vm instance with full access to all Cloud APIs that is using the default service account. To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.

  • Recommended Mitigation

    Create a new service account and assign only the permissions needed by your instance and ensure that the instance is not configured to allow 'cloud-platform' scope. ## Remediation --- >1. Sign in to the GCP Console and go to the **[VM instances](https://console.cloud.google.com/compute/instances)** page. >2. Click the VM instance name for which you want to change the service account. >3. If the instance is not stopped, at the top of the page under **More actions** click **Stop**. Wait for the instance to be stopped. >4. Next, click **Edit**. >5. Scroll down to the **Service Account** section. >6. From the drop-down list, select a service account with the relevnat scope, to assign to the instance. >7. Click **Save** to save your changes. >8. At the top of the page under **More actions** click **START / RESUME** to run the instance.

Need help?

Get a free Security Risk Assessment. Start today

See Orca in action See Orca in action-> View a 10 minute recorded demo or sign up for a personalized one-on-one walk-through.