Lateral movement

Compute Instance with Default Service Account

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks
  • cis_8
  • GKE CIS
  • ISO/IEC 27001
  • Mitre ATT&CK v12
  • New Zealand Information Security Manual
  • NIST 800-190
  • NIST 800-53

Description

The Compute Engine default service account is created with the primitive Editor role at the project scope. This role is very powerful and includes a large number of permissions across all Google Cloud services. The compute instance {GcpVmInstance} was found to be bound to the default service account ({GcpVmInstance.ComputePermissions.ServiceAccount}), which grants the instance Editor permissions across the whole project: any workload or attacker with access to the instance's metadata server can use those permissions.
Recommended Mitigation

Default service accounts should be avoided when creating Compute Instances, or changed so that they no longer hold the primitive Editor role.
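As an added example (not part of this rule page or the product that publishes it), the following Python snippet shows how the two halves of this finding can be checked from exported data: which instances are attached to the project's default Compute Engine service account, and whether that account still holds `roles/editor` in the project IAM policy. The input shapes follow the JSON emitted by `gcloud compute instances list --format=json` and `gcloud projects get-iam-policy --format=json`, trimmed to the fields used here; the instance names, project number and service-account emails are constructed sample values.

```python
import json
import re

# Default Compute Engine service accounts always have this form:
# <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Scope that lets the instance exercise every permission the account holds.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample, shaped like `gcloud compute instances list --format=json`.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1", "zone": "https://www.googleapis.com/compute/v1/projects/sample-proj/zones/us-central1-a",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "batch-2", "zone": "https://www.googleapis.com/compute/v1/projects/sample-proj/zones/us-central1-b",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
  {"name": "api-3", "zone": "https://www.googleapis.com/compute/v1/projects/sample-proj/zones/us-central1-c",
   "serviceAccounts": [{"email": "api-runner@sample-proj.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "no-sa-4", "zone": "https://www.googleapis.com/compute/v1/projects/sample-proj/zones/us-central1-a"}
]
"""

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY_JSON = """
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
               "user:alice@example.com"]},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:api-runner@sample-proj.iam.gserviceaccount.com"]}
]}
"""


def find_default_sa_instances(instances):
    """Return one finding per instance attached to a default Compute Engine SA.

    `fullAccessScope` is True when the attachment also carries the
    cloud-platform scope, i.e. the instance can use every permission the
    account holds rather than a narrowed API subset.
    """
    findings = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            email = sa.get("email", "")
            if DEFAULT_COMPUTE_SA.match(email):
                findings.append({
                    "instance": inst["name"],
                    "zone": inst.get("zone", "").rsplit("/", 1)[-1],
                    "serviceAccount": email,
                    "fullAccessScope": CLOUD_PLATFORM_SCOPE in sa.get("scopes", []),
                })
    return findings


def default_sas_with_editor(policy):
    """Return the default Compute Engine SAs that hold roles/editor in the policy."""
    hits = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != "roles/editor":
            continue
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind == "serviceAccount" and DEFAULT_COMPUTE_SA.match(email):
                hits.add(email)
    return sorted(hits)


def report(instances_json, policy_json):
    """Combine both checks: instances bound to a default SA that is still project Editor."""
    findings = find_default_sa_instances(json.loads(instances_json))
    editors = set(default_sas_with_editor(json.loads(policy_json)))
    for f in findings:
        f["projectEditor"] = f["serviceAccount"] in editors
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_INSTANCES_JSON, SAMPLE_POLICY_JSON):
        print(f)
```

To run against a real project, pipe the two `gcloud` commands named above into `report()`. The usual remediation path is to stop the instance and re-attach it with `gcloud compute instances set-service-account` using a purpose-built account and narrow scopes, and to remove the `roles/editor` binding from the default account itself; the `iam.automaticIamGrantsForDefaultServiceAccounts` organization policy constraint stops new projects from granting Editor to default service accounts in the first place.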