Lateral movement

Compute Instance with Default Service Account

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

cis_8, GKE CIS, ISO/IEC 27001, Mitre ATT&CK v12, New Zealand Information Security Manual, NIST 800-190, NIST 800-53

Description

The Compute Engine default service account is created with the primitive editor role within the project scope. These roles are very powerful, and include a large number of permissions across all Google Cloud services. The compute instance {GcpVmInstance} was found to be bound to the default Service Account ({GcpVmInstance.ComputePermissions.ServiceAccount}). This allows the compute instance Editor permissions across the whole project.
  • Recommend icon

    Recommended Mitigation

    Default Service Accounts should be avoided when creating Compute Instances, or changed to not include the primitive editor role.

Need help?

Get a free Security Risk Assessment. Start today

A screenshot of the Orca platform dashboard summarizing all of your cloud security risks

Personalized Demo

See Orca Security in Action

Gain visibility, achieve compliance, and prioritize risks with the Orca Cloud Security Platform.

Get a Demo