Compute Instance with Default Service Account
Risk Level
Hazardous (3)
Platform(s)
Compliance Frameworks
cis_8, GKE CIS, ISO/IEC 27001, Mitre ATT&CK v12, New Zealand Information Security Manual, NIST 800-190, NIST 800-53
Description
The Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com) is created automatically when the Compute Engine API is enabled in a project and, unless the organization policy constraint iam.automaticIamGrantsForDefaultServiceAccounts is enforced, is granted the basic (formerly "primitive") Editor role on the project. The Editor role is very broad: it carries read and write permissions across nearly all Google Cloud services. The compute instance {GcpVmInstance} was found to be bound to the default service account ({GcpVmInstance.ComputePermissions.ServiceAccount}). Any process on the instance can fetch that account's OAuth access token from the metadata server, so a compromise of the VM (for example through a server-side request forgery or remote code execution bug in a hosted application) yields Editor permissions across the whole project. The instance's access scopes can narrow which APIs the token is accepted for, but scopes are a legacy mechanism rather than an IAM boundary and can be changed by anyone able to stop and edit the instance, so the binding itself should be treated as the finding.
Recommended Mitigation
Do not attach the default service account to compute instances. Create a dedicated service account per workload, grant it only the IAM roles that workload needs, and attach it to the instance (the instance must be stopped to change its service account). Remove the Editor role from the default service account at the project level, and enforce the organization policy constraint iam.automaticIamGrantsForDefaultServiceAccounts so that new projects never grant Editor to default service accounts. If an instance needs no Google Cloud API access at all, attach no service account to it.
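The following shell script is an added example, not part of the original finding page or of any vendor tooling. It shows how to check whether an instance's attached service account is the Compute Engine default (recognisable by the fixed PROJECT_NUMBER-compute@developer.gserviceaccount.com form) and how to remediate with the gcloud CLI. The project, zone, instance and service-account names, and the two sample describe outputs, are constructed placeholders; the roles granted to the dedicated account (logging.logWriter, monitoring.metricWriter) are only an illustration of a least-privilege set and must be replaced with what the workload actually needs.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the gcloud CLI is
# installed and authenticated; PROJECT/ZONE/INSTANCE/SA_NAME are placeholders.

# Constructed samples of what
#   gcloud compute instances describe "$INSTANCE" --zone "$ZONE" \
#       --format='value(serviceAccounts[].email)'
# prints for a VM on the default service account and for a remediated VM.
SAMPLE_DEFAULT_SA_OUTPUT="123456789012-compute@developer.gserviceaccount.com"
SAMPLE_DEDICATED_SA_OUTPUT="vm-web-minimal@my-project.iam.gserviceaccount.com"

# Returns 0 when the email is a Compute Engine default service account.
# Every project's default account has the exact form
# PROJECT_NUMBER-compute@developer.gserviceaccount.com, so a suffix match
# is sufficient and does not depend on knowing the project number.
is_default_compute_sa() {
  case "$1" in
    *-compute@developer.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints a one-line verdict for a service-account email taken from
# describe output. An empty email means no service account is attached,
# which is the safest state for a VM that needs no API access.
classify_instance_sa() {
  if [ -z "$1" ]; then
    echo "OK: no service account attached"
  elif is_default_compute_sa "$1"; then
    echo "FINDING: bound to default service account $1"
  else
    echo "OK: dedicated service account $1"
  fi
}

# Live check against a real instance (requires gcloud; not run by the test).
audit_instance() {
  instance="$1"; zone="$2"
  sa_email=$(gcloud compute instances describe "$instance" --zone "$zone" \
      --format='value(serviceAccounts[].email)')
  classify_instance_sa "$sa_email"
}

# Remediation: dedicated least-privilege account, swapped in while the VM is
# stopped, then the Editor grant is stripped from the default account.
# Scope is set to cloud-platform so that IAM roles, not legacy scopes, are
# the only thing that limits the account (Google's recommended pattern).
remediate_instance() {
  project="$1"; zone="$2"; instance="$3"; sa_name="$4"
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
  project_number=$(gcloud projects describe "$project" \
      --format='value(projectNumber)')
  default_sa="${project_number}-compute@developer.gserviceaccount.com"

  gcloud iam service-accounts create "$sa_name" --project "$project" \
      --display-name "Dedicated SA for $instance"
  # Example roles only: grant what the workload needs and nothing more.
  for role in roles/logging.logWriter roles/monitoring.metricWriter; do
    gcloud projects add-iam-policy-binding "$project" \
        --member "serviceAccount:${sa_email}" --role "$role"
  done

  gcloud compute instances stop "$instance" --zone "$zone" --project "$project"
  gcloud compute instances set-service-account "$instance" --zone "$zone" \
      --project "$project" --service-account "$sa_email" --scopes cloud-platform
  gcloud compute instances start "$instance" --zone "$zone" --project "$project"

  # Remove the broad grant from the default account itself. Check that no
  # other instance or job still relies on it before running this step.
  gcloud projects remove-iam-policy-binding "$project" \
      --member "serviceAccount:${default_sa}" --role roles/editor
}

# Example invocations (commented out; uncomment with real values):
# audit_instance my-vm us-central1-a
# remediate_instance my-project us-central1-a my-vm vm-web-minimal
```

The audit function can be looped over `gcloud compute instances list --format='value(name,zone)'` to sweep a project; the remediation function changes IAM policy and restarts the VM, so run it per instance during a maintenance window and verify the workload still has every permission it needs before removing Editor from the default account.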