Ensure instances do not use default Compute Engine service account

Error: Instances use default Compute Engine service account

Bridgecrew Policy ID: BC_GCP_IAM_1
Checkov Check ID: CKV_GCP_30
Severity: MEDIUM

Description

The default Compute Engine service account is automatically granted the basic Editor role on the project (unless the organization policy constraint iam.automaticIamGrantsForDefaultServiceAccounts is enforced), which allows read and write access to most Google Cloud services. Any process running on the instance, including an attacker who has compromised it, can fetch this account's tokens from the metadata server.

We recommend that you configure your instance not to use the default Compute Engine service account.
Instead, create a dedicated service account and grant it only the IAM roles the instance's workload needs. This limits the privilege escalation available from a compromised VM and prevents an attacker from turning one instance into access to your whole project. Access scopes further narrow what the attached account can call, but they are a legacy control and not a substitute for a least-privilege role grant.

📘

Note

The default Compute Engine service account is named:
[PROJECT_NUMBER]-compute@developer.gserviceaccount.com

Fix - Runtime

GCP Console

To change the service account attached to an instance using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. Click on the instance name to go to its VM instance details page.
  4. Click STOP, then click EDIT.
  5. Under the section Service Account, select a service account. You may first need to create a new service account.

🚧

Warning

Do not select the default Compute Engine service account.

  6. Click Save and then click START.

CLI Command

  1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME --zone=ZONE
  2. Attach the new service account:
gcloud compute instances set-service-account INSTANCE_NAME --zone=ZONE --service-account=SERVICE_ACCOUNT
  3. Restart the instance:
gcloud compute instances start INSTANCE_NAME --zone=ZONE

SERVICE_ACCOUNT is the email address of the dedicated account, not the default one. Add --scopes=SCOPES to the set-service-account command if the instance's access scopes should change at the same time.
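The steps above, together with the description's advice to create a dedicated account that carries only the permissions the instance needs, as an added shell example that is not part of the original page: it audits the output of gcloud compute instances list for instances attached to the default Compute Engine service account and prints the gcloud commands that create a least-privilege account and move each offender onto it, rather than running them. The project number 123456789012, the instance names and zones, the project ID my-project, the account name vm-app-sa, the two roles bound to it and the assumed --format shape of the list output are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Bridgecrew/Checkov page: audit a project's
# instances for the default Compute Engine service account and print the
# gcloud steps that move an offender onto a dedicated, least-privilege
# account. Project number, instance names, zones, the project ID
# "my-project", the account name "vm-app-sa" and the roles granted to it
# are constructed assumptions.

# The default Compute Engine service account is always
# PROJECT_NUMBER-compute@developer.gserviceaccount.com.
DEFAULT_SA_REGEX='^[0-9]+-compute@developer\.gserviceaccount\.com$'

# Exit 0 if EMAIL is the default Compute Engine service account.
is_default_compute_sa() {
    printf '%s\n' "$1" | grep -Eq "$DEFAULT_SA_REGEX"
}

# Reads lines of "NAME<TAB>ZONE<TAB>EMAIL[;EMAIL...]", the assumed shape of
#   gcloud compute instances list \
#     --format="value(name,zone.basename(),serviceAccounts[].email)"
# and prints "NAME ZONE" for every instance attached to the default account.
# An instance with no service account has an empty third field and is not
# flagged; only the default account is a finding.
find_default_sa_instances() {
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name zone emails; do
        [ -n "$name" ] || continue
        if printf '%s\n' "$emails" | tr ';' '\n' | grep -Eq "$DEFAULT_SA_REGEX"; then
            printf '%s %s\n' "$name" "$zone"
        fi
    done
}

# Prints the commands that create a dedicated service account and bind only
# the roles passed as arguments; the caller decides what "only the
# permissions needed by your instance" means for the workload.
create_least_privilege_sa() {
    project=$1; sa_name=$2; shift 2
    printf 'gcloud iam service-accounts create %s --project=%s\n' "$sa_name" "$project"
    for role in "$@"; do
        printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s@%s.iam.gserviceaccount.com --role=%s\n' \
            "$project" "$sa_name" "$project" "$role"
    done
}

# Prints the page's stop / set-service-account / start sequence for one
# instance. --scopes=cloud-platform is chosen so that the account's IAM
# roles, not legacy access scopes, define what the VM may call. Commands are
# printed rather than executed so the plan can be reviewed first.
remediation_plan() {
    instance=$1; zone=$2; sa_email=$3
    printf 'gcloud compute instances stop %s --zone=%s\n' "$instance" "$zone"
    printf 'gcloud compute instances set-service-account %s --zone=%s --service-account=%s --scopes=cloud-platform\n' \
        "$instance" "$zone" "$sa_email"
    printf 'gcloud compute instances start %s --zone=%s\n' "$instance" "$zone"
}

# Constructed stand-in for the gcloud list output (tab-separated): one
# instance on the default account, one on a custom account, one with none.
SAMPLE_LIST="$(printf 'web-1\tus-central1-a\t123456789012-compute@developer.gserviceaccount.com\nbatch-7\teurope-west1-b\tbatch-sa@my-project.iam.gserviceaccount.com\nbastion\tus-central1-a\t')"

# Create one dedicated account (in practice one per workload), then emit the
# migration plan for every instance still on the default account.
audit_and_plan() {
    create_least_privilege_sa my-project vm-app-sa roles/logging.logWriter roles/monitoring.metricWriter
    find_default_sa_instances "$1" | while read -r instance zone; do
        remediation_plan "$instance" "$zone" vm-app-sa@my-project.iam.gserviceaccount.com
    done
}

audit_and_plan "$SAMPLE_LIST"
```

Against a real project, feed the function live output instead of the sample, for example find_default_sa_instances "$(gcloud compute instances list --format="value(name,zone.basename(),serviceAccounts[].email)")", and pipe the printed plan into sh once the roles and target account have been reviewed.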

Fix - Buildtime

Terraform

  • Resource: google_compute_instance
  • Field: service_account
  • Argument: email = <email other than the default service account's>
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
-    email  = "[PROJECT_NUMBER]-compute@developer.gserviceaccount.com"
+    email  = "<custom-service-account-email>"
  }
}