Ensure instances do not use default service account with full access to cloud APIs

Error: Instances use default service account with full access to cloud APIs

Bridgecrew Policy ID: BC_GCP_IAM_2
Checkov Check ID: CKV_GCP_31
Severity: MEDIUM


Description

When an instance is configured with the Compute Engine default service account and the scope Allow full access to all Cloud APIs, any user whose IAM roles let them access the instance can act with that account's broad permissions, which may result in privilege escalation. For example, a user may gain the ability to perform cloud operations and API calls that they are not required to perform.

Along with the ability to optionally create, manage and use user-managed custom service accounts, Google Compute Engine provides a default service account, the Compute Engine default service account, so that instances can access the cloud services they need. The Project Editor role is assigned to the Compute Engine default service account, which gives it almost all capabilities over all cloud services except billing. When the Compute Engine default service account is assigned to an instance, it can operate in one of three scopes:

  1. Allow default access: Allows only the minimum access required to run an instance (least privilege).
  2. Allow full access to all Cloud APIs: Allows full access to all cloud APIs/services (too much access).
  3. Set access for each API: Allows the instance administrator to choose only those APIs that are needed for the specific business functionality expected of the instance.

We recommend that you do not assign instances to the Compute Engine default service account with the scope Allow full access to all Cloud APIs. This supports the principle of least privilege and helps prevent potential privilege escalation.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. Select the impacted VM instance.
  4. If the instance is not stopped, click Stop. Wait for the instance to stop.
  5. Click Edit.
  6. Scroll down to the Service Account section.
  7. Select a different service account or ensure Allow full access to all Cloud APIs is not selected.
  8. To save your changes, click Save.
  9. Click START.

CLI Command

  1. Stop the instance:
     gcloud compute instances stop INSTANCE_NAME
  2. Update the instance's service account and scopes (the flag is --service-account; scopes are given as a comma-separated list):
     gcloud compute instances set-service-account INSTANCE_NAME \
       --service-account=SERVICE_ACCOUNT \
       --scopes=SCOPE1,SCOPE2
  3. Restart the instance:
     gcloud compute instances start INSTANCE_NAME

Fix - Buildtime

Terraform

  • Resource: google_compute_instance
  • Field: service_account
  • Argument: If email is set to the default service account, or is not specified (Terraform then attaches the default service account), scopes must not contain the full-access scope https://www.googleapis.com/auth/cloud-platform.
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  service_account {
-    scopes = ["https://www.googleapis.com/auth/cloud-platform"]
-    email  = "[PROJECT_NUMBER]-compute@developer.gserviceaccount.com"
  }
}
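The following Python script is an added example, not Checkov's own implementation of CKV_GCP_31 and not part of the original page. It applies the rule stated in the Description and in the Terraform Argument above in both places a practitioner would want it: at runtime, over instance records in the JSON shape returned by the Compute API (`gcloud compute instances describe --format=json` exposes the same `serviceAccounts` array), and at build time, over a `service_account` block given as a plain dict (`{"email": ..., "scopes": [...]}`, a simplified shape chosen for this example rather than Checkov's internal representation). The project number, instance names and service-account names in the sample records are constructed. It also accepts the short alias `cloud-platform`, which the Terraform google provider expands to the full scope URL.

```python
import re
from typing import Any, Dict, Iterable, List, Optional

# Scope that the GCP Console labels "Allow full access to all Cloud APIs".
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Terraform's google provider also accepts this short alias for the same scope.
FULL_ACCESS_ALIASES = {FULL_ACCESS_SCOPE, "cloud-platform"}

# The Compute Engine default service account is always named
# <PROJECT_NUMBER>-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def is_default_service_account(email: Optional[str]) -> bool:
    """True for the Compute Engine default service account, or when no email
    is given (in Terraform an omitted email means the default account)."""
    if not email:
        return True
    return DEFAULT_SA_RE.match(email) is not None


def has_full_access_scope(scopes: Iterable[str]) -> bool:
    """True if any scope grants full access to all Cloud APIs."""
    return any(s in FULL_ACCESS_ALIASES for s in scopes)


def instance_findings(instance: Dict[str, Any]) -> List[str]:
    """Runtime check over one Compute API instance record.
    Returns one message per offending service account; empty means compliant.
    An instance with no serviceAccounts entry has no account attached at all."""
    findings = []
    for sa in instance.get("serviceAccounts", []):
        email = sa.get("email")
        scopes = sa.get("scopes", [])
        if is_default_service_account(email) and has_full_access_scope(scopes):
            findings.append(
                f"{instance.get('name')}: default service account {email} "
                f"has scope {FULL_ACCESS_SCOPE}"
            )
    return findings


def tf_service_account_violates(block: Dict[str, Any]) -> bool:
    """Buildtime check over a google_compute_instance service_account block,
    given as {"email": str | None, "scopes": [...]} (simplified shape for this
    example, not Checkov's internal representation)."""
    return is_default_service_account(block.get("email")) and has_full_access_scope(
        block.get("scopes", [])
    )


def audit(instances: Iterable[Dict[str, Any]]) -> List[str]:
    """Run the runtime check over a list of instance records."""
    findings: List[str] = []
    for inst in instances:
        findings.extend(instance_findings(inst))
    return findings


# Constructed sample records (made-up project number and names).
SAMPLE_INSTANCES = [
    {   # violates: default service account with the full-access scope
        "name": "web-1",
        "serviceAccounts": [{
            "email": "123456789012-compute@developer.gserviceaccount.com",
            "scopes": [FULL_ACCESS_SCOPE],
        }],
    },
    {   # compliant: default service account with narrow "default access" scopes
        "name": "web-2",
        "serviceAccounts": [{
            "email": "123456789012-compute@developer.gserviceaccount.com",
            "scopes": [
                "https://www.googleapis.com/auth/devstorage.read_only",
                "https://www.googleapis.com/auth/logging.write",
                "https://www.googleapis.com/auth/monitoring.write",
            ],
        }],
    },
    {   # passes this check: user-managed account, whose reach is bounded by its own IAM roles
        "name": "batch-1",
        "serviceAccounts": [{
            "email": "batch-runner@example-project.iam.gserviceaccount.com",
            "scopes": [FULL_ACCESS_SCOPE],
        }],
    },
    {   # compliant: no service account attached
        "name": "isolated-1",
    },
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTANCES):
        print("FAIL", finding)
```

Running the script prints one FAIL line for `web-1` only. The buildtime helper treats a missing or empty `email` as the default account, matching the Argument above, so `{"scopes": ["cloud-platform"]}` with no email is flagged while the same scope on a user-managed account is not.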