Ensure default Service Account is not used at project level

Error: Default Service Account is used at project level

Bridgecrew Policy ID: BC_GCP_IAM_7
Checkov Check ID: CKV_GCP_46
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH


Description

A service account is a special Google account that belongs to an application or a VM rather than to an individual end user. The application authenticates as the service account when it calls Google APIs, so no user is directly involved. A service account therefore represents the service-level security of the application or VM resources that run as it, and that security is determined entirely by the roles bound to it. Granting roles to the default service accounts should be avoided; the details follow.

We recommend that you do not create IAM role bindings for the default Compute Engine and App Engine service accounts. These accounts are created automatically, are shared by every workload in the project that does not specify its own identity, and are granted the project-wide Editor role at creation unless the iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint is enforced. Any project-level binding you add to them is inherited by all of those workloads, so the compromise of a single VM, function or job yields the whole set of granted permissions.

Default Compute Engine service account: used by Compute Engine, GKE, Dataproc, Dataflow and Composer workloads that do not specify their own service account.
PROJECT_NUMBER-compute@developer.gserviceaccount.com

Default App Engine (appspot) service account: used by App Engine, Cloud Functions and other App Engine based services.
PROJECT_ID@appspot.gserviceaccount.com

Fix - Buildtime

Terraform

  • Resources:
    google_project_iam_member
    google_project_iam_binding
  • Argument: member (google_project_iam_member) / members (google_project_iam_binding)
Remove the lines marked with "-"; member strings for service accounts carry the "serviceAccount:" prefix, and PROJECT_NUMBER / PROJECT_ID stand for the values of your project.
resource "google_project_iam_member" "project" {
  project = "my-project-id"
  role    = "roles/owner"
- member  = "serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com"
- member  = "serviceAccount:PROJECT_ID@appspot.gserviceaccount.com"
}
resource "google_project_iam_binding" "project" {
  project = "my-project-id"
  role    = "roles/owner"
- members = [
-   "serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com",
-   "serviceAccount:PROJECT_ID@appspot.gserviceaccount.com"
- ]
}
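The following is an added example, not part of the Bridgecrew page or of Checkov's own implementation of CKV_GCP_46. It implements the check described above as a small regex-based scan of Terraform HCL: it walks every google_project_iam_member and google_project_iam_binding block, pulls the literal member or members values, and flags any that match the two default service account shapes listed in the description. The two HCL snippets inside it are constructed sample input: one reproduces the failing configuration from the fix section, the other shows the remediation a practitioner would actually apply, a dedicated google_service_account with a narrowly scoped binding. The project ID my-project, the project number 123456789012 and the account name app-runtime are made up for the example.

```python
"""Static check for project-level IAM bindings to GCP default service accounts.

Added example (not Checkov's code): scans Terraform HCL text for
google_project_iam_member / google_project_iam_binding resources whose
member(s) are the default Compute Engine or App Engine service account.
Pure standard library, regex based.
"""
import re

# Well-known shapes of the two default service accounts:
#   PROJECT_NUMBER-compute@developer.gserviceaccount.com   (Compute Engine)
#   PROJECT_ID@appspot.gserviceaccount.com                 (App Engine)
# Terraform member strings normally carry a "serviceAccount:" prefix; accept both.
DEFAULT_SA_PATTERNS = (
    re.compile(r"^(?:serviceAccount:)?\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^(?:serviceAccount:)?[a-z][a-z0-9-]*@appspot\.gserviceaccount\.com$"),
)

# Only the two project-level IAM resource types are in scope for this policy.
# The body runs up to the first "}" at column 0, so an indented nested block
# (e.g. a condition {} block) does not end the match early.
RESOURCE_RE = re.compile(
    r'resource\s+"(google_project_iam_(?:member|binding))"\s+"([^"]+)"\s*\{(.*?)^\}',
    re.S | re.M,
)
MEMBER_RE = re.compile(r'\bmember\s*=\s*"([^"]+)"')      # single member argument
MEMBERS_RE = re.compile(r'\bmembers\s*=\s*\[(.*?)\]', re.S)  # members list argument
QUOTED_RE = re.compile(r'"([^"]+)"')


def is_default_service_account(member: str) -> bool:
    """True if the IAM member string names a default Compute/App Engine SA."""
    return any(p.match(member.strip()) for p in DEFAULT_SA_PATTERNS)


def extract_members(body: str) -> list[str]:
    """Collect every literal member from a `member` or `members` argument."""
    members = MEMBER_RE.findall(body)
    for list_body in MEMBERS_RE.findall(body):
        members.extend(QUOTED_RE.findall(list_body))
    return members


def find_default_sa_bindings(hcl: str) -> list[tuple[str, str, str]]:
    """Return (resource_type, resource_name, member) for each failing binding."""
    findings = []
    for rtype, rname, body in RESOURCE_RE.findall(hcl):
        for member in extract_members(body):
            if is_default_service_account(member):
                findings.append((rtype, rname, member))
    return findings


# Constructed sample input: the failing configuration from the page's fix section.
VULNERABLE_HCL = """
resource "google_project_iam_member" "compute_owner" {
  project = "my-project"
  role    = "roles/owner"
  member  = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
}

resource "google_project_iam_binding" "editors" {
  project = "my-project"
  role    = "roles/editor"
  members = [
    "serviceAccount:my-project@appspot.gserviceaccount.com",
    "user:alice@example.com",
  ]
}
"""

# Constructed sample input: the remediation, a dedicated service account with a
# role scoped to what the workload needs instead of Owner on the default SA.
FIXED_HCL = """
resource "google_service_account" "app" {
  account_id   = "app-runtime"
  display_name = "Dedicated runtime service account"
}

resource "google_project_iam_member" "app_logwriter" {
  project = "my-project"
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.app.email}"
}
"""

if __name__ == "__main__":
    for label, hcl in (("vulnerable", VULNERABLE_HCL), ("fixed", FIXED_HCL)):
        findings = find_default_sa_bindings(hcl)
        print(f"{label}: {len(findings)} finding(s)")
        for rtype, rname, member in findings:
            print(f"  {rtype}.{rname} -> {member}")
```

Two caveats a practitioner should keep in mind. First, a literal string match such as this one only sees members written out in the HCL; a binding that reaches the default account through indirection, for example a data source that looks up the default Compute Engine service account's email, passes the scan and still fails the intent of the policy. Second, removing the binding does not change which identity a VM, function or job runs as; the workload keeps using the default account, just with fewer permissions, so the complete fix is to attach the dedicated account to the resource as well.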