Check for Instances Associated with Default Service Accounts

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your Google Compute Engine instances are not configured to use the default Google Cloud service account, in order to implement the principle of least privilege (POLP) and secure access to your cloud resources. A service account is an IAM identity attached to a Google Cloud VM instance. The default Compute Engine service account, named <project-number>-compute@developer.gserviceaccount.com, is granted the Editor role at the project level, which allows read and write access to most Google Cloud Platform (GCP) services.

Security

By default, Google Cloud virtual machine (VM) instances are configured to use the default Compute Engine service account. To protect against privilege escalation in case one of your Google Compute Engine instances is compromised, and to stop attackers from gaining access to all of your project resources, it is strongly recommended to avoid using the default service account. Instead, a new service account that follows the principle of least privilege (allowing only the permissions needed) should be created for each instance within your project.


Audit

To determine if your Google Cloud VM instances are using the default service account, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to access the instance configuration details and check the Service account attribute value (ID). If the Service account ID has the following format: <gcp-project-number>-compute@developer.gserviceaccount.com, the selected Google Cloud VM instance is configured to use the default Compute Engine service account.

07 Repeat steps no. 5 and 6 for each virtual machine instance created within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-nodejs-app-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and zone of each VM instance provisioned inside the selected project:

gcloud compute instances list \
	--project cc-web-stack-project-123123 \
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-web-stack-instance     us-central1-a
cc-backend-vm-instance    us-central1-a
cc-dev-platform-instance  us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as the identifier parameters and custom filtering to describe the email of the service account configured for the selected VM instance:

gcloud compute instances describe cc-web-stack-instance \
	--zone us-central1-a \
	--format="table(serviceAccounts.email)"

06 The command output should return the requested service account email address:

EMAIL
['123456789012-compute@developer.gserviceaccount.com']

If the email address returned by the compute instances describe command output has the following format: <gcp-project-number>-compute@developer.gserviceaccount.com, as shown in the example above, the selected Google Cloud VM instance is configured to use the default Compute Engine service account.

07 Repeat steps no. 5 and 6 for each virtual machine instance provisioned within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
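The following script is an added example, not part of the Conformity page: it automates Audit part II (CLI steps 1 to 8) across every project visible to the active gcloud credentials, and separates the pattern check from the gcloud calls so the check can also be run offline against a saved inventory. It assumes gcloud is installed and authenticated when invoked with --run, and uses the standard gcloud value() format with the zone.basename() transform.

```shell
#!/bin/sh
# Added example (not from the Conformity page): automate Audit part II.
# Assumes gcloud is installed and authenticated when run with --run;
# the classification logic below needs no network at all.
set -eu

# Default Compute Engine service account form described in the Audit section.
DEFAULT_SA_PATTERN='^[0-9]+-compute@developer\.gserviceaccount\.com$'

# Exit 0 when EMAIL has the form
# <project-number>-compute@developer.gserviceaccount.com, else exit 1.
# An instance with no service account at all (empty EMAIL) is not flagged.
is_default_compute_sa() {
  printf '%s\n' "${1:-}" | grep -Eq "$DEFAULT_SA_PATTERN"
}

# Read "project zone instance email" records on stdin and print only the
# non-compliant ones, so the check also works on a saved inventory file.
flag_default_sas() {
  while read -r project zone name email; do
    if is_default_compute_sa "${email:-}"; then
      printf 'NON-COMPLIANT %s %s %s %s\n' "$project" "$zone" "$name" "$email"
    fi
  done
}

# Inventory one project: emit one "project zone instance email" line per VM.
# value(serviceAccounts[0].email) prints the first attached account, or an
# empty field when the instance runs without any service account (NONE).
inventory_project() {
  project="$1"
  gcloud compute instances list --project "$project" \
      --format="value(name,zone.basename())" |
  while read -r name zone; do
    email=$(gcloud compute instances describe "$name" --project "$project" \
        --zone "$zone" --format="value(serviceAccounts[0].email)")
    printf '%s %s %s %s\n' "$project" "$zone" "$name" "${email:-NONE}"
  done
}

# Full audit: every project, every instance, default-account users only.
if [ "${1:-}" = "--run" ]; then
  gcloud projects list --format="value(projectId)" |
  while read -r project; do
    inventory_project "$project"
  done | flag_default_sas
fi
```

Run it as `sh audit-default-sa.sh --run`; every line it prints identifies an instance that the Remediation section below applies to.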

Remediation / Resolution

To replace the default Compute Engine service account within your Google Cloud VM instances configuration, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Service Accounts.

05 Create the secure and compliant GCP service account that your VM instances will use when calling Google Cloud APIs. Click CREATE SERVICE ACCOUNT to initiate the service account setup process.

06 On the Create service account page, perform the following actions:

  1. Provide a name for your new account in the Service account name box.
  2. Enter a short description for the account in the Service account description text box.
  3. Click Create to create your new Google Cloud Platform (GCP) service account.
  4. In the Service account permissions (optional) section, grant the service account access to the GCP project by selecting the IAM role(s) that you want to attach to the service account:
    • Select the necessary role from the Select a role dropdown list.
    • (Optional) Click on the Add condition link and configure the required condition on the Edit condition configuration panel.
    • Click ADD ANOTHER ROLE to attach more IAM roles, based on your application needs.
    • Once the service account permissions are configured, click CONTINUE.
  5. In the Grant users access to this service account (optional) section, perform the following:
    • Use the Service account users role and Service account admins role text boxes to grant access to users or groups that need to perform actions as this service account.
    • (Optional) Click CREATE KEY to create service account authentication keys.
    • Grant users the permissions to deploy jobs and VMs with this service account.
    • Click DONE to complete the service account setup process and return to the IAM dashboard.

07 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

08 In the navigation panel, select VM instances to access the list with all the VM instances provisioned for the selected project.

09 Select the virtual machine (VM) instance that you want to reconfigure.

10 Click on the STOP button from the dashboard top menu to stop the selected instance. Click STOP inside the confirmation box to confirm the action.

11 Once the VM instance is stopped, click on the instance name to access the resource configuration page, then click EDIT to enter the edit mode.

12 From the Service account dropdown list, select the service account created at step no. 6, to replace the default Compute Engine service account with the new, compliant GCP service account.

13 Click Save to apply the changes.

14 Click on the START button from the dashboard top menu to restart the reconfigured Google Cloud VM instance. Click START inside the confirmation box to confirm the action.

15 If required, repeat steps no. 3 – 14 to reconfigure other virtual machine instances created within the selected project.

16 Repeat steps no. 2 – 5 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run iam service-accounts create command (Windows/macOS/Linux) to create a new Google Cloud Platform (GCP) service account. The following iam service-accounts create request example creates a service account named "cc-web-stack-service-account" for a GCP project named "cc-web-stack-project-123123":

gcloud iam service-accounts create cc-web-stack-service-account \
	--display-name="Web Stack Instance Service Account" \
	--project cc-web-stack-project-123123 \
	--format="table(email)"

02 The command output should return the email address of the new GCP service account:

Created service account [cc-web-stack-service-account].
EMAIL
cc-web-stack-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com

03 Run add-iam-policy-binding command (Windows/macOS/Linux) to grant the appropriate IAM role to the newly created GCP service account, allowing that service account access to the relevant API methods. The following command request example applies the App Engine Code Viewer IAM role (i.e. "roles/appengine.codeViewer") to a service account identified by the email address "cc-web-stack-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com". The new role assignment follows the principle of least privilege (POLP) and grants the selected service account only the ability to view App Engine application status and deployed source code:

gcloud projects add-iam-policy-binding cc-web-stack-project-123123 \
	--member serviceAccount:cc-web-stack-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com \
	--role roles/appengine.codeViewer

04 The command output should return the updated project IAM policy:

Updated IAM policy for project [cc-web-stack-project-123123].
bindings:
- members:
  - serviceAccount:cc-web-stack-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com
  role: roles/appengine.codeViewer
- members:
  - serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com
  role: roles/compute.serviceAgent
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - user:admin@cloudconformity.com
  role: roles/monitoring.admin
- members:
  - user:admin@cloudconformity.com
  role: roles/owner
etag: ABCDABCDABCD
version: 1

05 Run compute instances stop command (Windows/macOS/Linux) using the name of the VM instance that you want to reconfigure as the identifier parameter (see Audit section part II to identify the instance that uses the default Compute Engine service account), to stop the selected instance:

gcloud compute instances stop cc-web-stack-instance \
	--zone=us-central1-a

06 The command output should return the compute instances stop command request status:

Stopping instance(s) cc-web-stack-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-web-stack-instance].

07 Run compute instances set-service-account command (Windows/macOS/Linux) to associate the GCP service account created in the previous steps with the selected Google Compute Engine instance. This is the service account that the instance uses when calling Google Cloud APIs:

gcloud compute instances set-service-account cc-web-stack-instance \
	--zone=us-central1-a \
	--service-account=cc-web-stack-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com

08 The command output should return the URL of the reconfigured VM instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-web-stack-instance].

09 Run compute instances start command (Windows/macOS/Linux) to restart the reconfigured Google Compute Engine instance:

gcloud compute instances start cc-web-stack-instance \
	--zone=us-central1-a

10 The command output should return the compute instances start command request status:

Starting instance(s) cc-web-stack-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-web-stack-instance].
Instance internal IP is 10.0.0.2
Instance external IP is 10.10.10.5

11 If required, repeat steps no. 1 – 10 to reconfigure other virtual machine (VM) instances created within the selected project.

12 Repeat steps no. 1 – 11 for each GCP project deployed in your Google Cloud account.

Publication date Mar 12, 2020