To enforce the principle of least privileges and prevent potential privilege escalation, ensure that your Google Compute Engine instances are not configured to use the default service account with the Cloud API access scope set to "Allow full access to all Cloud APIs". The principle of least privilege (POLP), also known as the principle of least authority, is the security concept of giving the user/system/service the minimal set of permissions required to successfully perform its tasks.
By default, Google Cloud virtual machine (VM) instances are configured to use the default Compute Engine service account. The default service account can operate in 3 scopes:
"Allow default access" scope – allows only minimum access required to run a VM instance (the scope with the least privileges).
"Allow full access to all Cloud APIs" scope – allows full access to all the Google Cloud APIs and services (the scope that provides too much access).
"Set access for each API" scope – allows VM instance administrator to choose only those APIs that are needed by the instance.
When a VM instance is configured to use the default service account with the Cloud API access scope set to "Allow full access to all Cloud APIs", based on the IAM role(s) assigned to the users accessing the instance, it can allow users to make API calls that they are not supposed to perform. To protect against privilege escalation, avoid using the default service account that allows full access to all the Google Cloud APIs and services.
To determine if your virtual machine (VM) instances are using the default service account that allows full access to all Google Cloud APIs, perform the following actions:
Remediation / Resolution
To implement the principle of least privileges you can either replace the default service account with a secure and compliant service account, or change the access scope set for the default service account.
Case A: To replace the default Compute Engine service account within your Google Cloud VM instances configuration, perform the following actions:
Case B: To change the access scope set for the default service account associated with your Google Cloud VM instance, perform the following actions:
- Google Cloud Platform (GCP) Documentation
- Service accounts
- Creating and enabling service accounts for instances
- Granting, changing, and revoking access to resources
- CIS Security Documentation
- Securing Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud compute instances list
- gcloud compute instances describe
- gcloud iam service-accounts create
- gcloud projects add-iam-policy-binding
- gcloud compute instances stop
- gcloud compute instances set-service-account
- gcloud compute instances start
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Check for Instance-Associated Service Accounts with Full API Access
Risk level: Medium