Check for Instance-Associated Service Accounts with Full API Access

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

To enforce the principle of least privilege and prevent potential privilege escalation, ensure that your Google Compute Engine instances are not configured to use the default service account with the Cloud API access scope set to "Allow full access to all Cloud APIs". The principle of least privilege (POLP), also known as the principle of least authority, is the security concept of giving a user, system or service only the minimal set of permissions required to perform its tasks.

Security

By default, Google Cloud virtual machine (VM) instances are configured to use the default Compute Engine service account. That account can be granted one of three access scope settings:

"Allow default access" scope – allows only minimum access required to run a VM instance (the scope with the least privileges).

"Allow full access to all Cloud APIs" scope – allows full access to all the Google Cloud APIs and services (the scope that provides too much access).

"Set access for each API" scope – allows VM instance administrator to choose only those APIs that are needed by the instance.

When a VM instance is configured to use the default service account with the Cloud API access scope set to "Allow full access to all Cloud APIs", users accessing the instance may, depending on the IAM role(s) assigned to them, be able to make API calls that they are not supposed to perform. To protect against privilege escalation, avoid using the default service account with full access to all Google Cloud APIs and services.


Audit

To determine if your virtual machine (VM) instances are using the default service account that allows full access to all Google Cloud APIs, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to access the instance configuration details and check the Service account attribute value (ID). If the Service account ID has the following pattern: <gcp-project-number>-compute@developer.gserviceaccount.com, the selected Google Cloud VM instance is configured to use the default Compute Engine service account. If the instance is using the default service account, continue the audit process and check the Cloud API access scopes configuration attribute value. If Cloud API access scopes is set to Allow full access to all Cloud APIs, the selected VM instance is using the default service account with full access to all Google Cloud APIs.

07 Repeat steps no. 5 and 6 for each virtual machine instance created within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-nodejs-app-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the name and zone of each VM instance provisioned inside the selected project:

gcloud compute instances list \
	--project cc-web-stack-project-123123 \
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-backend-vm-instance    us-central1-a
cc-web-stack-instance     us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameters and custom filtering to describe the email and the access scopes of the service account configured for the selected VM instance:

gcloud compute instances describe cc-backend-vm-instance \
	--zone us-central1-a \
	--format="table(serviceAccounts.email,serviceAccounts.scopes)"

06 The command output should return the requested service account email address and scope:

EMAIL                                                  SCOPES
['123456789012-compute@developer.gserviceaccount.com'] [['https://www.googleapis.com/auth/cloud-platform']]

If the email address returned by the compute instances describe command has the following pattern: <gcp-project-number>-compute@developer.gserviceaccount.com, the selected Google Cloud VM instance is configured to use the default Compute Engine service account. If the instance is using the default service account, continue the audit process and check the SCOPES attribute value (URL). If the SCOPES URL is https://www.googleapis.com/auth/cloud-platform, the selected virtual machine (VM) instance is using the default service account with full access to all Google Cloud APIs.

07 Repeat steps no. 5 and 6 for each virtual machine instance provisioned within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
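The same check as a script, added here as an example and not part of the Conformity rule or of the gcloud tooling: it reads the JSON that gcloud compute instances list --format=json produces and flags every instance whose attached account matches the default-account pattern and carries the cloud-platform scope. The instance records below are constructed, and the remediation_command helper only builds the Case B set-service-account command from a finding.

```python
"""Flag instances that run as the default Compute Engine service account with the
cloud-platform (full access) scope, from `gcloud compute instances list --format=json`."""
import json
import re

# Default Compute Engine account: <gcp-project-number>-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# "Allow full access to all Cloud APIs" is represented by this single OAuth scope.
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_SA = "123456789012-compute@developer.gserviceaccount.com"
ZONES = "https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/"

# Constructed sample in the shape gcloud emits: zone is a URL, scopes is a list.
SAMPLE_JSON = json.dumps([
    {"name": "cc-backend-vm-instance", "zone": ZONES + "us-central1-a",   # violates the rule
     "serviceAccounts": [{"email": DEFAULT_SA, "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "cc-web-stack-instance", "zone": ZONES + "us-central1-a",    # "Allow default access"
     "serviceAccounts": [{"email": DEFAULT_SA, "scopes": [
         "https://www.googleapis.com/auth/devstorage.read_only",
         "https://www.googleapis.com/auth/logging.write",
         "https://www.googleapis.com/auth/monitoring.write",
         "https://www.googleapis.com/auth/servicecontrol",
         "https://www.googleapis.com/auth/service.management.readonly"]}]},
    {"name": "cc-worker-instance", "zone": ZONES + "us-central1-b",       # custom account: not this rule
     "serviceAccounts": [{"email": "cc-backend-service-account@cc-web-stack-project-123123"
                                   ".iam.gserviceaccount.com", "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "cc-batch-instance", "zone": ZONES + "us-central1-b"},       # no service account at all
])

def load_sample() -> list:
    return json.loads(SAMPLE_JSON)

def audit_instances(instances: list) -> list:
    """Return one finding per instance that uses the default account with full API access."""
    findings = []
    for inst in instances:
        # No "serviceAccounts" key means no account is attached: nothing to flag.
        for sa in inst.get("serviceAccounts", []):
            email = sa.get("email", "")
            if DEFAULT_SA_RE.match(email) and FULL_ACCESS_SCOPE in sa.get("scopes", []):
                findings.append({"name": inst["name"], "email": email,
                                 "zone": inst["zone"].rsplit("/", 1)[-1]})
    return findings

def remediation_command(finding: dict) -> str:
    """Case B fix: keep the default account, drop to default scopes (instance must be stopped first)."""
    return (f"gcloud compute instances set-service-account {finding['name']} "
            f"--zone={finding['zone']} --service-account={finding['email']} --scopes=default")

if __name__ == "__main__":
    for f in audit_instances(load_sample()):
        print(f"{f['name']} ({f['zone']}): default service account with full API access\n  fix: {remediation_command(f)}")
```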

Remediation / Resolution

To implement the principle of least privilege you can either replace the default service account with a secure and compliant service account, or change the access scope set for the default service account.

Case A: To replace the default Compute Engine service account within your Google Cloud VM instances configuration, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Service Accounts.

05 Create the secure and compliant GCP service account that your VM instances will use when calling Google Cloud APIs. Click CREATE SERVICE ACCOUNT to initiate the service account setup process.

06 On the Create service account page, perform the following actions:

  1. Provide a name for your new account in the Service account name box.
  2. Enter a short description for the account in the Service account description text box.
  3. Click Create to create your new Google Cloud Platform (GCP) service account.
  4. In the Service account permissions (optional) section, grant the service account access to the GCP project by selecting the IAM role(s) that you attach to the service account:
    • Select the necessary role from the Select a role dropdown list.
    • (Optional) Click on the Add condition link and configure the required condition on the Edit condition configuration panel.
    • Click ADD ANOTHER ROLE to attach more IAM roles, based on your application needs.
    • Once the service account permissions are configured, click CONTINUE.
  5. In the Grant users access to this service account (optional) section, perform the following:
    • Use the Service account users role and Service account admins role text boxes to grant access to users or groups that need to perform actions as this service account.
    • (Optional) If required, click CREATE KEY to create service account authentication keys.
    • Grant users the permissions to deploy jobs and VMs with this service account
    • Click DONE to complete the service account setup process and return to the IAM dashboard.

07 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

08 In the navigation panel, select VM instances to access the list with all the VM instances provisioned for the selected project.

09 Select the virtual machine (VM) instance that you want to reconfigure.

10 Click on the STOP button from the dashboard top menu to stop the selected instance. Click STOP inside the confirmation box to confirm the action.

11 Once the VM instance is stopped, click on the instance name to access the resource configuration page, then click EDIT to enter the edit mode.

12 From the Service account dropdown list, select the service account created at step no. 6, to replace the default Compute Engine service account with the new, compliant GCP service account.

13 Click Save to apply the changes.

14 Click on the START button from the dashboard top menu to restart the reconfigured Google Cloud VM instance. Click START inside the confirmation box to confirm the action.

15 If required, repeat steps no. 3 – 14 to reconfigure other virtual machine instances created within the selected project.

16 Repeat steps no. 2 – 5 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run iam service-accounts create command (Windows/macOS/Linux) to create a new Google Cloud Platform (GCP) service account. The following iam service-accounts create request example creates a service account named "cc-backend-service-account" in a GCP project with the ID "cc-web-stack-project-123123":

gcloud iam service-accounts create cc-backend-service-account \
	--display-name="Backend Instance Service Account" \
	--project cc-web-stack-project-123123 \
	--format="table(email)"

02 The command output should return the email address of the new GCP service account:

Created service account [cc-backend-service-account].
EMAIL
cc-backend-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com

03 Run add-iam-policy-binding command (Windows/macOS/Linux) to grant the appropriate IAM role to the newly created GCP service account in order to allow that service account access to relevant API methods. The following command request example applies the App Engine Code Viewer IAM role (i.e. "roles/appengine.codeViewer") to a service account identified by the email address "cc-backend-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com". The new role assignment follows the principle of least privilege and provides the selected service account only the ability to view App Engine application status and deployed source code:

gcloud projects add-iam-policy-binding cc-web-stack-project-123123 \
	--member serviceAccount:cc-backend-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com \
	--role roles/appengine.codeViewer

04 The command output should return the updated project IAM policy:

Updated IAM policy for project [cc-web-stack-project-123123].
bindings:
- members:
  - serviceAccount:cc-backend-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com
  role: roles/appengine.codeViewer
- members:
  - serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com
  role: roles/compute.serviceAgent
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - user:admin@cloudconformity.com
  role: roles/monitoring.admin
- members:
  - user:admin@cloudconformity.com
  role: roles/owner
etag: ABCDABCDABCD
version: 1

05 Run compute instances stop command (Windows/macOS/Linux) using the name of the VM instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the instance that uses the default Compute Engine service account), to stop the selected instance:

gcloud compute instances stop backend-vm-instance \
	--zone=us-central1-a

06 The command output should return the compute instances stop command request status:

Stopping instance(s) backend-vm-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/backend-vm-instance].

07 Run compute instances set-service-account command (Windows/macOS/Linux) to associate the GCP service account created at the previous steps with the selected Google Compute Engine instance. This account represents the service account that the instance uses when calling Google Cloud APIs:

gcloud compute instances set-service-account backend-vm-instance \
	--zone=us-central1-a \
	--service-account=cc-backend-service-account@cc-web-stack-project-123123.iam.gserviceaccount.com

08 The command output should return the URL of the reconfigured VM instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/backend-vm-instance].

09 Run compute instances start command (Windows/macOS/Linux) to restart the reconfigured Google Compute Engine instance:

gcloud compute instances start backend-vm-instance \
	--zone=us-central1-a

10 The command output should return the compute instances start command request status:

Starting instance(s) backend-vm-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/backend-vm-instance].

11 If required, repeat steps no. 1 – 10 to reconfigure other virtual machine (VM) instances created within the selected project.

12 Repeat steps no. 1 – 11 for each GCP project deployed in your Google Cloud account.

Case B: To change the access scope set for the default service account associated with your Google Cloud VM instance, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the Google Compute Engine instances created for the selected project.

05 Select the virtual machine (VM) instance that you want to reconfigure.

06 Click on the STOP button from the dashboard top menu to stop the selected instance. Click STOP inside the confirmation box to confirm the action.

07 Once the VM instance is stopped, click on the instance name to access the resource configuration page, then click EDIT to enter the edit mode.

08 For Access scopes, choose one of the following options to configure the type and the level of API access to grant the instance:

  1. Select Allow default access to allow only minimum access required to run the VM instance (i.e. read-only access to Storage and Service Management, write access to Stackdriver Logging and Monitoring, read and write access to Service Control).
  2. Select Set access for each API and configure access for each supported API listed in this section. This option allows instance administrators to choose only those APIs that are needed to perform specific business functionality expected by the selected instance.

09 Click Save to apply the changes.

10 Click on the START button from the dashboard top menu to restart the reconfigured Google Cloud VM instance. Click START inside the confirmation box to confirm the action.

11 If required, repeat steps no. 3 – 14 to reconfigure other virtual machine instances created within the selected project.

12 Repeat steps no. 2 – 5 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run compute instances stop command (Windows/macOS/Linux) using the name of the VM instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to stop the selected instance:

gcloud compute instances stop backend-vm-instance \
	--zone=us-central1-a

02 The command output should return the compute instances stop command request status:

Stopping instance(s) backend-vm-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/backend-vm-instance]

03 Run compute instances set-service-account command (Windows/macOS/Linux) to change the access scope set for the default service account associated with the Google Compute Engine instance to default. Pass the default Compute Engine service account itself (the <gcp-project-number>-compute@developer.gserviceaccount.com address returned in the Audit section) as the --service-account value, so that only the scopes change. The default scope allows only the minimum access required to run the selected VM instance (i.e. read-only access to Storage and Service Management, write access to Stackdriver Logging and Monitoring, read and write access to Service Control):

gcloud compute instances set-service-account backend-vm-instance \
	--zone=us-central1-a \
	--service-account=123456789012-compute@developer.gserviceaccount.com \
	--scopes=default

04 The command output should return the URL of the reconfigured VM instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/backend-vm-instance].

05 Run compute instances start command (Windows/macOS/Linux) to restart the reconfigured Google Compute Engine instance:

gcloud compute instances start backend-vm-instance \
	--zone=us-central1-a

06 The command output should return the compute instances start command request status:

Starting instance(s) backend-vm-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/backend-vm-instance].

07 If required, repeat steps no. 1 – 6 to reconfigure other virtual machine (VM) instances created within the selected project.

08 Repeat steps no. 1 – 7 for each GCP project deployed in your Google Cloud account.

Publication date Mar 12, 2020
