GCP App Engine Default Service Account has overly permissive access to resources in the project

Description

The App Engine default service account is associated with your Google Cloud project and executes tasks on behalf of your apps running in App Engine.

Rationale

Depending on your organization policy configuration, the default service account might automatically be granted the Editor role on your project. The permissions in the Editor role let you create and delete resources for most Google Cloud services within your Google Cloud project.

Remediation

Datadog recommends reducing the permissions attached to the App Engine default service account to the minimum required for it to fulfill its function. To remediate the issue, remove the Editor role binding from the App Engine default service account on the project resource and create a new role binding with the required permissions for your App Engine applications.
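The audit-and-remediate step above, as an added example that is not part of the original page: it reads a project IAM policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`, reports whether the App Engine default service account (`PROJECT_ID@appspot.gserviceaccount.com`) holds `roles/editor`, and builds the corrected policy for `gcloud projects set-iam-policy`. The sample policy, the project id `example-project` and the replacement custom role name are constructed placeholders; the replacement role must carry only the permissions your App Engine apps actually need.

```python
import copy
import json

OVERLY_PERMISSIVE_ROLES = {"roles/editor"}  # the binding this rule flags


def default_app_engine_sa(project_id):
    # IAM member string for the App Engine default service account.
    return f"serviceAccount:{project_id}@appspot.gserviceaccount.com"


def find_permissive_roles(policy, project_id):
    """Return the flagged roles bound to the default App Engine SA (empty list = compliant)."""
    member = default_app_engine_sa(project_id)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if b["role"] in OVERLY_PERMISSIVE_ROLES and member in b.get("members", []))


def remediate(policy, project_id, replacement_role):
    """Return a new policy: Editor binding dropped for the SA, replacement role added.

    The etag is preserved so set-iam-policy rejects the write if the policy
    changed in the meantime. Other members of the Editor binding are untouched.
    """
    member = default_app_engine_sa(project_id)
    new_policy = copy.deepcopy(policy)
    bindings = []
    for b in new_policy.get("bindings", []):
        if b["role"] in OVERLY_PERMISSIVE_ROLES:
            b["members"] = [m for m in b.get("members", []) if m != member]
        if b.get("members"):  # drop bindings left with no members
            bindings.append(b)
    # Merge into an existing unconditional binding for the replacement role, else add one.
    for b in bindings:
        if b["role"] == replacement_role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            break
    else:
        bindings.append({"role": replacement_role, "members": [member]})
    new_policy["bindings"] = bindings
    return new_policy


# Constructed sample policy in the shape gcloud exports (not from a real project).
SAMPLE_POLICY = {
    "etag": "BwConstructedEtag=",
    "version": 1,
    "bindings": [
        {"role": "roles/editor", "members": [
            "serviceAccount:example-project@appspot.gserviceaccount.com", "user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
}

if __name__ == "__main__":
    print("flagged roles:", find_permissive_roles(SAMPLE_POLICY, "example-project"))
    # Placeholder custom role; write the result to a file and apply it with set-iam-policy.
    print(json.dumps(remediate(SAMPLE_POLICY, "example-project",
                               "projects/example-project/roles/appEngineMinimal"), indent=2))
```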