GCP Compute Engine Default Service Account has overly permissive access to resources in the project

gcp
이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

The Compute Engine default service account is associated with your Google Cloud project and attached by default to Compute Engine virtual machines, unless you explicitly assign another service account on virtual machine creation, to provide credentials to applications running on the instance.

Rationale

Depending on your organization policy configuration, the default service account automatically grants the Editor role on your project. The permissions in the Editor role let you create and delete resources for most Google Cloud services within your Google Cloud project.

Remediation

Datadog recommends reducing the permissions attached to the Compute Engine default service account to the minimum required for it to fulfill its function. To remediate the issue, remove the Editor role binding from the Compute Engine default service account on the project resource, and create a new role binding with the required permissions for your Compute Engine virtual machines.