To follow the principle of least privilege and to prevent potential privilege escalation, assign instances to a service account other than the default Compute Engine service account. The default account offers the scope option Allow full access to all Cloud APIs, which grants Editor rights on the project.
When an instance is assigned the default Compute Engine service account and the non-default scope Allow full access to all Cloud APIs is selected, the instance has full Editor access on the Google Cloud project. Anyone who gains control of the instance can then perform malicious cloud operations and API calls, leading to privilege escalation.
To defend against privilege escalation if your VM is compromised and prevent an attacker from gaining administrative rights to your project, it is recommended that you not use the default Compute Engine service account with an unrestricted scope. Instead, create a new service account and assign only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]-compute@developer.gserviceaccount.com.
VMs created by GKE are excluded from this rule. These VMs have names that start with gke- and are labeled goog-gke-node.
To change a service account or scope for an instance, the instance must be stopped.
From the console:

1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
2. Click the Stop button. Wait for the instance to stop.
3. Click the Edit button.
4. Scroll down to the Service Account section.
5. Ensure that Allow full access to all Cloud APIs is not selected.
6. Click the Save button to save your changes and then click START.

From the command line, stop the instance, assign the service account and scopes, then start it again:

gcloud compute instances stop <INSTANCE_NAME>
gcloud compute instances set-service-account <INSTANCE_NAME> --service-account=<SERVICE_ACCOUNT> --scopes [SCOPE1, SCOPE2...]
gcloud compute instances start <INSTANCE_NAME>
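The following is an added audit example, not part of the original rule or of Datadog's own checker: it applies the rule's logic (default Compute Engine service account plus the cloud-platform scope behind Allow full access to all Cloud APIs, with GKE nodes excluded) to the JSON that `gcloud compute instances list --format=json` emits. The instance records below are constructed sample data, and the project number, instance names and custom service account are placeholders.

```python
import json
import re

# Scope URI that the console's "Allow full access to all Cloud APIs" option selects.
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Default Compute Engine service account: [PROJECT_NUMBER]-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def is_gke_node(instance):
    """The rule excludes GKE-managed VMs: name prefix gke- or label goog-gke-node."""
    name = instance.get("name", "")
    labels = instance.get("labels") or {}
    return name.startswith("gke-") or "goog-gke-node" in labels


def find_violations(instances):
    """Return the names of instances that run as the default SA with the full-access scope."""
    flagged = []
    for inst in instances:
        if is_gke_node(inst):
            continue
        for sa in inst.get("serviceAccounts", []):
            if DEFAULT_SA_RE.match(sa.get("email", "")) and FULL_ACCESS_SCOPE in sa.get("scopes", []):
                flagged.append(inst["name"])
                break  # one matching service account is enough to flag the instance
    return flagged


def audit(raw_json):
    """Parse `gcloud compute instances list --format=json` output and evaluate the rule."""
    return find_violations(json.loads(raw_json))


# Constructed sample resembling gcloud JSON output (placeholder project number 123456789012).
SAMPLE = json.dumps([
    {"name": "web-1", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
     "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "web-2", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
     "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                "https://www.googleapis.com/auth/logging.write"]}]},  # default SA, limited scopes: compliant
    {"name": "gke-prod-pool-abc", "labels": {"goog-gke-node": ""},
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": [FULL_ACCESS_SCOPE]}]},  # GKE node: excluded by the rule
    {"name": "app-3", "serviceAccounts": [{"email": "app-runner@my-project.iam.gserviceaccount.com",
     "scopes": [FULL_ACCESS_SCOPE]}]},  # custom SA: outside this rule's scope
])

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}: default Compute Engine service account with full Cloud API access")
```

Only web-1 is reported; app-3 uses a custom service account, so its effective permissions are governed by that account's IAM roles rather than by this rule.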
By default, Compute instances are configured to use the default Compute Engine service account, but with a limited access scope that has read-only access to data in the project.
Version 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software
Version 7 - 4.7: Limit Access to Script Tools