To follow the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default Compute Engine service account.
Even when used with the default “Allow default access” scope, the default Compute Engine service account has sensitive read permissions. For instance, it can access data from all Google Cloud Storage buckets in the project.
To defend against data theft if your VM is compromised and prevent an attacker from gaining access to sensitive data in your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance.
The default Compute Engine service account is named [PROJECT_NUMBER]-compute@developer.gserviceaccount.com.
VMs created by GKE are excluded from this guidance. These VMs have names that start with gke- and are labeled goog-gke-node.
From the console:
1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
2. Click the name of the instance to open its VM instance details page.
3. Click STOP and then click EDIT.
4. Under API and identity management, select a service account other than the default Compute Engine service account. You may first need to create a new service account.
5. Click Save and then click START.
From the command line:
gcloud compute instances stop <INSTANCE_NAME>
gcloud compute instances set-service-account <INSTANCE_NAME> --service-account=<SERVICE_ACCOUNT>
gcloud compute instances start <INSTANCE_NAME>
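Before remediating, it helps to know which instances are affected. The following shell script is an added example, not part of the Datadog page or of any Google tool: it filters an instance inventory for VMs that run as the default Compute Engine service account (matched by the [PROJECT_NUMBER]-compute@developer.gserviceaccount.com pattern) and skips GKE node VMs by their gke- name prefix. The `gcloud ... --format='csv[no-heading](name,serviceAccounts[0].email)'` invocation shown in the comments is an assumed way to produce that inventory; the sample inventory embedded in the script is constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the Datadog page): find Compute Engine instances that
# still run as the default Compute Engine service account, skipping GKE node VMs.
#
# Expected input, one instance per line:  <name>,<service_account_email>
# which is what this (assumed) gcloud invocation produces:
#   gcloud compute instances list --format='csv[no-heading](name,serviceAccounts[0].email)'

# Print the names of instances whose service account matches
# [PROJECT_NUMBER]-compute@developer.gserviceaccount.com; gke- VMs are excluded.
find_default_sa_instances() {
    awk -F',' '
        $1 ~ /^gke-/ { next }                                            # GKE node VMs are out of scope
        $2 ~ /^[0-9]+-compute@developer\.gserviceaccount\.com$/ { print $1 }
    '
}

# Constructed sample inventory standing in for the gcloud call above.
SAMPLE_INVENTORY='web-frontend-1,123456789012-compute@developer.gserviceaccount.com
batch-worker-2,batch-worker@my-project.iam.gserviceaccount.com
gke-prod-default-pool-abc123,123456789012-compute@developer.gserviceaccount.com
legacy-db-3,123456789012-compute@developer.gserviceaccount.com'

# Run the check against the constructed sample; returns the flagged names.
audit_sample() {
    printf '%s\n' "$SAMPLE_INVENTORY" | find_default_sa_instances
}

# Live usage (requires gcloud and an authenticated project):
#   gcloud compute instances list --format='csv[no-heading](name,serviceAccounts[0].email)' \
#     | find_default_sa_instances
audit_sample
```

Each name the script prints is a candidate for the stop / set-service-account / start sequence above, after a dedicated service account with only the permissions the workload needs has been created.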
By default, Compute instances are configured to use the default Compute Engine service account.
Version 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software
Version 7 - 4.7 Limit Access to Script Tools