--- title: Using default service account description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Using default service account --- # Using default service account {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `3cb4af0b-056d-4fb1-8b95-fdc4593625ff` **Cloud Provider:** GCP **Platform:** Terraform **Severity:** Medium **Category:** Insecure Defaults #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) ### Description{% #description %} Google Compute Engine instances should not be configured to use the default service account, which has broad permissions and full access to all Cloud APIs. If the attribute `service_account`—specifically the `email` sub-attribute—is missing, empty, or set to the default Google Compute Engine service account, it increases the risk of privilege escalation and unauthorized access to sensitive resources. Instead, instances should explicitly specify a custom service account with only the necessary permissions, such as in the following example: ``` service_account { email = "custom-sa@project-id.iam.gserviceaccount.com" scopes = ["userinfo-email", "compute-ro", "storage-ro"] } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform #this code is a correct code for which the query should not find any result resource "google_compute_instance" "negative1" { name = "test" machine_type = "e2-medium" zone = "us-central1-a" tags = ["foo", "bar"] boot_disk { initialize_params { image = "debian-cloud/debian-9" } } // Local SSD disk scratch_disk { interface = "SCSI" } network_interface { network = "default" access_config { // Ephemeral IP } } service_account { email = "email@email.com" scopes = ["userinfo-email", "compute-ro", "storage-ro"] } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform #this is a problematic code where the query should report a result(s) resource "google_compute_instance" "positive1" { name = "test" machine_type = "e2-medium" zone = "us-central1-a" tags = ["foo", "bar"] boot_disk { initialize_params { image = "debian-cloud/debian-9" } } network_interface { network = "default" access_config { // Ephemeral IP } } } resource "google_compute_instance" "positive2" { name = "test" machine_type = "e2-medium" zone = "us-central1-a" tags = ["foo", "bar"] boot_disk { initialize_params { image = "debian-cloud/debian-9" } } network_interface { network = "default" access_config { // Ephemeral IP } } service_account { scopes = ["userinfo-email", "compute-ro", "storage-ro"] } } resource "google_compute_instance" "positive3" { name = "test" machine_type = "e2-medium" zone = "us-central1-a" tags = ["foo", "bar"] boot_disk { initialize_params { image = "debian-cloud/debian-9" } } network_interface { network = "default" access_config { // Ephemeral IP } } service_account { email = "" scopes = ["userinfo-email", "compute-ro", "storage-ro"] } } resource "google_compute_instance" "positive4" { name = "test" machine_type = "e2-medium" zone = "us-central1-a" tags = ["foo", "bar"] boot_disk { initialize_params { image = "debian-cloud/debian-9" } } network_interface { network = "default" access_config { // Ephemeral IP } } service_account { email = "a" scopes = ["userinfo-email", "compute-ro", "storage-ro"] } } resource "google_compute_instance" "positive5" { name = "test" machine_type = "e2-medium" zone = "us-central1-a" tags = ["foo", "bar"] boot_disk { initialize_params { image = "debian-cloud/debian-9" } } network_interface { network = "default" access_config { // Ephemeral IP } } service_account { email = "email@developer.gserviceaccount.com" scopes = ["userinfo-email", "compute-ro", "storage-ro"] } } ```