< Back to rules searchInstances are not configured to use the default service account with full access to all cloud APIs
Description
To support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default Compute Engine default service account
with Scope Allow full access to all Cloud APIs
.
Rationale
The Google Compute Engine default service account
for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The Project Editor
role is assigned to Compute Engine default service account
so it has almost all capabilities over all cloud services except billing. However, when Compute Engine default service account
is assigned to an instance it can operate in three scopes:
Allow default access: Allows the minimum access required to run an
instance (least privileges).
Allow full access to all Cloud APIs: Allows full access to all cloud
APIs and services (too much access).
Set access for each API: Allows an instance administrator to choose only
those APIs that are needed to perform the specific business functionality
expected by instance.
When an instance is configured with the Compute Engine default service account
with
scope Allow full access to all Cloud APIs
, depending on the IAM roles assigned to the users
accessing the instance, it may allow users to perform cloud operations and API calls that they are not
supposed to perform, leading to successful privilege escalation.
Exception
VMs created by GKE are excluded from this rule. These VMs have names that start with gke-
and are labeled goog-gke-node
.
Impact
To change a service account or scope for an instance, the instance must be stopped.
From the console
- Go to the
VM instances
page by visiting:
https://console.cloud.google.com/compute/instances. - Click on the impacted VM instance.
- If the instance is not stopped, click the
Stop
button. Wait for the instance to stop. - Click the
Edit
button. - Scroll down to the
Service Account
section. - Select a different service account or ensure that
Allow full access to all Cloud APIs
is not selected. - Click the
Save
button to save your changes and then click START
.
From the command line
- Stop the instance:
gcloud compute instances stop <INSTANCE_NAME>
- Update the instance:
gcloud compute instances set-service-account <INSTANCE_NAME> --service-account=<SERVICE_ACCOUNT> --scopes [SCOPE1, SCOPE2...]
- Restart the instance:
gcloud compute instances start <INSTANCE_NAME>
Default value
By default, Compute instances are configured to use the default Compute Engine service
account.
References
- https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
- https://cloud.google.com/compute/docs/access/service-accounts
- User IAM roles override service account scope, but configuring minimal scope
ensures a deeper defence.
- Non-default service accounts do not offer selection of access scopes like the default
service account does. Use IAM roles with non-default service accounts to
control VM access.
CIS Controls
Version 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software
- Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example implementations
can include: disabling default accounts or making them unusable.
Version 7 - 4.7 Limit Access to Script Tools
- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only
administrative or development users with the need to access those capabilities.