VM Instances Should Not Use Default Service Account

More Info:

It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “VM Instances Should Not Use Default Service Account” in GCP using GCP CLI, you can follow the below steps:Step 1: List all the instances that are using the default service account by running the following command:

gcloud compute instances list --filter="serviceAccounts.email:[PROJECT_NUMBER][email protected]"

Note: Replace [PROJECT_NUMBER] with your GCP project number.Step 2: For each instance that is using the default service account, create a new service account and assign the required IAM roles to it by running the following commands:

gcloud iam service-accounts create [NEW_SERVICE_ACCOUNT_NAME] --display-name "[NEW_SERVICE_ACCOUNT_DISPLAY_NAME]"

gcloud projects add-iam-policy-binding [PROJECT_ID] --member="serviceAccount:[NEW_SERVICE_ACCOUNT_NAME]@[PROJECT_ID].iam.gserviceaccount.com" --role="[REQUIRED_IAM_ROLE]"

Note: Replace [NEW_SERVICE_ACCOUNT_NAME] and [NEW_SERVICE_ACCOUNT_DISPLAY_NAME] with the desired name and display name for the new service account, [PROJECT_ID] with your GCP project ID and [REQUIRED_IAM_ROLE] with the required IAM role for the instance.Step 3: Update the instance to use the new service account by running the following command:

gcloud compute instances set-service-account [INSTANCE_NAME] --service-account [NEW_SERVICE_ACCOUNT_NAME]@[PROJECT_ID].iam.gserviceaccount.com

Note: Replace [INSTANCE_NAME] with the name of the instance that needs to be updated and [NEW_SERVICE_ACCOUNT_NAME]@[PROJECT_ID].iam.gserviceaccount.com with the name of the new service account created in Step 2.Step 4: Verify that the instance is now using the new service account by running the following command:

gcloud compute instances describe [INSTANCE_NAME] --format="get(serviceAccounts.email)"

Note: Replace [INSTANCE_NAME] with the name of the instance that was updated in Step 3.Repeat the above steps for all the instances that are using the default service account to remediate the misconfiguration.

Using Python

To remediate the issue “VM Instances Should Not Use Default Service Account” for GCP using Python, you can follow the below steps:

First, we need to identify the list of all VM instances that are using the default service account. This can be achieved by using the Google Cloud Python SDK’s googleapiclient library.

from googleapiclient import discovery
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')

compute = discovery.build('compute', 'v1', credentials=credentials)

project = 'project-id'

instances = compute.instances().list(project=project).execute()

for instance in instances['items']:
    if instance['serviceAccounts'][0]['email'].endswith('gserviceaccount.com'):
        print(f"Instance {instance['name']} is using the default service account.")

Once we have identified the instances that are using the default service account, we need to update the service account for each instance. This can be done using the instances().setServiceAccount method.

for instance in instances['items']:
    if instance['serviceAccounts'][0]['email'].endswith('gserviceaccount.com'):
        print(f"Instance {instance['name']} is using the default service account.")
        updated_instance = compute.instances().setServiceAccount(
            project=project,
            zone=instance['zone'].split('/')[-1],
            instance=instance['name'],
            body={
                "serviceAccounts": [
                    {
                        "email": "[email protected]",
                        "scopes": [
                            "https://www.googleapis.com/auth/cloud-platform"
                        ]
                    }
                ]
            }
        ).execute()
        print(f"Updated service account for instance {instance['name']} to [email protected].")

In the above code, we are updating the service account for each instance to a new service account [email protected] with cloud-platform scope. You can replace this with the appropriate service account and scopes as per your requirements.

Finally, you can verify that the instances are no longer using the default service account by running the code in step 1 again.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

VM Instances Should Not Use Default Service Account

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation