VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs
More Info:
Instances should not be configured to use the default service account with full access to all cloud APIs. The principle of least privilege should be used to prevent potential privilege escalation.Risk Level
HighAddress
SecurityCompliance Standards
CISGCP, CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs” for GCP using GCP console, follow these steps:
- Go to the Google Cloud Console and select the project that contains the VM instances with default service accounts.
- Click on the “Compute Engine” option from the left-hand side menu.
- From the Compute Engine menu, select the “VM instances” option.
- Select the VM instance that is using the default service account with full access to Cloud APIs.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Service account” section and click on the “Change” button.
- Select “Create a new service account” from the dropdown menu.
- Give the new service account a name and description.
- Under “Role”, select the appropriate role for the service account based on the permissions required for the VM instance.
- Click on the “Save” button to create the new service account.
- Once the new service account is created, select it from the “Service account” dropdown menu.
- Click on the “Save” button to apply the changes.
- Repeat these steps for all VM instances that are using the default service account with full access to Cloud APIs.
Using CLI
Using CLI
To remediate the misconfiguration “VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs” for GCP using GCP CLI, please follow the steps below:Replace [SA-NAME] with the name of your new service account and [SA-DESCRIPTION] with a brief description of the account.Replace [PROJECT-ID] with your GCP project ID, [SA-EMAIL] with the email address of your new service account, and [ROLE] with the minimum required role for your VM instance.Replace [INSTANCE-NAME] with the name of your VM instance and [SA-EMAIL] with the email address of your new service account.Replace [INSTANCE-NAME] with the name of your VM instance.Repeat steps 2-5 for each VM instance that is using the default service account. This will ensure that your VM instances are not using the default service account with full access to Cloud APIs.
- List all the VM instances in your GCP project using the following command:
- For each VM instance that is using the default service account, create a new service account with limited access using the following command:
- Grant the new service account the minimum required permissions using the following command:
- Update your VM instance to use the new service account using the following command:
- Verify that your VM instance is now using the new service account by running the following command:
Using Python
Using Python
To remediate the misconfiguration “VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs” for GCP using Python, follow the below steps:By following the above steps, you can remediate the misconfiguration “VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs” for GCP using Python.
- First, identify the VM instances that are using the default service accounts with full access to Cloud APIs. You can use the following command to get the list of VM instances:
- Once you have identified the VM instances, create a new service account with the necessary permissions and grant it to the instances. You can use the following code to create a new service account:
- After creating the new service account, grant it the necessary permissions. You can use the following code to grant the necessary roles to the service account:
- Finally, update the VM instances to use the newly created service account. You can use the following code to update the VM instances: