Instances should not be configured to use the default service account with full access to all cloud APIs. The principle of least privilege should be used to prevent potential privilege escalation.
To remediate the misconfiguration “VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs” for GCP using GCP console, follow these steps:
Go to the Google Cloud Console and select the project that contains the VM instances with default service accounts.
Click on the “Compute Engine” option from the left-hand side menu.
From the Compute Engine menu, select the “VM instances” option.
Select the VM instance that is using the default service account with full access to Cloud APIs.
Click on the “Edit” button at the top of the page.
Scroll down to the “Service account” section and click on the “Change” button.
Select “Create a new service account” from the dropdown menu.
Give the new service account a name and description.
Under “Role”, select the appropriate role for the service account based on the permissions required for the VM instance.
Click on the “Save” button to create the new service account.
Once the new service account is created, select it from the “Service account” dropdown menu.
Click on the “Save” button to apply the changes.
Repeat these steps for all VM instances that are using the default service account with full access to Cloud APIs.
By following these steps, you will remediate the misconfiguration “VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs” for GCP using GCP console.
To remediate the misconfiguration “VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs” for GCP using GCP CLI, please follow the steps below:
List all the VM instances in your GCP project using the following command:
Copy
Ask AI
gcloud compute instances list
For each VM instance that is using the default service account, create a new service account with limited access using the following command:
Copy
Ask AI
gcloud iam service-accounts create [SA-NAME] --description="[SA-DESCRIPTION]"
Replace [SA-NAME] with the name of your new service account and [SA-DESCRIPTION] with a brief description of the account.
Grant the new service account the minimum required permissions using the following command:
Replace [PROJECT-ID] with your GCP project ID, [SA-EMAIL] with the email address of your new service account, and [ROLE] with the minimum required role for your VM instance.
Update your VM instance to use the new service account using the following command:
Replace [INSTANCE-NAME] with the name of your VM instance.Repeat steps 2-5 for each VM instance that is using the default service account. This will ensure that your VM instances are not using the default service account with full access to Cloud APIs.
Using Python
To remediate the misconfiguration “VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs” for GCP using Python, follow the below steps:
First, identify the VM instances that are using the default service accounts with full access to Cloud APIs. You can use the following command to get the list of VM instances:
Copy
Ask AI
from google.cloud import compute_v1compute_client = compute_v1.InstancesClient()project = "your-project-id"instances = compute_client.list(project=project)for instance in instances: for access_config in instance.service_accounts: if access_config.email.endswith('gserviceaccount.com') and 'Editor' in access_config.scopes: print(f"Instance {instance.name} is using the default service account with full access to Cloud APIs.")
Once you have identified the VM instances, create a new service account with the necessary permissions and grant it to the instances. You can use the following code to create a new service account:
After creating the new service account, grant it the necessary permissions. You can use the following code to grant the necessary roles to the service account:
Copy
Ask AI
from google.cloud import iam_v1iam_client = iam_v1.IAMClient()project_id = "your-project-id"service_account_email = "your-service-account-email"roles = ["roles/logging.logWriter", "roles/monitoring.metricWriter"]policy = iam_client.get_policy(request={"resource": f"projects/{project_id}"})bindings = policy.bindingsfor role in roles: binding = next((b for b in bindings if b.role == role), None) if binding is None: binding = policy.bindings.add(role=role) binding.members.append(f"serviceAccount:{service_account_email}")iam_client.set_iam_policy(request={"resource": f"projects/{project_id}", "policy": policy})print(f"Granted roles to service account {service_account_email}")
Finally, update the VM instances to use the newly created service account. You can use the following code to update the VM instances:
Copy
Ask AI
from google.cloud import compute_v1compute_client = compute_v1.InstancesClient()project = "your-project-id"zone = "your-zone"instance_name = "your-instance-name"service_account_email = "your-service-account-email"instance = compute_client.get(project=project, zone=zone, instance=instance_name)instance.service_accounts = [ { "email": service_account_email, "scopes": ["https://www.googleapis.com/auth/cloud-platform"] }]update_mask = ["service_accounts"]operation = compute_client.update(project=project, zone=zone, instance=instance_name, instance_resource=instance, update_mask=update_mask)print(f"Updated instance {instance_name} with new service account.")
By following the above steps, you can remediate the misconfiguration “VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs” for GCP using Python.