Default Service Accounts Should Not Be Used
More Info:
Ensure Kubernetes cluster nodes do use the default service account. Kubernetes cluster nodes should use customized service accounts that have minimal privileges to run. This reduces the attack surface in the case of a malicious attack on the cluster.Risk Level
MediumAddress
SecurityCompliance Standards
HITRUST, SOC2, NISTCSF, PCIDSSTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using GCP console, please follow these steps:
- Open the GCP Console and navigate to the “IAM & Admin” section.
- Click on “Service Accounts” in the left-hand menu.
- Identify the default service accounts that are being used in your project. The default service accounts are “App Engine default service account” and “Compute Engine default service account”.
- Click on the default service account you want to remediate.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Roles” section and remove any unnecessary roles that have been assigned to the default service account.
- Click on “Save” to apply the changes.
- Repeat steps 4-7 for all default service accounts being used in your project.
- Create new service accounts with the appropriate roles and permissions for your project.
- Update your applications and services to use the new service accounts instead of the default service accounts.
Using CLI
Using CLI
To remediate the “Default Service Accounts Should Not Be Used” misconfiguration for GCP using GCP CLI, follow these steps:
- Open the GCP Cloud Shell.
-
Run the following command to list all the default service accounts in your GCP project:
- Identify the default service account that you want to disable.
-
Run the following command to disable the default service account:
Replace
[SERVICE_ACCOUNT_EMAIL]with the email address of the default service account that you want to disable. -
Verify that the default service account has been disabled by running the following command:
Replace
[SERVICE_ACCOUNT_EMAIL]with the email address of the default service account that you disabled. The output should show that the account is disabled. - Repeat steps 4-5 for any other default service accounts that you want to disable.
Using Python
Using Python
To remediate the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using Python, you can follow these steps:Replace [SA-NAME] and [SA-DESCRIPTION] with your desired service account name and description.Replace [PROJECT-ID], [SA-EMAIL], and [ROLE] with your project ID, new service account email, and the desired role to grant to the service account.Replace [PATH] with the path to the new service account key file.Replace [SA-EMAIL] with the email of the default service account.By following these steps, you can remediate the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using Python.
- Identify the default service accounts that are currently being used in your GCP project. You can do this by running the following command in the Cloud Shell or in your local terminal with gcloud CLI installed:
- Create a new service account to replace the default service account. You can do this by running the following command:
- Grant the necessary roles and permissions to the new service account. You can do this by running the following command:
- Update your application or service to use the new service account instead of the default service account. You can do this by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the new service account key file.
- Disable the default service account to prevent it from being used. You can do this by running the following command: