More Info:

Ensure Kubernetes cluster nodes do use the default service account. Kubernetes cluster nodes should use customized service accounts that have minimal privileges to run. This reduces the attack surface in the case of a malicious attack on the cluster.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using GCP console, please follow these steps:
  1. Open the GCP Console and navigate to the “IAM & Admin” section.
  2. Click on “Service Accounts” in the left-hand menu.
  3. Identify the default service accounts that are being used in your project. The default service accounts are “App Engine default service account” and “Compute Engine default service account”.
  4. Click on the default service account you want to remediate.
  5. Click on the “Edit” button at the top of the page.
  6. Scroll down to the “Roles” section and remove any unnecessary roles that have been assigned to the default service account.
  7. Click on “Save” to apply the changes.
  8. Repeat steps 4-7 for all default service accounts being used in your project.
  9. Create new service accounts with the appropriate roles and permissions for your project.
  10. Update your applications and services to use the new service accounts instead of the default service accounts.
By following these steps, you will have successfully remediated the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using GCP console.

To remediate the “Default Service Accounts Should Not Be Used” misconfiguration for GCP using GCP CLI, follow these steps:
  1. Open the GCP Cloud Shell.
  2. Run the following command to list all the default service accounts in your GCP project: 
    gcloud iam service-accounts list
  3. Identify the default service account that you want to disable.
  4. Run the following command to disable the default service account: 
    gcloud iam service-accounts disable [SERVICE_ACCOUNT_EMAIL]
    Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the default service account that you want to disable.
  5. Verify that the default service account has been disabled by running the following command: 
    gcloud iam service-accounts describe [SERVICE_ACCOUNT_EMAIL]
    Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the default service account that you disabled. The output should show that the account is disabled.
  6. Repeat steps 4-5 for any other default service accounts that you want to disable.
By following these steps, you have successfully remediated the “Default Service Accounts Should Not Be Used” misconfiguration for GCP using GCP CLI.
To remediate the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using Python, you can follow these steps:
  1. Identify the default service accounts that are currently being used in your GCP project. You can do this by running the following command in the Cloud Shell or in your local terminal with gcloud CLI installed:
gcloud iam service-accounts list
  1. Create a new service account to replace the default service account. You can do this by running the following command:
gcloud iam service-accounts create [SA-NAME] --description="[SA-DESCRIPTION]"
Replace [SA-NAME] and [SA-DESCRIPTION] with your desired service account name and description.
  1. Grant the necessary roles and permissions to the new service account. You can do this by running the following command:
gcloud projects add-iam-policy-binding [PROJECT-ID] --member="serviceAccount:[SA-EMAIL]" --role="[ROLE]"
Replace [PROJECT-ID], [SA-EMAIL], and [ROLE] with your project ID, new service account email, and the desired role to grant to the service account.
  1. Update your application or service to use the new service account instead of the default service account. You can do this by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the new service account key file.
export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"
Replace [PATH] with the path to the new service account key file.
  1. Disable the default service account to prevent it from being used. You can do this by running the following command:
gcloud iam service-accounts disable [SA-EMAIL]
Replace [SA-EMAIL] with the email of the default service account.By following these steps, you can remediate the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using Python.

Additional Reading: