GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Default Service Accounts Should Not Be Used
More Info:
Ensure Kubernetes cluster nodes do use the default service account. Kubernetes cluster nodes should use customized service accounts that have minimal privileges to run. This reduces the attack surface in the case of a malicious attack on the cluster.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using GCP console, please follow these steps:
-
Open the GCP Console and navigate to the “IAM & Admin” section.
-
Click on “Service Accounts” in the left-hand menu.
-
Identify the default service accounts that are being used in your project. The default service accounts are “App Engine default service account” and “Compute Engine default service account”.
-
Click on the default service account you want to remediate.
-
Click on the “Edit” button at the top of the page.
-
Scroll down to the “Roles” section and remove any unnecessary roles that have been assigned to the default service account.
-
Click on “Save” to apply the changes.
-
Repeat steps 4-7 for all default service accounts being used in your project.
-
Create new service accounts with the appropriate roles and permissions for your project.
-
Update your applications and services to use the new service accounts instead of the default service accounts.
By following these steps, you will have successfully remediated the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using GCP console.
To remediate the “Default Service Accounts Should Not Be Used” misconfiguration for GCP using GCP CLI, follow these steps:
-
Open the GCP Cloud Shell.
-
Run the following command to list all the default service accounts in your GCP project:
gcloud iam service-accounts list -
Identify the default service account that you want to disable.
-
Run the following command to disable the default service account:
gcloud iam service-accounts disable [SERVICE_ACCOUNT_EMAIL]Replace
[SERVICE_ACCOUNT_EMAIL]with the email address of the default service account that you want to disable. -
Verify that the default service account has been disabled by running the following command:
gcloud iam service-accounts describe [SERVICE_ACCOUNT_EMAIL]Replace
[SERVICE_ACCOUNT_EMAIL]with the email address of the default service account that you disabled. The output should show that the account is disabled. -
Repeat steps 4-5 for any other default service accounts that you want to disable.
By following these steps, you have successfully remediated the “Default Service Accounts Should Not Be Used” misconfiguration for GCP using GCP CLI.
To remediate the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using Python, you can follow these steps:
- Identify the default service accounts that are currently being used in your GCP project. You can do this by running the following command in the Cloud Shell or in your local terminal with gcloud CLI installed:
gcloud iam service-accounts list
- Create a new service account to replace the default service account. You can do this by running the following command:
gcloud iam service-accounts create [SA-NAME] --description="[SA-DESCRIPTION]"
Replace [SA-NAME] and [SA-DESCRIPTION] with your desired service account name and description.
- Grant the necessary roles and permissions to the new service account. You can do this by running the following command:
gcloud projects add-iam-policy-binding [PROJECT-ID] --member="serviceAccount:[SA-EMAIL]" --role="[ROLE]"
Replace [PROJECT-ID], [SA-EMAIL], and [ROLE] with your project ID, new service account email, and the desired role to grant to the service account.
- Update your application or service to use the new service account instead of the default service account. You can do this by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the new service account key file.
export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"
Replace [PATH] with the path to the new service account key file.
- Disable the default service account to prevent it from being used. You can do this by running the following command:
gcloud iam service-accounts disable [SA-EMAIL]
Replace [SA-EMAIL] with the email of the default service account.
By following these steps, you can remediate the misconfiguration “Default Service Accounts Should Not Be Used” in GCP using Python.