Ensure default service accounts having complete cloud access are not used by Google Compute Instance

HIGH

Description

As with many cloud providers, Google recommends the use of service accounts for automated functions. It is best practice to ensure that these service accounts have access that aligns with the task for which they are used rather than having broad access to many or all services.

Remediation

In GCP Console -

  1. Open the Compute Engine page.
  2. Stop the instance.
  3. Click on the VM instances tab.
  4. Click on the instance to edit.
  5. Click on Edit and go to Access scopes under Identity and API access.
  6. Select Set access for each API.
  7. Select only the APIs the instance requires.
  8. Click Save.

In Terraform -

  1. In the resource google_compute_instance, ensure that the service_account.scopes attribute does not contain cloud-platform (or its full form, https://www.googleapis.com/auth/cloud-platform); list only the scopes the workload needs.
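The following is an added Terraform example, not code from this policy page or from the Terraform provider docs, showing the failing configuration beside a passing one. The project ID, zone, instance names, the dedicated service account name and the narrowed scope list are all assumed values chosen for illustration; pick the scopes that match what the instance actually does.

```hcl
# Assumed provider settings for the example.
provider "google" {
  project = "example-project-id" # placeholder
  region  = "us-central1"
}

# FAILS AC_GCP_0041: the default Compute Engine service account
# (PROJECT_NUMBER-compute@developer.gserviceaccount.com, used when
# "email" is omitted) is combined with the cloud-platform scope, which
# grants the instance every permission the account's IAM roles allow.
resource "google_compute_instance" "broad_access" {
  name         = "vm-broad-access" # placeholder
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  service_account {
    # "email" omitted -> default compute service account
    scopes = ["cloud-platform"] # equivalent to https://www.googleapis.com/auth/cloud-platform
  }
}

# PASSES: a dedicated service account with only the scopes the workload
# needs. Effective access is the intersection of these scopes and the
# IAM roles bound to the account, so keep both narrow.
resource "google_service_account" "app" {
  account_id   = "vm-app-sa" # placeholder
  display_name = "Scoped service account for the app VM"
}

resource "google_compute_instance" "least_privilege" {
  name         = "vm-least-privilege" # placeholder
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  service_account {
    email = google_service_account.app.email
    # Assumed workload needs: ship logs and metrics, read one bucket.
    scopes = [
      "logging-write",
      "monitoring-write",
      "storage-ro",
    ]
  }
}
```

The provider accepts gcloud-style aliases such as "storage-ro" as well as full https://www.googleapis.com/auth/... URLs, so a check for this rule should normalize both forms before comparing. Note that scopes only cap what an instance's metadata-server token can do; the IAM roles granted to the service account must be tightened separately, and changing scopes on an existing instance forces a stop and restart.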

References:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#service_account
https://cloud.google.com/sdk/gcloud/reference/alpha/compute/instances/set-scopes#--scopes

Policy Details

Rule Reference ID: AC_GCP_0041
CSP: GCP
Remediation Available: Yes
Resource Category: Compute
Resource Type: Virtual Machine

Frameworks