Ensure default service account is not used for project access in Google Container Cluster

HIGH

Description

Using Service Accounts for automated cloud processes is generally considered best practice; however, the default service accounts created by most cloud providers follow a standard, well-known naming convention and are often given elevated access. Individual Service Accounts should be used instead, with limited access privileges. For more information on the default service account, see the GCP documentation.
References:
https://cloud.google.com/compute/docs/access/service-accounts#default_service_account
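The following Terraform configuration is an added example, not code from this policy page or from the provider documentation it references. It shows the control the description asks for: a GKE node pool that runs as a dedicated, least-privilege service account rather than the Compute Engine default service account. The project id, resource names, location and the exact role list are assumptions chosen for illustration.

```terraform
# Added example (not from the page): GKE nodes running as a dedicated,
# least-privilege service account instead of the default service account.
# Project id, names and location below are placeholders / assumptions.
variable "project_id" {
  type    = string
  default = "example-project-id" # placeholder, not a real project
}

# Dedicated identity for the node pool.
resource "google_service_account" "gke_nodes" {
  account_id   = "gke-nodes"
  display_name = "GKE node service account"
}

# Grant only what nodes need to ship logs and metrics and pull images.
# The default service account would instead carry broad project roles.
resource "google_project_iam_member" "gke_nodes" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
    "roles/artifactregistry.reader",
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.gke_nodes.email}"
}

# Drop the auto-created default node pool, which would otherwise run as
# the default service account, and manage node pools explicitly.
resource "google_container_cluster" "primary" {
  name                     = "primary-cluster"
  location                 = "us-central1"
  remove_default_node_pool = true
  initial_node_count       = 1
}

resource "google_container_node_pool" "primary_nodes" {
  name       = "primary-nodes"
  cluster    = google_container_cluster.primary.name
  location   = google_container_cluster.primary.location
  node_count = 1

  node_config {
    # This is the setting the policy checks: a non-default service account.
    service_account = google_service_account.gke_nodes.email
    # The IAM roles above are the real permission boundary; the scope only
    # needs to allow the token to reach those APIs.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

The point worth checking in review is `node_config.service_account`: when it is omitted, or when `remove_default_node_pool` is left false, the nodes run as the project's default Compute Engine service account and the cluster fails this rule regardless of what IAM roles were added elsewhere.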

Remediation

In GCP Console -

  1. Open the Network Security page.
  2. Click on Cloud Armor.
  3. Select the name of the policy to edit.
  4. Click Add Rule and select Advanced mode.
  5. In the match block, type evaluatePreconfiguredExpr('cve-canary') and choose a priority.
  6. Click Add.

In Terraform -

  1. In the google_compute_ssl_policy resource, add a rule with action set to deny and a match block whose expr block has expression = evaluatePreconfiguredExpr('cve-canary').

References:
https://registry.terraform.io/providers/hashicorp/google/4.50.0/docs/resources/compute_security_policy#expr
https://cloud.google.com/load-balancing/docs/ssl-policies-concepts
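Written out as a complete resource, the Terraform step above looks like the following. This is an added example rather than the page's own code; it follows the `expr` argument documented at the compute_security_policy reference the page links to. The policy name, rule priority and response code are assumptions.

```terraform
# Added example (not from the page): a Cloud Armor security policy whose
# deny rule matches the preconfigured 'cve-canary' expression named in the
# remediation step. Policy name, priority and response code are assumptions.
resource "google_compute_security_policy" "waf" {
  name = "example-waf-policy"

  # Deny requests that match the preconfigured cve-canary WAF rule.
  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "Deny requests matching evaluatePreconfiguredExpr('cve-canary')"
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('cve-canary')"
      }
    }
  }

  # Every security policy needs a default rule at the lowest priority;
  # traffic not caught by a higher-priority rule falls through to it.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default allow rule"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
```

The policy only takes effect once it is attached to a backend: set `security_policy = google_compute_security_policy.waf.self_link` on the `google_compute_backend_service` that fronts the workload, and confirm in the Cloud Armor logs that the deny rule is being evaluated before relying on it.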

Policy Details

Rule Reference ID: AC_GCP_0242
CSP: GCP
Remediation Available: Yes
Resource Category: Compute

Frameworks