Ensure default service account is not used at organization level for Google Cloud

HIGH

Description

Using service accounts for automated cloud processes is generally considered best practice; however, the default service accounts created by most cloud providers follow a standard, well-known naming convention and are often given elevated access. Dedicated service accounts with narrowly scoped privileges should be used instead, and the default service account should not be bound to roles at the organization level. For more information on the default service account, see the GCP documentation.
References:
https://cloud.google.com/iam/docs/service-accounts#default

Remediation

In GCP Console -

  1. Log into the GCP Console and go to IAM.
  2. Under Service Accounts, select the pencil icon next to the entry you wish to edit.
  3. After editing the permissions as needed, select Save.

In Terraform -

  1. In the google_organization_iam_binding resource, remove the default service account from the members list.
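As an added example (not part of the original page), the non-compliant binding shown beside its corrected form. The organization id, project id, project number and group address are placeholders; the default account name follows Google's documented `PROJECT_NUMBER-compute@developer.gserviceaccount.com` pattern.

```hcl
# Added example, not the page's own configuration. ORG_ID_PLACEHOLDER,
# PROJECT_ID_PLACEHOLDER, the project number 123456789012 and the group
# address are placeholders. The two bindings below are the "before" and
# "after" versions of the same resource, not meant to be applied together.

# Before (non-compliant): the default Compute Engine service account is
# bound to roles/editor at the organization level, so it holds broad
# access in every project under the organization.
resource "google_organization_iam_binding" "automation_editor" {
  org_id = "ORG_ID_PLACEHOLDER"
  role   = "roles/editor"

  members = [
    # Default service account: well-known name, elevated access.
    "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
    "group:cloud-admins@example.com",
  ]
}

# After (compliant): a dedicated service account is created for the
# automation, bound to a narrowly scoped role, and the default service
# account is removed from the members list.
resource "google_service_account" "org_automation" {
  account_id   = "org-automation"
  display_name = "Organization automation (least privilege)"
  project      = "PROJECT_ID_PLACEHOLDER"
}

resource "google_organization_iam_binding" "automation_viewer" {
  org_id = "ORG_ID_PLACEHOLDER"
  role   = "roles/viewer"

  members = [
    "serviceAccount:${google_service_account.org_automation.email}",
    "group:cloud-admins@example.com",
  ]
}
```

`google_organization_iam_binding` is authoritative for its role, so applying the corrected resource replaces that role's full member list at the organization level; review the plan output before applying.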

References:
https://cloud.google.com/resource-manager/docs/creating-managing-organization
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam

Policy Details

Rule Reference ID: AC_GCP_0248
CSP: GCP
Remediation Available: Yes
Resource Type: Policy

Frameworks