vm-instances-least-privilege.md

File metadata and controls

29 lines (24 loc) · 2.81 KB

CloudSploit

# GOOGLE / Compute / VM Instances Least Privilege

## Quick Info

| | |
|-|-|
| **Plugin Title** | VM Instances Least Privilege |
| **Cloud** | GOOGLE |
| **Category** | Compute |
| **Description** | Ensures that instances are not configured to use the default service account with full access to all cloud APIs |
| **More Info** | To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with a scope allowing full access to all cloud APIs. |
| **GOOGLE Link** | https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances |
| **Recommended Action** | For all instances, if the default service account is used, ensure full access to all cloud APIs is not configured. |

## Detailed Remediation Steps

1. Log into the Google Cloud Platform Console.
2. Scroll down the left navigation panel, choose "Compute Engine", and select the "VM instances" option.
3. On the "VM instances" page, select the VM instance that needs to be verified.
4. On the "VM instance details" page, scroll down to "Cloud API access scopes" and check whether the "Default service account" is used.
5. Repeat steps 2 - 4 to verify the other VM instances in the network.
6. Navigate to "Compute Engine", choose "VM instances", and select the VM instance that is configured to use the default service account with full access to all cloud APIs.
7. On the "VM instance details" page, select the "Edit" button at the top.
8. On the "VM instance details - Edit" page, scroll down to "Cloud API access scopes" and make sure "full access to all cloud APIs" is not configured.
9. Click the "Save" button to apply the changes.
10. If full access to all cloud APIs is configured, create a replica of that instance and launch the new instance with restricted Cloud API access.
11. Repeat steps 6 - 10 for every instance that uses the default service account, so that none of them is configured with full access to all cloud APIs.
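The console walk-through above checks one instance at a time. The same rule can be applied programmatically to instance records exported from the Compute Engine API or `gcloud compute instances list --format=json`. The script below is an added example, not CloudSploit's plugin code: it flags an instance only when an attached service account is the Compute Engine default service account (`<project-number>-compute@developer.gserviceaccount.com`) and its scopes include `https://www.googleapis.com/auth/cloud-platform`, the scope the console labels "full access to all Cloud APIs". The instance records are constructed sample data with a fake project number.

```python
"""Flag Compute Engine instances that run as the default service account with
the full-access (cloud-platform) scope.

Added example, not CloudSploit's plugin code. The instance records below are
constructed in the shape of the Compute Engine instances.list response; in
practice they would come from the API or from
`gcloud compute instances list --format=json`.
"""
import re
from typing import Dict, List

# Compute Engine default service account: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# The scope the console labels "Allow full access to all Cloud APIs".
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample data (fake project number 123456789012; zone strings shortened).
SAMPLE_INSTANCES: List[Dict] = [
    {"name": "web-1", "zone": "zones/us-central1-a",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "web-2", "zone": "zones/us-central1-a",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                                     "https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "batch-1", "zone": "zones/europe-west1-b",
     "serviceAccounts": [{"email": "batch-runner@my-project.iam.gserviceaccount.com",
                          "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "no-sa", "zone": "zones/europe-west1-b"},  # no service account attached
]


def is_default_service_account(email: str) -> bool:
    """True for the project's Compute Engine default service account."""
    return bool(DEFAULT_SA_RE.match(email))


def uses_default_sa_with_full_access(instance: Dict) -> bool:
    """True when any attached SA is the default one AND carries the cloud-platform scope."""
    for sa in instance.get("serviceAccounts", []):
        if is_default_service_account(sa.get("email", "")) and FULL_ACCESS_SCOPE in sa.get("scopes", []):
            return True
    return False


def audit(instances: List[Dict]) -> Dict[str, List[str]]:
    """Bucket instance names into pass/fail, mirroring a plugin's per-resource result."""
    result: Dict[str, List[str]] = {"fail": [], "pass": []}
    for inst in instances:
        bucket = "fail" if uses_default_sa_with_full_access(inst) else "pass"
        result[bucket].append(inst["name"])
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_INSTANCES)
    for name in report["fail"]:
        print(f"FAIL {name}: default service account with full access to all Cloud APIs")
    for name in report["pass"]:
        print(f"PASS {name}")
```

Note that `batch-1` passes: it has the cloud-platform scope but on a user-managed service account, which this check (like the page's rule) does not cover. Access scopes are a legacy, per-instance mechanism; for a user-managed service account the effective control is the IAM roles granted to it, so a separate review of those roles is what least privilege requires there.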