Aqua CSPM

VM Instances with No Access

Quick Info

Plugin Title: VM Instances with No Access
Cloud: GOOGLE
Category: Compute
Description: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.
More Info: To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope "Allow full access to all Cloud APIs".
GOOGLE Link: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
Recommended Action: In the Service Account section, ensure "Allow full access to all Cloud APIs" is not selected if the default service account is selected.

Detailed Remediation Steps

  1. Log into the Google Cloud Platform Console.
  2. Scroll down the left navigation panel, choose “Compute Engine”, and select the “VM Instances” option.
  3. On the “VM Instances” page, select the VM instance which needs to be verified.
  4. On the “VM instance details” page, scroll down and check “Cloud API access scopes”. If “Allow full access to all Cloud APIs” is selected, the instance does not follow GCP best practice.
  5. Repeat steps 2 - 4 to verify the other VM instances in the network.
  6. Navigate to “Compute Engine”, choose “VM instances”, and select the VM instance on which “full access to all Cloud APIs” needs to be disabled.
  7. On the “VM instance details” page, select the “CREATE SIMILAR” button at the top.
  8. Enter the “Name” of the instance and the Region, and choose the same “Machine Configuration” as the previous instance had.
  9. Scroll down the “Create an Instance” page, click on the “Access Scopes” option under “Identity and API access”, and choose the “Allow default access” option.
  10. Click on the “Create” button at the bottom to make the changes.
  11. Once the new similar instance is up and running, delete the instance with “full access to all Cloud APIs” enabled.
  12. Repeat steps 6 - 11 to ensure “Allow full access to all Cloud APIs” is not selected on any instance that uses the default service account.
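The verification in steps 2 - 5 can be automated over instance metadata instead of clicking through each instance. The following is an added example, not code from Aqua CSPM or from Google: it assumes instance records in the JSON shape returned by `gcloud compute instances describe --format=json` (a `serviceAccounts` list of `{"email", "scopes"}` objects and a `zone` URL), identifies the Compute Engine default service account by its `PROJECT_NUMBER-compute@developer.gserviceaccount.com` address, and treats the `https://www.googleapis.com/auth/cloud-platform` scope as the one the console labels “Allow full access to all Cloud APIs”. The sample instances are constructed for the demonstration.

```python
"""Flag GCE instances that run as the Compute Engine default service account
with the "Allow full access to all Cloud APIs" scope (added example, not the
Aqua CSPM plugin's own code)."""

import re

# OAuth scope the console labels "Allow full access to all Cloud APIs".
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Address pattern of the Compute Engine default service account.
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def is_default_service_account(email):
    """True if the e-mail is the project's Compute Engine default service account."""
    return bool(DEFAULT_SA_RE.match(email))


def short_name(resource_url):
    """Reduce a resource URL such as .../zones/us-central1-a to its last element."""
    return resource_url.rsplit("/", 1)[-1]


def check_instance(instance):
    """Evaluate one instance record and return a result dict.

    FAIL when any attached service account is the default account AND carries
    the full-access scope; that is the plugin's condition. A custom service
    account with the same scope is not flagged by this rule.
    """
    name = instance.get("name", "<unnamed>")
    zone = short_name(instance.get("zone", ""))
    for sa in instance.get("serviceAccounts", []):
        email = sa.get("email", "")
        scopes = sa.get("scopes", [])
        if is_default_service_account(email) and FULL_ACCESS_SCOPE in scopes:
            return {
                "name": name,
                "zone": zone,
                "status": "FAIL",
                "reason": f"default service account {email} has full access to all Cloud APIs",
            }
    return {
        "name": name,
        "zone": zone,
        "status": "PASS",
        "reason": "no default service account with full Cloud API access",
    }


def audit(instances):
    """Run check_instance over every record and return the list of results."""
    return [check_instance(i) for i in instances]


def failing_instances(instances):
    """Names of instances that violate the rule, in input order."""
    return [r["name"] for r in audit(instances) if r["status"] == "FAIL"]


# Constructed sample records mimicking `gcloud compute instances describe` output.
SAMPLE_INSTANCES = [
    {   # default account with full access: should FAIL
        "name": "web-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
        "serviceAccounts": [{
            "email": "123456789012-compute@developer.gserviceaccount.com",
            "scopes": [FULL_ACCESS_SCOPE],
        }],
    },
    {   # default account with the console's "Allow default access" scopes: PASS
        "name": "web-2",
        "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
        "serviceAccounts": [{
            "email": "123456789012-compute@developer.gserviceaccount.com",
            "scopes": [
                "https://www.googleapis.com/auth/devstorage.read_only",
                "https://www.googleapis.com/auth/logging.write",
                "https://www.googleapis.com/auth/monitoring.write",
            ],
        }],
    },
    {   # custom account with full access: outside this rule's scope, PASS
        "name": "batch-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/europe-west1-b",
        "serviceAccounts": [{
            "email": "batch-sa@p.iam.gserviceaccount.com",
            "scopes": [FULL_ACCESS_SCOPE],
        }],
    },
    {   # no service account attached at all: PASS
        "name": "isolated-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/europe-west1-b",
        "serviceAccounts": [],
    },
]

if __name__ == "__main__":
    for r in audit(SAMPLE_INSTANCES):
        print(f'{r["status"]:4} {r["zone"]}/{r["name"]}: {r["reason"]}')
```

Feeding the output of `gcloud compute instances list --format=json` into `audit()` gives the same verdict as step 4 for every instance in the project at once; instances reported as FAIL are the ones to rebuild with “Allow default access” as described in steps 6 - 11.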