TF 0517 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Instances should not use the default service account
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | compute |
| Provider | |
| Vulnerability Type | misconfiguration |
Description
Google Compute Engine instances are configured to use the default service account, which grants broad, project-wide permissions instead of limiting access to only what is necessary. This violates the principle of least privilege and increases the risk if the instance is compromised.
Impact
If the instance is compromised, an attacker could leverage the default service account to gain full access to Google Cloud project resources, potentially reading, modifying, or deleting sensitive data and services across the entire project.
Resolution
Remove use of the default service account.
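As an added example (not part of this wiki entry or the database's own checker), the following Python check walks `terraform show -json` plan output and flags `google_compute_instance` resources that fall back to the default service account: no `service_account` block, an empty email, or an email in the default account's form `PROJECT_NUMBER-compute@developer.gserviceaccount.com`. It assumes the `planned_values.root_module` layout of plan JSON; the sample plan is constructed.

```python
import re

# Compute Engine's default service account always has this email form:
# PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def instance_uses_default_sa(values: dict) -> bool:
    """True when a google_compute_instance's planned values fall back to the
    default service account: no service_account block, an empty email, or an
    email that matches the default compute account pattern."""
    blocks = values.get("service_account") or []
    if not blocks:
        return True  # nothing attached explicitly, so the default is used
    email = (blocks[0].get("email") or "").strip()
    return email == "" or DEFAULT_SA_RE.match(email) is not None


def find_default_sa_instances(plan: dict) -> list:
    """Walk `terraform show -json` plan output (planned_values tree) and
    return the addresses of instances that use the default service account."""
    findings = []

    def walk(module: dict) -> None:
        for res in module.get("resources", []):
            if res.get("type") != "google_compute_instance":
                continue
            if instance_uses_default_sa(res.get("values", {})):
                findings.append(res["address"])
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return findings


# Constructed sample plan (not real Terraform output): one instance with no
# service_account block, one on the default account, one on a dedicated account.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "google_compute_instance.no_sa", "type": "google_compute_instance",
     "values": {"name": "no-sa"}},
    {"address": "google_compute_instance.default_sa", "type": "google_compute_instance",
     "values": {"service_account": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                                     "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]}},
    {"address": "google_compute_instance.dedicated", "type": "google_compute_instance",
     "values": {"service_account": [{"email": "web-vm@my-project.iam.gserviceaccount.com",
                                     "scopes": ["https://www.googleapis.com/auth/logging.write"]}]}},
]}}}

if __name__ == "__main__":
    for address in find_default_sa_instances(SAMPLE_PLAN):
        print(f"{address}: uses the default service account")
```

Run against a real plan with `terraform show -json plan.out > plan.json` and load that file in place of the constructed sample.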