Skip to main content

Using the default service account on a compute instance allows an attacker to spread through the network

  • GG_ID: GG_IAC_0011
  • Severity: CRITICAL
  • Complexity: LOW
  • Categories: PERMISSION
  • Providers: Google Cloud Provider
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: True


The default service account has the Editor role. A compute instance configured with this account has the potential to access more resources than it should, and so could an attacker that gained access to this instance.

Note that if the default service account has been stripped from the Editor role, the vulnerability is mitigated but the service account could still be changed later on.


Potential spread of an attacker once a compute instance is compromised.

Remediation guidelines#

Create a service accounts and remove the use of the default service account.

External documentation#