
Using the default service account on a compute instance allows an attacker to spread through the network

Severity: CRITICAL
Exploitability: HIGH
Providers: Google Cloud Provider
Categories: PERMISSION

Description

The default service account has the Editor role. A compute instance configured with this account can access more resources than it should, and so can an attacker who gains access to the instance.

Note that if the Editor role has been removed from the default service account, the vulnerability is mitigated, but the account's roles could still be changed later on.

Impact

Potential data exposure: True
Visible in logs: True
User interaction required: False
Privileges required: True

Potential spread of an attacker once a compute instance is compromised.

Remediation guidelines

Create a dedicated service account for the instance and stop using the default service account.
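A detection check for the two conditions this finding describes, as an added example that is not part of the original page: it flags instances attached to the default Compute Engine service account and reports whether that account still holds roles/editor. It assumes input shaped like the JSON output of `gcloud compute instances list --format=json` and `gcloud projects get-iam-policy --format=json`; the sample data below is constructed, not real resources.

```python
import json
import re

# The default Compute Engine service account always has the form
# <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

def is_default_compute_sa(email: str) -> bool:
    return bool(DEFAULT_COMPUTE_SA.match(email))

def default_sa_has_editor(iam_policy: dict) -> bool:
    """True if a default compute SA is bound to roles/editor in the project IAM policy."""
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") != "roles/editor":
            continue
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")   # e.g. "serviceAccount:<email>"
            if kind == "serviceAccount" and is_default_compute_sa(email):
                return True
    return False

def find_instances_using_default_sa(instances: list) -> list:
    """Names of instances whose attached service account is the default compute SA."""
    flagged = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            if is_default_compute_sa(sa.get("email", "")):
                flagged.append(inst["name"])
                break
    return flagged

def assess(instances: list, iam_policy: dict) -> dict:
    """Combine both checks into one finding-style result."""
    return {
        "instances_on_default_sa": find_instances_using_default_sa(instances),
        "default_sa_has_editor": default_sa_has_editor(iam_policy),
    }

# Constructed sample data (shaped like gcloud JSON output; hypothetical project/emails)
SAMPLE_INSTANCES = [
    {"name": "web-1", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com"}]},
    {"name": "db-1", "serviceAccounts": [{"email": "db-sa@example-project.iam.gserviceaccount.com"}]},
    {"name": "batch-1", "serviceAccounts": []},   # no service account attached at all
]
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_INSTANCES, SAMPLE_POLICY), indent=2))
```

Only `web-1` is reported, and because the policy still grants the default account Editor, the finding is not mitigated for that instance.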
