By default, Compute Engine assigns new instances to a default service account that has wide permissions on the current project.
Compute instances using the default service account typically grants applications unnecessary permissions and may allow attackers to access sensitive data.
The Compute Engine default service account has "Editor" rights on the current project. By default, compute instances can only use a subset of these permissions, defined by the access scope
https://www.googleapis.com/auth/devstorage.read_only. This default allows to read data from all GCS buckets, BigQuery datasets and Container Registry images.
If the access scope associated with the instance is
https://www.googleapis.com/auth/cloud-platform, the instance and any application that runs on it has effective project editor rights.
These credentials can be retrieved from the instance metadata service:
PROJECT_ID=$(curl -s -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/project/numeric-project-id) curl \ -H "Metadata-Flavor: Google" \ http://169.254.169.254/computeMetadata/v1/instance/service-accounts/$PROJECT_IDemail@example.com/token
The resulting access token can then be used from another machine, directly in Google Cloud API requests, or imported for use with the gcloud CLI:
gcloud config set project PROJECT_NAME gcloud storage buckets list --access-token-file=./access-token # Alternatively, you can instruct the gcloud CLI to use the access token using an environment variable export CLOUDSDK_AUTH_ACCESS_TOKEN=$(cat access-token)
Identify affected resources
Use the following gcloud CLI command to identify compute instances using the default service account:
gcloud compute instances list \ --filter="serviceAccounts.firstname.lastname@example.org'"
You can use the following command to restrict your search to compute instances that use the default service account and have full project editor permissions because they don't restrict the scope:
gcloud compute instances list --filter=" serviceAccounts.email@example.com' AND serviceAccounts.scopes=('https://www.googleapis.com/auth/cloud-platform') "
Remediate vulnerable resources
Assign a non-default service account to the compute instance. If the instance needs to access other Google Cloud services, use the least privilege principle to assign the minimum required permissions to the service account. Refer to the Authenticate workloads using service accounts for more information.
As an additional layer of security, you can enable the Organization policy constraint
constraints/iam.automaticIamGrantsForDefaultServiceAccounts to prevent the default compute service accounts from being assigned privileged permissions automatically.
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the following out-of-the-box rules:
The Google Cloud Compute Engine default service account
Default service accounts access scopes
PortSwigger: Google pays hacker duo $22k in bug bounties for flaws in multiple cloud projects