medium

GCP Default compute account is project Editor

Published Sun, Nov 22nd, 2020
Platforms

Summary

When the compute API is enabled on a GCP Project, the default compute account is created. This account gets the primitive role Editor assigned by default, which allows for a wide variety of privilege excalation and resource abuse in the project. Especially, all new VMs created inherit this permissions by default. This issue is arguably a technical decision by GCP, but the documents advise customers to undo this.

Affected Services

N/A

Remediation

Remove these permissions, it can be done via an organization policy

Tracked CVEs

No tracked CVEs

References

Disclosure Date
-
Exploitablity Period
Since the creation of GCP
Known ITW Exploitation
-
Detection Methods
-
Discovered by
-