VM With Full Cloud Access
- Query id: bc280331-27b9-4acb-a010-018e8098aa5d
- Query name: VM With Full Cloud Access
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description¶
A VM instance is configured to use the default service account with full access to all Cloud APIs
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "google_compute_instance" "positive1" {
name = "test"
machine_type = "e2-medium"
zone = "us-central1-a"
boot_disk {
initialize_params {
image = "debian-cloud/debian-9"
}
}
network_interface {
network = "default"
access_config {
// Ephemeral IP
}
}
service_account {
scopes = ["userinfo-email", "compute-ro", "storage-ro", "cloud-platform"]
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "google_compute_instance" "negative1" {
name = "test"
machine_type = "e2-medium"
zone = "us-central1-a"
boot_disk {
initialize_params {
image = "debian-cloud/debian-9"
}
}
network_interface {
network = "default"
access_config {
// Ephemeral IP
}
}
service_account {
scopes = ["userinfo-email", "compute-ro", "storage-ro"]
}
}