VM With Full Cloud Access

  • Query id: bc280331-27b9-4acb-a010-018e8098aa5d
  • Query name: VM With Full Cloud Access
  • Platform: Terraform
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

A VM instance is configured to use the default service account with full access to all Cloud APIs
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_compute_instance" "positive1" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"
    access_config {
      // Ephemeral IP
    }
  }

  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro", "cloud-platform"]
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_compute_instance" "negative1" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"
    access_config {
      // Ephemeral IP
    }
  }

  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}