Using Default Service Account
- Query id: 3cb4af0b-056d-4fb1-8b95-fdc4593625ff
- Query name: Using Default Service Account
- Platform: Terraform
- Severity: Medium
- Category: Insecure Defaults
- CWE: 250
- URL: Github
Description¶
Compute instances should not run as the default Compute Engine service account: it is granted broad project-level permissions by default and, combined with the default scopes, gives the instance full access to all Cloud APIs, so any code execution on the VM inherits that access. The query therefore expects the 'service_account' block and its sub attribute 'email' to be defined. In addition, 'email' must not be empty, must be a well-formed service account e-mail address, and must not be a default Google Compute Engine service account (an address in the 'developer.gserviceaccount.com' domain, such as 'PROJECT_NUMBER-compute@developer.gserviceaccount.com'). Note that the check is purely pattern-based: it cannot verify that the address exists or what IAM roles it holds, so a passing configuration should still point at a dedicated service account carrying only the roles the workload needs.
Documentation
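The rule described above, reimplemented here as an added example in Python (this is not the KICS query itself or its Rego source). It evaluates Terraform JSON syntax (the shape of a '.tf.json' file) and returns one finding per non-compliant 'google_compute_instance'. The resource names, project number and the 'my-project' address in the sample document are constructed for illustration; the five violating cases mirror the positive samples below.

```python
"""Static check: google_compute_instance resources that would run as the
default Compute Engine service account.

Added example for this page; it is not the KICS query. Input is Terraform JSON
syntax, i.e. {"resource": {"google_compute_instance": {name: body}}}.
"""
import json
import re

# Default Compute Engine service accounts are named
# PROJECT_NUMBER-compute@developer.gserviceaccount.com; like the rule on this
# page, the whole developer.gserviceaccount.com domain is treated as "default".
DEFAULT_SA_DOMAIN = "developer.gserviceaccount.com"

# Loose shape check: local-part@domain.tld. Rejects "", "a" and "x@y".
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_instance(body):
    """Return a reason string when the instance body violates the rule, else None."""
    sa = body.get("service_account")
    if sa is None:
        return "service_account block is missing"
    # In Terraform JSON syntax a block may be written as a list of objects.
    if isinstance(sa, list):
        sa = sa[0] if sa else {}
    if "email" not in sa:
        return "service_account.email is not set"
    email = sa["email"]
    if not isinstance(email, str) or email == "":
        return "service_account.email is empty"
    if not EMAIL_RE.match(email):
        return f"service_account.email {email!r} is not a valid service account address"
    if email.lower().endswith("@" + DEFAULT_SA_DOMAIN):
        return f"service_account.email {email!r} is a default Compute Engine service account"
    return None


def find_default_service_accounts(tf_json):
    """Return [(resource_name, reason)] for every violating google_compute_instance."""
    findings = []
    instances = tf_json.get("resource", {}).get("google_compute_instance", {})
    for name, body in instances.items():
        reason = check_instance(body)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample document (not from the page): five violating instances
# matching the positive samples, plus one compliant instance using a
# dedicated service account (hypothetical project "my-project").
SAMPLE_TF_JSON = json.loads("""
{
  "resource": {
    "google_compute_instance": {
      "no_block":     {"name": "vm1", "machine_type": "e2-medium"},
      "no_email":     {"name": "vm2", "service_account": {"scopes": ["compute-ro"]}},
      "empty_email":  {"name": "vm3", "service_account": {"email": "", "scopes": ["compute-ro"]}},
      "bad_email":    {"name": "vm4", "service_account": {"email": "a"}},
      "default_sa":   {"name": "vm5", "service_account": {"email": "123456789012-compute@developer.gserviceaccount.com"}},
      "dedicated_sa": {"name": "vm6", "service_account": {"email": "vm-runtime@my-project.iam.gserviceaccount.com",
                                                          "scopes": ["cloud-platform"]}}
    }
  }
}
""")


if __name__ == "__main__":
    for name, reason in find_default_service_accounts(SAMPLE_TF_JSON):
        print(f"google_compute_instance.{name}: {reason}")
```

Run it on a real file with `json.load(open("main.tf.json"))` in place of the sample; HCL sources need to be converted to JSON syntax first (for example with the python-hcl2 package), since this example parses JSON only. The compliant case deliberately uses the 'cloud-platform' scope with a dedicated account: restricting what the VM may do is then done with IAM role grants on that account, which this static check cannot see.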
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
```tf
#this is a problematic code where the query should report a result(s)

# positive1: no 'service_account' block at all
resource "google_compute_instance" "positive1" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }
}

# positive2: 'service_account' block present but no 'email'
resource "google_compute_instance" "positive2" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }

  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}

# positive3: 'email' is empty
resource "google_compute_instance" "positive3" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }

  service_account {
    email  = ""
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}

# positive4: 'email' is not a valid service account address
resource "google_compute_instance" "positive4" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }

  service_account {
    email  = "a"
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}

# positive5: 'email' is in the default Compute Engine service account domain
resource "google_compute_instance" "positive5" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }

  service_account {
    email  = "email@developer.gserviceaccount.com"
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}
```
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
```tf
#this code is a correct code for which the query should not find any result

# negative1: explicit, non-empty 'email' outside the default service account domain
resource "google_compute_instance" "negative1" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }

  service_account {
    email  = "email@email.com"
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}
```