GCP Kubernetes Engine Cluster Nodes Have Default Service Account For Project Access

This policy identifies Kubernetes Engine cluster nodes that run as the default service account for project access. By default, Kubernetes Engine nodes are given the Compute Engine default service account, which has broad access to the project and far more permissions than a cluster needs in order to run. Because every pod on a node can obtain that account's access token from the instance metadata server unless Workload Identity or metadata concealment is in use, a compromised container inherits whatever the node account is allowed to do. Create and use a least-privileged service account for your Kubernetes Engine nodes instead of the Compute Engine default service account. If you do not create a separate service account for your nodes, at least limit the OAuth scopes of the node service account to reduce the opportunity for privilege escalation in an attack.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: Terraform

Build Rules

GCP Kubernetes Engine Cluster Nodes have default Service account for Project access.
JSON Query:
$.resource[*].google_container_cluster[*].*[*].node_config anyNull or $.resource[*].google_container_cluster[*].*[*].node_config[*].service_account anyNull
Recommendation:
Recommended solution to ensure that Kubernetes Engine cluster nodes do not use the default service account for project access:
Make sure the template defines a "node_config" block for the cluster and that "service_account" is present under it and is not null, naming a dedicated least-privileged service account rather than the Compute Engine default service account.
For example:
"node_config": [
  {
    "labels": [ { "foo": "bar" } ],
    "metadata": [ { "disable-legacy-endpoints": "true" } ],
    "oauth_scopes": [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring"
    ],
    "tags": [ "foo", "bar" ],
    "service_account": "service_account"
  }
]

Run Rule Recommendation

The service account that GCP Kubernetes Engine nodes run as is chosen when the nodes are created, not afterwards. To fix this alert, create new nodes that run as a least-privileged service account (a new cluster, as in the steps below), migrate all required workloads and data from the reported cluster to the new one, and then retire the reported cluster.
To create a cluster whose nodes use a new service account with only the privileges you need, perform the following steps:
  1. Log in to the GCP Console.
  2. Click 'CREATE CLUSTER'.
  3. Fill in the required name and other cluster fields.
  4. Click 'More'.
  5. Under the Project access section, choose a least-privileged 'Service account' instead of the default 'Compute Engine default service account'.
    NOTE: Nodes that use the Compute Engine default service account get the devstorage.read_only, logging.write, monitoring, service.management.readonly, servicecontrol, and trace.append scopes by default, and that account is normally granted the project-wide Editor role, so a workload that obtains its token can read and modify most resources in the project.
    Configure a service account with more restrictive privileges and assign it instead.
  6. Click 'Create'.
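The Terraform equivalent of the build-rule fix above and of the console steps just listed, as an added example that is not part of the original policy page: a dedicated node service account with only the IAM roles nodes need, wired into the cluster's node_config (the block the build rule's JSON query inspects) and into an explicit node pool. It assumes the variables var.project_id and var.region exist and that the role list is sufficient for your workloads; the resource names, the "gke-nodes" account ID, and the cluster and pool names are illustrative.

```hcl
# Added example, not the policy page's own code.
# Assumptions: var.project_id and var.region are defined, and the roles
# bound below cover what your pods need (extend them if they do not).

# --- Flagged by the build rule: no node_config, so every node runs as the
# --- Compute Engine default service account.
# resource "google_container_cluster" "flagged" {
#   name               = "flagged-cluster"
#   location           = var.region
#   initial_node_count = 1
# }

# Dedicated identity for the nodes instead of the Compute Engine default SA.
resource "google_service_account" "gke_nodes" {
  project      = var.project_id
  account_id   = "gke-nodes"
  display_name = "Least-privilege GKE node service account"
}

# Only what nodes need: ship logs and metrics, write resource metadata,
# and pull container images. No project-wide Editor role.
resource "google_project_iam_member" "gke_nodes" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
    "roles/artifactregistry.reader",
  ])
  project = var.project_id
  role    = each.key
  member  = "serviceAccount:${google_service_account.gke_nodes.email}"
}

# The same restricted scope set the page lists for the default account; with
# a dedicated SA the effective permissions are the IAM roles bound above.
locals {
  node_scopes = [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/trace.append",
  ]
}

resource "google_container_cluster" "primary" {
  project  = var.project_id
  name     = "hardened-cluster"
  location = var.region

  # Drop the auto-created default pool and manage pools explicitly, but still
  # set service_account here: the default pool exists briefly during creation
  # and this block is what the build rule's JSON query checks.
  remove_default_node_pool = true
  initial_node_count       = 1

  node_config {
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = local.node_scopes
    metadata = {
      disable-legacy-endpoints = "true"
    }
  }

  # Workload Identity gives pods their own Google identities instead of the
  # node SA's token from the metadata server.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}

resource "google_container_node_pool" "primary" {
  project    = var.project_id
  name       = "primary-nodes"
  cluster    = google_container_cluster.primary.name
  location   = var.region
  node_count = 1

  node_config {
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = local.node_scopes
    metadata = {
      disable-legacy-endpoints = "true"
    }
    # Serve pods the GKE metadata server rather than the node's token.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}
```

After `terraform apply`, cordon and drain the nodes of the reported cluster, move the workloads onto the new nodes, and then delete the old cluster, which is the migration the run-rule recommendation above describes.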

Compliance

There are 11 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • NIST 800-53 Rev4
  • HITRUST CSF v9.3
  • PCI DSS v3.2
  • ISO 27001:2013
  • HIPAA
  • CSA CCM v3.0.1
  • SOC 2
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • CCPA 2018
