Should enable service container googleapis com before generating a service account

Error: Instances use default service account with full access to cloud APIs

Bridgecrew Policy ID: BC_GCP_IAM_2
Checkov Check ID: CKV_GCP_31
Severity: MEDIUM

When an instance is configured with the Compute Engine default service account and the scope Allow full access to all Cloud APIs, the IAM roles assigned to the user(s) who can access the instance may allow privilege escalation. For example, a user may gain the ability to perform cloud operations and API calls that their job does not require.

Along with the ability to optionally create, manage and use user-managed custom service accounts, Google Compute Engine provides a default service account, the Compute Engine default service account, for instances to access the cloud services they need. The Project Editor role is assigned to the Compute Engine default service account, so this account has almost all capabilities over all cloud services, except billing. When the Compute Engine default service account is assigned to an instance, it can operate with one of three scopes:

  1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges).
  2. Allow full access to all Cloud APIs: Allows full access to all the cloud APIs/Services (too much access).
  3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance.

We recommend that you do not assign instances to the Compute Engine default service account with the scope Allow full access to all Cloud APIs. This supports the principle of least privilege and helps prevent potential privilege escalation.

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. Select the impacted VM instance.
  4. If the instance is not stopped, click Stop. Wait for the instance to stop.
  5. Click Edit.
  6. Scroll down to the Service Account section.
  7. Select a different service account or ensure Allow full access to all Cloud APIs is not selected.
  8. To save your changes, click Save.
  9. Click START.
To change the policy using the gcloud CLI, follow these steps:

  1. Stop the instance:
     gcloud compute instances stop INSTANCE_NAME
  2. Update the instance with a different service account or a narrowed set of scopes:
     gcloud compute instances set-service-account INSTANCE_NAME --service-account=SERVICE_ACCOUNT --scopes=[SCOPE1,SCOPE2,...]
  3. Restart the instance:
     gcloud compute instances start INSTANCE_NAME
Terraform

  • Resource: google_compute_instance
  • Field: service_account
  • Argument: If email is set to the default service account, or is not specified, scopes should not contain the full-access scope https://www.googleapis.com/auth/cloud-platform.

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  # The two lines marked "-" are the violation: default service account with the full-access scope
  service_account {
-    scopes = ["https://www.googleapis.com/auth/cloud-platform"]
-    email  = "[PROJECT_NUMBER]-compute@developer.gserviceaccount.com"
  }
}
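
The rule above, carried out as an added example (this is not Checkov's implementation): it evaluates google_compute_instance blocks that have already been parsed into dicts, treats both the full scope URL and its short alias as full access, and assumes that an email that cannot be resolved to the default account naming pattern is a custom account. A custom account with the full-access scope is therefore not flagged by this rule, which is exactly the page's scope for CKV_GCP_31.

```python
import re

FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Terraform and gcloud also accept the short alias for the same scope.
FULL_ACCESS_ALIASES = {FULL_ACCESS_SCOPE, "cloud-platform"}
# Naming pattern of the Compute Engine default service account.
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def uses_default_sa(email):
    """True when the instance runs as the Compute Engine default account:
    no email given, or the email matches the default account's pattern.
    An unresolved reference (e.g. a variable) counts as custom (assumption)."""
    if not email:
        return True
    return bool(DEFAULT_SA_RE.match(email))


def check_instance(resource):
    """Return (passed, reason) for one google_compute_instance dict.

    Rule from the page: if email is the default service account (or unset),
    scopes must not contain full access to all Cloud APIs.
    """
    blocks = resource.get("service_account") or []
    if isinstance(blocks, dict):      # single block parsed as a dict
        blocks = [blocks]
    for sa in blocks:
        scopes = sa.get("scopes") or []
        full = [s for s in scopes if s in FULL_ACCESS_ALIASES]
        if full and uses_default_sa(sa.get("email")):
            return False, f"default service account with full-access scope {full[0]}"
    return True, "ok"


# Constructed sample resources: one violation, two compliant configurations.
SAMPLES = {
    "default_full": {"name": "test", "machine_type": "n1-standard-1",
                     "service_account": {
                         "email": "123456789012-compute@developer.gserviceaccount.com",
                         "scopes": [FULL_ACCESS_SCOPE]}},
    "custom_full": {"name": "app", "machine_type": "n1-standard-1",
                    "service_account": {
                        "email": "app-runner@my-project.iam.gserviceaccount.com",
                        "scopes": ["cloud-platform"]}},
    "default_limited": {"name": "web", "machine_type": "n1-standard-1",
                        "service_account": {
                            "scopes": ["https://www.googleapis.com/auth/logging.write"]}},
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(name, check_instance(res))
```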


Warden supports GCP environments.


Onboarding a Google Cloud Platform (GCP) Project

Setting up Warden in a GCP project can only be done the manual way at this time.

1. Log into your Google Cloud Console, navigate to IAM Admin > Service Accounts and select the project to onboard.


2. Click on Create Service Account.

3. Under Service account details, enter Horangi Warden as the Service account name, then enter Horangi API Access as the Service account description.


4. Click on Create.

5. Under Service account permissions (optional), select the following roles to attach to the service account.

  • IAM > Security Reviewer
  • Compute Engine > Compute Network Viewer
  • BigQuery > BigQuery Metadata Viewer
  • Binary Authorisation > Binary Authorisation Policy Viewer
  • Other > Activity Analysis Viewer

6. Click on Continue.

7. Under Grant users access to this service account (optional), leave the fields blank and click on Done.

8. Select the service account that you just created (Horangi Warden) in the Service Accounts page.

9. Click on Add Key > Create New Key.

10. Leave the default JSON selected and click Create.

11. Save the provided JSON file.

12. Enable the APIs necessary for Warden to work.

Using Google Cloud Shell:

gcloud services enable compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com policyanalyzer.googleapis.com

Via the Google Cloud Console API Library:

Enable the following APIs:

  • Compute Engine API
  • Cloud SQL Admin API
  • Cloud Storage API
  • Cloud DNS API
  • Cloud Key Management Service (KMS) API
  • Identity and Access Management (IAM) API
  • Kubernetes Engine API
  • Stackdriver Monitoring API
  • Cloud Logging API
  • Cloud Resource Manager API
  • BigQuery API
  • Binary Authorization API
  • Admin SDK API
  • Policy Analyzer API

The Compute Engine and Cloud DNS APIs require you to have billing enabled on the projects you are onboarding.

13. Copy and paste the contents of the JSON file into the API Credentials field.

14. Click on Add.

Enable Scanning for Google Workspace Identities (GCP Project)

15. To enable Warden to scan Google Workspace Identities, the following steps are necessary:

  1. Go to admin.google.com -> Admin Roles.
  2. Click Create New Role.
  3. Fill in the name (for example, Horangi Warden).
  4. Scroll down to Admin API privileges and tick Users -> Read and Groups -> Read. Click Continue. If done correctly, you will see only these 2 permissions.
  5. Go back to the Admin Roles page and select Horangi Warden (the role that was created earlier).
  6. Click ASSIGN ROLE -> Assign Service Accounts.
  7. Type in the service account name from Step 3, then click Assign Role.

Onboarding a GCP Organization

For all GCP projects that you want to scan, Warden will enable the following APIs during scanning.

  • Compute Engine API
  • Cloud SQL Admin API
  • Cloud Storage API
  • Cloud DNS API
  • Cloud Key Management Service (KMS) API
  • Identity and Access Management (IAM) API
  • Kubernetes Engine API
  • Stackdriver Monitoring API
  • Cloud Logging API
  • Cloud Resource Manager API
  • BigQuery API
  • Binary Authorization API
  • Admin SDK API
  • Policy Analyzer API

If you are unable to create the IAM Role (see step 10 below), you will have to manually enable all of the above APIs in each project. You can run the following command in Google Cloud Shell to enable the APIs:

gcloud services enable compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com policyanalyzer.googleapis.com

Repeat the command once for each project.

Pre-Requisites:

  • A GCP account within the organization assigned with the Organization Administrator and Organization Role Administrator roles.
  • An active Cloud Billing Account

Adding a GCP Cloud Organization

1. Log in to the GCP console using an account assigned the Organization Administrator and Organization Role Administrator roles.

2. Create a new project within the organization to ensure API limits for Warden are controlled separately from production workloads.

3. Enter a unique project name and click Create. You will then be redirected to the project view.

4. Click the hamburger menu button on the top left corner and click Billing.

5. If a billing account has already been linked to the project, you should see the Billing Overview page. Otherwise, click Link a Billing Account.

6. Select the billing account you would like to associate the project with from the dropdown menu and click on Link Account.

7. Navigate to IAM & Admin > Service Accounts, then click on Create Service Account.

8. Under Service account details, enter Horangi Warden as the Service account name, then enter Horangi API Access as the Service account description.

9. Click Create, then Done.

10. Note down the email address of the service account you just created (Horangi Warden) in an accessible location.

11. Click the 3-dot menu icon under the Actions column for the new service account and click Create key.

12. Leave the Key type as JSON and click Create.

13. Save the JSON file to a secure location. You will not be able to recover the key if you lose it.

14. Enable the APIs necessary for Warden to work.

Method 1: Using Google Cloud Shell

Type the following command in the Google Cloud Shell:

gcloud services enable compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com cloudbilling.googleapis.com policyanalyzer.googleapis.com

Method 2: Via the Google Cloud Console API Library:

Enable the following APIs:

  • Compute Engine API
  • Cloud SQL Admin API
  • Cloud Storage API
  • Cloud DNS API
  • Cloud Key Management Service (KMS) API
  • Identity and Access Management (IAM) API
  • Kubernetes Engine API
  • Stackdriver Monitoring API
  • Cloud Logging API
  • Cloud Resource Manager API
  • BigQuery API
  • Binary Authorization API
  • Cloud Billing API
  • Admin SDK API
  • Policy Analyzer API

The Compute Engine and Cloud DNS APIs require you to have billing enabled on the projects you are onboarding.

15. Switch back to Organization view to start setting up the organization-wide permissions.

16. Navigate to IAM & Admin > Roles, then click Create Role.

17. Under Title, enter Horangi Warden Scanner, then enter HorangiWardenScanner as the ID.

18. Click Add Permissions.

19. Under the Filter table field, enter and select `serviceusage.services.enable`.

20. Once the permission has been selected, click Add.

21. Click Create to finish creating the custom role.

22. Still in Organization view, navigate to IAM & Admin > IAM. Click Add to add permissions for the service account you created in Steps 7-9.

23. Input the email of the service account you created as New members.

24. Add the following roles:

  • Custom > Horangi Warden Scanner (the Role created earlier)
  • Resource Manager > Organization Viewer
  • Resource Manager > Folder Viewer
  • Billing > Billing Account Viewer
  • IAM > Security Reviewer
  • Compute Engine > Compute Network Viewer
  • BigQuery > BigQuery Metadata Viewer
  • Binary Authorisation > Binary Authorisation Policy Viewer
  • Service Usage > Service Usage Viewer
  • Other > Activity Analysis Viewer

If you can’t find the Role `Horangi Warden Scanner`, wait for a few minutes and try again. It may take some time for the Role to appear after creation.

25. Click Save to finish adding permissions.
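
An added check, not part of Warden's or Google's tooling, for verifying that the scanner service account ended up with exactly the roles listed in step 24 (or in step 5 of the project onboarding) and nothing broader: it reads an IAM policy in the JSON shape that `gcloud ... get-iam-policy --format=json` produces and reports missing and excess roles. The role IDs used for the console role names are an assumption of the example, as is the placeholder organization ID in the custom role name.

```python
# Role IDs for the console role names in step 5 (project) and step 24
# (organization). The ID mapping is an assumption of this example; verify
# each one with `gcloud iam roles describe ROLE_ID`.
PROJECT_ROLES = {
    "roles/iam.securityReviewer",                   # IAM > Security Reviewer
    "roles/compute.networkViewer",                  # Compute Network Viewer
    "roles/bigquery.metadataViewer",                # BigQuery Metadata Viewer
    "roles/binaryauthorization.policyViewer",       # Binary Authorization Policy Viewer
    "roles/policyanalyzer.activityAnalysisViewer",  # Other > Activity Analysis Viewer
}
ORG_ROLES = PROJECT_ROLES | {
    "roles/resourcemanager.organizationViewer",     # Organization Viewer
    "roles/resourcemanager.folderViewer",           # Folder Viewer
    "roles/billing.viewer",                         # Billing Account Viewer
    "roles/serviceusage.serviceUsageViewer",        # Service Usage Viewer
}
# The custom role from step 17 is created at organization level; ORG_ID is a placeholder.
CUSTOM_ROLE = "organizations/ORG_ID_PLACEHOLDER/roles/HorangiWardenScanner"


def roles_of(policy, member):
    """Roles bound to one member in a policy dict (shape of gcloud --format=json)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, sa_email, expected):
    """Compare the scanner service account's bindings with the expected set.

    'missing' roles break scanning; 'extra' roles are over-privilege for a
    read-only scanner (roles/editor, for instance) and should be removed.
    """
    have = roles_of(policy, f"serviceAccount:{sa_email}")
    missing = sorted(set(expected) - have)
    extra = sorted(have - set(expected))
    return {"missing": missing, "extra": extra, "ok": not (missing or extra)}


# Constructed sample in the shape of `gcloud organizations get-iam-policy
# ORG_ID --format=json`: Billing Account Viewer was forgotten and the scanner
# account was also bound to roles/editor.
SA = "horangi-warden@scan-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [{"role": r, "members": [f"serviceAccount:{SA}"]}
                 for r in sorted(ORG_ROLES - {"roles/billing.viewer"}) + [CUSTOM_ROLE]]
                + [{"role": "roles/editor",
                    "members": ["user:admin@example.com", f"serviceAccount:{SA}"]}],
    "etag": "BwX-constructed",
    "version": 1,
}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SA, ORG_ROLES | {CUSTOM_ROLE}))
```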

26. Go to Storyfier’s Settings (gear icon) page, then click on Integrations.

27. Click the Add button next to GCP. A popup of the list of organizations linked to your Storyfier org will appear.

28. Click Add New GCP Cloud Organization.

You can only add a GCP organization once. If you need to make changes to your service account credentials, you can edit an existing GCP organization.

29. Paste the service account credentials JSON file you saved earlier in the API Credentials field.

30. For the Identifier field, enter the text `organizations/` followed by your Organization ID. The Organization ID can be found by clicking on the dropdown menu on the top and looking at the ID next to your organization.

31. Click Add.

Enable Scanning for Google Workspace Identities (GCP Organization)

32. [Optional] To enable Warden to scan Google Workspace Identities, follow these steps:

  1. Go to admin.google.com -> Admin Roles.
  2. Click Create New Role.
  3. Fill in the name (for example, Horangi Warden).
  4. Scroll down to Admin API privileges and tick Users -> Read and Groups -> Read. Click Continue. If done correctly, you will see only these 2 permissions.
  5. Go back to the Admin Roles page and select Horangi Warden (the role that was created earlier).
  6. Click ASSIGN ROLE -> Assign Service Accounts.
  7. Type in the service account name from Step 8, then click Assign Role.

Caution: You cannot remove GCP organizations in Storyfier and doing so will disable all scans tied to that GCP organization. If you have to remove your organization, contact us at for assistance.

Updating GCP Cloud Organization API Credentials

1. Follow Steps 1-25 of Adding a GCP Cloud Organization to create a new Service Account.

2. In Storyfier, click on Settings > Integrations, then click Update next to GCP.

3. Click Update next to the GCP Organization you want to update.

4. Paste the API credentials you downloaded in Step 12 of Adding a GCP Cloud Organization.

5. Click Save Changes.

Importing Projects from a GCP Cloud Organization

1. Navigate to the Settings page (gear icon), then click Scan Configuration on the left sidebar.

2. Create a new scan group or use an existing one.

3. On the Scan Configuration page, click on the pencil icon next to the scan group which you would like to import GCP projects into.

4. On the right-side panel, click Add Account.

5. Select Add Projects From Google Cloud Organization and click Next.

6. Select the Organization that you created previously and click on Next.

7. Select the projects you want to onboard in Warden and click Add Projects.

8. On the Scan Configuration page, you should see the projects imported into the scan group.

9. Click on the Refresh icon next to each project to start a scan.

Only projects that have billing accounts linked are imported. If there is a project in your organization that has not been imported, check to see if the project is linked to a billing account.

When creating a new service account, what does Google Cloud use to create a Google-managed key pair?

Use the IAM API to create a user-managed key pair automatically. Google generates a public/private key pair; stores only the public key; and returns the private key to you.

Why does GCP require a service account?

A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Typically, service accounts are used in scenarios such as: Running workloads on virtual machines (VMs).