gce/BP_EXT/2023_001
Compute Engine scopes best practices
Product: Compute Engine
Rule class: BP_EXT - (Extended) Best practice, opinionated recommendation
Description
Google recommends enabling a custom service account with very fine-grained permissions and a very restricted access scope so that you can ensure that access scopes to connect to or from the VM is limited and implements a security-in-depth strategy where multiple layers of security are used for holistic protection.
Remediation
Please consider following the principle of least previlige and avoid using defaults service account for production applications. It is recommended to use a custom service account with restricted permissions that are required to your use case.