Ensure instances are not configured to use the default service account

From Google Cloud Console

1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances
2. Click on each VM instance name to go to its details page
3. Click STOP and then click EDIT
4. Under the section Identity and API access, select a service account other than the default Compute Engine service account. You may first need to create a new service account.
5. Click Save and then click START

Using Google Cloud CLI

1. Stop the instance:

gcloud compute instances stop <instanceName>

1. Update the instance:

gcloud compute instances set-service-account <instanceName> --serviceaccount=<serviceAccount>

1. Restart the instance:

gcloud compute instances start <instanceName>

Default Value

By default, Compute instances are configured to use the default Compute Engine service account.

References

1. https://cloud.google.com/compute/docs/access/service-accounts
2. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
3. https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Google Cloud

Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.