---
names:
  full: "Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs"
  contextual: "Instance is configured to use the Default Service Account with full access to all Cloud APIs"
description: "To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope 'Allow full access to all Cloud APIs'."
type: COMPLIANCE_POLICY
categories:
  - "SECURITY"
frameworkMappings:
  - /frameworks/cis-gcp-v3.0.0/04/02
  - /frameworks/cloudaware/identity-and-access-governance/rbac-management
  - /frameworks/nist-sp-800-53-r4/ac/06
  - /frameworks/nist-sp-800-53-r5/ia/05
  - /frameworks/pci-dss-v3.2.1/07/01/02
  - /frameworks/pci-dss-v4.0/02/02/02
  - /frameworks/pci-dss-v4.0/02/03/01
  - /frameworks/iso-iec-27001-2013/09/02/03
  - /frameworks/iso-iec-27001-2022/08/02
  - /frameworks/iso-iec-27001-2022/08/09
  - /frameworks/nist-csf-v1.1/pr-ac/01
  - /frameworks/soc-2/cc6/03/01
  - /frameworks/soc-2/cc6/03/02
  - /frameworks/soc-2/cc6/03/03
similarPolicies:
  cloudConformity:
    - url: "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/gcp/ComputeEngine/default-service-accounts-with-full-access-in-use.html"
      name: "Check for Instance-Associated Service Accounts with Full API Access"