Improper Access Control
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Granting organization-level IAM roles to default Google Compute Engine service accounts gives these accounts broad access across every project in the organization. Default service accounts are not intended for organization-wide use and may be abused if compromised.
Impact
If exploited, attackers could use the overly permissive default service account to access or modify resources across the entire Google Cloud organization, potentially leading to data breaches, privilege escalation, or unauthorized changes to cloud infrastructure.
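One way to audit for this condition, as an added example that is not part of the original rule: the function below scans an organization IAM policy for bindings whose member is a default Compute Engine service account (`PROJECT_NUMBER-compute@developer.gserviceaccount.com`). It assumes the policy is JSON in the shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json`; the function name and the sample policy are constructed for illustration.

```python
import json
import re

# Default Compute Engine service accounts follow this naming scheme.
# fullmatch() is used so lookalike suffixes are not flagged as defaults.
DEFAULT_COMPUTE_SA = re.compile(
    r"serviceAccount:(\d+)-compute@developer\.gserviceaccount\.com"
)


def find_default_sa_bindings(policy):
    """Return (role, member, project_number) for every binding in an
    organization-level IAM policy that grants a role to a default
    Compute Engine service account."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            match = DEFAULT_COMPUTE_SA.fullmatch(member)
            if match:
                findings.append((role, member, match.group(1)))
    return findings


# Constructed sample policy: one risky binding, two acceptable members.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {
      "role": "roles/editor",
      "members": [
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
        "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/viewer",
      "members": ["user:auditor@example.com"]
    }
  ]
}
""")

if __name__ == "__main__":
    for role, member, project in find_default_sa_bindings(SAMPLE_POLICY):
        print(f"org-level {role} granted to default SA of project {project}: {member}")
```

Each finding is a candidate for replacement with a dedicated, user-managed service account bound at the project or resource level with only the roles it needs.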