Roles should not be assigned to default service accounts
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | iam |
| Provider | |
| Vulnerability Type | misconfiguration |
Description
This vulnerability occurs when IAM roles are bound to one of the Google-created default service accounts, for example the Compute Engine default account (PROJECT_NUMBER-compute@developer.gserviceaccount.com) or the App Engine default account (PROJECT_ID@appspot.gserviceaccount.com), instead of to a custom, purpose-specific service account. Unless the organization policy that disables automatic grants is in force, these accounts receive the Editor basic role on the project when they are created, and they are attached by default to every Compute Engine VM, GKE node, Cloud Function and other workload that does not specify its own identity. Any role added to a default account is therefore inherited by every workload that runs as that identity, not only the one the role was meant for.
Impact
A role bound to a default service account is available to every workload that runs as that account. An attacker who compromises any one of those workloads (the account's access token is served to the workload by the instance metadata server, so no key file is needed) gains all of the roles bound to the account and can read or modify resources well beyond what that workload required, in violation of the principle of least privilege. Because the default accounts usually already hold Editor, the additional binding often widens an already broad blast radius rather than creating a new one.
Resolution
Create a dedicated service account for each workload, grant it only the roles that workload needs (preferring predefined or custom roles over the basic Owner, Editor and Viewer roles), and attach it explicitly to the VM, node pool, function or service that uses it. Then remove every role binding whose member is a default service account. Do the removal only after the workloads have been moved to their dedicated accounts: Compute Engine and several other services attach the default compute account to new resources unless told otherwise, so stripping its roles first breaks anything still running as it. To stop new projects from granting Editor to the default accounts automatically, enforce the organization policy constraint iam.automaticIamGrantsForDefaultServiceAccounts, and disable the default accounts once nothing depends on them.
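As an added example (not part of the original rule page), the following Python script audits a project IAM policy of the kind returned by `gcloud projects get-iam-policy PROJECT --format=json`, flags every role bound to a default service account as described above, produces a copy of the policy with those members stripped, and prints the gcloud commands for moving each role to a dedicated account as described in the resolution. The sample policy, the project ID `my-project` and the service account name `app-workload` are constructed for illustration; the matching patterns cover the Compute Engine and App Engine default accounts and deliberately ignore Google-managed service agents.

```python
from __future__ import annotations

import re

# Member strings of the two Google-created default service accounts, as they
# appear in an IAM policy. Google-managed service agents
# (service-<number>@<service>.iam.gserviceaccount.com) are deliberately not
# matched: they are not the default service accounts this rule is about.
DEFAULT_SA_PATTERNS = [
    # Compute Engine default: <PROJECT_NUMBER>-compute@developer.gserviceaccount.com
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
    # App Engine default: <PROJECT_ID>@appspot.gserviceaccount.com
    # (project IDs are 6-30 chars, start with a letter, end with a letter or digit)
    re.compile(r"^serviceAccount:[a-z][a-z0-9-]{4,28}[a-z0-9]@appspot\.gserviceaccount\.com$"),
]


def is_default_service_account(member: str) -> bool:
    return any(p.match(member) for p in DEFAULT_SA_PATTERNS)


def find_default_sa_bindings(policy: dict) -> list[tuple[str, str]]:
    """(role, member) pairs in which a role is bound to a default service account.

    `policy` is the JSON document returned by
    `gcloud projects get-iam-policy PROJECT --format=json`.
    """
    return [
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if is_default_service_account(member)
    ]


def remediated_policy(policy: dict) -> dict:
    """Copy of `policy` with default-service-account members removed.

    Bindings left with no members are dropped rather than sent back empty.
    Other binding fields (such as `condition`) are preserved, and the etag is
    kept so that `set-iam-policy` performs a read-modify-write and fails if
    someone changed the policy in between.
    """
    fixed = {key: value for key, value in policy.items() if key != "bindings"}
    fixed["bindings"] = []
    for binding in policy.get("bindings", []):
        kept = [m for m in binding.get("members", []) if not is_default_service_account(m)]
        if kept:
            fixed["bindings"].append({**binding, "members": kept})
    return fixed


def remediation_commands(project_id: str, findings: list[tuple[str, str]],
                         new_sa_id: str = "app-workload") -> list[str]:
    """gcloud commands that move each flagged role to a dedicated service account.

    `new_sa_id` is a placeholder (assumption): in practice create one account
    per workload and attach it to that workload before running the remove
    commands, otherwise resources still running as the default account lose access.
    """
    new_member = f"serviceAccount:{new_sa_id}@{project_id}.iam.gserviceaccount.com"
    commands = [f"gcloud iam service-accounts create {new_sa_id} --project={project_id}"]
    for role, member in findings:
        commands.append(
            f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={new_member} --role={role}"
        )
        commands.append(
            f"gcloud projects remove-iam-policy-binding {project_id} "
            f"--member={member} --role={role}"
        )
    return commands


# Constructed sample policy (not a real project): one default account holds
# Editor, the other holds Storage Admin; the service agent and the dedicated
# account are compliant and must be left alone.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwYgCs0Nb9c=",
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:my-project@appspot.gserviceaccount.com"]},
        {"role": "roles/compute.serviceAgent",
         "members": ["serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:web-frontend@my-project.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    findings = find_default_sa_bindings(SAMPLE_POLICY)
    for role, member in findings:
        print(f"FAIL {role} is bound to default service account {member}")
    for cmd in remediation_commands("my-project", findings):
        print(cmd)
```

To audit a real project, feed the output of `gcloud projects get-iam-policy PROJECT --format=json` to `find_default_sa_bindings`. Apply the output of `remediated_policy` with `gcloud projects set-iam-policy PROJECT policy.json` only once every workload has been moved to its dedicated account, since the default compute account is still attached to any VM, node pool or function that did not specify its own identity.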