
I am new to Google Cloud. I am trying to minimize the roles of service accounts to improve security. The role assigned to my SA is Compute Viewer, but the recommendation shows that this is an excessive role and has not been used for 90 days.

But when I opened Metrics Explorer, it shows that the SA has authentication events on every date up to now. Now I am confused: if the SA is being authenticated, which role is it using, as its only role (Compute Viewer) has not been used for 90 days?

The SA belongs to a bastion host.

John Hanley

1 Answer


The warning means that the service account has permissions that have not been used. The message does not mean that the "service account" has not been used.

Tip: A Bastion Host should not have any permissions except for logging (Stackdriver Logging and Stackdriver Monitoring).

John Hanley
  • Hi John, thank you for the answer. I mean to ask that Compute Viewer is the only role. Say we remove it, what other role will the SA use? Which role is it currently using? – Shivangi Bhardwaj May 25 '21 at 05:20
  • 1
    If you remove the Compute Viewer role and that role is the only one, then the service account will have no permissions (roles). It won't use any other role unless you assign a role. For a Bastion host, you do not want any roles except for Stackdriver logging and monitoring. The purpose of a Bastion host is to protect the resources in the VPC. If the Bastion host is breached, it cannot do anything since it has no permissions. If you have logging set up you will know (be able to detect) that the Bastion has been breached. – John Hanley May 25 '21 at 05:58
  • 1
    Note: If a Bastion host is breached, it can still talk to the Internet which means that Bastion could become a proxy under an attacker's control. Examples are crypto mining, running DoS attacks, etc. Those examples are why a Bastion host should have limited resources (VM size, disk size, IAM Roles, etc.). – John Hanley May 25 '21 at 06:02
  • @John Hanley I am confused about why there are authentication events if the only permissions it has are not used. – Shivangi Bhardwaj May 25 '21 at 09:53
  • 1
    Compute Engine provides a metadata service. The metadata service provides credentials to Compute Engine. Credentials must be renewed before they expire (default 3600 seconds). The service account is being used to generate credentials even if you do not use those credentials. – John Hanley May 25 '21 at 16:21
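To make the answer's advice concrete, here is an added example (not code from the answer or from Google) that audits a project IAM policy document for a bastion host's service account: it lists the roles to remove and produces a hardened policy holding only the logging and monitoring writer roles. The policy JSON and account names are constructed placeholders, and mapping "Stackdriver Logging and Monitoring" to `roles/logging.logWriter` and `roles/monitoring.metricWriter` is an assumption to adjust for your own baseline.

```python
from copy import deepcopy

# Roles a bastion host's service account keeps: writing logs and metrics only.
# Mapping "Stackdriver Logging and Monitoring" to these two predefined roles is
# an assumption; adjust ALLOWED_ROLES to your organisation's baseline.
ALLOWED_ROLES = {"roles/logging.logWriter", "roles/monitoring.metricWriter"}

def roles_for_member(policy: dict, member: str) -> set:
    """Every role the member is bound to in a project IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def excess_roles(policy: dict, member: str) -> set:
    """Roles the member holds beyond the bastion baseline, i.e. what to remove."""
    return roles_for_member(policy, member) - ALLOWED_ROLES

def harden_policy(policy: dict, member: str) -> dict:
    """Copy of the policy with the member stripped from every non-baseline role and
    added to each baseline role it lacks (reusing an unconditional binding if present)."""
    new = deepcopy(policy)
    bindings = []
    for b in new.get("bindings", []):
        if member in b.get("members", []) and b["role"] not in ALLOWED_ROLES:
            b["members"] = [m for m in b["members"] if m != member]
        if b.get("members"):  # drop bindings left empty, as the API would
            bindings.append(b)
    present = {b["role"] for b in bindings if member in b["members"]}
    for role in sorted(ALLOWED_ROLES - present):
        for b in bindings:
            if b["role"] == role and "condition" not in b:
                b["members"].append(member)
                break
        else:
            bindings.append({"role": role, "members": [member]})
    new["bindings"] = bindings
    return new

# Constructed sample mirroring the question: the bastion SA holds only Compute Viewer.
BASTION_SA = "serviceAccount:bastion@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1, "etag": "ETAG_PLACEHOLDER", "bindings": [
        {"role": "roles/compute.viewer", "members": [BASTION_SA]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:agent@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}

if __name__ == "__main__":
    print("remove:", sorted(excess_roles(SAMPLE_POLICY, BASTION_SA)))
    print(harden_policy(SAMPLE_POLICY, BASTION_SA)["bindings"])
```

The hardened document is what you would feed back with `gcloud projects set-iam-policy`; the removed role is exactly the one the recommender flagged, while the authentication events from the metadata server token refresh continue regardless, as the last comment explains.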