🔷 CIS GCP 8.2 | Rule: GCP-RUN-002 | Severity: medium

Ensure Cloud Run services use custom service accounts

Description

Cloud Run services should not use the default compute service account.

⚠️ Risk Impact

The default Compute Engine service account (`PROJECT_NUMBER-compute@developer.gserviceaccount.com`) is, unless the `iam.automaticIamGrantsForDefaultServiceAccounts` organization policy is enforced, automatically granted the project-level Editor role. A Cloud Run service that runs as this account can mint its access token from the metadata server, so an attacker who achieves code execution inside the container inherits Editor across the whole project rather than the few permissions the service actually needs.

🔍 How EchelonGraph Detects This

GCP-RUN-002 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

🔧 Remediation

Create a dedicated service account for each Cloud Run service, grant it only the roles that service needs (for example a read-only role on the one database it queries rather than project-level Editor), and deploy or update the service with that account (`gcloud run services update SERVICE --service-account=SA_EMAIL`, or `service_account_name` in Terraform). Verify the service still works under the reduced permissions before removing the default SA's broad roles elsewhere.

💀 Real-World Attack Scenario

A Cloud Run service using the default compute service account had a dependency with a known RCE vulnerability (Log4Shell-style). The attacker exploited it to execute code in the container, fetched the service account's access token from the metadata server, and then used the default SA's Editor permissions to read all Firestore data, modify Cloud Functions, and establish persistent access.

💰 Cost of Non-Compliance

Cloud Run services with default SAs have 4x the blast radius of those with custom SAs. Average cost of Cloud Run compromise with default SA: $2.8M vs $350K with custom SA.

📋 Audit Questions

  1. Which Cloud Run services use the default compute service account?
  2. What permissions does each service actually need?
  3. How do you ensure new services are deployed with custom SAs?
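The following is an added example, not EchelonGraph's scanner code and not part of the original page. It answers audit question 1 offline: it takes the JSON that `gcloud run services list --format=json` emits (a constructed sample is embedded), flags every service whose revision template runs as the default compute SA, treating a missing `serviceAccountName` as the default (that is Cloud Run's fallback), and prints the `gcloud` commands that move each flagged service onto a per-service account. The project, region, role list and service names are placeholders.

```python
"""Find Cloud Run services running as the default compute SA and print remediation commands.

Input is the list of Knative Service objects produced by
`gcloud run services list --format=json`. Everything below is example code
with constructed sample data; project/region/roles are placeholders.
"""
import json
import re

# The default Compute Engine SA is always <project number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Constructed sample mimicking `gcloud run services list --format=json` output.
SAMPLE_SERVICES_JSON = json.dumps([
    {
        "metadata": {"name": "billing-api", "namespace": "123456789012"},
        "spec": {"template": {"spec": {
            "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com",
            "containers": [{"image": "gcr.io/example/billing-api:1.4"}],
        }}},
    },
    {
        # No serviceAccountName at all: Cloud Run falls back to the default compute SA.
        "metadata": {"name": "legacy-worker", "namespace": "123456789012"},
        "spec": {"template": {"spec": {
            "containers": [{"image": "gcr.io/example/worker:0.9"}],
        }}},
    },
    {
        "metadata": {"name": "checkout", "namespace": "123456789012"},
        "spec": {"template": {"spec": {
            "serviceAccountName": "checkout-sa@example-project.iam.gserviceaccount.com",
            "containers": [{"image": "gcr.io/example/checkout:2.0"}],
        }}},
    },
])


def _service_account_name(service: dict) -> str:
    """Return the SA configured on the revision template, or "" if unset."""
    return service.get("spec", {}).get("template", {}).get("spec", {}).get("serviceAccountName", "") or ""


def uses_default_compute_sa(service: dict) -> bool:
    """True when the service runs as the default compute SA, explicitly or by omission."""
    sa = _service_account_name(service)
    return sa == "" or DEFAULT_COMPUTE_SA.match(sa) is not None


def find_violations(services_json: str) -> list:
    """Return one finding per service that runs as the default compute SA."""
    findings = []
    for svc in json.loads(services_json):
        if uses_default_compute_sa(svc):
            findings.append({
                "service": svc["metadata"]["name"],
                "service_account": _service_account_name(svc) or "(unset: Cloud Run uses the default compute SA)",
            })
    return findings


def remediation_commands(service: str, project: str, region: str, roles: list) -> list:
    """gcloud commands that create a dedicated SA with only `roles` and move the service onto it.

    The account id must be 6-30 lowercase letters, digits or hyphens. Whoever runs the
    final `update` also needs roles/iam.serviceAccountUser on the new SA (not granted here).
    """
    sa_id = f"{service}-sa"
    sa_email = f"{sa_id}@{project}.iam.gserviceaccount.com"
    cmds = [
        f"gcloud iam service-accounts create {sa_id} --project={project} "
        f"--display-name='{service} Cloud Run SA'",
    ]
    for role in roles:  # grant only what the service needs, never roles/editor
        cmds.append(
            f"gcloud projects add-iam-policy-binding {project} "
            f"--member=serviceAccount:{sa_email} --role={role}"
        )
    cmds.append(
        f"gcloud run services update {service} --region={region} --project={project} "
        f"--service-account={sa_email}"
    )
    return cmds


if __name__ == "__main__":
    # Placeholder inputs: replace with your project id, region and least-privilege roles.
    for finding in find_violations(SAMPLE_SERVICES_JSON):
        print(f"[GCP-RUN-002] {finding['service']} runs as {finding['service_account']}")
        for cmd in remediation_commands(finding["service"], "example-project",
                                        "us-central1", ["roles/datastore.viewer"]):
            print("  " + cmd)
```

In a real run, pipe `gcloud run services list --format=json --project=PROJECT` into `find_violations` instead of the sample; the regex check matters because the default SA is identified by the project number, not the project id.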

🎯 MITRE ATT&CK Mapping

  • T1078.004: Valid Accounts: Cloud Accounts
  • T1548: Abuse Elevation Control Mechanism

🏗️ Infrastructure as Code Fix

main.tf
# Dedicated identity for this one service (account_id: 6-30 lowercase letters, digits, hyphens).
# Grant it roles separately (google_project_iam_member) and only the ones the service needs.
resource "google_service_account" "cloud_run_sa" {
  account_id   = "my-service-sa"
  display_name = "My Cloud Run Service SA"
}

# name, location and a container image are required for the service to deploy (placeholder values).
resource "google_cloud_run_service" "service" {
  name     = "my-service"
  location = "us-central1"

  template {
    spec {
      # Run as the dedicated SA instead of the default compute SA
      service_account_name = google_service_account.cloud_run_sa.email
      containers {
        image = "gcr.io/my-project/my-service:latest"
      }
    }
  }
}

⚡ Common Pitfalls

  • Creating a custom SA but granting it the same broad roles (Editor) as the default SA
  • Not testing service functionality after switching to a custom SA with restricted permissions
  • Using one shared custom SA across multiple unrelated services, which recreates the shared-blast-radius problem
  • Forgetting that the deploying principal needs roles/iam.serviceAccountUser on the new SA, so the first deploy with it fails

📈 Business Value

Per-service custom SAs enable precise permission auditing and reduce blast radius from any single service compromise to only the resources that service legitimately accesses.

⏱️ Effort Estimate

Manual

1-2 hours per service to create SA and test with reduced permissions

With EchelonGraph

EchelonGraph detects services using default SAs and recommends minimum required roles

🔗 Cross-Framework References

SOC2-CC6.3 | ISO27001-A.9.2.3

Automate CIS GCP 8.2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
