Risk Level: High
Cloud Entity: GCP IAM Policy
CloudGuard Rule ID: D9.GCP.IAM.02
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamPolicy should not have bindings contain-any [ members contain-any ['%@gmail.com']]

REMEDIATION

From Portal

Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
Go to the Principals
Identify the personal account, select it and click remove.

From Command Line

Get the policy that you want to modify, and write it to a file:

gcloud projects get-iam-policy PROJECT_ID > PATH_TO_NEWLY_CREATED_FILE

In the created file, detect the personal (gmail) account and delete it.
Set the new iam policy of the project:

gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE

References

GCP IAM Policy

You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.0.0
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CSA CCM v.3.0.1
GCP CloudGuard Best Practices
GCP CloudGuard CheckUp
GCP CloudGuard SOC2 based on AICPA TSC 2017
GCP GDPR Readiness
GCP HIPAA
GCP ISO 27001:2013
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 4
GCP NIST 800-53 Rev 5
GCP NIST CSF v1.1
GCP PCI-DSS 3.2
GCP PCI-DSS 4.0