Ensure That Service Account Has No Admin Privileges

A service account is a special Google account that belongs to your application or a VM instance rather than to an individual end user. Your application uses the service account to call a Google service's API, so that end users are not directly involved. A service account should not be granted administrative access: roles whose name contains 'admin', and the basic roles Owner (roles/owner) and Editor (roles/editor), give the workload far more permission than it needs, and a leaked key or a compromised instance then inherits that entire blast radius.

Risk Level: High
Cloud Entity: Service Account
CloudGuard Rule ID: D9.GCP.IAM.05
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

ServiceAccount should not have roles contain-any [ ($ like '%admin%') or $ in ('roles/owner', 'roles/editor') ]

REMEDIATION

From Portal

  1. Go to IAM & admin / IAM using https://console.cloud.google.com/iam-admin/iam
  2. Open the Principals view.
  3. Identify the service account with over-permissive roles and click the edit principal (pencil) icon next to it.
  4. Identify the over-permissive roles, click the delete (bin) icon next to each to remove it from the service account, then save.

From Command Line

  1. Get the project IAM policy that you want to modify, and write it to a file:
gcloud projects get-iam-policy PROJECT_ID > PATH_TO_NEWLY_CREATED_FILE
  2. In the created file, find the over-permissive service account and remove its serviceAccount: member entry from every binding whose role contains 'admin' or is 'roles/owner' or 'roles/editor'. Remove only that member, not the whole binding, unless the service account was its only member; other principals share the same binding. Keep the etag field in the file, so that set-iam-policy refuses the write if the policy was changed concurrently instead of silently overwriting it.
  3. Set the new IAM policy of the project:
gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE
Note that the project policy is only one place a service account can be granted a role: bindings inherited from the parent folder or organization do not appear in this file and must be removed at that level.
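The following script is an added example, not CloudGuard's or Google's code, that performs the two CLI steps above offline: it applies the same predicate as the GSL rule to a policy in the JSON form produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`, lists the offending service-account bindings, writes a remediated copy of the policy that drops only the service-account member (keeping other principals and the etag), and prints the equivalent per-binding `gcloud projects remove-iam-policy-binding` commands. The sample policy, the project ID `my-proj` and the member names are constructed for illustration; the case-insensitive 'admin' substring match is an assumption about the GSL `like` operator, chosen so that predefined roles such as roles/storage.objectAdmin match.

```python
"""Audit a GCP project IAM policy for service accounts holding admin-like roles.

Input is the JSON form of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
The test is the same as the GSL rule: a serviceAccount: member must not sit in a
binding whose role contains 'admin' or is roles/owner / roles/editor.
"""
import json

BASIC_OVERPERMISSIVE = {"roles/owner", "roles/editor"}


def is_overpermissive(role: str) -> bool:
    """Mirror the GSL predicate. The substring test is case-insensitive here
    (assumption) so that predefined roles like roles/storage.objectAdmin match."""
    return "admin" in role.lower() or role in BASIC_OVERPERMISSIVE


def is_service_account(member: str) -> bool:
    """IAM member strings carry a type prefix; service accounts use 'serviceAccount:'."""
    return member.startswith("serviceAccount:")


def find_violations(policy: dict) -> list[tuple[str, str]]:
    """Sorted (member, role) pairs for every service account bound to an over-permissive role."""
    hits = []
    for binding in policy.get("bindings", []):
        if not is_overpermissive(binding["role"]):
            continue
        hits.extend((m, binding["role"]) for m in binding.get("members", [])
                    if is_service_account(m))
    return sorted(hits)


def remediated_policy(policy: dict) -> dict:
    """Copy of the policy with offending service-account members removed.

    Only the member is dropped, never the binding's other principals; a binding
    left with no members is deleted. The etag is preserved so that
    `gcloud projects set-iam-policy` fails instead of clobbering a concurrent edit.
    """
    fixed = {k: v for k, v in policy.items() if k != "bindings"}
    fixed["bindings"] = []
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        if is_overpermissive(binding["role"]):
            members = [m for m in members if not is_service_account(m)]
        if members:
            fixed["bindings"].append({**binding, "members": members})
    return fixed


def remediation_commands(project_id: str, policy: dict) -> list[str]:
    """Equivalent per-binding gcloud commands, for teams that prefer not to
    round-trip the whole policy file. Conditional bindings are flagged for manual
    review because removing them requires passing the matching --condition."""
    cmds = []
    for binding in policy.get("bindings", []):
        if not is_overpermissive(binding["role"]):
            continue
        for member in binding.get("members", []):
            if not is_service_account(member):
                continue
            if "condition" in binding:
                cmds.append(f"# REVIEW: conditional binding {binding['role']} for {member}")
            else:
                cmds.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                            f"--member={member} --role={binding['role']}")
    return cmds


# Constructed sample policy (not real data): a deploy SA made Owner, the default
# Compute Engine SA left as Editor, and a bucket uploader given objectAdmin.
SAMPLE_POLICY = {
    "etag": "BwXkQ1example=",
    "version": 1,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:uploader@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:uploader@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:app@my-proj.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    for member, role in find_violations(SAMPLE_POLICY):
        print(f"VIOLATION {member} has {role}")
    print("\n".join(remediation_commands("my-proj", SAMPLE_POLICY)))
    print(json.dumps(remediated_policy(SAMPLE_POLICY), indent=2))
```

Run it against a real export by replacing SAMPLE_POLICY with `json.load(open(PATH_TO_NEWLY_CREATED_FILE))`; the remediated output can be written back to a file and applied with set-iam-policy, or the printed commands applied one at a time. Either way, review the list before applying it: a role such as roles/storage.objectAdmin on a single bucket may be the least privilege the workload actually needs, in which case the fix is to move the grant from the project to the bucket, not to drop it.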

References

  1. https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
  2. https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
  3. https://cloud.google.com/iam/docs/understanding-roles
  4. https://cloud.google.com/iam/docs/understanding-service-accounts

Service Account

A service account is an account that belongs to your application instead of an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP Dashboard System Ruleset
  • GCP GDPR Readiness
  • GCP HIPAA
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0