Risk Level: High
Cloud Entity: Service Account
CloudGuard Rule ID: D9.GCP.IAM.05
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

ServiceAccount should not have roles contain-any [ ($ like '%admin%') or $ in ('roles/owner', 'roles/editor') ]

REMEDIATION

From Portal

Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
Go to the Principals
Identify the service account with over-permissive roles, click on the edit member icon.
Identify the over-permissive roles and click on the delete bin icon to remove role from the service account.

From Command Line

Get the policy that you want to modify, and write it to a file:

gcloud projects get-iam-policy PROJECT_ID > PATH_TO_NEWLY_CREATED_FILE

In the created file, detect the overly permissive service account and delete any role containing 'admin', 'roles/owner' or 'roles/editor'
Set the new iam policy of the service account:

gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE

References

https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
https://cloud.google.com/iam/docs/understanding-roles
https://cloud.google.com/iam/docs/understanding-service-accounts

Service Account

A service account is an account that belongs to your application instead of an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.0.0
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP CloudGuard CheckUp
GCP Dashboard System Ruleset
GCP GDPR Readiness
GCP HIPAA
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5
GCP PCI-DSS 4.0