Ensure that service accounts are not granted permissions to use other service accounts or to set IAM policies

If a service account is compromised, an attacker holding it could move laterally with little effort: impersonating other service accounts or rewriting IAM policies extends the compromise beyond the original account. Therefore you should avoid giving a service account permissions to use other service accounts or to set IAM policies.

Risk Level: High
Cloud Entity: Service Account
CloudGuard Rule ID: D9.GCP.IAM.11
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

ServiceAccount should not have roles contain-any [ $ like 'roles/iam.serviceAccount%' ] or roles contain-any [ $ like 'roles/iam.securityAdmin' ]

REMEDIATION

From Portal

  1. Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
  2. Go to the Members
  3. Identify the service account with over-permissive roles, click on the edit member icon.
  4. Identify the over-permissive roles and click on the delete bin icon to remove the role from the service account.

From Command Line

  1. Get the policy that you want to modify and write it to a YAML file. Run:
gcloud projects get-iam-policy PROJECT_ID --format=yaml > PATH_TO_NEWLY_CREATED_FILE
  2. In the created YAML, identify the overly permissive service account and remove any role containing 'roles/iam.serviceAccount' or 'roles/iam.securityAdmin' from its bindings.
  3. Set the new IAM policy from the edited file:
gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE
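As an added example (not part of the CloudGuard page or of the gcloud tooling), the Python below applies the rule's GSL matching to a policy document of the shape `gcloud projects get-iam-policy` returns: it lists every service account holding a flagged role and produces the edited policy for the set-iam-policy step. The policy contents, project id and member names are constructed; the script removes only the service-account members from flagged bindings, so human members keep their roles.

```python
import copy
import fnmatch

# Role patterns from the rule's GSL logic: LIKE 'roles/iam.serviceAccount%' plus the exact securityAdmin role.
FLAGGED_ROLE_PATTERNS = ("roles/iam.serviceAccount*", "roles/iam.securityAdmin")

# Constructed sample policy (placeholder project id and members), same shape as gcloud's output.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/iam.securityAdmin",
         "members": ["serviceAccount:ci-sa@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwX-placeholder-etag",
    "version": 1,
}

def role_is_flagged(role):
    """True when the role matches one of the rule's patterns (case-sensitive, like the GSL)."""
    return any(fnmatch.fnmatchcase(role, pattern) for pattern in FLAGGED_ROLE_PATTERNS)

def find_violations(policy):
    """Return sorted (member, role) pairs where a service account holds a flagged role."""
    hits = set()
    for binding in policy.get("bindings", []):
        if role_is_flagged(binding.get("role", "")):
            for member in binding.get("members", []):
                if member.startswith("serviceAccount:"):
                    hits.add((member, binding["role"]))
    return sorted(hits)

def strip_violations(policy):
    """Copy of the policy with service-account members removed from flagged bindings.
    Empty bindings are dropped; etag/version are kept so set-iam-policy can detect concurrent edits."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        if role_is_flagged(binding.get("role", "")):
            binding["members"] = [m for m in binding.get("members", []) if not m.startswith("serviceAccount:")]
        if binding.get("members"):
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned

if __name__ == "__main__":
    for member, role in find_violations(SAMPLE_POLICY):
        print(f"{member} holds {role}")
```

In practice the policy would be loaded from the YAML file written in step 1 (for example with `yaml.safe_load`) and the cleaned result written back to the file passed to `gcloud projects set-iam-policy`.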

References

  1. https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
  2. https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
  3. https://cloud.google.com/iam/docs/understanding-roles
  4. https://cloud.google.com/iam/docs/understanding-service-accounts

Service Account

A service account is an account that belongs to your application instead of an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP GDPR Readiness
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5