Avoid using pre-IAM basic (primitive) roles
Basic roles (Owner, Editor and Viewer; formerly called primitive roles) bundle a very large number of permissions across every GCP service, so granting one of them to a principal violates the principle of least privilege. Avoid basic roles and instead grant predefined roles, or custom roles, that cover only the permissions each principal actually needs. Note that the rule below flags roles/owner and roles/editor; roles/viewer is also a basic role and should be reviewed with the same care.
Risk Level: High
Cloud Entity: GCP IAM Policy
CloudGuard Rule ID: D9.GCP.IAM.12
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
GcpIamPolicy should not have bindings contain-any [ role like 'roles/owner' or role like 'roles/editor' ]
REMEDIATION
From Portal
- Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
- Open the Principals view
- Identify each principal bound to the Owner or Editor role, grant the predefined or custom roles that principal actually needs while following the principle of least privilege, then remove the Owner/Editor binding.
- Caveats: removing every Owner from a project can lock you out of managing it, so keep a break-glass principal (or organization-level administrator) that can still administer the project; also note that the Compute Engine and App Engine default service accounts are granted Editor automatically when their APIs are enabled, so expect to find them in the results.
From Command Line
- Get the project's current IAM policy and write it to a file (get-iam-policy prints to stdout; it does not take an output path). Run:
gcloud projects get-iam-policy PROJECT_ID --format=yaml > PATH_TO_NEWLY_CREATED_FILE
- In the created file add the roles that each member needs while following the principle of least privilege, then remove the roles/owner and roles/editor bindings. Leave the etag field in place: set-iam-policy uses it to reject the write if the policy changed after you read it.
- Set the new IAM policy:
gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE
- Alternatively, remove a single binding without editing the whole policy:
gcloud projects remove-iam-policy-binding PROJECT_ID --member=MEMBER --role=roles/editor
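The following script is an added example, not part of the CloudGuard rule or of Google's tooling. It applies the GSL check above to a policy document in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, and then carries out the edit step of the command-line remediation: it strips the roles/owner and roles/editor bindings, re-grants each affected member the least-privilege roles an operator has chosen for it, and keeps the etag so the result can be handed straight to `gcloud projects set-iam-policy`. The sample policy, the members, the project number, the etag and the REPLACEMENTS mapping are all constructed for illustration; the roles chosen in REPLACEMENTS are an assumption about what those principals need, not a recommendation.

```python
import json
from typing import Dict, List, Tuple

# The basic roles flagged by the CloudGuard rule on this page. roles/viewer
# is also a basic role, but the GSL checks only owner and editor, so we match it.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy in the shape printed by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# Members, project number and etag are made-up illustration values.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:bob@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]},
    {"role": "roles/logging.viewer",
     "members": ["group:sre@example.com"]}
  ],
  "etag": "BwXnDkexample=",
  "version": 1
}
"""

# Hypothetical least-privilege mapping (member -> predefined roles) that an
# operator decides on per principal. This is an assumption for the example.
REPLACEMENTS: Dict[str, List[str]] = {
    "user:alice@example.com": ["roles/resourcemanager.projectIamAdmin",
                               "roles/viewer"],
    "user:bob@example.com": ["roles/storage.objectAdmin"],
    "serviceAccount:123456789012-compute@developer.gserviceaccount.com":
        ["roles/logging.logWriter", "roles/monitoring.metricWriter"],
}


def load_policy(text: str) -> dict:
    """Parse a policy document as printed by get-iam-policy --format=json."""
    return json.loads(text)


def find_basic_role_bindings(policy: dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs bound to a basic role.

    Same test as the GSL rule: the policy fails if any binding's role is
    roles/owner or roles/editor.
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in BASIC_ROLES:
            for member in binding.get("members", []):
                findings.append((binding["role"], member))
    return findings


def remediate(policy: dict, replacements: Dict[str, List[str]]) -> dict:
    """Return a copy of `policy` with basic-role bindings removed and each
    affected member re-granted the roles listed for it in `replacements`.

    A flagged member with no replacement entry raises ValueError instead of
    silently losing all access: the operator must decide what that principal
    needs before the policy is written back.
    """
    kept: List[dict] = []
    flagged: List[Tuple[str, str]] = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in BASIC_ROLES:
            flagged.extend((binding["role"], m) for m in binding.get("members", []))
        else:
            # Copy the binding (including any "condition") so the input is untouched.
            kept.append(dict(binding, members=list(binding.get("members", []))))

    # Unconditional bindings can be merged into; conditional ones (which may
    # repeat a role) are left alone and never used as a merge target.
    by_role = {b["role"]: b for b in kept if "condition" not in b}

    def grant(role: str, member: str) -> None:
        b = by_role.get(role)
        if b is None:
            b = {"role": role, "members": []}
            kept.append(b)
            by_role[role] = b
        if member not in b["members"]:
            b["members"].append(member)

    for old_role, member in flagged:
        if member not in replacements:
            raise ValueError(f"no least-privilege replacement defined for "
                             f"{member} (currently {old_role})")
        for new_role in replacements[member]:
            grant(new_role, member)

    # Keep etag/version: set-iam-policy uses the etag to reject a write that
    # races with a change made after get-iam-policy ran.
    result = {k: v for k, v in policy.items() if k != "bindings"}
    result["bindings"] = kept
    return result


def remediate_policy_json(text: str, replacements: Dict[str, List[str]]) -> str:
    """JSON in, remediated JSON out, ready for
    gcloud projects set-iam-policy PROJECT_ID edited.json"""
    return json.dumps(remediate(load_policy(text), replacements), indent=2)


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for role, member in find_basic_role_bindings(policy):
        print(f"FAIL  {member} is bound to {role}")
    print(remediate_policy_json(SAMPLE_POLICY_JSON, REPLACEMENTS))
```

Running it against the sample lists the three owner/editor grants, then prints a policy in which only predefined roles remain and the etag is preserved. Pipe the real policy in with `gcloud projects get-iam-policy PROJECT_ID --format=json` and feed the output to `set-iam-policy`; if any flagged member is missing from the replacement mapping the script stops with an error rather than writing a policy that removes that principal's access entirely.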
References
- https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
- https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
- https://cloud.google.com/iam/docs/understanding-roles
- https://cloud.google.com/iam/docs/permissions-reference
GCP IAM Policy
You grant roles to principals through an IAM policy: a collection of role bindings, each of which lists the principals granted one role, that together define who has what type of access. A policy is attached to a resource (such as a project) and is enforced whenever that resource is accessed.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CloudGuard Best Practices
- GCP GDPR Readiness
- GCP LGPD regulation
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5