Risk Level: High
Cloud Entity: GCP IAM Policy
CloudGuard Rule ID: D9.GCP.IAM.12
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamPolicy should not have bindings contain-any [ role like 'roles/owner' or role like 'roles/editor' ]

REMEDIATION

From Portal

Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
Go to the Principals
Identify the member with the owner/basic roles, add the roles that each member needs while following the principle of least privilege, then remove any owner/editor roles.

From Command Line

Get the projects policy and write it to a yaml file,Run:

gcloud projects get-iam-policy PROJECT_ID PATH_TO_NEWLY_CREATED_FILE

In the created yaml add the roles that each member needs while following the principle of least privilege, then remove owner/editor roles.
Set the new iam policy:

gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE

References

GCP IAM Policy

You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CloudGuard Best Practices
GCP GDPR Readiness
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5