Risk Level: Critical
Cloud Entity: GCP IAM Policy
CloudGuard Rule ID: D9.GCP.IAM.15
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamPolicy should not have bindings contain-any [ role in ('roles/iam.workloadIdentityUser', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]

REMEDIATION

From Portal
In order to add permissions for an identity to use a specific service account, follow these instructions:

Go to IAM - Service accounts using https://console.cloud.google.com/iam-admin/serviceaccounts
Select the service account that you want to allow to impersonate, click Permissions
Under Members click Grant access
Enter the user's / service account email and select the role to allow impersonating.
Click Save to apply changes

From Command Line

Get the policy that you want to modify, and write it to a yaml file:

gcloud iam service-accounts get-iam-policy SERVICE_ACCOUNT_ID PATH_TO_NEW_FILE

In the created yaml, add new biding with the role and the member that should be granted with it.
Set the new iam policy of the service account:

gcloud iam service-accounts set-iam-policy SERVICE_ACCOUNT_ID PATH_TO_NEW_FILE

In order to remove the project level permissions:

Get the policy that you want to modify, and write it to a yaml file:

gcloud projects get-iam-policy PROJECT_ID PATH_TO_NEW_FILE

In the created yaml, detect the member with the overly permissive roles and delete these roles.
Set the new iam policy of the project:

gcloud projects set-iam-policy PROJECT_ID PATH_TO_NEW_FILE

References

https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/get-iam-policy
https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/set-iam-policy
https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
https://cloud.google.com/iam/docs/impersonating-service-accounts#impersonate-sa-level
https://cloud.google.com/iam/docs/impersonating-service-accounts#allow-impersonation

GCP IAM Policy

You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CloudGuard Best Practices
GCP CloudGuard CheckUp
GCP GDPR Readiness
GCP HIPAA
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5
GCP PCI-DSS 4.0