Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users

Separation of duties means that no single individual should hold enough permissions to complete a malicious action on their own. A user should not be able both to create (administer) a service account and to use or impersonate it: combining the two lets the user mint a service account with broader privileges and then act as it, reaching resources they were never granted directly.

Risk Level: High
Cloud Entity: GCP IAM User
CloudGuard Rule ID: D9.GCP.IAM.18
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamUser should not have roleNames contain [ $ like 'roles/iam.serviceAccountAdmin' ] and roleNames contain [ $ in ('roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser', 'roles/iam.workloadIdentityUser') ]

REMEDIATION

From Portal

  1. Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
  2. Go to the Principals list
  3. Identify the Principal with both admin and user roles and remove one of: 'roles/iam.serviceAccountAdmin' or ('roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser', 'roles/iam.workloadIdentityUser').

From Command Line

  1. Get the policy that you want to modify and write it to a file:
     gcloud projects get-iam-policy PROJECT_ID > PATH_TO_NEWLY_CREATED_FILE
  2. In the created file, remove one of 'roles/iam.serviceAccountAdmin' or ('roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser', 'roles/iam.workloadIdentityUser') from each member that holds both.
  3. Set the new IAM policy:
     gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE
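The edit in step 2 is easy to get wrong by hand on a large policy. The following added example (not CloudGuard's or Google's code) applies the rule's check and the remediation to a policy file fetched with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the policy below is a constructed sample, and the script goes slightly beyond the rule by checking every principal type, not only user: members.

```python
import json

# The two sides the rule keeps apart: administering a service account vs. using it.
ADMIN_ROLE = "roles/iam.serviceAccountAdmin"
USER_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.workloadIdentityUser",
}

# Constructed sample shaped like `gcloud projects get-iam-policy --format=json` output.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}

def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}; binding conditions are ignored."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out

def find_violations(policy):
    """Members holding the admin role together with at least one use-side role."""
    return sorted(m for m, roles in roles_by_member(policy).items()
                  if ADMIN_ROLE in roles and roles & USER_ROLES)

def remediate(policy, drop_admin=False):
    """Return a new policy with one side removed for every violating member.
    Default strips the use-side roles; drop_admin=True strips the admin role instead."""
    violators = set(find_violations(policy))
    to_strip = {ADMIN_ROLE} if drop_admin else USER_ROLES
    fixed = json.loads(json.dumps(policy))  # deep copy; etag is kept so set-iam-policy can detect races
    for binding in fixed["bindings"]:
        if binding["role"] in to_strip:
            binding["members"] = [m for m in binding["members"] if m not in violators]
    fixed["bindings"] = [b for b in fixed["bindings"] if b["members"]]  # drop emptied bindings
    return fixed

if __name__ == "__main__":
    print("violations:", find_violations(SAMPLE_POLICY))
    print(json.dumps(remediate(SAMPLE_POLICY), indent=2))  # feed this to set-iam-policy
```

Review the printed policy before running `gcloud projects set-iam-policy` with it, since the command replaces the whole policy.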

References

  1. https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
  2. https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
  3. https://cloud.google.com/iam/docs/understanding-roles
  4. https://cloud.google.com/iam/docs/permissions-reference

GCP IAM User

An IAM user is an entity that you create in GCP to represent the person or service that uses it to interact with GCP.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP GDPR Readiness
  • GCP LGPD regulation
  • GCP NIST 800-53 Rev 5