Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level

It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.

Risk Level: High
Cloud Entity: GCP IAM Policy
CloudGuard Rule ID: D9.GCP.IAM.25
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamPolicy should not have bindings contain-any [ role in ('roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]

REMEDIATION

From Portal

  1. Go to the IAM page in the GCP Console by visiting: https://console.cloud.google.com/iam-admin/iam.
  2. Click on the filter table text bar. Type Role: Service Account User.
  3. Click the Delete Bin icon in front of the role Service Account User for every user listed by the filter.
  4. Click on the filter table text bar. Type Role: Service Account Token Creator.
  5. Click the Delete Bin icon in front of the role Service Account Token Creator for every user listed by the filter.

From Command Line

  1. To get the project's IAM policy, use:
     gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
  2. Using a text editor, remove from iam.json the bindings whose role is 'roles/iam.serviceAccountUser' or 'roles/iam.serviceAccountTokenCreator'.
  3. Update the project's IAM policy:
     gcloud projects set-iam-policy PROJECT_ID iam.json
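The editing in step 2 is easy to get wrong by hand on a large policy, so the following script is added here as a worked example (it is not CloudGuard's code and not part of the original page). It implements the same check as the GSL logic above, find_violations(), and the remediation step, remove_flagged_bindings(), against a policy file in the shape that gcloud projects get-iam-policy produces. The sample policy, its project id, principals and etag are constructed placeholders.

```python
import json
from typing import Dict, List, Tuple

# Roles that must not be bound at project level (the roles named in the GSL logic).
FLAGGED_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT_ID --format json`
# output. Principals, project id and etag are placeholders, not real values.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com", "group:devs@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["user:carol@example.com"]}
  ],
  "etag": "BwXPLACEHOLDER=",
  "version": 1
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def find_violations(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs bound at project level with a flagged role.

    Mirrors the rule's GSL check: a binding with either flagged role is a
    finding regardless of the member type (user, group or service account).
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in FLAGGED_ROLES:
            for member in binding.get("members", []):
                findings.append((binding["role"], member))
    return findings


def remove_flagged_bindings(policy: Dict) -> Dict:
    """Return a copy of the policy without the flagged project-level bindings.

    The etag is preserved so that `gcloud projects set-iam-policy` can still
    detect a concurrent modification of the policy; nothing else is changed.
    """
    cleaned = dict(policy)
    cleaned["bindings"] = [
        b for b in policy.get("bindings", []) if b.get("role") not in FLAGGED_ROLES
    ]
    return cleaned


def remediate_file(src_path: str, dst_path: str) -> int:
    """Read iam.json from src_path, write the cleaned policy to dst_path and
    return the number of (role, member) grants that were removed."""
    with open(src_path) as f:
        policy = json.load(f)
    removed = len(find_violations(policy))
    with open(dst_path, "w") as f:
        json.dump(remove_flagged_bindings(policy), f, indent=2)
    return removed


if __name__ == "__main__":
    # Report findings the way the rule would, then show the remediated policy.
    for role, member in find_violations(SAMPLE_POLICY):
        print(f"FINDING: {member} holds {role} at project level")
    print(json.dumps(remove_flagged_bindings(SAMPLE_POLICY), indent=2))
```

After reviewing the output, write the cleaned policy back with gcloud projects set-iam-policy PROJECT_ID iam.json, and then grant the two roles on the individual service accounts that actually need them, as the rule recommends.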

From Terraform
Make sure you do not use the values role = "roles/iam.serviceAccountUser" or role = "roles/iam.serviceAccountTokenCreator" in your template when member is 'user:' for the following resources:
google_project_iam_binding
google_project_iam_member

for example:

resource "google_project_iam_binding" "project" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountUser"

  members = [
    "user:[email protected]",
  ]
}

Similarly for google_project_iam_member:

resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/iam.serviceAccountUser"
  member  = "user:[email protected]"
}

References

  1. https://cloud.google.com/iam/docs/service-accounts
  2. https://cloud.google.com/iam/docs/granting-roles-to-service-accounts
  3. https://cloud.google.com/iam/docs/understanding-roles
  4. https://cloud.google.com/iam/docs/granting-changing-revoking-access
  5. https://console.cloud.google.com/iam-admin/iam
  6. https://workbench.cisecurity.org/sections/507169/recommendations/827549
  7. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam

GCP IAM Policy

You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5