Risk Level: High
Cloud Entity: GCP IAM Policy
CloudGuard Rule ID: D9.GCP.IAM.25
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamPolicy should not have bindings contain-any [ role in ('roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]

REMEDIATION

From Portal

Go to the IAM page in the GCP Console by visiting: https://console.cloud.google.com/iam-admin/iam.
Click on the filter table text bar. Type Role: Service Account User.
Click the Delete Bin icon in front of the role Service Account User for every user listed as a result of a filter.
Click on the filter table text bar. Type Role: Service Account Token Creator.
Click the Delete Bin icon in front of the role Service Account Token Creator for every user listed as a result of a filter.

From Command Line

To get IAM policy, use

gcloud projects get-iam-policy PROJECT_ID --format json > iam.json

Using a text editor, remove the bindings with the 'roles/iam.serviceAccountUser' or 'roles/iam.serviceAccountTokenCreator'.
Update the project's IAM policy-

gcloud projects set-iam-policy PROJECT_ID iam.json

From Terraform
Make sure you don't the values role= 'roles/iam.serviceAccountUser' and role='roles/iam.serviceAccountTokenCreator' in your template when member is 'user:' for the resources you have;
google_project_iam_binding
google_project_iam_member

for example;

resource "google_project_iam_binding" "project"{
	project = "your-project-id"
	role    = "roles/iam.serviceAccountUser"
	
	members = [
	"user:user@example.com", ]
}

Similarly for 'google_project_iam_member' as well.

resource "google_project_iam_member" "project" {
	project = "your-project-id"
	role    = "roles/iam.serviceAccountUser"
	member  = "user:user@example.com"
}

References

GCP IAM Policy

You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5