Ensure GCP IAM user does not have permissions to deploy all resources
A user with the 'deploymentmanager.deployments.create' permission can create almost any resource: Deployment Manager executes deployments with the project's Google APIs Service Agent, which holds the Editor role by default, so a user who can create a deployment can effectively act with that service agent's permissions. Make sure this permission is only given to admin users.
Risk Level: High
Cloud Entity: GCP IAM User
CloudGuard Rule ID: D9.GCP.IAM.30
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
GcpIamUser should not have roles contain [includedPermissions contain ['deploymentmanager.deployments.create'] ]
REMEDIATION
From Portal
- Go to the Google Cloud Console.
- Navigate to IAM & Admin > IAM.
- Find the user with the undesired permission.
- Click the pencil icon to edit permissions.
- Remove the role granting this permission. Note that the permission is included not only in roles/deploymentmanager.editor but also in the basic roles/editor and roles/owner, and it may appear in custom roles; check each role the user holds. Consider applying a custom/least privilege role instead.
From Command Line
gcloud projects remove-iam-policy-binding your-project-id --member=user:USER_EMAIL --role=roles/deploymentmanager.editor
Repeat for every other binding that grants the permission. To see which permissions a role carries, run: gcloud iam roles describe ROLE --format="value(includedPermissions)"
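The following script is an added example, not part of the CloudGuard page or the GSL engine: it applies the rule's logic offline to the JSON shapes that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe ROLE --format=json` produce, and prints the remove-iam-policy-binding commands for each offending binding. The IAM policy and the role-to-permission table are constructed sample data (permission lists are abbreviated subsets, and the custom role dmDeployer is hypothetical); in practice the table is filled from gcloud iam roles describe for every role named in the policy.

```python
"""Offline check mirroring the GSL rule:
GcpIamUser should not have roles contain [includedPermissions contain
['deploymentmanager.deployments.create']].

Both inputs are constructed here so the script runs without a project.
"""
import json
from collections import defaultdict

TARGET_PERMISSION = "deploymentmanager.deployments.create"

# Constructed subset of role definitions (real roles carry many more permissions).
# Fill this from `gcloud iam roles describe ROLE --format=json` for every role in
# the policy, including custom roles under projects/... or organizations/....
ROLE_PERMISSIONS = {
    "roles/deploymentmanager.editor": [
        "deploymentmanager.deployments.create",
        "deploymentmanager.deployments.delete",
        "deploymentmanager.deployments.get",
        "deploymentmanager.deployments.update",
    ],
    "roles/deploymentmanager.viewer": [
        "deploymentmanager.deployments.get",
        "deploymentmanager.deployments.list",
    ],
    "roles/editor": [  # basic role; grants Deployment Manager write access too
        "deploymentmanager.deployments.create",
        "compute.instances.create",
        "storage.objects.create",
    ],
    "projects/example-project/roles/dmDeployer": [  # hypothetical custom role
        "deploymentmanager.deployments.create",
    ],
}

# Constructed IAM policy in `gcloud projects get-iam-policy --format=json` shape.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/deploymentmanager.editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/deploymentmanager.viewer",
     "members": ["user:bob@example.com"]},
    {"role": "roles/editor",
     "members": ["user:carol@example.com", "group:devs@example.com"]},
    {"role": "projects/example-project/roles/dmDeployer",
     "members": ["user:dave@example.com"]}
  ],
  "etag": "BwXYZ123",
  "version": 1
}
""")


def roles_granting(permission, role_permissions):
    """Return the set of role names whose includedPermissions contain `permission`."""
    return {role for role, perms in role_permissions.items() if permission in perms}


def find_offending_members(policy, role_permissions, permission=TARGET_PERMISSION,
                           member_prefix="user:"):
    """Map each matching member to the sorted roles that grant `permission`.

    `member_prefix` restricts results to the entity type the rule targets
    (GCP IAM users); pass "" to report every member type.  Roles missing from
    `role_permissions` are returned separately so the caller knows the check
    is incomplete rather than silently passing.
    """
    offending_roles = roles_granting(permission, role_permissions)
    hits = defaultdict(set)
    unknown_roles = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in role_permissions:
            unknown_roles.add(role)
            continue
        if role not in offending_roles:
            continue
        for member in binding.get("members", []):
            if member.startswith(member_prefix):
                hits[member].add(role)
    return {m: sorted(r) for m, r in sorted(hits.items())}, sorted(unknown_roles)


def remediation_commands(project_id, hits):
    """Build one remove-iam-policy-binding command per offending (member, role)."""
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member={member} --role={role}"
        for member, roles in hits.items() for role in roles
    ]


if __name__ == "__main__":
    hits, unknown = find_offending_members(SAMPLE_POLICY, ROLE_PERMISSIONS)
    for member, roles in hits.items():
        print(f"{member} gains {TARGET_PERMISSION} via {', '.join(roles)}")
    if unknown:
        print("roles not resolved (describe them and re-run):", ", ".join(unknown))
    for cmd in remediation_commands("example-project", hits):
        print(cmd)
```

On the sample data the script flags alice (via roles/deploymentmanager.editor), carol (via the basic roles/editor) and dave (via the custom role), and leaves bob alone; the serviceAccount and group members are outside the rule's scope but show up when `member_prefix=""`, which is worth running as well, since the escalation path is the same for any principal type.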
References
GCP IAM User
An IAM user is an identity, representing a person or a service, that is granted IAM roles in GCP and uses them to interact with GCP resources.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
Updated about 1 year ago