Ensure GCP IAM user does not have permissions to deploy all resources

A user with the 'deploymentmanager.deployments.create' permission can create almost any resource. Make sure this permission is only given to admin users

Risk Level: High
Cloud Entity: GCP IAM User
CloudGuard Rule ID: D9.GCP.IAM.30
Covered by Spectral: No
Category: Security, Identity, & Compliance


GcpIamUser should not have roles contain [includedPermissions contain ['deploymentmanager.deployments.create'] ]


From Portal

  1. Go to the Google Cloud Console.
  2. Navigate to IAM & Admin > IAM.
  3. Find the user with the undesired permission.
  4. Click the pencil icon to edit permissions.
  5. Remove the role granting this permission. Consider applying a custom/least privilege role.

From Command Line

gcloud projects remove-iam-policy-binding your-project-id --member=user:[email protected] --role=roles/deploymentmanager.editor


  1. https://cloud.google.com/iam/docs/overview
  2. https://cloud.google.com/deployment-manager/docs


An IAM user is an entity that you create in GCP to represent the person or service that uses it to interact with GCP.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset