GCP IAM Service Account Has Admin Privileges

This policy identifies service accounts that have admin privileges. Applications use a service account to make requests to the Google API of a service so that users aren't directly involved. It is recommended not to grant admin access to a service account.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

GCP IAM Service account has admin privileges.
JSON Query:
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or
$.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or
$.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or
$.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or
$.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or
$.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or
$.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or
$.resource[*].google_project_iam_member[*].*[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or
$.resource[*].google_project_iam_member[*].*[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com"
Recommendation:
Recommended solution to ensure that the GCP IAM service account does not have admin privileges:
Ensure that the GCP IAM service account does not have admin privileges. Make sure that in the template no "member" (or entry in "members") has an email address ending with ".gserviceaccount.com" when the role is either roles/owner or roles/editor.
For example:
"google_organization_iam_member": [
  {
    "binding": [
      {
        "member": "user:alice@gmail.com",
        "org_id": "0123456789",
        "role": "roles/editor"
      }
    ]
  }
]
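As an added example (not the policy's own rule engine), the following Python applies the same condition the build rule expresses to a Terraform configuration written in Terraform's JSON syntax (assumed layout: resource -> type -> name -> attributes): it flags every roles/owner or roles/editor grant whose member ends with ".gserviceaccount.com" across the four IAM resource types named in the query. The sample configuration is constructed.

```python
# Added example (not the policy's own checker): scan a Terraform JSON
# configuration for owner/editor roles bound to service accounts.
import json

ADMIN_ROLES = {"roles/owner", "roles/editor"}
SA_SUFFIX = ".gserviceaccount.com"
IAM_RESOURCE_TYPES = (
    "google_project_iam_member", "google_project_iam_binding",
    "google_organization_iam_member", "google_organization_iam_binding",
)

def _members(block):
    """Normalise the single 'member' of *_iam_member and the 'members'
    list of *_iam_binding into one list."""
    if "member" in block:
        return [block["member"]]
    return list(block.get("members", []))

def find_sa_admin_grants(tf_json):
    """Return (resource_type, name, role, member) for every owner/editor
    role bound to a service-account principal. Assumed input layout:
    Terraform JSON syntax, resource -> type -> name -> attributes."""
    findings = []
    for rtype, instances in tf_json.get("resource", {}).items():
        if rtype not in IAM_RESOURCE_TYPES:
            continue
        for name, block in instances.items():
            if block.get("role") not in ADMIN_ROLES:
                continue
            for member in _members(block):
                # e.g. "serviceAccount:ci@example-project.iam.gserviceaccount.com"
                if member.lower().endswith(SA_SUFFIX):
                    findings.append((rtype, name, block["role"], member))
    return findings

# Constructed sample: one violating binding, one compliant user grant and
# one service account holding a scoped, non-admin role.
SAMPLE_TF = json.loads("""{"resource": {
  "google_project_iam_binding": {"ci_editor": {
    "project": "example-project", "role": "roles/editor",
    "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com",
                "user:alice@example.com"]}},
  "google_project_iam_member": {
    "alice_editor": {"project": "example-project", "role": "roles/editor",
                     "member": "user:alice@example.com"},
    "ci_logs": {"project": "example-project", "role": "roles/logging.logWriter",
                "member": "serviceAccount:ci@example-project.iam.gserviceaccount.com"}}}}""")

if __name__ == "__main__":
    for f in find_sa_admin_grants(SAMPLE_TF):
        print("VIOLATION: %s.%s grants %s to %s" % f)
```

Running it reports only the `ci_editor` binding; the service account with `roles/logging.logWriter` and the user with `roles/editor` are not flagged, which mirrors the rule's scope.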

Run Rule Recommendation

  1. Log in to the GCP Portal.
  2. Go to IAM & admin (left panel).
  3. Choose the reported member and click on the edit icon.
  4. Remove the admin role and assign an appropriate role according to the requirement.
  5. Click Save.

Compliance

There are 5 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • CIS v1.0.0 (GCP)
  • ISO 27001:2013
  • PIPEDA
  • CCPA 2018
