GCP IAM User With Service Account Privileges

Checks that no individual IAM user (a member of the form "user:<email>") holds a service account impersonation role. The roles roles/iam.serviceAccountUser, roles/iam.serviceAccountActor (a legacy role) and roles/iam.serviceAccountTokenCreator let the holder act as a service account or mint access tokens for it, so a user granted one of these roles effectively inherits every permission of that service account. Restricting these roles to authorized, reviewed principals ensures that the access a service account carries cannot be borrowed by arbitrary users.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

GCP IAM user with service account privileges.
JSON Query:
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or
$.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or
$.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or
$.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or
$.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or
$.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or
$.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or
$.resource[*].google_project_iam_member[*].*[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or
$.resource[*].google_project_iam_member[*].*[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:"
Recommendation:
Ensure that no GCP IAM user holds service account privileges. In the template, make sure that no "member" or "members" entry starts with "user:" when the "role" is one of "roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator" or "roles/iam.serviceAccountActor"; grant these roles to a group or service account principal instead.
For example (a "group:" member satisfies the rule; "admin:" is not a valid GCP member type):
"google_iam_policy": [ { "<iam_policy_name>": [ { "binding": [ { "members": ["group:c@d.com"], "role": "roles/iam.serviceAccountUser" } ] } ] } ]

Run Rule Recommendation

  1. Log in to the GCP Console.
  2. Go to IAM & Admin in the left panel.
  3. Select IAM.
  4. In the list of principals, identify the users that hold the Service Account Actor, Service Account User or Service Account Token Creator role.
  5. For each unauthorized user, remove the role by clicking the Delete icon next to it.
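
The Build rule and the Run rule above apply the same test, once to a Terraform template and once to a live IAM policy. As an added example that is not Prisma Cloud's own rule engine, the Python below reimplements that test: scan_terraform walks a configuration written in Terraform's JSON syntax (maps keyed by resource name, not the list form the JSON Query above operates on) and scan_iam_policy walks the JSON that gcloud projects get-iam-policy --format=json returns. The resource names, e-mail addresses and policy contents are constructed for illustration.

```python
"""Flag individual users who hold service-account impersonation roles.

Added example, not Prisma Cloud's own rule engine. It reimplements the build
rule over Terraform's JSON configuration syntax (maps keyed by resource name,
not the list form shown in the query above) and the run rule over the output
of `gcloud projects get-iam-policy PROJECT --format=json`. All sample data is
constructed for illustration.
"""

# Roles that let the holder act as a service account or mint its tokens.
# roles/iam.serviceAccountActor is the legacy role the build rule still lists.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountActor",
    "roles/iam.serviceAccountTokenCreator",
}

# Terraform resource types the build rule inspects.
TF_IAM_RESOURCE_TYPES = (
    "google_project_iam_binding", "google_project_iam_member",
    "google_organization_iam_binding", "google_organization_iam_member",
)


def offending_members(role, members):
    """Return the user: members of a binding whose role allows impersonation."""
    if role not in IMPERSONATION_ROLES:
        return []
    return [m for m in members if m.startswith("user:")]


def _members_of(block):
    """Normalise the singular `member` and plural `members` attributes."""
    if "members" in block:
        return list(block["members"])
    return [block["member"]] if "member" in block else []


def scan_terraform(tf):
    """Build-rule logic: one (address, role, member) tuple per violation."""
    findings = []
    # *_iam_binding / *_iam_member resources carry role and member(s) directly.
    for rtype in TF_IAM_RESOURCE_TYPES:
        for name, body in tf.get("resource", {}).get(rtype, {}).items():
            for m in offending_members(body.get("role"), _members_of(body)):
                findings.append((f"{rtype}.{name}", body["role"], m))
    # google_iam_policy data sources carry them inside binding blocks.
    for name, body in tf.get("data", {}).get("google_iam_policy", {}).items():
        bindings = body.get("binding", [])
        if isinstance(bindings, dict):  # a single binding block is a dict
            bindings = [bindings]
        for b in bindings:
            for m in offending_members(b.get("role"), _members_of(b)):
                findings.append((f"data.google_iam_policy.{name}", b["role"], m))
    return findings


def scan_iam_policy(policy):
    """Run-rule logic: one (role, member) tuple per violation in a live policy."""
    return [
        (b["role"], m)
        for b in policy.get("bindings", [])
        for m in offending_members(b.get("role"), b.get("members", []))
    ]


# Constructed Terraform JSON: two compliant grants, two violations.
SAMPLE_TF = {
    "resource": {
        "google_project_iam_binding": {
            "viewers": {"role": "roles/viewer", "members": ["user:bob@example.com"]},
        },
        "google_project_iam_member": {
            "ci_runner": {"role": "roles/iam.serviceAccountUser",
                          "member": "serviceAccount:ci@example-project.iam.gserviceaccount.com"},
            "alice_tokens": {"role": "roles/iam.serviceAccountTokenCreator",
                             "member": "user:alice@example.com"},  # violation
        },
    },
    "data": {
        "google_iam_policy": {
            "sa_policy": {"binding": [{
                "role": "roles/iam.serviceAccountUser",
                "members": ["group:sa-users@example.com", "user:carol@example.com"],  # violation
            }]},
        },
    },
}

# Constructed `gcloud projects get-iam-policy` output with the same mix.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com",
                     "user:dave@example.com"]},
        {"role": "roles/iam.serviceAccountActor", "members": ["user:eve@example.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}

if __name__ == "__main__":
    for finding in scan_terraform(SAMPLE_TF):
        print("build rule:", *finding)
    for finding in scan_iam_policy(SAMPLE_POLICY):
        print("run rule:", *finding)
```

Run as a script it reports alice and carol from the template and dave and eve from the policy. Like the JSON Query on this page, it matches only members with the "user:" prefix: "serviceAccount:", "group:" and "domain:" members holding the same roles pass, so a group that contains the same people still needs to be reviewed by hand.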

Compliance

There are 11 standards that are applicable to this policy:
  • HIPAA
  • MITRE ATT&CK [Beta]
  • CIS v1.0.0 (GCP)
  • NIST 800-53 Rev4
  • HITRUST CSF v9.3
  • ISO 27001:2013
  • CSA CCM v3.0.1
  • SOC 2
  • PIPEDA
  • PCI DSS v3.2
  • CCPA 2018
