---
names:
  full: "Google IAM Service Account has admin privileges"
  contextual: "Service Account has admin privileges"
description: "A service account is a special Google account that belongs to an application or a VM, \
  instead of to an individual end-user. The application uses the service account to call the \
  service's Google API so that users aren't directly involved. It's recommended not to grant \
  admin access to service accounts."
type: COMPLIANCE_POLICY
categories:
  - "SECURITY"
frameworkMappings:
  - /frameworks/cis-gcp-v4.0.0/01/05
  - /frameworks/cloudaware/identity-and-access-governance/rbac-management
  - /frameworks/nist-sp-800-53-r5/ac/06
  - /frameworks/iso-iec-27001-2022/05/15
  - /frameworks/iso-iec-27001-2022/08/02
  - /frameworks/nist-csf-v1.1/pr-ac/04
  - /frameworks/soc-2/cc6/01/03
  - /frameworks/soc-2/cc6/01/04
  - /frameworks/soc-2/cc6/01/07
  - /frameworks/soc-2/cc6/01/08
  - /frameworks/soc-2/cc6/03/01
  - /frameworks/soc-2/cc6/03/02
  - /frameworks/soc-2/cc6/03/03
similarPolicies:
  cloudConformity:
    - url: "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/gcp/CloudIAM/restrict-admin-access-for-service-accounts.html"
      name: "Restrict Administrator Access for Service Accounts"