🛡️ Google Resource Manager Organization has a Redis IAM role assigned🟢

• Contextual name: 🛡️ Organization has a Redis IAM role assigned🟢
• ID: /ce/ca/google/iam/organization-assigned-redis-role
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Resource Manager Organization
  • 🔌 Google IAM Role - object.extracts.yaml
  • 🔌 Google IAM Policy Binding - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy identifies Google Resource Manager Organizations with any of the predefined Redis IAM roles (roles/redis.admin, roles/redis.editor, roles/redis.viewer) assigned to any principal (user, group, or service account).

Rationale

Assigning Redis roles at the organization level grants permissions across all projects within the organization, including projects that do not use Redis. Broad permissions increase the attack surface and the risk of accidental or malicious configuration changes to Redis instances in any project. Roles should be scoped to the specific projects where Redis instances are deployed and require management. Compromise of a principal with organization-level permissions could impact all Redis resources within the organization.

Impact

Requires careful planning to ensure the user retains the necessary permissions to perform their job functions without interruption.

Audit

This policy flags a Google Resource Manager Organization as INCOMPLIANT if its related Google IAM Policy Binding IAM Role Name is set to roles/redis.admin, roles/redis.editor, or roles/redis.viewer.

Remediation

Open File

Remediation

From Google Cloud Console

1. Navigate to IAM & Admin - IAM: https://console.cloud.google.com/iam-admin/iam
2. Identify any principals (users, groups, or service accounts) assigned the Redis roles (roles/redis.admin, roles/redis.editor, roles/redis.viewer) at the organization level.
3. Click the Delete Bin icon to remove the role from the principal.
4. Assign Redis roles scoped only to the projects where Redis instances exist and management is required.

Note: Changes should be guided by business requirements to ensure principals retain necessary permissions.

From gcloud CLI

1. Remove the organization-level Redis role from the principal:

   gcloud organizations remove-iam-policy-binding {{organization-id}} \
       --member="{{principal-type}}:{{principal-email}}" \
       --role="{{roles/redis.admin}}"

2. Assign a project-scoped Redis role appropriate for the principal’s responsibilities:

   gcloud projects add-iam-policy-binding {{project-id}} \

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management			14		no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights		3	12		no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	34		no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			42		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 PCI DSS v3.2.1 → 💼 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.			5		no data
💼 PCI DSS v3.2.1 → 💼 7.1.3 Assign access based on individual personnel's job classification and function.			5		no data
💼 PCI DSS v4.0.1 → 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges.			5		no data
💼 PCI DSS v4.0 → 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges.			5		no data