Skip to main content

πŸ“ Google IAM Service Account has admin privileges 🟒

  • Contextual name: πŸ“ Service Account has admin privileges 🟒
  • ID: /ce/ca/google/iam/service-account-admin-privileges
  • Located in: πŸ“ Google IAM

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user. The application uses the service account to call the service's Google API so that users aren't directly involved. It's recommended not to use admin access for ServiceAccount.

Rationale​

Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM. A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc. without user intervention. For this reason, it's recommended that service accounts not have Admin rights.

Impact​

Removing *Admin or *admin or Editor or Owner role assignments from service accounts may break functionality that uses impacted service accounts. Required role(s) should be assigned to impacted service accounts in order to restore broken functionalities.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
  2. Under the IAM Tab look for VIEW BY PRINCIPALS
  3. Filter PRINCIPALS using type : Service account
  4. Look for the Service Account with the Principal nomenclature: SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
  5. Identify User-Managed user created service account with roles containing *Admin or *admin or role matching Editor or role matching Owner under Role Column.
  6. Click on Edit (Pencil Icon) for the Service Account, it will open all the roles which are assigned to the Service Account.
  7. Click the Delete bin icon to remove the role from the Principal (service account in this case)

From Google Cloud CLI​

gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
  1. Using a text editor, Remove Role which contains roles/*Admin or roles/*admin or matched roles/editor or matches 'roles/owner`. Add a role to the bindings array that defines the group members and the role for those members.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 1.5 Ensure that Service Account has no Admin privileges - Level 1 (Automated)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 1.5 Ensure That Service Account Has No Admin Privileges - Level 1 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 1.5 Ensure That Service Account Has No Admin Privileges - Level 1 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 1.5 Ensure That Service Account Has No Admin Privileges - Level 1 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Role-Based Access Control (RBAC) Management11
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81149
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)649
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.15 Access control1430
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.2 Privileged access rights710
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1551
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties85
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102242
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-3 Restricts Logical Access121
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-4 Identifies and Authenticates Users46
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-7 Restricts Access to Information Assets1225
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-8 Manages Identification and Authentication1824
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.3-1 Creates or Modifies Access to Protected Information Assets3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.3-2 Removes Access to Protected Information Assets3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.3-3 Uses Access Control Structures14