π Google User has both Service Account Admin and Service Account User roles assigned π’
- Contextual name: π User has both Service Account Admin and Service Account User roles assigned π’
- ID:
/ce/ca/google/iam/service-account-related-roles-to-users - Located in: π Google IAM
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
Rationaleβ
The built-in/predefined IAM role
Service Account adminallows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM roleService Account Userallows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user should have
Service Account AdminandService Account Userroles assigned at the same time.... see more
Remediationβ
Remediationβ
From Google Cloud Consoleβ
- Go to
IAM & Admin/IAMusing https://console.cloud.google.com/iam-admin/iam.- For any member having both
Service Account AdminandService account Userroles granted/assigned, click theDelete Binicon to remove either role from the member. Removal of a role should be done based on the business requirements.
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 1.8 Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users - Level 2 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Role-Based Access Control (RBAC) Management | 9 |