🛡️ Google Super Admin Account is used for Google Cloud administration 🟢⚪
- Contextual name: 🛡️ Super Admin Account is used for Google Cloud administration 🟢⚪
- ID: /ce/ca/google/iam/super-admin-not-used-for-gcp-administration
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Description
Super Admin accounts should be used only for Google Workspace or Cloud Identity identity administration. Google Cloud administration should be performed with separate user accounts that have appropriate Google Cloud IAM roles.
Rationale
The Super Admin role can manage users, groups, domains, and many identity settings. Combining that role with Google Cloud IAM permissions expands the blast radius of a compromised account. Separating identity administration from cloud resource administration enforces least privilege and provides clearer operational accountability.
Impact
Organizations may need to create separate Google Cloud administrator accounts and remove IAM bindings from existing Super Admin users. Validate that administrators retain the required access through non-Super Admin accounts before removing existing IAM roles.
Audit
From Google Admin Console and Google Cloud Console
- In the Google Admin Console, go to Account > Admin roles.
- Open the Super Admin role and note all assigned user accounts.
...
Remediation
From Google Admin Console and Google Cloud Console
- Create separate regular user accounts for Google Cloud administration.
- Grant those accounts only the Google Cloud IAM roles required for their responsibilities.
- Review IAM bindings at the organization, folder, and project levels.
- Remove Super Admin accounts from Google Cloud IAM bindings.
- Confirm that Super Admin accounts remain reserved for Google Workspace or Cloud Identity administration.
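The audit and remediation steps above come down to one check: does any IAM binding at the organization, folder or project level name a Super Admin account? The following Python script is an added example, not part of this policy page or of Cloudaware's own tooling. It parses IAM policy documents in the JSON shape returned by `gcloud organizations get-iam-policy`, `gcloud resource-manager folders get-iam-policy` and `gcloud projects get-iam-policy` with `--format=json`, reports every binding (conditional ones included) that grants a role to a Super Admin user, and produces a cleaned policy for review before it is applied with the matching `set-iam-policy` command. The Super Admin account list and the three policies embedded below are constructed sample data, as are the resource IDs.

```python
import json
import sys

# Super Admin accounts noted from Admin console > Account > Admin roles (constructed sample).
SUPER_ADMINS = {"superadmin@example.com", "break-glass@example.com"}

# Constructed IAM policies keyed by resource, in the JSON shape gcloud returns from
#   gcloud organizations get-iam-policy ORG_ID --format=json
#   gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json
#   gcloud projects get-iam-policy PROJECT_ID --format=json
SAMPLE_POLICIES = {
    "organizations/123456789012": json.dumps({
        "version": 1,
        "etag": "BwConstructedOrgEtag=",
        "bindings": [
            {"role": "roles/resourcemanager.organizationAdmin",
             "members": ["user:superadmin@example.com", "group:gcp-org-admins@example.com"]},
            {"role": "roles/billing.admin",
             "members": ["user:SuperAdmin@example.com"]},
        ],
    }),
    "folders/987654321098": json.dumps({
        "version": 1,
        "etag": "BwConstructedFolderEtag=",
        "bindings": [
            {"role": "roles/resourcemanager.folderAdmin",
             "members": ["user:cloud-admin@example.com"]},
        ],
    }),
    "projects/example-prod": json.dumps({
        "version": 3,  # conditional bindings require policy version 3
        "etag": "BwConstructedProjectEtag=",
        "bindings": [
            {"role": "roles/owner",
             "members": ["user:break-glass@example.com",
                         "serviceAccount:deploy@example-prod.iam.gserviceaccount.com"]},
            {"role": "roles/viewer", "members": ["group:developers@example.com"]},
            {"role": "roles/compute.admin",
             "members": ["user:superadmin@example.com"],
             "condition": {"title": "temporary",
                           "expression": 'request.time < timestamp("2026-01-01T00:00:00Z")'}},
        ],
    }),
}


def user_email(member):
    """Return the lower-cased email of a 'user:' member, else None.

    Groups, service accounts, domains and allUsers/allAuthenticatedUsers are not
    expanded here: a Super Admin who holds a role through a group binding must be
    found by checking that group's membership separately.
    """
    kind, _, identity = member.partition(":")
    return identity.lower() if kind == "user" else None


def find_super_admin_bindings(policy_json, super_admins):
    """Return (email, role, condition_title) for each binding that names a Super Admin."""
    policy = json.loads(policy_json)
    admins = {a.lower() for a in super_admins}
    findings = []
    for binding in policy.get("bindings", []):
        condition = (binding.get("condition") or {}).get("title")
        for member in binding.get("members", []):
            email = user_email(member)
            if email in admins:
                findings.append((email, binding["role"], condition))
    return findings


def audit(policies, super_admins):
    """Map resource name -> findings, omitting resources with no Super Admin bindings."""
    report = {}
    for resource, policy_json in policies.items():
        hits = find_super_admin_bindings(policy_json, super_admins)
        if hits:
            report[resource] = hits
    return report


def remediated_policy(policy_json, super_admins):
    """Return the policy with Super Admin 'user:' members removed.

    Bindings left with no members are dropped. The etag is preserved so that
    set-iam-policy rejects the update if the policy changed after it was read.
    """
    policy = json.loads(policy_json)
    admins = {a.lower() for a in super_admins}
    kept = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if user_email(m) not in admins]
        if members:
            kept.append({**binding, "members": members})
    policy["bindings"] = kept
    return policy


if __name__ == "__main__":
    report = audit(SAMPLE_POLICIES, SUPER_ADMINS)
    for resource, hits in report.items():
        for email, role, cond in hits:
            suffix = f" (condition: {cond})" if cond else ""
            print(f"{resource}: {email} holds {role}{suffix}")
    sys.exit(1 if report else 0)
```

The script exits non-zero when any finding exists, so it can gate a scheduled compliance job. Replace the sample policies with the real `get-iam-policy --format=json` output for every organization, folder and project, and remember that the check only resolves direct `user:` members: confirm separately that no Super Admin sits in a group that carries a Google Cloud IAM role.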
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS GCP v5.0.0 → 💼 1.1.2 Ensure Super Admin Account Is Not Used For Google Cloud Administration - Level 1 (Manual) | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 General Access Controls | 23 | no data | | | |