🛡️ Google IAM Policy Binding Member (User) is assigned a basic role🟢

• Contextual name: 🛡️ User is assigned a basic role🟢
• ID: /ce/ca/google/iam/user-assigned-basic-role
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google IAM Policy Binding Member (User)
  • 🔌 Google IAM Role - object.extracts.yaml
  • 🔌 Google IAM Policy Binding - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy identifies Google IAM Users (Google Accounts as principal identifiers) assigned one of the following basic IAM roles: Owner, Editor, or Viewer.

Rationale

Basic roles are highly permissive, granting extensive permissions across all Google Cloud services. This approach violates the principle of least privilege and increases the risk of security breaches, accidental data loss, or service disruptions if a user’s credentials are compromised or misused. Adopting more granular predefined roles, or creating custom roles tailored to specific tasks, helps ensure users have only the permissions necessary to perform their job functions.

Impact

Requires careful planning to ensure the user retains the necessary permissions to perform their job functions without interruption.

Audit

This policy flags a Google IAM Policy Binding Member (User) as INCOMPLIANT if its related Google IAM Policy Binding IAM Role Name is set to roles/owner, roles/editor, or roles/viewer.

Remediation

Open File

Remediation

From Google Cloud Console

1. Navigate to IAM & Admin → IAM: https://console.cloud.google.com/iam-admin/iam
2. Locate any members assigned the Owner, Editor, or Viewer roles.
3. Click the Delete Bin icon to remove the role from the member.
4. Assign a more granular role based on the user’s job responsibilities.

Note: Role removal should be guided by business requirements to ensure users retain necessary access.

From gcloud CLI

1. Remove the basic role from the user:

   gcloud {{projects | organizations | resource-manager folders}} remove-iam-policy-binding {{resource-id}} \
       --member="user:{{user-email}}" \
       --role="{{roles/owner}}"

2. Assign a least-privilege role appropriate for the user’s responsibilities:

   gcloud {{projects | organizations | resource-manager folders}} add-iam-policy-binding {{resource-id}} \
       --member="user:{{user-email}}" \
       --role="{{least-privilege-role}}"

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 User Account Management			19		no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights		3	12		no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	34		no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			42		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-6 LEAST PRIVILEGE	10	2	7		no data
💼 PCI DSS v3.2.1 → 💼 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.			5		no data
💼 PCI DSS v3.2.1 → 💼 7.1.3 Assign access based on individual personnel's job classification and function.			5		no data
💼 PCI DSS v4.0.1 → 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges.			5		no data
💼 PCI DSS v4.0 → 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges.			5		no data