Remediation

From Google Cloud Console

  1. Navigate to IAM & Admin → IAM: https://console.cloud.google.com/iam-admin/iam
  2. Locate any members (users, groups, or service accounts) holding one of the basic roles Owner, Editor, or Viewer.
  3. Click the delete (bin) icon next to that role to remove the binding from the member.
  4. Assign a more granular role based on the user’s job responsibilities.

Note: Role removal should be guided by business requirements to ensure users retain necessary access. Grant the replacement role before removing the basic role so the member never loses access, and never remove the last remaining Owner of a project, folder, or organization: doing so can lock everyone out of the resource.

From gcloud CLI

  1. Remove the basic role (roles/owner, roles/editor, or roles/viewer) from the user; replace the user: prefix with group: or serviceAccount: for other member types:

    gcloud {{projects | organizations | resource-manager folders}} remove-iam-policy-binding {{resource-id}} \
    --member="user:{{user-email}}" \
    --role="roles/owner"
  2. Assign a least-privilege role appropriate for the user's responsibilities, either a predefined role (roles/...) or a custom role (projects/{{project-id}}/roles/{{role-id}}):

    gcloud {{projects | organizations | resource-manager folders}} add-iam-policy-binding {{resource-id}} \
    --member="user:{{user-email}}" \
    --role="{{least-privilege-role}}"
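The gcloud steps above are written for one member at a time. As an added example, not part of the original page, the bash functions below first use gcloud's own --flatten and --filter options to list every member holding a basic role on a resource, then turn those lines into remove-iam-policy-binding commands for review before anything is run. The guard that always keeps one Owner binding, the resource names used in the comments, and the sample input lines are assumptions for illustration; the member and project names are constructed, not real.

```shell
#!/usr/bin/env bash
# Added example (not the page's own script): enumerate GCP basic-role bindings
# and print the corresponding remove commands for review.

# list_basic_role_bindings GCLOUD_GROUP RESOURCE_ID
# GCLOUD_GROUP is "projects", "organizations" or "resource-manager folders";
# it is left unquoted below on purpose so the two-word form splits into two
# arguments. Prints one "ROLE<TAB>MEMBER" line per member (value format uses a
# tab separator by default), so no JSON parsing is needed.
list_basic_role_bindings() {
  local group="$1" rid="$2"
  # shellcheck disable=SC2086
  gcloud $group get-iam-policy "$rid" \
    --flatten="bindings[].members" \
    --filter="bindings.role=roles/owner OR bindings.role=roles/editor OR bindings.role=roles/viewer" \
    --format="value(bindings.role,bindings.members)"
}

# plan_removals GCLOUD_GROUP RESOURCE_ID
# Reads "ROLE<TAB>MEMBER" lines on stdin and emits one remove command per line.
# Assumed safety rule: one roles/owner binding is always kept (the last one
# listed is skipped), because removing every Owner locks everyone out of the
# resource. Grant a replacement Owner before removing that final binding.
plan_removals() {
  local group="$1" rid="$2"
  awk -F'\t' -v group="$group" -v rid="$rid" '
    { role[NR] = $1; member[NR] = $2; if ($1 == "roles/owner") owners++ }
    END {
      for (i = 1; i <= NR; i++) {
        if (role[i] == "roles/owner") {
          seen++
          if (seen == owners) {
            printf "# SKIP %s: last remaining Owner on %s, grant another Owner first\n",
                   member[i], rid
            continue
          }
        }
        printf "gcloud %s remove-iam-policy-binding %s --member=\"%s\" --role=\"%s\"\n",
               group, rid, member[i], role[i]
      }
    }'
}

# Usage against a live project (requires gcloud credentials; hypothetical ID):
#   list_basic_role_bindings projects my-project | plan_removals projects my-project
```

Review the printed commands, grant the granular replacement roles with add-iam-policy-binding, and only then execute the removals; the SKIP line marks the Owner binding you must replace by hand after another Owner exists.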