
πŸ“ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟒

  • Contextual name: 📝 IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟢
  • ID: /ce/ca/google/project/iam-user-roles
  • Located in: πŸ“ Google Project

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Logic

Description

It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user on a specific service account rather than granting either role to the user at project level.

Rationale

A service account is a special Google account that belongs to an application or a virtual machine (VM) instead of to an individual end user. The application or VM instance uses the service account to call Google APIs, so that users are not directly involved. In addition to being an identity, a service account is a resource that has IAM policies attached to it; these policies determine who can use the service account.

Users with IAM roles that allow updating App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used by those instances, and so indirectly gain access to every resource those service accounts can reach. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance's service account.


Remediation

From Google Cloud Console

  1. Go to the IAM page in the GCP Console: https://console.cloud.google.com/iam-admin/iam.
  2. Click the filter table text bar and type Role: Service Account User.
  3. Click the Delete Bin icon in front of the Service Account User role for every user listed by the filter.
  4. Click the filter table text bar and type Role: Service Account Token Creator.
  5. Click the Delete Bin icon in front of the Service Account Token Creator role for every user listed by the filter.

From Google Cloud CLI

  1. Using a text editor, remove the bindings with the roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator role.

    For example, you can use the iam.json file shown below as follows:

    {
      "bindings": [
        {
          "members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com"],
          "role": "roles/appengine.appViewer"
        },
        {
          "members": ["user:email1@gmail.com"],
          "role": "roles/owner"
        },
        {
          "members": [
            "serviceAccount:our-project-123@appspot.gserviceaccount.com",
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
          ],
          "role": "roles/editor"
        }
      ]
    }

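The check and the CLI remediation above, carried out programmatically over a project IAM policy as an added example (not Cloudaware's or CIS's own code): it flags user: and group: principals holding either role at project level (treating groups as IAM users is an assumption here) and produces the cleaned policy, which assumes the file will then be applied with gcloud projects set-iam-policy. The sample policy is constructed.

```python
import copy
import json

# Roles that CIS GCP 1.6 says belong on an individual service account, not on the project.
PRIVILEGED_SA_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}

# Constructed sample project policy in the shape of the iam.json above; the last two
# bindings are the finding this control looks for.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com"],
         "role": "roles/appengine.appViewer"},
        {"members": ["user:email1@gmail.com"], "role": "roles/owner"},
        {"members": ["user:dev@example.com", "group:ops@example.com",
                     "serviceAccount:ci@our-project-123.iam.gserviceaccount.com"],
         "role": "roles/iam.serviceAccountUser"},
        {"members": ["user:dev@example.com"], "role": "roles/iam.serviceAccountTokenCreator"},
    ]
}

def is_human(member):
    # Assumption: user: and group: principals count as IAM users; service accounts are left alone.
    return member.startswith(("user:", "group:"))

def find_violations(policy):
    """(role, member) pairs where a human principal holds a privileged SA role project-wide."""
    return sorted((b["role"], m)
                  for b in policy.get("bindings", []) if b.get("role") in PRIVILEGED_SA_ROLES
                  for m in b.get("members", []) if is_human(m))

def remediate(policy):
    """Copy of the policy with those members removed; bindings left empty are dropped and
    everything else (other bindings, etag, version) is preserved for set-iam-policy."""
    fixed = copy.deepcopy(policy)
    kept = []
    for b in fixed.get("bindings", []):
        if b.get("role") in PRIVILEGED_SA_ROLES:
            b["members"] = [m for m in b.get("members", []) if not is_human(m)]
        if b.get("members"):
            kept.append(b)
    fixed["bindings"] = kept
    return fixed

if __name__ == "__main__":
    for role, member in find_violations(SAMPLE_POLICY):
        print(f"FINDING: {member} holds {role} at project level")
    # Write this out and apply it with: gcloud projects set-iam-policy PROJECT_ID fixed.json
    print(json.dumps(remediate(SAMPLE_POLICY), indent=2))
```

Service-account members of the same bindings are kept on purpose, since the control is about IAM users; review those separately if they are not meant to impersonate other service accounts.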

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 CIS GCP v3.0.0 → 💼 1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level - Level 1 (Automated) | | | 1 |
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management | | | 9 |