GCP-IAM-Users-have-overly-permissive-service-account-privileges

Severity: Medium

Description: This control identifies IAM users that hold an overly permissive combination of service account privileges. No user should be granted both the Service Account Admin (roles/iam.serviceAccountAdmin) and Service Account User (roles/iam.serviceAccountUser) predefined roles at the same time. Service Account Admin lets the user create, delete and manage service accounts, including setting the IAM policy on them. Service Account User lets the user act as a service account, for example by attaching it to Compute Engine instances, App Engine or other workloads. Held together, the two roles let a single principal both grant themselves access to a service account and run code as it, so that principal's effective privilege becomes that of the most powerful service account they can reach.

Remediation Steps:

Perform the following steps to correct the IAM user's privileges:

  1. Sign in to the Google Cloud Console.

  2. In the navigation menu, go to IAM & Admin.

  3. Select IAM.

  4. From the list of principals, find the reported IAM user.

  5. Click the Edit principal (pencil) icon.

  6. The principal will show both the Service Account Admin and Service Account User roles. Click the delete (trash can) icon next to whichever of the two roles the user's duties do not require, so that only one remains, then click Save.
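The console steps above can also be checked and applied in bulk against the policy document that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns. The following Python is an added example, not code from the original page: the sample policy, principal names and etag are constructed, and the script works on the policy document only (the caller would write the remediated policy back with `gcloud projects set-iam-policy PROJECT_ID policy.json`).

```python
"""Detect and remediate principals holding both Service Account Admin and
Service Account User in a GCP project IAM policy.

Added example for this control; not part of the original page. Operates on
the JSON shape returned by `gcloud projects get-iam-policy --format=json`.
"""
import copy
import json

SA_ADMIN = "roles/iam.serviceAccountAdmin"
SA_USER = "roles/iam.serviceAccountUser"

# Constructed sample policy (not real project data). Alice holds both roles,
# once unconditionally and once via a time-limited conditional binding.
SAMPLE_POLICY = {
    "bindings": [
        {"role": SA_ADMIN,
         "members": ["user:alice@example.com", "group:platform@example.com"]},
        {"role": SA_USER,
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": SA_USER,
         "members": ["user:alice@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyConstructedEtag=",
    "version": 3,
}


def members_with_role(policy, role):
    """Return every member bound to `role`. A role can appear in several
    bindings (e.g. one unconditional, one with an IAM condition), so all
    bindings for the role are merged."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found


def find_overly_permissive(policy):
    """Principals holding both roles. Groups are reported as well, because
    each group member inherits the same combination."""
    return sorted(members_with_role(policy, SA_ADMIN)
                  & members_with_role(policy, SA_USER))


def remediate(policy, role_to_remove=SA_USER):
    """Return a new policy with the offending principals stripped from every
    binding of `role_to_remove` (default: Service Account User). Which of the
    two roles to drop depends on the principal's actual duty. Bindings left
    without members are removed. The etag is preserved so that setIamPolicy
    rejects the write if the policy changed in the meantime."""
    if role_to_remove not in (SA_ADMIN, SA_USER):
        raise ValueError("role_to_remove must be one of the two conflicting roles")
    offenders = set(find_overly_permissive(policy))
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        if binding.get("role") == role_to_remove:
            binding["members"] = [m for m in binding.get("members", [])
                                  if m not in offenders]
        if binding.get("members"):
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


if __name__ == "__main__":
    print("Principals with both roles:", find_overly_permissive(SAMPLE_POLICY))
    print(json.dumps(remediate(SAMPLE_POLICY), indent=2))
```

Run it against a saved policy by replacing SAMPLE_POLICY with `json.load(open("policy.json"))`; write the remediated output to a file and apply it with `gcloud projects set-iam-policy`, which will fail safely if the etag no longer matches.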

Important:

Follow the principle of separation of duties: no single individual should hold all the permissions needed to carry out a sensitive or malicious action on their own. Splitting the ability to manage service accounts from the ability to act as them limits the damage a compromised or misused account can do and helps avoid security or privacy incidents and errors.

Reference:

Blue Hexagon Proprietary