GCP-IAM-Users-have-overly-permissive-service-account-privileges

Severity: Medium

Description: This control identifies IAM users that hold overly permissive service account privileges, namely users granted both the Service Account Admin role (roles/iam.serviceAccountAdmin) and the Service Account User role (roles/iam.serviceAccountUser). No single user should hold both roles at the same time. The predefined Service Account Admin role allows a user to create, delete and manage service accounts, including the IAM policies set on them. The predefined Service Account User role allows a user to act as a service account, for example by attaching it to App Engine applications or Compute Engine instances. A user holding both can create or reconfigure a service account and then run workloads under its identity, which removes the separation between managing service accounts and using them.

Remediation Steps:

Perform the following steps to correct the reported IAM user's privileges:

  1. Log in to the Google Cloud Console.

  2. In the left panel, go to IAM & Admin.

  3. Select IAM.

  4. From the list of members, choose the reported IAM user.

  5. Click the Edit permissions (pencil) icon.

  6. For the member holding both the 'Service Account Admin' and 'Service Account User' roles, click the Delete (bin) icon next to one of the two roles to remove it, keeping only the role the user's duties require, and save.
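The same check and remediation can be done from the command line. The Python script below is an added example and is not code from this control page or its vendor: it reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, reports every member bound to both roles/iam.serviceAccountAdmin and roles/iam.serviceAccountUser, prints the `gcloud projects remove-iam-policy-binding` command that drops one of the two bindings, and can also apply the removal to the policy document for a get/edit/set-iam-policy workflow. SAMPLE_POLICY is a constructed sample; the project ID, member names and etag are made up.

```python
"""Find members holding both Service Account Admin and Service Account User
in a GCP project IAM policy and produce the remediation.

Added example, not part of the original control page or any vendor tool.
"""
import copy
import json
import sys

SERVICE_ACCOUNT_ADMIN = "roles/iam.serviceAccountAdmin"
SERVICE_ACCOUNT_USER = "roles/iam.serviceAccountUser"

# Constructed sample in `gcloud projects get-iam-policy --format=json` shape
# (project, members and etag are made up).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountAdmin",
     "members": ["user:alice@example.com", "group:sa-admins@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "user:bob@example.com",
                 "serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXexample=",
  "version": 1
}
""")


def members_with_role(policy, role):
    """All members bound to `role`, across every binding for that role
    (a role appears more than once when conditional bindings exist)."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def find_violations(policy):
    """Members that hold both roles. Caveat: direct bindings only; a user who
    gets one role via a group (group:sa-admins@example.com above) and the
    other directly is not reported, since group expansion needs the
    Cloud Identity / Directory API."""
    admins = members_with_role(policy, SERVICE_ACCOUNT_ADMIN)
    users = members_with_role(policy, SERVICE_ACCOUNT_USER)
    return sorted(admins & users)


def remediation_commands(project_id, policy, role_to_remove=SERVICE_ACCOUNT_USER):
    """One gcloud command per violating member dropping `role_to_remove`.
    Which role to drop is a judgement call: keep the one the person's duties
    need. A binding carrying an IAM condition also needs a matching
    --condition flag for gcloud to locate it."""
    if role_to_remove not in (SERVICE_ACCOUNT_ADMIN, SERVICE_ACCOUNT_USER):
        raise ValueError("role_to_remove must be one of the two checked roles")
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member={member} --role={role_to_remove}"
        for member in find_violations(policy)
    ]


def remove_role_from_member(policy, member, role):
    """Copy of `policy` with `member` removed from every binding of `role`,
    for the get-iam-policy / edit / set-iam-policy workflow. The etag is kept
    so set-iam-policy rejects the write if the policy changed meanwhile;
    bindings left with no members are dropped."""
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        if binding.get("role") == role:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    updated["bindings"] = kept
    return updated


def remediate(policy, role_to_remove=SERVICE_ACCOUNT_USER):
    """Strip `role_to_remove` from every violating member; returns a new policy."""
    for member in find_violations(policy):
        policy = remove_role_from_member(policy, member, role_to_remove)
    return policy


if __name__ == "__main__":
    # Usage: python sa_roles_check.py [policy.json]  (defaults to the sample)
    policy = SAMPLE_POLICY
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    for member in find_violations(policy):
        print("VIOLATION:", member)
    for cmd in remediation_commands("example-project", policy):
        print(cmd)
    print(json.dumps(remediate(policy), indent=2))
```

To run it against a real project, export the policy with `gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json` and pass the file as the first argument; the printed JSON from `remediate` can be fed back with `gcloud projects set-iam-policy PROJECT_ID policy.json` after review. Note that the script only sees the project-level policy; the same two roles can also be granted on folders, the organization, or individual service accounts, and those policies need the same check.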

Important:

It is recommended to follow the principle of separation of duties: no single individual should hold all of the permissions needed to complete a malicious action. Splitting these permissions across different people helps prevent security and privacy incidents as well as accidental errors.

Blue Hexagon Proprietary