Overview
A service account is a special Google account that belongs to your application or a VM rather than to an individual end user. Your application uses the service account to call a Google service's API, so that no user is directly involved. Service accounts should not be granted administrative access.
Rationale
The roles bound to a service account define the service-level privileges of the resource (application or VM) that runs as it. Granting a service account an Admin role, or the basic Editor or Owner roles, gives that workload, and anyone who obtains its credentials or can impersonate it, broad control over the project: it can delete and update resources and change settings without any user intervention. For this reason, service accounts should not hold Admin rights.
Impact
Removing *Admin or *admin, Editor, or Owner role assignments from service accounts may break functionality that relies on the affected service accounts. Assign the least-privileged role(s) the workload actually needs to the affected service accounts in order to restore the broken functionality.
Remediation guidance
From Google Cloud Console
- Go to IAM & admin, then IAM, at https://console.cloud.google.com/iam-admin/iam
- Under VIEW BY PRINCIPALS, identify user-managed, user-created service accounts with roles containing *Admin, or with the Editor or Owner role
- Click the Delete (bin) icon to remove the role from the member (the service account in this case)
From Google Cloud CLI
Retrieve details about the IAM policies:
gcloud projects get-iam-policy <projectID> --format json > iam.json
Using a text editor, remove the affected service account from every binding whose role contains roles/*Admin or roles/*admin, or matches roles/editor or roles/owner (drop the binding entirely if no members remain). If the workload still needs access, add a binding to the bindings array that lists the members and the least-privileged role that covers them. Leave the etag field unchanged: set-iam-policy uses it to reject the update if the policy was modified on the server in the meantime.
Update the project's IAM policy:
gcloud projects set-iam-policy <projectID> iam.json
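The console and CLI steps above, as an added worked example that is not part of this page and not Google's own tooling: a Python script that applies the same matching rule as the stored check (roles/owner, roles/editor, or any role whose ID contains "admin") to a policy JSON exported with gcloud projects get-iam-policy, reports the offending bindings for user-created service accounts, prints the equivalent per-binding gcloud removals, and writes a remediated policy that preserves the etag. The sample policy, the project ID my-proj, the file name iam.fixed.json, and the rule that user-created accounts are the ones in the project's own @<project-id>.iam.gserviceaccount.com domain without a service- prefix are assumptions made for this example.

```python
"""Flag and strip Admin/Editor/Owner bindings held by user-created service accounts.

Input: the JSON that `gcloud projects get-iam-policy <projectID> --format json` emits.
Added example for this control; not code from the page or from Google's tooling.
"""
import json
import re
import sys
from typing import Dict, List, Tuple

# Same rule as the stored check: the basic Owner/Editor roles, plus any predefined
# or custom role whose ID contains "admin" (matched case-insensitively so that
# roles/storage.admin and roles/compute.instanceAdmin.v1 are both caught).
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Assumption for this example: user-created service accounts are those in the
# project's own domain, <name>@<project-id>.iam.gserviceaccount.com, excluding
# Google-managed service agents (service-<number>@gcp-sa-*.iam.gserviceaccount.com).
# Default service accounts (<number>-compute@developer.gserviceaccount.com and
# <project>@appspot.gserviceaccount.com) are user-managed but not user-created and
# are deliberately left alone here.
USER_CREATED_SA = re.compile(
    r"^serviceAccount:(?!service-)[^@]+@[^@]+\.iam\.gserviceaccount\.com$"
)


def is_privileged_role(role: str) -> bool:
    return role in BASIC_ROLES or "admin" in role.lower()


def is_user_created_sa(member: str) -> bool:
    return USER_CREATED_SA.match(member) is not None


def find_findings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (member, role) pairs for user-created service accounts holding a flagged role."""
    findings = []
    for binding in policy.get("bindings", []):
        if not is_privileged_role(binding["role"]):
            continue
        for member in binding.get("members", []):
            if is_user_created_sa(member):
                findings.append((member, binding["role"]))
    return findings


def remediate(policy: Dict) -> Dict:
    """Copy of the policy with the offending members removed from flagged bindings.

    Bindings left without members are dropped. Every other field, including the
    etag, is preserved: set-iam-policy uses the etag to reject the write if the
    policy changed on the server after it was exported.
    """
    new_bindings = []
    for binding in policy.get("bindings", []):
        members = list(binding.get("members", []))
        if is_privileged_role(binding["role"]):
            members = [m for m in members if not is_user_created_sa(m)]
        if members:
            new_bindings.append({**binding, "members": members})
    return {**policy, "bindings": new_bindings}


def removal_commands(project_id: str, findings: List[Tuple[str, str]]) -> List[str]:
    """Per-binding gcloud commands for teams that prefer targeted removals over
    replacing the whole policy. Bindings that carry an IAM condition additionally
    need --condition or --all on remove-iam-policy-binding."""
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member='{member}' --role='{role}'"
        for member, role in findings
    ]


# Constructed sample policy for a stand-alone run (no real project data).
SAMPLE_POLICY = {
    "etag": "BwXyz123",
    "version": 1,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deployer@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:ci-runner@my-proj.iam.gserviceaccount.com",
                     "serviceAccount:service-123456789012@gcp-sa-pubsub.iam.gserviceaccount.com"]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:ci-runner@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:backup@my-proj.iam.gserviceaccount.com"]},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real export: python3 sa_admin_check.py iam.json [projectID]
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
        project = sys.argv[2] if len(sys.argv) > 2 else "<projectID>"
    else:
        policy, project = SAMPLE_POLICY, "my-proj"
    found = find_findings(policy)
    for member, role in found:
        print(f"FINDING {member} holds {role}")
    print("\n".join(removal_commands(project, found)))
    with open("iam.fixed.json", "w") as fh:
        json.dump(remediate(policy), fh, indent=2)
```

Run it against the exported file (python3 sa_admin_check.py iam.json <projectID>), review the printed findings, then either apply the written file with gcloud projects set-iam-policy <projectID> iam.fixed.json or run the printed remove-iam-policy-binding commands one binding at a time. On the sample policy the default Compute Engine account keeping Editor and the Pub/Sub service agent keeping compute.instanceAdmin.v1 are intentional: both fall outside this control, and stripping service agents breaks the Google services that depend on them.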
Default Value
By default, user-managed, user-created service accounts have no roles assigned.
References
- https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/
- https://cloud.google.com/iam/docs/understanding-roles
- https://cloud.google.com/iam/docs/understanding-service-accounts
Additional information
The default service accounts that Google creates in a project (for example the Compute Engine and App Engine default service accounts) are user-managed but not user-created; they are granted the Editor (roles/editor) role automatically to support the GCP services that use them.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting. For this control, enforcing the organization policy constraint iam.automaticIamGrantsForDefaultServiceAccounts stops new projects from granting Editor to their default service accounts, and keeping role bindings in IaC makes an Admin, Editor, or Owner grant to a service account visible at review time.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Ensure Service Account has no Admin privileges
Connectors
Covered asset types
Expected check: eq [] (the query must return an empty list; every service account it returns is a finding)
{
  iamServiceAccounts(
    where: {
      hasIAMRole_SOME: {
        OR: [
          { name: "roles/owner" }
          { name: "roles/editor" }
          { name_CONTAINS: "admin" }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
Google Cloud