Ensure Service Account does not have admin privileges

Error: Service Account has admin privileges

Bridgecrew Policy ID: BC_GCP_IAM_4
Checkov Check ID: CKV_GCP_42
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

Description

A service account is a special Google account that belongs to an application or a VM rather than to an individual end user. The application uses the service account to call Google APIs, so no user is directly involved in the call.

Service accounts define the service-level security of application or VM resources: what the workload can do is determined by the roles bound to its service account. Granting a service account admin rights gives it full control over the project resources those roles cover, and anyone who obtains the service account's credentials (a leaked key, a compromised VM, a pipeline runner) can perform critical actions such as deleting resources or changing settings without any user intervention.

We recommend that you do not grant admin privileges (roles/owner, roles/editor, or any role whose name contains Admin) to service accounts; bind the narrowest predefined or custom role the workload actually needs.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to IAM & Admin.
  3. Navigate to the IAM members list.
  4. Identify user-managed (user-created) service accounts that hold roles whose name contains *Admin
    or *admin, or that hold the Editor or Owner role.
  5. Click the trash icon next to the role to remove it from that member, in this case the service account.

CLI Command

  1. Export the project's IAM policy to a file:
    gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
  2. Using a text editor, remove the service account from every binding in the bindings array whose role contains roles/*Admin or roles/*admin or matches roles/editor or roles/owner. If the service account still needs access, add a binding to the bindings array that names the service account as a member together with a least-privilege role.
  3. Update the project's IAM policy:
    gcloud projects set-iam-policy PROJECT_ID iam.json
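As an added example (not part of the Bridgecrew or Checkov documentation), the following Python script automates the editing step above and doubles as a local audit. It applies the role pattern the check uses (roles/owner, roles/editor, any role name containing admin or Admin) to a policy exported with gcloud projects get-iam-policy, reports every service account that holds such a role, and writes a copy with those members removed that can be passed to gcloud projects set-iam-policy. The sample policy, its etag and the principal names are constructed; matching "admin" case-insensitively also catches custom roles with admin in their id, which goes slightly beyond the page's predefined-role list and is an assumption.

```python
from __future__ import annotations

import copy
import json
import re
import sys

# Roles the check treats as administrative: roles/owner, roles/editor, and any
# role whose name contains "admin" in any case (roles/compute.admin,
# roles/iam.serviceAccountAdmin, ...). Matching case-insensitively also flags
# custom roles such as projects/p/roles/dbAdmin; that is an assumption that goes
# slightly beyond the predefined-role list on the page.
ADMIN_ROLE = re.compile(r"admin", re.IGNORECASE)


def is_admin_role(role: str) -> bool:
    return role in ("roles/owner", "roles/editor") or ADMIN_ROLE.search(role) is not None


def is_service_account(member: str) -> bool:
    # IAM members carry their principal type as a prefix; only service accounts matter here.
    return member.startswith("serviceAccount:")


def find_admin_service_accounts(policy: dict) -> list[tuple[str, str]]:
    """Return (role, member) pairs for every service account that holds an admin role."""
    findings = []
    for binding in policy.get("bindings", []):
        if not is_admin_role(binding["role"]):
            continue
        for member in binding.get("members", []):
            if is_service_account(member):
                findings.append((binding["role"], member))
    return findings


def remove_admin_service_accounts(policy: dict) -> dict:
    """Return a copy of the policy with service accounts stripped from admin-role bindings.

    Other members of those bindings, non-admin bindings, any IAM conditions and the
    etag are preserved. The etag matters: gcloud projects set-iam-policy sends it
    back, so the write is rejected if the policy changed since it was exported
    instead of silently overwriting someone else's change. Bindings left with no
    members are dropped rather than written back empty.
    """
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        if is_admin_role(binding["role"]):
            binding["members"] = [m for m in binding.get("members", []) if not is_service_account(m)]
        if binding.get("members"):
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


# Constructed sample of the JSON that `gcloud projects get-iam-policy PROJECT_ID --format json` returns.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deployer@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/compute.admin",
         "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor", "members": ["group:devs@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:reader@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@my-project.iam.gserviceaccount.com"]},
    ],
}


def main(argv: list[str]) -> int:
    """Usage: python audit_sa_admin.py [iam.json [fixed.json]]; with no arguments the sample policy is used."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    findings = find_admin_service_accounts(policy)
    for role, member in findings:
        print(f"CKV_GCP_42: {member} holds {role}")
    if len(argv) > 2:
        with open(argv[2], "w") as fh:
            json.dump(remove_admin_service_accounts(policy), fh, indent=2)
    # Non-zero exit when findings exist, so the script can gate a pipeline.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python audit_sa_admin.py iam.json fixed.json and then gcloud projects set-iam-policy PROJECT_ID fixed.json. Because the etag is carried over, the update fails if someone else changed the policy in between, which is the behaviour you want when editing IAM outside the console. A service account that genuinely needs access should then get a separate binding with a narrowly scoped role.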

Fix - Buildtime

Terraform

  • Resource: google_project_iam_member
  • Argument: role + member

The check fires when the member is a service account (serviceAccount:...) and the role is roles/owner, roles/editor, or a role whose name contains Admin. Remove the binding, or replace its role with a least-privilege one; role and member are both required arguments, so a resource left with neither should be deleted rather than kept empty.
resource "google_project_iam_member" "project" {
  project = "your-project-id"
-  role    = "roles/owner"
-  member  = "serviceAccount:[email protected]"
}