Ensure roles do not impersonate or manage Service Accounts used at folder level

Error: Roles impersonate or manage Service Accounts used at folder level

Bridgecrew Policy ID: BC_GCP_IAM_5
Checkov Check ID: CKV_GCP_44
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

Roles impersonate or manage Service Accounts used at folder level

Description

The IAM role is an identity with specific permissions. An IAM role is similar to an IAM user: it has a Google identity with permission policies that determine what the identity can and cannot do in Google Cloud. Certain IAM roles contain permissions that enable a user holding the role to impersonate or manage service accounts throughout a GCP folder, because a binding made at the folder level is inherited by every project and service account beneath that folder.

We recommend you do not set IAM role bindings with known dangerous roles that enable impersonation at the folder level.

The following roles enable identities to impersonate all service account identities within a project if the identity is granted the role at the project, folder, or organization level. This list reflects our current recommendations for dangerous roles; however, it is not exhaustive, as permissions and roles change frequently.

Primitive Roles:

  • roles/owner
  • roles/editor

Predefined Roles:

  • roles/iam.securityAdmin
  • roles/iam.serviceAccountAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/iam.serviceAccountUser
  • roles/iam.serviceAccountTokenCreator
  • roles/iam.workloadIdentityUser
  • roles/dataproc.editor
  • roles/dataproc.admin
  • roles/dataflow.developer
  • roles/resourcemanager.folderAdmin
  • roles/resourcemanager.folderIamAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/resourcemanager.organizationAdmin
  • roles/cloudasset.viewer
  • roles/cloudasset.owner

Service Agent Roles:
Service agent roles should not be used for any identities other than the Google managed service account they are associated with.

  • roles/serverless.serviceAgent
  • roles/dataproc.serviceAgent

Fix - Buildtime

Terraform

  • Resources:
    google_folder_iam_member
    google_folder_iam_binding
  • Argument: role

resource "google_folder_iam_member" "example" {
  folder = "folders/1234567"
- role   = <ANY OF THE ROLES LISTED ABOVE>
  member = "user:[email protected]"
}

resource "google_folder_iam_binding" "example" {
  folder  = "folders/1234567"
- role    = <ANY OF THE ROLES LISTED ABOVE>
  members = [
    "user:[email protected]",
  ]
}
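As an added example (not Bridgecrew's or Checkov's own code), the following Python script applies the logic of this check to Terraform source text: it scans for the two folder-level resource types named in the fix above and fails any whose role argument is one of the dangerous roles listed on this page. The resource-block parsing is a deliberately simple regular expression that handles flat blocks like the ones shown here rather than the full HCL grammar, and the sample Terraform input is constructed for the demonstration.

```python
"""Minimal CKV_GCP_44-style scan over Terraform text (added example, not
Checkov's implementation). Assumes flat resource blocks with a quoted
string literal for `role`; anything else is reported as UNKNOWN."""
import re

# Roles listed on this page as enabling service account impersonation
# or management when bound at folder level.
DANGEROUS_ROLES = frozenset({
    # Primitive roles
    "roles/owner",
    "roles/editor",
    # Predefined roles
    "roles/iam.securityAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.workloadIdentityUser",
    "roles/dataproc.editor",
    "roles/dataproc.admin",
    "roles/dataflow.developer",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.folderIamAdmin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/resourcemanager.organizationAdmin",
    "roles/cloudasset.viewer",
    "roles/cloudasset.owner",
    # Service agent roles
    "roles/serverless.serviceAgent",
    "roles/dataproc.serviceAgent",
})

# Only folder-level bindings are in scope for this check.
CHECKED_RESOURCE_TYPES = ("google_folder_iam_member", "google_folder_iam_binding")

# Matches `resource "<type>" "<name>" { ... }` for blocks without nested braces.
_RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[\w-]+)"\s+"(?P<name>[\w-]+)"\s*\{(?P<body>[^{}]*)\}',
    re.DOTALL,
)
# Matches a `role = "..."` line inside a block body.
_ROLE_RE = re.compile(r'^\s*role\s*=\s*"([^"]*)"', re.MULTILINE)


def scan_terraform(hcl_text):
    """Return one (resource_type, resource_name, role, result) tuple per
    folder IAM resource found; result is FAILED, PASSED or UNKNOWN."""
    findings = []
    for match in _RESOURCE_RE.finditer(hcl_text):
        rtype = match.group("type")
        if rtype not in CHECKED_RESOURCE_TYPES:
            continue  # project/org bindings are covered by other checks
        role_match = _ROLE_RE.search(match.group("body"))
        if role_match is None:
            result, role = "UNKNOWN", None  # role is an expression or absent
        else:
            role = role_match.group(1)
            result = "FAILED" if role in DANGEROUS_ROLES else "PASSED"
        findings.append((rtype, match.group("name"), role, result))
    return findings


# Constructed sample input: one failing folder binding, one passing one,
# and a project-level binding that this check does not evaluate.
SAMPLE_TF = '''
resource "google_folder_iam_member" "token_creator" {
  folder = "folders/1234567"
  role   = "roles/iam.serviceAccountTokenCreator"
  member = "user:alice@example.com"
}

resource "google_folder_iam_binding" "viewers" {
  folder  = "folders/1234567"
  role    = "roles/viewer"
  members = [
    "user:bob@example.com",
  ]
}

resource "google_project_iam_member" "project_owner" {
  project = "my-project"
  role    = "roles/owner"
  member  = "user:carol@example.com"
}
'''

if __name__ == "__main__":
    for rtype, name, role, result in scan_terraform(SAMPLE_TF):
        print(f"{result}: {rtype}.{name} role={role}")
```

Running the script reports the token-creator binding as FAILED and the viewer binding as PASSED; the project-level owner binding is skipped because this check is scoped to folder resources. In a real pipeline the role list would need to be refreshed as roles and permissions change, which is the caveat the description above makes.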