Control: 1.5 Ensure that Service Account has no Admin privileges
Description
A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user. The application uses the service account to call the service's Google API so that users aren't directly involved. It's recommended not to use admin access for ServiceAccount.
Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM. A ServiceAccount Access holder can perform critical actions like delete, update change settings, etc. without user intervention. For this reason, it's recommended that service accounts not have Admin rights.
Remediation
From Console
- Go to
IAM & admin/IAM
using https://console.cloud.google.com/iam-admin/iam - Go to the
Members
- Identify
User-Managed user created
service account with roles containing*Admin
or*admin
or role matchingEditor
or role matchingOwner
- Click the
Delete bin
icon to remove the role from the member (service account in this case)
From Command Line
gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
- Using a text editor, Remove
Role
which containsroles/*Admin
orroles/*admin
or matched=roles/editor
or matchesroles/owner
. Add a role to the bindings array that defines the group members and the role for those members.
For example, to grant the role roles/appengine.appViewer to the ServiceAccount
which is roles/editor, you would change the example shown below as follows:
{ "bindings": [ { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", ], "role": "roles/appengine.appViewer" }, { "members": [ "user:email1@gmail.com" ], "role": "roles/owner" }, { "members": [ "serviceAccount:our-project-123@appspot.gserviceaccount.com", "serviceAccount:123456789012-compute@developer.gserviceaccount.com" ], "role": "roles/editor" } ], "etag": "BwUjMhCsNvY=" }
- Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json
Default Value
User Managed (and not user-created) default service accounts have the Editor (roles/editor)
role assigned to them to support GCP services they offer.
By default, there are no roles assigned to User Managed User created
service accounts.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_1_5
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v200_1_5 --share
SQL
This control uses a named query:
iam_service_account_without_admin_privilege