Benchmark: 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
Description
GCP customers are responsible for managing access to all GCP products (GCE, VPC, GCS) that are part of their cardholder data environment (CDE). GCP provides several mechanisms for controlling access to these services, including IAM, which integrates with corporate directories, and granular access controls for the GCP Console.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321_requirement_7_1_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321_requirement_7_1_2 --share
Controls
- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
- Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- Only allow members from my domain to be added to IAM roles
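The three controls above each reduce to a rule over resource metadata. The script below, an added example that is not part of the steampipe-mod-gcp-compliance mod, implements those rules in Python over constructed sample data shaped like the JSON that `gcloud compute instances describe --format=json` and `gcloud projects get-iam-policy --format=json` return. The instance names, project IDs, member emails and the allowed domain are all assumptions made up for the example; the interpretation of each control (default Compute Engine service account plus the cloud-platform scope; `user:` principals holding Service Account User or Token Creator at project level; `user:`/`group:` principals outside the domain, plus `allUsers` and `allAuthenticatedUsers`) is this example's reading of the control names, not the mod's own query text.

```python
"""Evaluate the three PCI DSS 7.1.2 controls listed above against sample GCP data.

Added example; not code from the steampipe-mod-gcp-compliance mod. The data
shapes mirror gcloud JSON output, but every record below is constructed.
"""
from __future__ import annotations

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_COMPUTE_SA_SUFFIX = "-compute@developer.gserviceaccount.com"
SA_IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample instances (assumed project number 123456789012):
#  web-1   default compute SA + cloud-platform scope  -> should be flagged
#  web-2   dedicated SA, narrow scope                 -> fine
#  batch-1 default compute SA, narrow scope           -> fine for this control
INSTANCES = [
    {"name": "web-1", "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": [CLOUD_PLATFORM_SCOPE]}]},
    {"name": "web-2", "serviceAccounts": [
        {"email": "web-sa@example-project.iam.gserviceaccount.com",
         "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "batch-1", "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]},
]

# Constructed sample project-level IAM policy.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com", "user:contractor@gmail.com",
                 "group:sec@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:devs@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
]}


def default_sa_full_access(instances: list[dict]) -> list[str]:
    """Control 1: instances running as the default Compute Engine service
    account with full access to all Cloud APIs. Both conditions must hold;
    the default SA with a narrow scope is not flagged here."""
    flagged = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            if (sa["email"].endswith(DEFAULT_COMPUTE_SA_SUFFIX)
                    and CLOUD_PLATFORM_SCOPE in sa.get("scopes", [])):
                flagged.append(inst["name"])
                break
    return flagged


def users_with_sa_roles_at_project(policy: dict) -> list[tuple[str, str]]:
    """Control 2: project-level grants of Service Account User / Token Creator
    to individual users. A project-level grant lets the user act as every
    service account in the project, so it should be scoped per SA instead."""
    return sorted(
        (member, binding["role"])
        for binding in policy["bindings"]
        if binding["role"] in SA_IMPERSONATION_ROLES
        for member in binding["members"]
        if member.startswith("user:")
    )


def members_outside_domain(policy: dict, allowed_domain: str) -> list[tuple[str, str]]:
    """Control 3: user/group principals not in the allowed domain, plus the
    public principals. Service accounts carry project-scoped addresses and
    are deliberately not judged by domain here."""
    flagged = []
    for binding in policy["bindings"]:
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS:
                flagged.append((member, binding["role"]))
                continue
            kind, _, ident = member.partition(":")
            if kind in ("user", "group") and not ident.lower().endswith("@" + allowed_domain.lower()):
                flagged.append((member, binding["role"]))
    return sorted(flagged)


def run_all(instances: list[dict], policy: dict, allowed_domain: str) -> dict:
    """Run all three controls and return their findings keyed by control."""
    return {
        "default_sa_full_access": default_sa_full_access(instances),
        "users_with_sa_roles_at_project": users_with_sa_roles_at_project(policy),
        "members_outside_domain": members_outside_domain(policy, allowed_domain),
    }


if __name__ == "__main__":
    for control, findings in run_all(INSTANCES, PROJECT_POLICY, "example.com").items():
        print(control, "->", findings or "ok")
```

Each function returns the offending resources rather than a pass/fail flag, which is what you need when turning a benchmark result into a remediation ticket; to run it against real data, replace the two constants with the parsed output of the corresponding `gcloud ... --format=json` commands.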