🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
14Dashboards
621Benchmarks
202Queries
2Variables
GitHub

Control: 1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users

Description

It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users

The built-in/predefined IAM role Service Account admin allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role Service Account User allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.

Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.

Remediation

No user should have Service Account Admin and Service Account User roles assigned at the same time. Removal of a role should be done based on the business requirements.

From Console

  1. Login to GCP Admin/IAM.
  2. For any member having both Service Account Admin and Service account Userroles granted/assigned as shown in the Role column, remove either role from the member.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v130_1_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_1_8 --share

SQL

This control uses a named query:

with users_with_roles as (
  select
    distinct split_part(member_entity, ':', 2) as user_name,
    project,
    _ctx,
    p ->> 'role' as assigned_role
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as p,
    jsonb_array_elements_text(p -> 'members') as member_entity
  where
    split_part(member_entity, ':', 1) = 'user'
),
account_admin_users as(
  select
    user_name,
    project
  from
    users_with_roles
  where assigned_role = 'roles/iam.serviceAccountAdmin'
),
account_users as(
  select
    user_name,
    project
  from
    users_with_roles
  where assigned_role = 'roles/iam.serviceAccountUser'
)
select
  distinct user_name as resource,
  case
    when user_name in (select user_name from account_users) and user_name in (select user_name from account_admin_users) then 'alarm'
    else 'ok'
  end as status,
  case
    when user_name in (select user_name from account_users) and user_name in (select user_name from account_admin_users)
      then  user_name || ' assigned with both Service Account Admin and Service Account User roles.'
    else user_name || ' not assigned with both Service Account Admin and Service Account User roles.'
  end as reason
  , project as project
from
  users_with_roles;

Tags

benchmark = cis
category = Compliance
cis_item_id = 1.8
cis_level = 2
cis_section_id = 1
cis_type = manual
cis_version = v1.3.0
plugin = gcp
service = GCP/IAM