Benchmark: IAM
Description
This benchmark provides a set of controls that detect Terraform GCP Identity and Access Management (IAM) resources deviating from security best practices.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select IAM.
Run this benchmark in your terminal:
powerpipe benchmark run terraform_gcp_compliance.benchmark.iam
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run terraform_gcp_compliance.benchmark.iam --share
Controls
- Ensure roles do not impersonate or manage Service Accounts used at folder level
- Ensure basic roles are not used at folder level
- Ensure Default Service account is not used at a folder level
- Ensure roles do not impersonate or manage Service Accounts used at organization level
- Ensure basic roles are not used at organization level
- Ensure Default Service account is not used at an organization level
- Ensure roles do not impersonate or manage Service Accounts used at project level
- Ensure that users are not assigned the Service Account User or Service Account Token Creator roles at project level
- Ensure basic roles are not used at project level
- Ensure Default Service account is not used at a project level
- Ensure that there are only GCP-managed service account keys for each service account
- Ensure that Service Account has no admin privileges
- IAM workload identity pool provider should be restricted
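The project-level controls above (basic roles, Service Account User / Token Creator granted to users, and use of the default service account) are straightforward to reason about once the IAM bindings are in a structured form. The following is an added example, not code from the mod or from Turbot, showing that detection logic run over a constructed Terraform JSON configuration (`.tf.json`, used here to avoid an HCL parser dependency; the mod itself parses HCL through the Steampipe Terraform plugin). The resource names, project id and member addresses are made up; the role ids and default service account address patterns are the real GCP ones.

```python
import json
import re

# Constructed sample Terraform JSON (.tf.json) configuration. Resource names,
# the project id, and all member addresses are invented for this example.
SAMPLE_TF_JSON = """
{
  "resource": {
    "google_project_iam_member": {
      "ok_binding": {
        "project": "example-project",
        "role": "roles/storage.objectViewer",
        "member": "serviceAccount:app@example-project.iam.gserviceaccount.com"
      },
      "basic_role": {
        "project": "example-project",
        "role": "roles/editor",
        "member": "group:devs@example.com"
      },
      "sa_user_for_user": {
        "project": "example-project",
        "role": "roles/iam.serviceAccountUser",
        "member": "user:alice@example.com"
      },
      "default_sa": {
        "project": "example-project",
        "role": "roles/logging.logWriter",
        "member": "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
      }
    },
    "google_project_iam_binding": {
      "viewer_binding": {
        "project": "example-project",
        "role": "roles/viewer",
        "members": ["user:bob@example.com", "group:audit@example.com"]
      }
    }
  }
}
"""

# GCP basic (primitive) roles: too coarse for project-level grants.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Roles that let the grantee act as, or mint tokens for, a service account.
SA_IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Default Compute Engine SA (<project-number>-compute@developer...) and
# default App Engine SA (<project-id>@appspot...).
DEFAULT_SA_PATTERN = re.compile(
    r"^serviceAccount:(\d+-compute@developer|[^@]+@appspot)\.gserviceaccount\.com$"
)


def iter_project_bindings(config):
    """Yield (resource_name, role, [members]) for every project-level IAM
    grant in a parsed .tf.json config, normalising the single-member
    google_project_iam_member and multi-member google_project_iam_binding
    resource types to one shape."""
    resources = config.get("resource", {})
    for name, attrs in resources.get("google_project_iam_member", {}).items():
        yield name, attrs.get("role", ""), [attrs.get("member", "")]
    for name, attrs in resources.get("google_project_iam_binding", {}).items():
        yield name, attrs.get("role", ""), list(attrs.get("members", []))


def check_project_iam(tf_json_text):
    """Return a list of (resource_name, check_id, detail) findings for the
    three project-level checks; an empty list means no deviations found."""
    findings = []
    config = json.loads(tf_json_text)
    for name, role, members in iter_project_bindings(config):
        if role in BASIC_ROLES:
            findings.append((name, "basic_role", role))
        for member in members:
            # Only human principals are flagged here; SA-to-SA impersonation
            # is a separate design decision and not what the control targets.
            if role in SA_IMPERSONATION_ROLES and member.startswith("user:"):
                findings.append((name, "sa_impersonation_for_user", member))
            if DEFAULT_SA_PATTERN.match(member):
                findings.append((name, "default_service_account", member))
    return findings


if __name__ == "__main__":
    for resource, check, detail in check_project_iam(SAMPLE_TF_JSON):
        print(f"{resource}: {check} ({detail})")
```

Folder- and organization-level variants of the same controls differ only in the resource types consulted (`google_folder_iam_*`, `google_organization_iam_*`); the role and member checks are identical.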