Check for IAM Members with Service Roles at the Project Level

Risk Level: Medium (should be achieved)

Rule ID: CloudIAM-003

Ensure that the Service Account User and Service Account Token Creator roles are assigned to a user for a specific GCP service account rather than to a user at the GCP project level, in order to implement the principle of least privilege (POLP). The principle of least privilege (also known as the principle of minimal privilege) is the practice of providing every user the minimal amount of access required to perform its tasks. The Service Account User (iam.serviceAccountUser) role allows an IAM user to attach a service account to a long-running job service such as an App Engine App or Dataflow Job, whereas the Service Account Token Creator (iam.serviceAccountTokenCreator) role allows a user to directly impersonate the identity of a service account.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

To follow Google Cloud security best practices, Google Cloud Platform (GCP) IAM users should not have assigned the Service Account User or Service Account Token Creator roles at the GCP project level. Instead, these roles should be allocated to a user associated with a specific service account, providing that user access to the service account only.

Audit

To determine if there are IAM users/members associated with Service Account User and/or Service Account Token Creator roles at the GCP project level, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select View by MEMBERS to list all the member accounts available for the selected GCP project.

06 Click in the Filter table box, select Role, type Service Account User and press Enter to return the project members with the Service Account User role. Now choose OR, select Role, type Service Account Token Creator, then press Enter to return the members with the Service Account Token Creator role. If the IAM console returns one or more results, there are IAM members associated with Service Account User and/or Service Account Token Creator roles at the selected GCP project level.

07 Repeat steps no. 2 – 6 for each GCP project deployed within your Google cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your Google Cloud Platform (GCP) account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested project IDs:

PROJECT_ID
cc-project5-123123
cc-internal-111222
cc-web-prod-123456

03 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the Access Management (IAM) policy created for the selected GCP project, in JSON format:

gcloud projects get-iam-policy cc-project5-123123
	--format=json

04 The command output should return the requested project IAM policy:

{
  "bindings": [
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    },
    {
      "members": [
        "serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/iam.serviceAccountUser"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

Check the name of each member role (i.e. "role" attribute) returned by the projects get-iam-policy command output. If one or more members have the "role" set to "roles/iam.serviceAccountUser" or "roles/iam.serviceAccountTokenCreator", as shown in the example above, there are IAM members associated with Service Account User and/or Service Account Token Creator roles at the selected GCP project level.

05 Repeat step no. 3 and 4 for each Google Cloud Platform (GCP) project created within your account.

Remediation / Resolution

To implement the principle of least privilege and secure the access to your GCP projects, revoke Service Account User and Service Account Token Creator roles applied at the project level from all IAM user/member accounts and assign these roles to specific service account(s) according to your business requirements.

Step A: To revoke the Service Account User and/or Service Account Token Creator roles applied at the GCP project level, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select View by MEMBERS to list all the member accounts created for the selected GCP project.

06 Choose the IAM member that you want to reconfigure (see Audit section part I to identify the right account), then click on the edit (pencil) icon to access the member permissions.

07 On the Edit permissions panel, identify the service role(s) that you want to remove from the selected member account, i.e. Service Account User and/or Service Account Token Creator, then click on the delete icon next to each role to remove it. Click SAVE to save the changes.

08 Repeat step no. 6 and 7 for other IAM members that you want to reconfigure, created for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project available within your Google cloud account.

Using GCP CLI

01 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to reconfigure as identifier parameter (see Audit section part II to identify the right project) and custom query filters to list the IAM policy created for the selected GCP project:

gcloud projects get-iam-policy cc-project5-123123
	--format=json

02 The command output should return the requested IAM policy:

{
  "bindings": [
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    },
    {
      "members": [
        "serviceAccount:cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/iam.serviceAccountUser"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

03 Edit the IAM policy returned at the previous step and remove the role bindings with the name "roles/iam.serviceAccountUser" and "roles/iam.serviceAccountTokenCreator" for all members created for the selected GCP project, then save the policy document to a JSON document named new-gcp-iam-policy.json:

{
  "bindings": [
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

04 Run projects set-iam-policy command (Windows/macOS/Linux) to update the IAM policy of the selected GCP project with the IAM policy reconfigured at the previous step (i.e. new-gcp-iam-policy.json):

gcloud projects set-iam-policy cc-project5-123123 new-gcp-iam-policy.json

05 The command request should return the IAM policy metadata for the reconfigured project:

Updated IAM policy for project [cc-project5-123123].
bindings:
- members:
  - user:cloud.realisation@gmail.com
  role: roles/editor
- members:
  - user:cloud.conformity@gmail.com
  role: roles/owner
etag: abcdabcdabcd
version: 1

06 If required, repeat steps no. 1 – 5 for other Google Cloud Platform (GCP) projects available in your account.

Step B: To assign the Service Account User and/or Service Account Token Creator roles to a service account instead of a GCP project, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Service Accounts.

05 Select the user-managed service account that you want to assign the Service Account User and/or Service Account Token Creator role(s), then click on the SHOW INFO PANEL button to show the account permissions.

06 On the information panel, under Permissions, click ADD MEMBER to add members and roles to the selected account.

07 On the Add members to "<service-account-name>" panel, type the name/email address of the member that you want to add to the account into the New members text box, then select Service Account User and/or Service Account Token Creator role(s) from the Select a role dropdown list, based on your business requirements. Select Send notification email checkbox, to send an email that will inform the account members that you've granted them access to these service roles. Click SAVE to apply the changes.

08 If required, repeat steps no. 5 – 7 to assign service roles to other service accounts that you have created for the selected project.

09 Repeat steps no. 2 – 8 for other GCP projects available within your Google cloud account.

Using GCP CLI

01 Run iam service-accounts get-iam-policy command (Windows/macOS/Linux) using the email address of the user-managed service account that you want to reconfigure as identifier parameter and custom query filters to describe the IAM policy applied to the selected GCP service account:

gcloud iam service-accounts get-iam-policy cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com
	--format=json

02 The command output should return the requested service account IAM policy:

{
  "bindings": [
    {
      "members": [
        "user:service.manager@cloudconformity.com"
      ],
      "role": "roles/viewer"
    }
  ],
  "etag": "abcd1234abcd",
  "version": 1
}

03 Edit the IAM policy returned at the previous step and attach the role bindings with the name "roles/iam.serviceAccountUser" and "roles/iam.serviceAccountTokenCreator" to an IAM member that has access to your GCP project (e.g. "service.manager@cloudconformity.com"), then save the policy document to a JSON document named service-account-iam-policy.json:

{
  "bindings": [
    {
      "members": [
        "user:service.manager@cloudconformity.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    },
    {
      "members": [
        "user:service.manager@cloudconformity.com"
      ],
      "role": "roles/iam.serviceAccountUser"
    },
    {
      "members": [
        "user:service.manager@cloudconformity.com"
      ],
      "role": "roles/viewer"
    }
  ]
}

04 Run iam service-accounts set-iam-policy command (Windows/macOS/Linux) to update the IAM policy of the selected service account with the IAM policy reconfigured at the previous step (i.e. service-account-iam-policy.json):

gcloud iam service-accounts set-iam-policy cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com service-account-iam-policy.json

05 The command request should return the IAM policy metadata for the reconfigured service account:

Updated IAM policy for service account [cc-project5-service-account@cc-project5-123123.iam.gserviceaccount.com].
bindings:
- members:
  - user:service.manager@cloudconformity.com
  role: roles/iam.serviceAccountTokenCreator
- members:
  - user:service.manager@cloudconformity.com
  role: roles/iam.serviceAccountUser
- members:
  - user:service.manager@cloudconformity.com
  role: roles/viewer
etag: 1234abcd1234
version: 1

06 If required, repeat steps no. 1 – 5 to assign service roles to other service accounts available for the selected project.

07 Repeat steps no. 1 – 6 for other GCP projects available in your Google cloud account.

References

Google Cloud Platform (GCP) Documentation
Cloud Identity and Access Management (IAM)
Service accounts
Granting, changing, and revoking access to resources
Understanding roles
Understanding service accounts
Granting, changing, and revoking access to resources

CIS Security Documentation
Securing Google Cloud Computing Platform

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud projects get-iam-policy
gcloud projects set-iam-policy
gcloud iam service-accounts get-iam-policy
gcloud iam service-accounts set-iam-policy

Publication date Feb 4, 2021

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

Using GCP Console

Using GCP CLI

References

Related CloudIAM rules