Enforce Separation of Duties for Service-Account Related Roles

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudIAM-002

Ensure that separation of duties (also known as segregation of duties, SoD) is enforced for all Google Cloud Platform (GCP) service-account related roles. The security principle of separation of duties has as its primary objective the prevention of fraud and human error. This objective is achieved by dividing the tasks and associated privileges for a specific business process among multiple users/members. To follow security best practices, your GCP IAM members should not have the Service Account Admin and Service Account User roles assigned at the same time.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

The principle of separation of duties should be enforced in order to eliminate the need for high-privileged IAM members, as the permissions granted to these members can allow them to perform malicious or unwanted actions.


Audit

To determine if there are any IAM members that have Service Account Admin and Service Account User roles assigned at the same time, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select PRINCIPALS to list all the IAM member accounts available for the selected GCP project.

06 Click in the Filter table box, select Role, type Service Account Admin and press Enter to return the project member(s) with the Service Account Admin role. Click again in the Filter table box, select Role, type Service Account User and press Enter to return the member(s) with the Service Account User role. Check the IAM members returned to determine if there are any users/members that have both the Service Account Admin and the Service Account User roles assigned. If one or more members have both these roles assigned, the principle of separation of duties was not implemented while assigning service-account related roles to IAM users.

07 Repeat steps no. 2 – 6 for each GCP project deployed within your Google cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested project IDs:

PROJECT_ID
cc-main-app-123123
cc-internal-111222
cc-web-prod-123456

03 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the Identity and Access Management (IAM) policy created for the selected GCP project, in JSON format:

gcloud projects get-iam-policy cc-main-app-123123 \
	--format=json

04 The command output should return the requested IAM policy document:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/iam.serviceAccountAdmin"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/iam.serviceAccountUser"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "abcd1234abcd",
  "version": 1
}

Check the name of each member role (i.e. "role" attribute) returned by the project's get-iam-policy command output. If one or more members have the "role" attribute set to both "roles/iam.serviceAccountAdmin" and "roles/iam.serviceAccountUser", as shown in the output example above, there are users/members that have both the Service Account Admin and the Service Account User roles assigned, therefore the principle of separation of duties was not enforced while assigning service-account related roles to IAM users.

05 Repeat steps no. 3 and 4 for each Google Cloud Platform (GCP) project created within your account.
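The same check as step 04, automated: the following Python script (an added example, not part of the Conformity rule or the gcloud tooling) inverts the project-level IAM policy JSON returned by get-iam-policy into a member-to-roles map and reports every member bound to both roles. The sample policy is constructed from the output shown above; the script assumes it is run on that JSON (for example saved from `gcloud projects get-iam-policy <project> --format=json`) and only sees project-level bindings, not roles inherited from a folder or organization.

```python
import json
from typing import Dict, List, Set

ADMIN_ROLE = "roles/iam.serviceAccountAdmin"
USER_ROLE = "roles/iam.serviceAccountUser"

# Constructed sample: the policy shape that
# `gcloud projects get-iam-policy <project> --format=json` prints.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["user:cloud.conformity@gmail.com"],
     "role": "roles/iam.serviceAccountAdmin"},
    {"members": ["user:cloud.conformity@gmail.com"],
     "role": "roles/iam.serviceAccountUser"},
    {"members": ["user:cloud.realisation@gmail.com"],
     "role": "roles/editor"}
  ],
  "etag": "abcd1234abcd",
  "version": 1
}
"""


def load_policy(text: str) -> dict:
    """Parse the JSON policy document printed by get-iam-policy."""
    return json.loads(text)


def roles_by_member(policy: dict) -> Dict[str, Set[str]]:
    """Invert bindings (role -> members) into member -> set of roles.
    Conditional bindings are counted like unconditional ones, which
    errs on the side of reporting a conflict."""
    result: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result.setdefault(member, set()).add(binding["role"])
    return result


def sod_violations(policy: dict) -> List[str]:
    """Members holding both Service Account Admin and User."""
    return sorted(member for member, roles in roles_by_member(policy).items()
                  if ADMIN_ROLE in roles and USER_ROLE in roles)


if __name__ == "__main__":
    for member in sod_violations(load_policy(SAMPLE_POLICY_JSON)):
        print(f"SoD violation: {member} holds both roles")
```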

Remediation / Resolution

To implement the principle of separation of duties and secure the access to your GCP projects, revoke either Service Account Admin role or Service Account User role from the IAM user/member that is associated with both these roles, and attach one of the roles to another member according to your business requirements.

Step A: To revoke the Service Account User role from the required IAM user account, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select PRINCIPALS to list all the member accounts created for the selected GCP project.

06 Choose the IAM member that you want to reconfigure (see Audit section part I to identify the right account), then click on the edit (pencil) icon to access the member permissions.

07 On the Edit permissions panel, identify the service role that you want to remove from the selected member account, i.e. Service Account User, then click on the delete icon next to the role to remove it. Click SAVE to apply the changes.

08 Repeat steps no. 6 and 7 for other IAM members that you want to reconfigure, created for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project available within your Google cloud account.

Using GCP CLI

01 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to reconfigure as identifier parameter (see Audit section part II to identify the right project) and custom query filters to describe the IAM policy created for the selected project:

gcloud projects get-iam-policy cc-main-app-123123 \
	--format=json

02 The command output should return the requested IAM policy:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/iam.serviceAccountAdmin"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/iam.serviceAccountUser"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "abcd1234abcd",
  "version": 1
}

03 Edit the IAM policy returned at the previous step and remove the role binding with the name "roles/iam.serviceAccountUser" for the IAM member that has both the "roles/iam.serviceAccountUser" and "roles/iam.serviceAccountAdmin" roles, then save the policy document to a JSON file named sod-iam-policy.json:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/iam.serviceAccountAdmin"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "abcd1234abcd",
  "version": 1
}

04 Run projects set-iam-policy command (Windows/macOS/Linux) to update the IAM policy of the selected GCP project with the IAM policy reconfigured at the previous step (i.e. sod-iam-policy.json):

gcloud projects set-iam-policy cc-main-app-123123 sod-iam-policy.json

05 The command request should return the metadata for the updated IAM policy:

Updated IAM policy for project [cc-main-app-123123].
bindings:
- members:
  - user:cloud.realisation@gmail.com
  role: roles/editor
- members:
  - user:cloud.conformity@gmail.com
  role: roles/iam.serviceAccountAdmin
etag: abcd1234abcd
version: 1

06 If required, repeat steps no. 1 – 5 for other Google Cloud Platform (GCP) projects available in your account.
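Step 03 done programmatically: the following Python script (an added example, not part of the Conformity rule or the gcloud tooling) removes the conflicting member from the Service Account User binding, drops the binding if it is left empty, and writes sod-iam-policy.json for step 04. It assumes the input is the get-iam-policy JSON shown in step 02 (a constructed copy is embedded) and deliberately keeps the etag unchanged, so that set-iam-policy refuses the write if the live policy changed between the get and the set.

```python
import json
from copy import deepcopy
from typing import List

USER_ROLE = "roles/iam.serviceAccountUser"

# Constructed sample: the step 02 policy, in which
# cloud.conformity@gmail.com holds both service-account roles.
BEFORE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["user:cloud.conformity@gmail.com"],
     "role": "roles/iam.serviceAccountAdmin"},
    {"members": ["user:cloud.conformity@gmail.com"],
     "role": "roles/iam.serviceAccountUser"},
    {"members": ["user:cloud.realisation@gmail.com"],
     "role": "roles/editor"}
  ],
  "etag": "abcd1234abcd",
  "version": 1
}
"""


def load_policy(text: str) -> dict:
    """Parse the JSON policy document printed by get-iam-policy."""
    return json.loads(text)


def revoke_role(policy: dict, member: str, role: str) -> dict:
    """Copy of `policy` with `member` removed from the `role` binding.
    A binding left without members is dropped; the input is not mutated."""
    updated = deepcopy(policy)
    kept = []
    for binding in updated["bindings"]:
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    updated["bindings"] = kept
    # etag is intentionally preserved: it is the concurrency check for set-iam-policy.
    return updated


def members_of(policy: dict, role: str) -> List[str]:
    """Members bound to `role` in the policy, [] if no such binding."""
    return [m for b in policy["bindings"] if b["role"] == role for m in b["members"]]


if __name__ == "__main__":
    after = revoke_role(load_policy(BEFORE_POLICY_JSON),
                        "user:cloud.conformity@gmail.com", USER_ROLE)
    with open("sod-iam-policy.json", "w") as fh:  # input file for step 04
        json.dump(after, fh, indent=2)
```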

Step B: Assign the removed service role, i.e. Service Account User, to another IAM user/member account created for your GCP project by performing the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select PRINCIPALS to list all the member accounts created for the selected GCP project.

06 Choose the IAM user/member to which you want to assign the Service Account User role, then click on the edit (pencil) icon to access the member permissions.

07 On the Edit permissions panel, click ADD ANOTHER ROLE and select the Service Account User role from the Select a role dropdown list to attach the Service Account User role to the selected IAM member account. Click SAVE to apply the changes.

08 If required, repeat steps no. 6 and 7 to assign the necessary service role to other IAM members created for the selected project.

09 Repeat steps no. 2 – 8 for other GCP projects available within your Google cloud account.

Using GCP CLI

01 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to reconfigure as identifier parameter and custom query filters to describe the current IAM policy associated with the selected project:

gcloud projects get-iam-policy cc-main-app-123123 \
	--format=json

02 The command output should return the requested IAM policy:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/iam.serviceAccountAdmin"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "abcd1234abcd",
  "version": 1
}

03 Edit the IAM policy returned at the previous step and add a role binding with the name "roles/iam.serviceAccountUser" for another IAM user/member (e.g. cloud.realisation@gmail.com) in order to assign the Service Account User role, then save the policy document to a JSON file named new-sod-iam-policy.json:

{
  "bindings": [
    {
      "members": [
        "user:cloud.conformity@gmail.com"
      ],
      "role": "roles/iam.serviceAccountAdmin"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/iam.serviceAccountUser"
    }
  ],
  "etag": "abcd1234abcd",
  "version": 1
}

04 Run projects set-iam-policy command (Windows/macOS/Linux) to update the IAM policy of the selected GCP project with the IAM policy reconfigured at the previous step (i.e. new-sod-iam-policy.json):

gcloud projects set-iam-policy cc-main-app-123123 new-sod-iam-policy.json

05 The command request should return the metadata for the updated IAM policy:

Updated IAM policy for project [cc-main-app-123123].
bindings:
- members:
  - user:cloud.realisation@gmail.com
  role: roles/editor
- members:
  - user:cloud.realisation@gmail.com
  role: roles/iam.serviceAccountUser
- members:
  - user:cloud.conformity@gmail.com
  role: roles/iam.serviceAccountAdmin
etag: abcd1234abcd
version: 1

06 If required, repeat steps no. 1 – 5 for other Google Cloud Platform (GCP) projects available within your account.

Publication date Feb 4, 2021