
Restrict Administrator Access for Service Accounts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudIAM-001

Ensure that your Google Cloud user-managed service accounts are not using privileged (administrator) roles, in order to implement the principle of least privilege and prevent any accidental or intentional modifications that may lead to data leaks and/or data loss. A user-managed service account is an identity that a virtual machine (VM) instance or an application can use to run API requests on your behalf. GCP service accounts can create, modify or delete resources only if you grant the necessary IAM permissions, at the project or resource level.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

When your Google Cloud Platform (GCP) service accounts have administrator privileges (i.e. are bound to the Owner or Editor role, or to any role whose name contains `*Admin` or `*admin`), these service accounts can access, create, and manage VM instances and other resources. To adhere to the principle of least privilege, give your GCP service accounts the minimal set of permissions required to perform their tasks successfully, and remove any administrator-based roles that give them overly permissive access.

Audit

To determine if your GCP user-managed service accounts have administrator privileges, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to IAM & Admin console at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select VIEW BY PRINCIPALS to list all the member accounts available for the selected GCP project.

06 Click inside the Filter box, select Type, and choose Service account to show only the service accounts created for the selected GCP project.

07 Choose the user-managed service account that you want to examine. A user-managed service account has the following format: <service-account-name>@<project-id>.iam.gserviceaccount.com (e.g. cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com). Check the roles listed in the Role column. If the service account has one or more roles containing *Admin or *admin, or the Editor or Owner role, the selected user-managed service account has administrator privileges.

08 Repeat step no. 7 for each user-managed service account that you want to examine, created for the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using a custom output format to list the IDs of all the projects available in your GCP account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested project IDs:

PROJECT_ID
cc-internal-app-123123
cc-web-app-prod-123123
cc-project5-app-123123

03 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and JSON as the output format, to describe the Identity and Access Management (IAM) policy created for the selected GCP project:

gcloud projects get-iam-policy cc-internal-app-123123 \
  --format=json

04 The command output should return the requested IAM policy:

{
	"bindings": [
		{
			"members": [
				"serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"
			],
			"role": "roles/appengine.codeViewer"
		},
		{
			"members": [
				"serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"
			],
			"role": "roles/editor"
		},
		{
			"members": [
				"user:manager@domain.com",
				"user:admin@domain.com"
			],
			"role": "roles/owner"
		}
	],
	"etag": "abcdabcdabcd",
	"version": 1
}

The IAM policy returned by the projects get-iam-policy command should contain the member accounts available for the selected GCP project. Choose the user-managed service account that you want to examine. A user-managed service account has the following format: <service-account-name>@<project-id>.iam.gserviceaccount.com (e.g. cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com). Once the service account is selected, check the "role" value of every binding whose "members" list includes the account. If the service account has one or more roles containing *Admin or *admin, or the Editor role (i.e. "roles/editor") or the Owner role (i.e. "roles/owner"), the selected GCP user-managed service account has administrator privileges.

05 Repeat steps no. 3 and 4 for each GCP project created within your Google Cloud account.
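The CLI audit above (steps 03 and 04) can be automated: parse the JSON policy and report every user-managed service account bound to Owner, Editor or a role whose name contains Admin/admin. This is an added example, not Conformity's or Google's code; it embeds a constructed policy mirroring the one shown above so it runs offline, and fetch_policy() is an assumed wrapper around the same gcloud command (it needs an authenticated gcloud CLI).

```python
import json
import subprocess
from typing import Dict, List


def is_admin_role(role: str) -> bool:
    # Owner, Editor, or any role whose name contains "Admin"/"admin" (the rule's criteria).
    return role in ("roles/owner", "roles/editor") or "admin" in role.lower()


def is_user_managed_sa(member: str, project_id: str) -> bool:
    # User-managed accounts are <name>@<project-id>.iam.gserviceaccount.com; Google-managed
    # service agents live under other domains, so the project's own domain is matched exactly.
    return member.startswith("serviceAccount:") and member.endswith(
        f"@{project_id}.iam.gserviceaccount.com")


def find_admin_service_accounts(policy: dict, project_id: str) -> Dict[str, List[str]]:
    """Map each user-managed service account to the administrator roles bound to it."""
    findings: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not is_admin_role(role):
            continue
        for member in binding.get("members", []):
            if is_user_managed_sa(member, project_id):
                findings.setdefault(member, []).append(role)
    return findings


def fetch_policy(project_id: str) -> dict:
    """Audit step 03 as a subprocess call (assumed helper; requires an authenticated gcloud)."""
    out = subprocess.check_output(
        ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"])
    return json.loads(out)


# Constructed sample mirroring the page's example policy, so the check runs offline.
SAMPLE_PROJECT = "cc-internal-app-123123"
SAMPLE_SA = f"serviceAccount:cc-app-dev-account@{SAMPLE_PROJECT}.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"members": [SAMPLE_SA], "role": "roles/appengine.codeViewer"},
        {"members": [SAMPLE_SA], "role": "roles/editor"},
        {"members": ["user:manager@domain.com", "user:admin@domain.com"], "role": "roles/owner"},
    ],
    "etag": "abcdabcdabcd",
    "version": 1,
}

if __name__ == "__main__":
    for sa, roles in find_admin_service_accounts(SAMPLE_POLICY, SAMPLE_PROJECT).items():
        print(f"{sa}: {', '.join(roles)}")
```

Replace SAMPLE_POLICY with fetch_policy(project_id) and loop over the project IDs from step 02 to cover a whole account.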

Remediation / Resolution

To remove administrator role assignments from your Google Cloud user-managed service accounts, perform the following actions:

IMPORTANT: Removing *Admin, *admin, Editor or Owner role assignments from certain service accounts may break functionality that depends on the impacted service accounts. Review each user-managed service account before you delete its admin role assignments, determine the access permissions it actually requires, and decide whether or not to proceed with the removal.

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select VIEW BY PRINCIPALS to list all the member accounts available for the selected GCP project.

06 Click inside the Filter box, select Type, and choose Service account to list only the service accounts created for the selected GCP project.

07 Choose the user-managed service account that you want to reconfigure and click on the edit button (pencil icon) to access the account permissions.

08 On the permissions panel, in the Assign roles section, perform the following operations:

  1. Choose the administrator role (i.e. *Admin, *admin, Editor or Owner) that you want to remove from the selected service account, then click on the delete button (bin icon) to remove it.
  2. (Optional) To assign a new role that will provide the service account the minimal amount of access required to perform its tasks (i.e. implement the Principle of Least Privilege), choose ADD ANOTHER ROLE and select the required role from the Select a role dropdown list.
  3. Choose SAVE to apply the permission changes.

09 Repeat steps no. 7 and 8 for other user-managed service accounts that you want to reconfigure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Remove the administrator role (i.e. *Admin, *admin, Editor or Owner) from the user-managed service account that you want to reconfigure, or replace it with a new role that provides the service account the minimal amount of access required to perform its tasks. Start from the project IAM policy returned during the audit (keeping its "etag" value, which lets the update fail safely if the policy changed in the meantime) and save the edited policy to a JSON document named iam-policy.json. The following example replaces the Editor role with the App Engine Code Viewer role (i.e. "roles/appengine.codeViewer") for the service account identified by "cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com". The new role assignment follows the Principle of Least Privilege (POLP) and gives the selected service account only the ability to view App Engine app status and deployed source code:

{
	"bindings": [
		{
			"members": [
				"serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"
			],
			"role": "roles/appengine.codeViewer"
		},
		{
			"members": [
				"user:manager@domain.com",
				"user:admin@domain.com"
			],
			"role": "roles/owner"
		}
	],
	"etag": "abcdabcdabcd",
	"version": 1
}

02 Run projects set-iam-policy command (Windows/macOS/Linux) using the ID of the Google Cloud project that you want to reconfigure as the identifier parameter, to update the IAM policy of the selected project with the policy defined at the previous step (i.e. iam-policy.json):

gcloud projects set-iam-policy cc-internal-app-123123 iam-policy.json

03 The command output should return the new IAM policy for the selected GCP project:

Updated IAM policy for project [cc-internal-app-123123].
	bindings:
	- members:
		- serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com
		role: roles/appengine.codeViewer
	- members:
		- user:manager@domain.com
		- user:admin@domain.com
		role: roles/owner
	etag: abcdabcdabcd
	version: 1

04 Repeat steps no. 1 – 3 for other GCP projects available within your Google Cloud account.
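Editing iam-policy.json by hand is error-prone when a binding has several members or the target role is not yet bound. The example below, added here and not part of Conformity's or Google's tooling, applies step 01 programmatically: it moves one member from the administrator role to the least-privilege role, drops a binding that becomes empty, keeps every other member and the etag/version untouched, and writes the file consumed by the set-iam-policy command in step 02. The sample policy is constructed to mirror the one in the audit section.

```python
import copy
import json


def replace_role(policy: dict, member: str, old_role: str, new_role: str) -> dict:
    """Return a copy of `policy` with `member` moved from old_role to new_role.

    Other members of old_role keep it, a binding emptied by the move is dropped,
    and etag/version are preserved so set-iam-policy can reject a stale policy.
    Bindings are matched on role only; a binding carrying a "condition" key
    would also need its condition compared (the page's example has none).
    """
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.get("bindings", []):
        if binding["role"] == old_role and member in binding["members"]:
            binding["members"].remove(member)
    new_policy["bindings"] = [b for b in new_policy.get("bindings", []) if b["members"]]
    target = next((b for b in new_policy["bindings"] if b["role"] == new_role), None)
    if target is None:
        target = {"members": [], "role": new_role}
        new_policy["bindings"].append(target)
    if member not in target["members"]:
        target["members"].append(member)
    return new_policy


def write_policy(policy: dict, path: str = "iam-policy.json") -> str:
    """Write the policy as the JSON file expected by `gcloud projects set-iam-policy`."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    return path


# Constructed sample mirroring the page's pre-remediation policy.
SA = "serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"
BEFORE = {
    "bindings": [
        {"members": [SA], "role": "roles/appengine.codeViewer"},
        {"members": [SA], "role": "roles/editor"},
        {"members": ["user:manager@domain.com", "user:admin@domain.com"], "role": "roles/owner"},
    ],
    "etag": "abcdabcdabcd",
    "version": 1,
}

if __name__ == "__main__":
    after = replace_role(BEFORE, SA, "roles/editor", "roles/appengine.codeViewer")
    print(json.dumps(after, indent=2))
    write_policy(after)  # then: gcloud projects set-iam-policy cc-internal-app-123123 iam-policy.json
```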

Publication date Feb 4, 2021