Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Implement Least Privilege Access for Cloud Tasks Queues

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Cloud IAM roles with administrative permissions are not assigned to IAM identities managing Google Cloud Tasks queues. This helps enforce the Principle of Least Privilege (POLP) by granting members (principals) only the minimum access necessary to complete their tasks.

Security

One of the most prevalent security vulnerabilities in Google Cloud is misconfigured access permissions. To minimize security risks, avoid assigning IAM roles with admin privileges to IAM members (principals) on a regular basis. IAM members with administrator roles (Owner, Editor or roles containing Admin or admin in their name) can create, modify, or delete Cloud Tasks queues. To adhere to the Principle of Least Privilege (POLP), assign IAM members only the minimal permissions required for their tasks and remove any overly permissive administrator roles.

Audit

To determine if your Google Cloud Tasks queues are configured with admin permissions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.

04 Select the queue that you want to examine and choose SHOW INFO PANEL from the top-right menu to access the permissions defined for selected resource. The panel with the queue permissions opens.

05 Click inside the Filter box and perform the following actions:

  1. Select Role / Principal, type Owner, and press Enter to return the principals with the Owner role.
  2. Select OR, choose Role / Principal, type Editor, and press Enter to return the members with the Editor role.
  3. Select OR, choose Role / Principal, type Admin or admin, and press Enter to return the principals with administrator-based roles (i.e., roles containing Admin or admin in their name).
  4. Choose Show inherited roles in table to switch off the feature and return the principals that have non-inherited roles.

06 If the filtering process performed at the previous step returns one or more principals, the IAM policy associated with the selected Cloud Tasks queue is configured with administrative permissions.

07 Repeat steps no. 4 - 6 for each Cloud Tasks queue available within the selected GCP project.

08 Repeat steps no. 2 - 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs: 

PROJECT_ID
cc-web-project-123123
cc-iot-project-112233

03 Run tasks queues list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID (i.e., fully qualified identifier) of each Cloud Tasks queue created for the selected project, in the specified region: 

gcloud tasks queues list
	--project="cc-web-project-123123"
	--location="us-central1"
	--format="default(name)"

04 The command output should return the requested queue IDs: 

---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue
---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-generation-queue

05 Run tasks queues get-iam-policy command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to examine as the identifier parameter, to describe the IAM policy configured for the selected queue: 

gcloud tasks queues get-iam-policy projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue
	--format="default(bindings)"

06 The command output should return the requested IAM policy bindings: 

bindings:
- members:
	- user:username1@domain.com
	role: roles/cloudtasks.admin
- members:
	- user:username2@domain.com
	role: roles/editor
- members:
	- user:username3@domain.com
	- serviceAccount:123456789012@cloudservices.gserviceaccount.com
	role: roles/owner

Check the name of each IAM role (i.e., role property value) returned by the get-iam-policy command output to determine the permissions granted to the principals (members) defined for the associated IAM policy. If one or more principals have the role property set to roles/owner, roles/editor, and/or roles/*admin (i.e., roles containing Admin or admin in their name), as shown in the example above, the IAM policy associated with the selected Cloud Tasks queue is configured with administrative permissions.

07 Repeat steps no. 5 and 6 for each Cloud Tasks queue available in the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that your Google Cloud Tasks queues are not configured with admin permissions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.

04 Select the queue that you want to configure and choose SHOW INFO PANEL from the top-right menu to access the permissions defined for selected resource. The panel with the queue permissions opens.

05 Choose the principal with admin privileges that you want to configure and click on the Edit principal button (i.e., pencil icon) to modify the member permissions. The panel with the principal permissions opens.

06 In the Assign roles section, perform the following actions:

  1. Identify the administrator-based roles (i.e. *Admin, *admin, Editor, and Owner) assigned to the selected principal and click on the Delete role button (i.e., bin icon) next to each admin role to remove the role bindings.
  2. Choose ADD ANOTHER ROLE and select an IAM role that follows the Principle of Least Privilege (POLP) from the Select a role dropdown list to attach the appropriate role to the selected principal. Use ADD ANOTHER ROLE button to add as many roles as needed, according to the selected identity access requirements.

07 Choose SAVE to apply the permission changes.

08 Repeat steps no. 4 - 7 for each Cloud Tasks queue that you want to configure, available within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run tasks queues remove-iam-policy-binding command (OSX/Linux/UNIX) with the ID of the Cloud Tasks queue that you want to configure as the identifier parameter, to remove the administrator-based binding from the IAM policy associated with selected queue: 

gcloud tasks queues remove-iam-policy-binding projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue
	--location="us-central1"
	--member="user:username2@domain.com"
	--role="roles/editor"

02 The command output should return the modified IAM policy: 

Updated IAM policy for queue [cc-user-notification-queue].
bindings:
- members:
	- user:username1@domain.com
	role: roles/cloudtasks.admin
- members:
	- user:username3@domain.com
	role: roles/owner
etag: ABCD1234ABCD
version: 1

03 Run tasks queues add-iam-policy-binding command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to configure as the identifier parameter, to add a new binding to the IAM policy associated with selected queue. Use the --role parameter to specify the IAM role required by the selected principal, that follows the Principle of Least Privilege (POLP). As an example, the following command assigns the Cloud Tasks Viewer role (i.e., roles/cloudtasks.viewer) to the specified principal. The Cloud Tasks Viewer role lists and facilitates access to tasks, queues, and locations: 

gcloud tasks queues add-iam-policy-binding projects/cc-web-project-123123/locations/us-central1/queues/cc-user-notification-queue
	--location="us-central1"
	--member="user:username2@domain.com"
	--role="roles/cloudtasks.viewer"

04 The command output should return the modified IAM policy: 

bindings:
- members:
	- user:username2@domain.com
	role: roles/cloudtasks.viewer
- members:
	- user:username1@domain.com
	role: roles/cloudtasks.admin
- members:
	- user:username3@domain.com
	- serviceAccount:123456789012@cloudservices.gserviceaccount.com
	role: roles/owner
etag: 1234ABCD1234
version: 1

05 Repeat steps no. 1 - 4 for each Cloud Tasks queue that you want to configure, available in the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project deployed in your Google Cloud account.

References

Publication date Mar 27, 2025

Related CloudTasks rules