Implement Least Privilege Access for Eventarc Resources

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that IAM roles with administrative permissions are not assigned to IAM identities (users, groups, and service accounts) working with Google Cloud Eventarc resources. This helps enforce the Principle of Least Privilege (POLP) by granting members (principals) only the minimum access necessary to complete their tasks.

Security

One of the most prevalent security weaknesses in Google Cloud is misconfigured access permissions. To minimize risk, do not routinely assign IAM roles with admin privileges to IAM members (principals). IAM members with administrator roles (Owner, Editor, Eventarc Developer, or roles containing Admin or admin in their name, such as Eventarc Admin) can create, modify, or delete Google Cloud Eventarc resources, including triggers and channels, and a compromised principal holding such a role can reroute or suppress the events that drive your workloads. Service accounts are principals too and must be held to the same standard. To adhere to the Principle of Least Privilege (POLP), assign IAM members only the minimal permissions required for their tasks and remove any overly permissive administrator roles.


Audit

To determine whether the IAM identities working with Eventarc resources are using roles with administrative permissions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that contains your Eventarc resources from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, under IAM & Admin, select IAM.

05 Select the ALLOW tab and choose VIEW BY PRINCIPALS to list all the IAM members (principals) that have access to the selected GCP project.

06 Click inside the Filter box and perform the following actions:

  1. Select Role, type Owner, and press Enter to return the principals with the Owner role.
  2. Select OR, choose Role, type Editor, and press Enter to return the members with the Editor role.
  3. Select OR, choose Role, type Eventarc Developer, and press Enter to return the principals with the Eventarc Developer role (includes the permissions for managing Eventarc resources).
  4. Select OR, choose Role, type Admin or admin, and press Enter to return the principals with administrator-based roles (i.e., roles containing Admin or admin in their name).

07 If the filtering process in the previous step identifies one or more IAM members, it indicates that there are principals using IAM roles with administrative permissions in the selected GCP project. Therefore, least privilege access is not implemented for Google Cloud Eventarc resources.

08 Repeat steps no. 2 – 7 for each GCP project with Eventarc resources, available in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-web-project-123123

03 Run projects get-iam-policy command (Windows/macOS/Linux) with the ID of the GCP project that contains your Eventarc resources as the identifier parameter, to describe the Identity and Access Management (IAM) policy defined for the selected project:

gcloud projects get-iam-policy cc-web-project-123123 \
	--format="default(bindings)"

04 The command output should return the IAM policy bindings:

bindings:
- members:
	- serviceAccount:123456789012-compute@developer.gserviceaccount.com
	- user:username1@domain.com
	role: roles/editor
- members:
	- user:username2@domain.com
	role: roles/owner
- members:
	- user:username3@domain.com
	role: roles/eventarc.developer
- members:
	- user:username4@domain.com
	role: roles/eventarc.admin

Check the name of each IAM role (i.e., the role property value) returned by the get-iam-policy command output to determine the permissions granted to the principals (members) listed in the associated IAM policy. If one or more principals have the role property set to roles/owner, roles/editor, roles/eventarc.developer, and/or a role whose name contains Admin or admin (e.g., roles/eventarc.admin), as shown in the example above, the IAM policy associated with the selected Google Cloud Platform (GCP) project grants administrative permissions. Therefore, least privilege access is not implemented for Google Cloud Eventarc resources. Note that service accounts count as principals: in the example, the Compute Engine default service account holds the Editor role and is a finding just like the users. Bindings that carry a condition still grant the role whenever the condition evaluates to true, so review them too.

05 Repeat steps no. 3 and 4 for each GCP project with Eventarc resources, created within your Google Cloud account.
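The following script applies the audit rule from steps 3 and 4 to the JSON form of a project IAM policy (what gcloud projects get-iam-policy PROJECT_ID --format=json prints). It is an added example and not code from the original page or from Trend Micro; the embedded policy is constructed sample data modelled on the YAML output above, with two compliant bindings added so that the filter has something to ignore. The function names (is_admin_role, admin_bindings, report) are this example's own.

```python
"""Flag principals holding administrative roles in a GCP project IAM policy.

Added example, not code from the original page. Apply it to the output of:
  gcloud projects get-iam-policy PROJECT_ID --format=json
The policy embedded below is constructed sample data.
"""
import json
import re

# Roles the page treats as administrative for Eventarc resources ...
PRIMITIVE_ADMIN_ROLES = {"roles/owner", "roles/editor", "roles/eventarc.developer"}
# ... plus any role with "admin"/"Admin" in its name, e.g. roles/eventarc.admin.
ADMIN_NAME_PATTERN = re.compile(r"admin", re.IGNORECASE)

# Constructed sample policy: the page's four admin bindings plus two compliant ones.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:username1@domain.com"],
     "role": "roles/editor"},
    {"members": ["user:username2@domain.com"], "role": "roles/owner"},
    {"members": ["user:username3@domain.com"], "role": "roles/eventarc.developer"},
    {"members": ["user:username4@domain.com"], "role": "roles/eventarc.admin"},
    {"members": ["user:username5@domain.com"], "role": "roles/eventarc.viewer"},
    {"members": ["user:username6@domain.com"], "role": "roles/eventarc.eventReceiver"}
  ],
  "etag": "abcd1234abcd",
  "version": 1
}
"""


def is_admin_role(role):
    """True for Owner, Editor, Eventarc Developer and any *Admin/*admin role."""
    return role in PRIMITIVE_ADMIN_ROLES or ADMIN_NAME_PATTERN.search(role) is not None


def load_policy(policy_json):
    """Parse the JSON printed by `gcloud projects get-iam-policy --format=json`."""
    return json.loads(policy_json)


def admin_bindings(policy):
    """Map each principal to the administrative roles it holds.

    An empty dict means the project passes the check.
    """
    found = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not is_admin_role(role):
            continue
        # A binding with a "condition" still grants the role whenever the
        # condition is true, so it is reported like an unconditional one.
        for member in binding.get("members", []):
            found.setdefault(member, []).append(role)
    return found


def report(policy, project_id):
    """One finding line per non-compliant principal, sorted for stable output."""
    lines = []
    for member, roles in sorted(admin_bindings(policy).items()):
        lines.append(f"{project_id}: {member} holds {', '.join(sorted(roles))}")
    return lines


if __name__ == "__main__":
    # For a live project, feed in the real policy JSON instead of the sample.
    findings = report(load_policy(SAMPLE_POLICY_JSON), "cc-web-project-123123")
    print("\n".join(findings) or "no administrative bindings found")
```

Run it once per project ID returned by gcloud projects list; any printed line is a principal whose binding should be reviewed in the remediation steps.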

Remediation / Resolution

To ensure that IAM roles with administrative permissions are not used for Google Cloud Eventarc resources, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that contains your Eventarc resources from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, under IAM & Admin, select IAM.

05 Select the ALLOW tab and choose VIEW BY PRINCIPALS to list all the IAM members (principals) that have access to the selected GCP project.

06 Choose the IAM principal with admin permissions that you want to configure and click on the Edit principal button (i.e., pencil icon) to modify the member permissions. The panel with the principal permissions opens.

07 In the Assign roles section, perform the following actions:

  1. Identify the administrator-based roles (i.e., Owner, Editor, Eventarc Developer, and *Admin, *admin roles) assigned to the selected principal and click on the Delete role button (i.e., bin icon) next to each admin role to remove the role binding.
  2. Choose ADD ANOTHER ROLE and select an IAM role that follows the Principle of Least Privilege (POLP) from the Select a role dropdown list to attach the appropriate role to the selected principal. Use ADD ANOTHER ROLE button to add as many roles as needed, according to the selected identity access requirements.

08 Choose SAVE to apply the permission changes.

09 Repeat steps no. 3 – 8 for each GCP project with Eventarc resources, deployed in your Google Cloud account.

Using GCP CLI

01 Run projects remove-iam-policy-binding command (Windows/macOS/Linux) with the ID of the GCP project that contains your Eventarc resources as the identifier parameter, to remove an administrator-based binding (e.g., "roles/owner") from the IAM policy associated with the selected project. Repeat this step for each administrator-based binding configured for your policy. Before removing a roles/owner binding, confirm that at least one other principal (ideally a group) still holds Owner on the project, otherwise nobody will be able to change the project's IAM policy afterwards:

gcloud projects remove-iam-policy-binding cc-web-project-123123 \
	--member='user:username2@domain.com' \
	--role='roles/owner'

02 The command output should return the modified IAM policy:

bindings:
- members:
	- serviceAccount:123456789012-compute@developer.gserviceaccount.com
	- user:username1@domain.com
	role: roles/editor
- members:
	- user:username3@domain.com
	role: roles/eventarc.developer
- members:
	- user:username4@domain.com
	role: roles/eventarc.admin
etag: abcd1234abcd
version: 1

03 Run projects add-iam-policy-binding command (Windows/macOS/Linux) with the ID of the GCP project that contains your Eventarc resources as the identifier parameter, to add a new binding to the IAM policy associated with the selected project. Use the --role parameter to specify the IAM role required by the selected principal, following the Principle of Least Privilege (POLP). As an example, the following command assigns the Eventarc Viewer role (i.e., roles/eventarc.viewer) to the specified principal. The Eventarc Viewer role can view the state of all Eventarc resources but cannot create, modify, or delete them. Pick the narrowest predefined role that covers the principal's actual tasks rather than a convenient broad one:

gcloud projects add-iam-policy-binding cc-web-project-123123 \
	--member='user:username2@domain.com' \
	--role='roles/eventarc.viewer'

04 The command output should return the modified IAM policy:

bindings:
- members:
	- user:username2@domain.com
	role: roles/eventarc.viewer
- members:
	- serviceAccount:123456789012-compute@developer.gserviceaccount.com
	- user:username1@domain.com
	role: roles/editor
- members:
	- user:username3@domain.com
	role: roles/eventarc.developer
- members:
	- user:username4@domain.com
	role: roles/eventarc.admin
etag: abcd1234abcd
version: 1

05 Repeat steps no. 1 - 4 for each GCP project with Eventarc resources, available within your Google Cloud account.
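Steps 1 to 4 issue one remove-iam-policy-binding and one add-iam-policy-binding call per binding, and each call reads and rewrites the whole project policy. The script below, an added example that is not code from the original page or from Trend Micro, builds the replacement policy in one step so it can be written with a single gcloud projects set-iam-policy PROJECT_ID policy.json call (my suggested alternative, not the page's command). It carries the policy's etag over so that IAM rejects the write if someone else changed the policy in the meantime, and it refuses to strip the only Owner, the lock-out case the remediation text warns about. The sample policy is constructed from the page's audit output, and the names demote_principal, LastOwnerError and to_policy_file are this example's own.

```python
"""Replace a principal's administrative bindings with a least-privilege role.

Added example, not code from the original page. Produces the policy document
for:  gcloud projects set-iam-policy cc-web-project-123123 policy.json
The sample policy is constructed from the page's get-iam-policy output.
"""
import copy
import json
import re

PRIMITIVE_ADMIN_ROLES = {"roles/owner", "roles/editor", "roles/eventarc.developer"}
ADMIN_NAME_PATTERN = re.compile(r"admin", re.IGNORECASE)

# Constructed sample policy (same bindings as the page's audit output).
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:username1@domain.com"],
         "role": "roles/editor"},
        {"members": ["user:username2@domain.com"], "role": "roles/owner"},
        {"members": ["user:username3@domain.com"], "role": "roles/eventarc.developer"},
        {"members": ["user:username4@domain.com"], "role": "roles/eventarc.admin"},
    ],
    "etag": "abcd1234abcd",
    "version": 1,
}


class LastOwnerError(Exception):
    """Raised when the change would leave the project without any Owner."""


def is_admin_role(role):
    """Owner, Editor, Eventarc Developer, or any role with admin/Admin in its name."""
    return role in PRIMITIVE_ADMIN_ROLES or ADMIN_NAME_PATTERN.search(role) is not None


def owners(policy):
    """Set of principals holding roles/owner through any binding."""
    return {m for b in policy.get("bindings", [])
            if b["role"] == "roles/owner" for m in b.get("members", [])}


def demote_principal(policy, member, replacement_role="roles/eventarc.viewer"):
    """Return (new_policy, removed_roles); the input policy is left untouched.

    Refuses to remove the only Owner: nobody could fix the IAM policy afterwards.
    """
    if owners(policy) == {member}:
        raise LastOwnerError(f"{member} is the only roles/owner; grant Owner to another principal first")
    new_policy = copy.deepcopy(policy)
    removed = []
    for binding in new_policy.get("bindings", []):
        if is_admin_role(binding["role"]) and member in binding.get("members", []):
            binding["members"].remove(member)
            removed.append(binding["role"])
    # Drop bindings emptied by the removal instead of leaving members: [].
    new_policy["bindings"] = [b for b in new_policy.get("bindings", []) if b.get("members")]
    # Reuse an existing unconditional binding for the replacement role, else append one.
    for binding in new_policy["bindings"]:
        if binding["role"] == replacement_role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        new_policy["bindings"].append({"members": [member], "role": replacement_role})
    return new_policy, removed  # etag and version are preserved by the deep copy


def to_policy_file(policy):
    """Serialize the policy for `gcloud projects set-iam-policy PROJECT_ID policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    new_policy, removed = demote_principal(SAMPLE_POLICY, "user:username4@domain.com")
    print(f"removed {removed}; policy.json to apply with set-iam-policy:")
    print(to_policy_file(new_policy))
```

With the page's sample policy, demoting user:username2@domain.com raises LastOwnerError because that user is the only Owner; demoting user:username4@domain.com removes the roles/eventarc.admin binding and adds a roles/eventarc.viewer one, which is the state the page's step 4 output shows for a viewer.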

Publication date Apr 11, 2025