Implement Least Privilege for Eventarc Trigger Service Accounts

Risk Level: Medium (should be achieved)

Ensure that the IAM service accounts associated with your Google Cloud Eventarc triggers are configured with least privilege access in order to minimize the potential impact of security breaches or misconfigurations by limiting the scope of unauthorized actions.

Security

Every Google Cloud Eventarc trigger is associated with an IAM service account at the time the trigger is deployed. Using IAM service accounts with least privilege access ensures that your Eventarc triggers have only the permissions necessary to perform their functions (i.e., they adhere to the Principle of Least Privilege), reducing the risk of accidental or malicious actions and enhancing the overall security of your Google Cloud environment.

Audit

To determine if the associated IAM service accounts are configured with least privilege access, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Eventarc console available at https://console.cloud.google.com/eventarc/.

04 In the left navigation panel, under Standard, choose Triggers to access the list of Eventarc triggers available for the selected GCP project.

05 Click on the name (link) of the Eventarc trigger that you want to examine, listed in the Name column.

06 In the Details section, copy the email of the IAM service account associated with the selected Eventarc trigger, listed next to Service account.

07 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

08 In the left navigation panel, under IAM & Admin, select IAM.

09 Select the ALLOW tab and choose VIEW BY PRINCIPALS to list all the IAM members (principals) that have access to the selected GCP project.

10 Click inside the Filter box and perform the following actions:

  1. Select Type and choose Service account to return all the IAM service accounts configured as principals.
  2. Select Principal, paste the email of the service account copied in step no. 6, and press Enter to return the IAM service account associated with your Eventarc trigger.
  3. Check the Role column to determine the identity-based permissions configured for the returned IAM service account. If one or more of the following roles are listed in the Role column: Owner, Editor, Eventarc Developer, and/or any roles containing Admin or admin in their name, the IAM service account associated with your Eventarc trigger is not configured with least privilege access.

11 Repeat steps no. 5 - 10 for each Google Cloud Eventarc trigger available within the selected GCP project.

12 Repeat steps no. 2 - 11 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-ai-project-112233
cc-dev-project-112233

03 Run eventarc triggers list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the ID of each Eventarc trigger created for the selected project:

gcloud eventarc triggers list \
  --project=cc-web-project-123123 \
  --format="default(name)"

04 The command output should return the requested Eventarc trigger IDs (i.e., fully qualified identifiers):

---
name: projects/cc-web-project-123123/locations/us-central1/triggers/cc-project5-trigger
---
name: projects/cc-web-project-123123/locations/us-central1/triggers/cc-cloud-ai-trigger

05 Run eventarc triggers describe command (Windows/macOS/Linux) with the ID of the Eventarc trigger that you want to examine as the identifier parameter and custom output filters to describe the email of the IAM service account associated with the selected trigger:

gcloud eventarc triggers describe "projects/cc-web-project-123123/locations/us-central1/triggers/cc-project5-trigger" \
  --format="value(serviceAccount)"

06 The command output should return the email of the requested service account:

cc-eventarc-service-account@cc-web-project-123123.iam.gserviceaccount.com

07 Run projects get-iam-policy command (Windows/macOS/Linux) to determine the identity-based permissions configured for the IAM service account associated with your Eventarc trigger. Use the --filter command parameter as shown in the example below to specify the email of the IAM service account that you want to examine:

gcloud projects get-iam-policy cc-web-project-123123 \
  --flatten="bindings[].members" \
  --filter="bindings.members:serviceAccount:cc-eventarc-service-account@cc-web-project-123123.iam.gserviceaccount.com" \
  --format="value(bindings.role)"

08 The command output should return the name of each IAM role assigned to the specified service account:

roles/owner
roles/eventarc.developer
roles/eventarc.admin

Check the name of each IAM role returned by the get-iam-policy command output to determine the permissions granted to the specified principal. If one or more of the following roles are returned: roles/owner, roles/editor, roles/eventarc.developer, and/or roles/*admin (i.e., roles containing Admin or admin in their name), the IAM service account associated with your Eventarc trigger is not configured with least privilege access.

09 Repeat steps no. 5 - 8 for each Google Cloud Eventarc trigger available in the selected GCP project.

10 Repeat steps no. 3 - 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

An Eventarc trigger service account with excessive permissions can increase the attack surface, creating a larger window of opportunity for malicious actors. To ensure that Eventarc trigger service accounts are granted least privilege access, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, under IAM & Admin, select IAM.

05 Select the ALLOW tab and choose VIEW BY PRINCIPALS to list all the IAM members (principals) that have access to the selected GCP project.

06 Choose the IAM service account with excessive privileges, associated with your Eventarc trigger, and click on the Edit principal button (i.e., pencil icon) to modify the principal permissions. The panel with the permissions opens.

07 In the Assign roles section, perform the following actions:

  1. Identify the overly permissive access roles (i.e., Owner, Editor, Eventarc Developer, and *Admin or *admin) assigned to the selected principal and click on the Delete role button (i.e., bin icon) next to each admin role to remove the role bindings.
  2. (Optional) Choose ADD ANOTHER ROLE and select an IAM role that follows the Principle of Least Privilege (POLP) from the Select a role dropdown list to attach the appropriate role to the selected principal. Use ADD ANOTHER ROLE button to add as many roles as needed, according to the IAM service account access requirements.

08 Choose SAVE to apply the permission changes.

09 Repeat steps no. 6 - 8 for each Google Cloud Eventarc trigger that you want to configure, available within the selected GCP project.

10 Repeat steps no. 2 - 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects remove-iam-policy-binding command (Windows/macOS/Linux) with the ID of the GCP project that contains your Eventarc resources as the identifier parameter, to remove the overly permissive role bindings from the IAM service account associated with your Eventarc trigger. Repeat this step for each non-compliant IAM role binding that you want to remove. As an example, the following command removes the Eventarc Admin role binding (i.e., roles/eventarc.admin) from the specified IAM service account:

gcloud projects remove-iam-policy-binding cc-web-project-123123 \
  --member='serviceAccount:cc-eventarc-service-account@cc-web-project-123123.iam.gserviceaccount.com' \
  --role='roles/eventarc.admin'

02 The command output should return the modified IAM policy:

bindings:
- members:
  - serviceAccount:cc-eventarc-service-account@cc-web-project-123123.iam.gserviceaccount.com
  - user:username@domain.com
  role: roles/owner
- members:
  - serviceAccount:cc-eventarc-service-account@cc-web-project-123123.iam.gserviceaccount.com
  role: roles/eventarc.developer
etag: ABCD1234ABCD
version: 1

03 (Optional) Run projects add-iam-policy-binding command (Windows/macOS/Linux) with the ID of the GCP project that contains your Eventarc resources as the identifier parameter, to add a new role binding to the IAM service account associated with your Eventarc trigger. Use the --role parameter to specify the IAM role required by the selected principal, that follows the Principle of Least Privilege (POLP). As an example, the following command assigns the Eventarc Event Receiver role (i.e., roles/eventarc.eventReceiver) to the specified service account. The Eventarc Event Receiver role can be used to receive events from event providers:

gcloud projects add-iam-policy-binding cc-web-project-123123 \
  --member='serviceAccount:cc-eventarc-service-account@cc-web-project-123123.iam.gserviceaccount.com' \
  --role='roles/eventarc.eventReceiver'

04 The command output should return the modified IAM policy:

bindings:
- members:
  - user:username@domain.com
  role: roles/owner
- members:
  - serviceAccount:cc-eventarc-service-account@cc-web-project-123123.iam.gserviceaccount.com
  role: roles/eventarc.eventReceiver
etag: ABCD1234ABCD
version: 1

05 Repeat steps no. 1 - 4 for each Google Cloud Eventarc trigger that you want to configure, available in the selected GCP project.

06 Repeat steps no. 1 - 5 for each GCP project deployed in your Google Cloud account.
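The CLI audit (steps 01 - 08 under "Using GCP CLI" in the Audit section) and the CLI remediation above repeat the same three gcloud calls per trigger, so they are easy to script. The bash script below is an added example; it is not part of this knowledge base article and not Trend Micro or Google code. It assumes an authenticated gcloud with permission to list Eventarc triggers and read project IAM policies, uses --format="value(name)" rather than the article's default(name) so that trigger names come out one per line, and applies the article's own role check (Owner, Editor, Eventarc Developer, and any role containing Admin or admin). Instead of changing IAM itself, it prints the projects remove-iam-policy-binding commands for the flagged roles as a plan to review; the project ID and service account in the usage comment are the article's sample values.

```shell
#!/usr/bin/env bash
# Added example (not Trend Vision One or Google code): audit the IAM service
# account of every Eventarc trigger in the given projects with gcloud, flag the
# roles this check treats as overly permissive, and print (not run) the
# remove-iam-policy-binding commands that would remediate them.
set -eu

# Roles the check flags: Owner, Editor, Eventarc Developer, and any role whose
# name contains "Admin"/"admin" (roles/eventarc.admin, roles/iam.serviceAccountAdmin, ...).
is_overly_permissive_role() {
  case "$1" in
    roles/owner|roles/editor|roles/eventarc.developer) return 0 ;;
    *[Aa]dmin*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read newline-separated role names on stdin (the shape produced by
# `gcloud projects get-iam-policy ... --format="value(bindings.role)"`) and
# print only the ones that fail the check. Prints nothing when compliant.
filter_overly_permissive_roles() {
  local role
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    if is_overly_permissive_role "$role"; then
      printf '%s\n' "$role"
    fi
  done
}

# Emit the remediation commands for one service account: one
# `gcloud projects remove-iam-policy-binding` per flagged role read on stdin.
# Review the plan and pick a narrower replacement role (for example
# roles/eventarc.eventReceiver) before running any of it.
remediation_plan() {
  local project=$1 sa=$2 role
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    printf 'gcloud projects remove-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
      "$project" "$sa" "$role"
  done
}

# The gcloud calls below mirror the manual audit steps.
trigger_service_account() {          # $1 = fully qualified trigger name
  gcloud eventarc triggers describe "$1" --format="value(serviceAccount)"
}

service_account_roles() {            # $1 = project ID, $2 = service account email
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

audit_project() {                    # $1 = project ID
  local project=$1 trigger sa roles flagged
  gcloud eventarc triggers list --project="$project" --format="value(name)" |
  while IFS= read -r trigger; do
    sa=$(trigger_service_account "$trigger")
    if [ -z "$sa" ]; then
      printf 'SKIP %s: no service account returned\n' "$trigger"
      continue
    fi
    # Capture the roles first so a failing gcloud call aborts under set -e
    # instead of being masked by the filter at the end of a pipeline.
    roles=$(service_account_roles "$project" "$sa")
    flagged=$(printf '%s\n' "$roles" | filter_overly_permissive_roles)
    if [ -n "$flagged" ]; then
      printf 'NON-COMPLIANT %s (%s)\n' "$trigger" "$sa"
      printf '%s\n' "$flagged" | remediation_plan "$project" "$sa" | sed 's/^/    /'
    else
      printf 'COMPLIANT     %s (%s)\n' "$trigger" "$sa"
    fi
  done
}

# Usage: ./audit-eventarc-sa.sh cc-web-project-123123 [more project IDs ...]
# With no arguments nothing is queried, so the pure check functions above can be
# sourced or exercised without gcloud access.
if [ "$#" -gt 0 ]; then
  for project in "$@"; do
    audit_project "$project"
  done
fi
```

Feed it the project IDs from `gcloud projects list --format="value(projectId)"` to cover a whole account in one pass. The role check is deliberately a substring match on "admin", as the article's wording is; expect it to flag roles such as roles/iam.serviceAccountAdmin as well as roles/eventarc.admin, and treat each flagged binding as something to replace with the narrowest role the trigger actually needs rather than simply delete.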

Publication date Apr 11, 2025