
Organization Administration Role in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)

Ensure that the Organization Administrator role (i.e. roles/resourcemanager.organizationAdmin) is not used for everyday tasks. The role provides access to manage IAM policies and view organization policies for organizations, folders, and projects.

Security

The Organization Administrator role grants broad permissions across the entire organization, so it carries significant security risk. Assigning it to users for everyday tasks means every organization-wide action they can take, whether accidental or malicious, succeeds. For managing resources within your Google Cloud organization, follow the Principle of Least Privilege (POLP) and assign more granular roles based on specific needs.

Audit

To determine if the Organization Administrator role is assigned to users within your organization, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

03 Click on the deployment selector from the top navigation bar, select the ALL tab to list all the existing deployments, then select the GCP organization that you want to examine.

04 In the left navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select VIEW BY PRINCIPALS to list all the IAM members (principals) associated with the selected organization.

06 Click inside the Filter box, select Role, type Organization Administrator, and press Enter to return the IAM member(s) with the Organization Administrator role.

07 If the filtering process performed at the previous step returns one or more IAM members, there are principals that make use of the Organization Administrator role (i.e. roles/resourcemanager.organizationAdmin) within your organization.

08 Repeat steps no. 1 – 7 for each organization created with Google Cloud Platform (GCP).

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) with custom query filters to list the ID of each organization created with Google Cloud Platform (GCP):

gcloud organizations list --format="table(name)"

02 The command output should return the GCP organization identifiers:

ID
123412341234
111122223333

03 Run organizations get-iam-policy command (Windows/macOS/Linux) with the ID of the GCP organization that you want to examine as the identifier parameter, to describe the IAM policy defined for the selected organization, in JSON format:

gcloud organizations get-iam-policy 123412341234 --format=json

04 The command output should return the organization's IAM policy:

{
	"bindings": [
		{
			"members": [
				"user:developer@trendmicro.com"
			],
			"role": "roles/resourcemanager.organizationAdmin"
		},
		{
			"members": [
				"domain:trendmicro.com"
			],
			"role": "roles/billing.creator"
		},
		{
			"members": [
				"domain:trendmicro.com"
			],
			"role": "roles/resourcemanager.projectCreator"
		},
		{
			"members": [
				"user:admin@trendmicro.com"
			],
			"role": "roles/owner"
		}
	],
	"etag": "abcdabcdabcd",
	"version": 1
}

Check the name of each associated role (i.e. "role" property value) returned by the organizations get-iam-policy command output. If one or more IAM members (principals) have the "role" property set to "roles/resourcemanager.organizationAdmin", as shown in the output example above, there are principals that make use of the Organization Administrator role within your organization.

05 Repeat steps no. 1 – 4 for each organization created with Google Cloud Platform (GCP).

Remediation / Resolution

To remove the Organization Administrator role (roles/resourcemanager.organizationAdmin) binding from your IAM members (principals), perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

03 Click on the deployment selector from the top navigation bar, select the ALL tab to list all the existing deployments, then select the GCP organization that you want to access.

04 In the left navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select VIEW BY PRINCIPALS to list all the IAM members (principals) associated with the selected organization.

06 Click inside the Filter box, select Role, type Organization Administrator, and press Enter to return the IAM member(s) with the Organization Administrator role.

07 Choose the IAM member (principal) that you want to configure and click on the Edit principal button (pencil icon) to modify the member permissions.

08 In the Assign roles section, perform the following actions:

  1. Identify the Organization Administrator role assigned to the selected principal and click on the Delete button (bin icon) to remove the role binding.
  2. (Optional) Choose ADD ANOTHER ROLE and select an IAM role that follows the Principle of Least Privilege (POLP) from the Select a role dropdown list to attach the appropriate role to the selected principal. Use ADD ANOTHER ROLE button to add as many roles as needed, according to the selected IAM identity access requirements.

09 Choose SAVE to apply the permission changes.

10 Repeat steps no. 7 – 9 for each IAM member that you want to configure, available for the selected organization.

11 Repeat steps no. 1 – 10 for each organization created with Google Cloud Platform (GCP).

Using GCP CLI

01 Run organizations remove-iam-policy-binding command (OSX/Linux/UNIX) with the ID of the GCP organization that you want to configure as the identifier parameter, to remove the Organization Administrator role (roles/resourcemanager.organizationAdmin) binding from the IAM policy defined for the selected organization:

gcloud organizations remove-iam-policy-binding 123412341234 \
  --member='user:developer@trendmicro.com' \
  --role='roles/resourcemanager.organizationAdmin'

02 The command output should return the information available for the modified policy:

Updated IAM policy for organization [741929605805].
bindings:
- members:
	- domain:trendmicro.com
	role: roles/billing.creator
- members:
	- user:admin@trendmicro.com
	role: roles/owner
- members:
	- domain:trendmicro.com
	role: roles/resourcemanager.projectCreator
etag: ABCD1234ABCD
version: 1

03 (Optional) Run organizations add-iam-policy-binding command (OSX/Linux/UNIX) to add a new role binding to the IAM policy associated with your organization, given the organization ID and the binding. The following command example adds the Organization Viewer role (roles/resourcemanager.organizationViewer) binding for the specified IAM member:

gcloud organizations add-iam-policy-binding 123412341234 \
  --member='user:developer@trendmicro.com' \
  --role='roles/resourcemanager.organizationViewer'

04 The command output should return the information available for the modified policy:

Updated IAM policy for organization [741929605805].
bindings:
- members:
	- user:developer@trendmicro.com
	role: roles/resourcemanager.organizationViewer
- members:
	- domain:trendmicro.com
	role: roles/billing.creator
- members:
	- user:admin@trendmicro.com
	role: roles/owner
- members:
	- domain:trendmicro.com
	role: roles/resourcemanager.projectCreator
etag: ABCD1234ABCD
version: 1

05 Repeat steps no. 1 – 4 for each IAM member that you want to configure, available for the selected organization.

06 Repeat steps no. 1 – 5 for each organization created with Google Cloud Platform (GCP).
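The CLI audit (get-iam-policy, steps 03–04) and the CLI remediation (remove-iam-policy-binding and the optional add-iam-policy-binding) above can be scripted together. The following is an added example, not Conformity's or gcloud's own code: it parses the JSON policy that gcloud prints, lists every principal bound to roles/resourcemanager.organizationAdmin, and builds the matching gcloud commands for review. The policy embedded below is constructed from the sample output on this page; the organization ID 123412341234 is the page's sample value.

```python
"""Audit an organization's IAM policy for the Organization Administrator role
and build the matching gcloud remediation commands. Added example, not part of
Conformity or gcloud; it parses the JSON printed by
`gcloud organizations get-iam-policy <ORG_ID> --format=json`."""
import json
from typing import Dict, List, Optional

ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"
REPLACEMENT_ROLE = "roles/resourcemanager.organizationViewer"  # page's example

# Constructed sample policy, same shape as the get-iam-policy output above.
SAMPLE_POLICY_JSON = """{
  "bindings": [
    {"members": ["user:developer@trendmicro.com"],
     "role": "roles/resourcemanager.organizationAdmin"},
    {"members": ["domain:trendmicro.com"], "role": "roles/billing.creator"},
    {"members": ["user:admin@trendmicro.com"], "role": "roles/owner"}
  ],
  "etag": "abcdabcdabcd", "version": 1
}"""

def org_admin_members(policy: Dict) -> List[str]:
    """Principals bound to the Organization Administrator role. Every binding
    is scanned, since a role may appear twice (e.g. once with a condition)."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == ORG_ADMIN_ROLE:
            found.update(binding.get("members", []))
    return sorted(found)

def remediation_commands(org_id: str, members: List[str],
                         replacement_role: Optional[str] = REPLACEMENT_ROLE
                         ) -> List[List[str]]:
    """Per principal: drop the admin binding, then (optionally) grant a
    narrower role. Returned as argv lists for review before subprocess.run()."""
    cmds = []
    for member in members:
        cmds.append(["gcloud", "organizations", "remove-iam-policy-binding",
                     org_id, f"--member={member}", f"--role={ORG_ADMIN_ROLE}"])
        if replacement_role:  # optional step, as in the remediation above
            cmds.append(["gcloud", "organizations", "add-iam-policy-binding",
                         org_id, f"--member={member}",
                         f"--role={replacement_role}"])
    return cmds

if __name__ == "__main__":
    admins = org_admin_members(json.loads(SAMPLE_POLICY_JSON))
    for cmd in remediation_commands("123412341234", admins):
        print(" ".join(cmd))
```

To audit a live organization, replace the sample with the output of `gcloud organizations get-iam-policy <ORG_ID> --format=json` and pass the returned argv lists to subprocess.run() only after reviewing them.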


Publication date May 3, 2024