
Roles with Administrative Permissions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that IAM roles with privileged administrative permissions are not assigned to IAM identities (users, groups, and service accounts) to promote least privilege and provide your members (principals) the minimal access required to perform their tasks.

Security

In Google Cloud, roles with administrative permissions can incorporate positions that provide elevated access privileges. To minimize security risks, these roles should not be assigned to IAM members (principals) on a regular basis. When IAM members have administrator privileges (Owner and Editor roles, or roles containing "Admin" or "admin" in their names), they can access, create, and manage cloud resources. To adhere to the Principle of Least Privilege (POLP), assign IAM members the minimal set of permissions required for their operations, and remove any administrator roles that grant overly permissive access.
Audit

To determine if your IAM members are using roles with administrative permissions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select VIEW BY PRINCIPALS to list all the IAM members (principals) associated with the selected GCP project.

06 Click inside the Filter box, and perform the following actions:

  1. Select Role, type Owner, and press Enter to return the IAM member(s) with the Owner role.
  2. Select OR, choose Role, type Editor, and press Enter to return the member(s) with the Editor role.
  3. Select OR, choose Role, type Admin or admin, and press Enter to return the IAM member(s) with administrator-based roles (i.e. roles containing Admin or admin in their name).

07 If the filtering process performed at the previous step returns one or more IAM members, there are principals that make use of roles with administrative permissions, available in the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your Google Cloud Platform (GCP) account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested project identifiers (IDs):

PROJECT_ID
cc-prod-app-123123
cc-project5-123456

03 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the Google Cloud project that you want to examine as the identifier parameter and custom query filters to describe the Identity and Access Management (IAM) policy available for the selected project, in JSON format:

gcloud projects get-iam-policy cc-prod-app-123123 \
  --format=json

04 The command output should return the requested IAM policy (JSON format):

{
	"bindings": [
		{
			"members": [
				"user:member@domain.com"
			],
			"role": "roles/owner"
		},
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com",
				"user:member@domain.com"
			],
			"role": "roles/editor"
		},
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
			],
			"role": "roles/cloudfunctions.admin"
		},
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
			],
			"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
		}
	],
	"etag": "abcdabcdabcd",
	"version": 1
}

Check the name of each associated role (i.e. "role" property value) returned by the projects get-iam-policy command output. If one or more IAM members have the "role" property set to "roles/owner", "roles/editor", and/or "roles/*admin", as shown in the output example above, there are principals that make use of roles with administrative permissions, available in the selected GCP project.

05 Repeat steps no. 3 and 4 for each GCP project created within your Google Cloud account.
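As an added example that is not part of the Conformity page or of the gcloud tooling, the following Python script applies the criteria from the Security section and from step 04 above to a policy document: a binding is administrative when its role is roles/owner, roles/editor, or any role whose name contains "admin". The sample policy embedded in the script is the one shown in step 04, constructed inline so the script runs offline; the script name and the function names (`is_admin_role`, `find_admin_bindings`, `summarize`) are assumptions of this example.

```python
import json
import sys

# Constructed sample: the IAM policy shown in Audit step 04, embedded here so
# the script runs offline. Pass a file path on the command line to audit a
# real policy instead.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["user:member@domain.com"], "role": "roles/owner"},
    {"members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:member@domain.com"], "role": "roles/editor"},
    {"members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
     "role": "roles/cloudfunctions.admin"},
    {"members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
     "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"}
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}
""")


def is_admin_role(role):
    """The page's criteria: Owner, Editor, or a role name containing 'admin'
    (case-insensitive), which also covers names such as
    roles/iam.serviceAccountAdmin."""
    if role in ("roles/owner", "roles/editor"):
        return True
    return "admin" in role.lower()


def find_admin_bindings(policy):
    """Return a sorted list of (member, role) pairs for every administrative
    binding. Conditional bindings are reported too: a condition narrows when
    the role applies, not what it can do once it applies."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if is_admin_role(role):
            for member in binding.get("members", []):
                findings.append((member, role))
    return sorted(findings)


def summarize(policy):
    """Group findings per principal, matching the console's VIEW BY PRINCIPALS
    layout: {member: [admin roles...]}."""
    per_member = {}
    for member, role in find_admin_bindings(policy):
        per_member.setdefault(member, []).append(role)
    return per_member


if __name__ == "__main__":
    # Usage: python3 audit_admin_roles.py [policy.json]
    # where policy.json comes from:
    #   gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
    policy = SAMPLE_POLICY
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            policy = json.load(f)
    report = summarize(policy)
    if not report:
        print("No administrative role bindings found.")
    for member, roles in report.items():
        print(f"{member}: {', '.join(roles)}")
```

One caveat on the substring match: it is exactly what the console filter in step 06 of the GCP Console procedure does, so predefined roles such as roles/iam.serviceAccountAdmin are caught, but a custom role that grants broad permissions under a name without "admin" in it is not. The check is a name-based heuristic, not an analysis of the permissions each role actually contains.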

Remediation / Resolution

To remove any administrator role assignments from your IAM role members (principals), perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select IAM.

05 Choose the PERMISSIONS tab and select VIEW BY PRINCIPALS to list all the IAM members (principals) associated with the selected GCP project.

06 Choose the IAM member (principal) that you want to configure and click on the Edit principal button (pencil icon) to modify the member permissions.

07 In the Assign roles section, perform the following actions:

  1. Identify the administrator-based roles (i.e. *Admin, *admin, Editor, and Owner) assigned to the selected principal and click on the Delete button (bin icon) next to each admin role to remove the role binding.
  2. Choose ADD ANOTHER ROLE and select an IAM role that follows the Principle of Least Privilege (POLP) from the Select a role dropdown list to attach the appropriate role to the selected principal. Use ADD ANOTHER ROLE button to add as many roles as needed, according to the selected IAM identity access requirements.

08 Choose SAVE to apply the permission changes.

09 Repeat steps no. 6 – 8 for each IAM member that you want to configure, created for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project available within your Google cloud account.

Using GCP CLI

01 Run projects get-iam-policy command (Windows/macOS/Linux) to describe the IAM policy defined for your GCP project:

gcloud projects get-iam-policy cc-prod-app-123123 \
  --format=json

02 The command output should return the requested IAM policy:

{
	"bindings": [
		{
			"members": [
				"user:member@domain.com"
			],
			"role": "roles/owner"
		},
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com",
				"user:member@domain.com"
			],
			"role": "roles/editor"
		},
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
			],
			"role": "roles/cloudfunctions.admin"
		},
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
			],
			"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
		}
	],
	"etag": "abcdabcdabcd",
	"version": 1
}

03 Edit the IAM policy returned at the previous step and replace (or remove) the role bindings with the name "roles/owner", "roles/editor", and/or "roles/*admin" with relevant IAM roles that follow the Principle of Least Privilege (POLP), then save the policy document to a JSON file named non-admin-iam-policy.json. For example, the "roles/owner" and the "roles/editor" bindings have been removed from the IAM policy listed above, and the "roles/cloudfunctions.admin" role binding has been replaced with the "roles/cloudfunctions.developer" binding:

{
	"bindings": [
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
			],
			"role": "roles/cloudfunctions.developer"
		},
		{
			"members": [
				"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
			],
			"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
		}
	],
	"etag": "abcdabcdabcd",
	"version": 1
}

04 Run projects set-iam-policy command (Windows/macOS/Linux) to update your IAM policy using the policy document modified at the previous step (i.e. non-admin-iam-policy.json):

gcloud projects set-iam-policy cc-prod-app-123123 non-admin-iam-policy.json

05 The command request should return the information for the modified IAM policy:

Updated IAM policy for project [cc-prod-app-123123].
	bindings:
	- members:
		- serviceAccount:123456789012-compute@developer.gserviceaccount.com
		role: roles/cloudfunctions.developer
	- members:
		- serviceAccount:123456789012-compute@developer.gserviceaccount.com
		role: roles/cloudkms.cryptoKeyEncrypterDecrypter
	etag: abcdabcdabcd
	version: 1

06 Repeat steps no. 1 – 5 for other Google Cloud Platform (GCP) projects available within your cloud account.
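As an added example (not Conformity's or Google's code) of step 03, this Python script derives non-admin-iam-policy.json from the policy fetched in step 01: Owner and Editor bindings are dropped, roles/cloudfunctions.admin is swapped for roles/cloudfunctions.developer as on the page, and everything else, including etag and version, is carried over unchanged. The `REPLACEMENTS` map and the function names are assumptions of this example; the input policy is the page's own step 02 output, embedded inline so the script runs offline.

```python
import json

# Constructed sample: the IAM policy from Remediation step 02, embedded so the
# script runs offline.
CURRENT_POLICY = {
    "bindings": [
        {"members": ["user:member@domain.com"], "role": "roles/owner"},
        {"members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:member@domain.com"], "role": "roles/editor"},
        {"members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
         "role": "roles/cloudfunctions.admin"},
        {"members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
         "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"},
    ],
    "etag": "abcdabcdabcd",
    "version": 1,
}

# Hypothetical replacement map (an assumption of this example): which
# least-privilege role stands in for an administrative one. The page swaps
# roles/cloudfunctions.admin for roles/cloudfunctions.developer; admin roles
# with no entry here are dropped outright, as the page does for Owner/Editor.
REPLACEMENTS = {"roles/cloudfunctions.admin": "roles/cloudfunctions.developer"}


def is_admin_role(role):
    """Same criteria as the Audit section: Owner, Editor, or 'admin' in the name."""
    return role in ("roles/owner", "roles/editor") or "admin" in role.lower()


def build_non_admin_policy(policy, replacements):
    """Return a new policy with admin bindings removed or replaced.

    Bindings are keyed by (role, condition) so that, if a replacement role is
    already bound in the policy, its members are merged into the existing
    binding instead of producing a second binding for the same role.
    etag and version are copied through untouched."""
    merged = {}   # (role, condition-as-json) -> binding
    order = []    # keys in first-seen order, to keep the output stable
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if is_admin_role(role):
            if role not in replacements:
                continue  # drop, like roles/owner and roles/editor on the page
            binding = {**binding, "role": replacements[role]}
        key = (binding["role"], json.dumps(binding.get("condition"), sort_keys=True))
        if key in merged:
            existing = merged[key]["members"]
            existing.extend(m for m in binding["members"] if m not in existing)
        else:
            merged[key] = {**binding, "members": list(binding["members"])}
            order.append(key)
    return {**policy, "bindings": [merged[k] for k in order]}


def write_policy(policy, path="non-admin-iam-policy.json"):
    """Write the policy document in the JSON layout set-iam-policy accepts."""
    with open(path, "w") as f:
        json.dump(policy, f, indent=2)
    return path


if __name__ == "__main__":
    new_policy = build_non_admin_policy(CURRENT_POLICY, REPLACEMENTS)
    print(json.dumps(new_policy, indent=2))
    print("written:", write_policy(new_policy))
```

Running it writes non-admin-iam-policy.json beside the script, ready for `gcloud projects set-iam-policy cc-prod-app-123123 non-admin-iam-policy.json` as in step 04. Carrying the etag through unchanged matters: set-iam-policy compares it with the etag of the stored policy and rejects the update if the policy changed between steps 01 and 04, which is what keeps this read-modify-write from silently overwriting another administrator's edit.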

Publication date May 6, 2024