Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Disable Automatic IAM Role Grants for Default Service Accounts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ResourceManager-002

Ensure that "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced for your Google Cloud Platform (GCP) organizations and projects in order to deactivate the automatic IAM role grant for default service accounts.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

There are Google Cloud services that require you to create default service accounts for your GCP projects. When a default service account is created, it is automatically granted the Editor role ("roles/editor") on your project. To enhance access security and meet compliance requirements, it is strongly recommended to disable the automatic IAM role grant. Use the "Disable Automatic IAM Grants for Default Service Accounts" (i.e. "iam.automaticIamGrantsForDefaultServiceAccounts") constraint to disable the automatic role grant for all the projects created within your organization.

Audit

To determine if "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced for your organizations and projects, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Disable Automatic IAM Grants for Default Service Accounts to return only the “Disable Automatic IAM Grants for Default Service Accounts” organization policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the policy is not enforced within your organization, therefore the restriction of auto enabling IAM role grant for default service accounts is not enabled for the selected Google Cloud organization.

08 While viewing the Disable Automatic IAM Grants for Default Service Accounts policy details page, click on the deployment selector from the top navigation bar and select the relevant project you wish to inspect.

09 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the policy is not enabled for the chosen project.

10 Repeat steps no. 2 – 9 for each organization available in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each GCP organization created within your Google Cloud account: 

gcloud organizations list
  --format="table(name)"

02 The command output should return the requested organization identifiers (IDs): 

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as identifier parameter, to describe the enforcement configuration of the “Disable Automatic IAM Grants for Default Service Accounts” policy (i.e. "iam.automaticIamGrantsForDefaultServiceAccounts"), available for the selected organization: 

gcloud alpha resource-manager org-policies describe
  "iam.automaticIamGrantsForDefaultServiceAccounts"
  --effective
  --organization=112233441122
  --format="table(booleanPolicy)"

04 The command request should return the requested configuration information: 

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object for the BOOLEAN_POLICY configuration attribute, as shown in the example above, the “Disable Automatic IAM Grants for Default Service Accounts” policy is not enforced at the organization level, therefore the restriction of auto enabling IAM role grant for default service accounts is not enabled for the selected Google Cloud organization.

05 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP project that you want to inspect: 

gcloud alpha resource-manager org-policies describe
  "iam.automaticIamGrantsForDefaultServiceAccounts"
  --effective
  --project=myProject123
  --format="table(booleanPolicy)"

06 The command request should return the requested configuration information: 

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object for the BOOLEAN_POLICY configuration attribute, i.e. {}, the “Disable Automatic IAM Grants for Default Service Accounts” policy is not enforced at the project level.

07 Repeat step no. 3 - 6 for each organization created within your Google Cloud account.

Remediation / Resolution

To ensure that the automatic IAM role grant for default service accounts is disabled within your Google Cloud organization, enable the “Disable Automatic IAM Grants for Default Service Accounts” organization policy by performing the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID box, select Name and Disable Automatic IAM Grants for Default Service Accounts to list only the “Disable Automatic IAM Grants for Default Service Accounts” policy.

06 Click on the name of the GCP organization policy listed at the previous step.

07 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

08 On the Edit policy configuration page, perform the following actions:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. Under Enforcement, select On to enforce the "iam.automaticIamGrantsForDefaultServiceAccounts" constraint. This policy constraint disables the automatic IAM role grant for default service accounts in the selected Google Cloud organization.
  3. Click SAVE to apply the changes and enforce the “Disable Automatic IAM Grants for Default Service Accounts” policy constraints.

09 Click on the deployment selector from the top navigation bar, select the project that you want to reconfigure and return to the same Edit policy configuration page. If required, follow the same navigation steps mentioned from steps 3 -7.

10 On the Edit policy configuration page, under Applies to select Inherit parent's policy and click save to apply policy to the individual project.

11 If required, repeat steps no. 2 – 10 to enable the policy for other organizations and projects available in your Google Cloud environment.

Using GCP CLI

01 Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the “Disable Automatic IAM Grants for Default Service Accounts” policy (i.e. "iam.automaticIamGrantsForDefaultServiceAccounts") for the selected GCP organization: 

gcloud alpha resource-manager org-policies enable-enforce
  "iam.automaticIamGrantsForDefaultServiceAccounts"
  --organization=112233441122

02 The command request should return the reconfigured organization policy metadata: 

booleanPolicy:
  enforced: true
constraint: constraints/iam.automaticIamGrantsForDefaultServiceAccounts
etag: aabbccddabcd
updateTime: '2020-07-14T12:00:00.000Z'

03 Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) project that you want to reconfigure.: 

gcloud alpha resource-manager org-policies enable-enforce
  "iam.automaticIamGrantsForDefaultServiceAccounts"
  --project=myproject123

04 The command request should return the reconfigured organization policy metadata: 

booleanPolicy:
  enforced: true
constraint: constraints/storage.uniformBucketLevelAccess
etag: aabbccddabcd
updateTime: '2020-07-15T20:00:00.000Z'

05 If required, repeat step no. 1 - 4 to enforce the policy for other GCP organizations and projects created within your Google Cloud environment.

References

Publication date May 4, 2021

Related ResourceManager rules