Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Prevent Service Account Creation for Google Cloud Organizations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the creation of Cloud IAM service accounts is prevented within your Google Cloud organization through the "Disable Service Account Creation" organization policy. This allows you to easily centralize the management of your service accounts while not restricting the other permissions that your developers and administrators have on the projects within the organization. A Cloud IAM service account is a special account that can be used by services and applications running on your Compute Engine instances to interact with other Google Cloud APIs. Applications can use service account credentials to authorize themselves to a set of APIs and perform actions within the permissions granted to the service account.

Security

By default, the Cloud IAM service accounts can be created by users based on their IAM roles and permissions. Through Google Cloud organization policies, you have centralized and programmatic control over your organization's cloud resources. As a Google Cloud organization administrator, you will be able to configure restrictions across your entire resource hierarchy. To define and establish constraints for your development teams in order to stay within the compliance boundaries set for your organization, you may want to use the "iam.disableServiceAccountCreation" boolean constraint to disable the creation of new service accounts. Preventing the creation of Cloud IAM service accounts for certain projects within your organization can will significantly reduce the chances that a compromised service account can be used without your knowledge to access certain Google Cloud components and resources.

Audit

To determine if the creation of service accounts is disabled within your Google Cloud organizations, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

05 Click inside the Filter by policy name or ID filter box, select Name and Disable Service Account Creation to return only the "Disable Service Account Creation" organization policy.

06 Click on the name of the "Disable Service Account Creation" organization policy.

07 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the attribute status is set to Not enforced, the policy is not enforced at the organization level, therefore the Cloud IAM service account creation is not disabled for the selected Google Cloud organization.

08 Repeat steps no. 2 – 7 for each organization available in in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each Google Cloud Platform (GCP) organization available in your Google Cloud account: 

gcloud organizations list
	--format="table(name)"

02 The command output should return the requested organization identifiers (IDs): 

ID
123412341234
111122223333

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as identifier parameter, to describe the enforcement status of the "Disable Service Account Creation" policy (i.e. "iam.disableServiceAccountCreation"), available for the selected organization: 

gcloud alpha resource-manager org-policies describe "iam.disableServiceAccountCreation"
	--effective
	--organization=123412341234
	--format="table(booleanPolicy)"

04 The command request should return the requested policy information: 

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object for the BOOLEAN_POLICY configuration attribute, as shown in the example above, the "Disable Service Account Creation" policy is not enforced at the organization level, therefore the Cloud IAM service account creation is not disabled for the selected Google Cloud organization.

05 Repeat step no. 3 and 4 for each organization created within in your Google Cloud account.

Remediation / Resolution

To ensure that Cloud IAM service account creation is disabled at your Google Cloud organization level, enable the "Disable Service Account Creation" organization policy, by performing the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

05 Click inside the Filter by policy name or ID box, select Name and Disable Service Account Creation to display only the "Disable Service Account Creation" organization policy.

06 Click on the name of the "Disable Service Account Creation" organization policy.

07 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

08 On the Edit policy configuration page, perform the following actions:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized).
  2. Under Enforcement, select On to enforce policy constraint. This constraint disables the creation of new Cloud IAM service accounts inside the selected GCP organization.
  3. Click SAVE to apply the changes and enforce the "Disable Service Account Creation" policy constraints.

09 If required, repeat steps no. 2 – 8 to enable the policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as identifier parameter (see Audit section part II to identify the organization ID), to enforce the "Disable Service Account Creation" policy (i.e. "iam.disableServiceAccountCreation") for the selected organization: 

gcloud alpha resource-manager org-policies enable-enforce "iam.disableServiceAccountCreation"
	--organization=123412341234

02 The command request should return the reconfigured organization policy metadata: 

booleanPolicy:
  enforced: true
constraint: constraints/iam.disableServiceAccountCreation
etag: abcdabcdabcd
updateTime: '2020-06-20T10:00:00.000Z'

03 If required, repeat step no. 1 and 2 to enforce the policy for other organizations created within your Google Cloud account.

References

Publication date Apr 21, 2021

Related ResourceManager rules