Ensure that Service Account has no Admin privileges

Risk Level: High
Service Account
Rule ID: D9.GCP.IAM.05
Category: Security, Identity, & Compliance
A Service Account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to grant admin access to a Service Account.

gsl logic

ServiceAccount should not have roles contain-any [ ($ like '%admin%') or $ in ('roles/owner', 'roles/editor') ]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read.

Learn more:
Compliance Engine
GSL Language

Remediation


From Portal:
1. Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
2. Go to the Principals
3. Identify the service account with over-permissive roles, click on the edit member icon.
4. Identify the over-permissive roles and click on the delete bin icon to remove role from the service account.



From Command Line:

1. Get the policy that you want to modify, and write it to a file:


gcloud projects get-iam-policy PROJECT_ID > PATH_TO_NEWLY_CREATED_FILE


2. In the created file, detect the overly permissive service account and delete any role containing 'admin', 'roles/owner' or 'roles/editor'.
3. Set the new IAM policy of the project:


gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE
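Step 2 above is manual editing of the policy file. The following script, added here as an example and not part of the Dome9 rule or Google's tooling, performs the same detection on the JSON that `gcloud projects get-iam-policy --format=json` writes and produces the edited policy that `set-iam-policy` expects. It applies the rule's predicate (role name contains "admin", or the role is roles/owner or roles/editor) to every binding and strips only the `serviceAccount:` members out of matching bindings, leaving users, groups and the policy `etag` untouched. The embedded policy, project name and service account e-mail addresses are constructed sample data; the case-insensitive match on "admin" is an assumption about how the GSL `like` operator behaves.

```python
import copy
import json
import sys

# Basic roles the rule names explicitly; "admin" is matched as a substring.
OVERLY_PERMISSIVE_EXACT = {"roles/owner", "roles/editor"}

# Constructed sample output of `gcloud projects get-iam-policy --format=json`.
# Project and account names are placeholders, not real identifiers.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.admin",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["group:auditors@example.com"]}
  ],
  "etag": "BwXexampleEtag=",
  "version": 1
}
"""


def is_over_permissive(role: str) -> bool:
    """Mirror of the GSL predicate: ($ like '%admin%') or $ in ('roles/owner', 'roles/editor').
    Case-insensitive substring match on 'admin' is an assumption about GSL 'like'."""
    return "admin" in role.lower() or role in OVERLY_PERMISSIVE_EXACT


def find_admin_service_accounts(policy: dict) -> list:
    """Return (member, role) pairs where a service account holds an over-permissive role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not is_over_permissive(role):
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append((member, role))
    return findings


def remove_admin_roles_from_service_accounts(policy: dict) -> dict:
    """Return a copy of the policy with service accounts removed from over-permissive bindings.
    Other principals keep their roles; bindings left with no members are dropped;
    the etag is preserved so set-iam-policy rejects the write if the policy changed meanwhile."""
    cleaned = copy.deepcopy(policy)
    kept_bindings = []
    for binding in cleaned.get("bindings", []):
        if is_over_permissive(binding.get("role", "")):
            binding["members"] = [m for m in binding.get("members", [])
                                  if not m.startswith("serviceAccount:")]
        if binding.get("members"):
            kept_bindings.append(binding)
    cleaned["bindings"] = kept_bindings
    return cleaned


def load_sample_policy() -> dict:
    """Parse the constructed sample policy above."""
    return json.loads(SAMPLE_POLICY_JSON)


if __name__ == "__main__":
    # Usage: python check_sa_roles.py [policy.json] > edited_policy.json
    # Without an argument the constructed sample policy is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = load_sample_policy()
    for member, role in find_admin_service_accounts(policy):
        print(f"VIOLATION {member} holds {role}", file=sys.stderr)
    print(json.dumps(remove_admin_roles_from_service_accounts(policy), indent=2))
```

Review the reported findings before running `gcloud projects set-iam-policy` with the edited file: a workload that relied on the removed role will lose it, so the usual follow-up is to grant a narrower predefined role in its place rather than leaving the service account with nothing. Keeping the `etag` from the fetched policy in the edited file is what makes the write fail safely if someone else modified the policy between the get and the set.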



Reference:
1. https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
2. https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
3. https://cloud.google.com/iam/docs/understanding-roles
4. https://cloud.google.com/iam/docs/understanding-service-accounts

Service Account

A service account is an account that belongs to your application instead of an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application.

Compliance Frameworks

HIPAA GDPR BP_0318