Avoid using pre-IAM basic (primitive) roles

Risk Level: High
GCP IAM Policy
Rule ID: D9.GCP.IAM.12
Category: Security, Identity, & Compliance
Basic roles grant a large number of permissions across all GCP services. Using them violates the principle of least privilege. Avoid basic roles and grant predefined roles or custom roles instead.

GSL Logic

GcpIamPolicy should not have bindings contain-any [ role like 'roles/owner' or role like 'roles/editor' ]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read.

Learn more:
Compliance Engine
GSL Language

Remediation

From Portal:
1. Go to IAM & Admin > IAM using https://console.cloud.google.com/iam-admin/iam
2. Go to the Principals tab.
3. Identify each member holding a basic role (owner/editor), add the roles that member actually needs while following the principle of least privilege, then remove the owner/editor roles.

From Command Line:
1. Get the project's IAM policy and write it to a YAML file. Run:

gcloud projects get-iam-policy PROJECT_ID --format=yaml > PATH_TO_NEWLY_CREATED_FILE

2. In the created YAML file, add the roles that each member needs while following the principle of least privilege, then remove the owner/editor roles.
3. Set the new IAM policy:

gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE
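
As an added example (not part of the original rule page or of Dome9's own code), the following Python reproduces the GSL check and the edit in step 2 against a policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`. The sample policy, its members, project name and etag are constructed; the replacement roles passed to `replace_basic_roles` are the operator's own least-privilege choice.

```python
import copy
import json
from typing import Dict, List, Tuple

# Basic (primitive) roles that rule D9.GCP.IAM.12 flags via its GSL logic.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXYZ-constructed", "version": 1
}
"""

def load_policy(text: str) -> Dict:
    """Parse the JSON policy document exported by gcloud."""
    return json.loads(text)

def find_basic_role_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs bound to a basic role; an empty list means compliant."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            if b.get("role") in BASIC_ROLES
            for m in b.get("members", [])]

def replace_basic_roles(policy: Dict, replacements: Dict[str, List[str]]) -> Dict:
    """Build the edited policy for remediation step 2: grant each flagged member the
    least-privilege roles listed for it in `replacements`, then drop the owner/editor
    bindings. Refuses if a member has no replacement, so nobody silently loses access."""
    bindings = [copy.deepcopy(b) for b in policy.get("bindings", [])
                if b.get("role") not in BASIC_ROLES]
    for role, member in find_basic_role_bindings(policy):
        new_roles = replacements.get(member)
        if not new_roles:
            raise ValueError(f"no least-privilege replacement for {member} ({role})")
        for new_role in new_roles:
            target = next((b for b in bindings if b["role"] == new_role), None)
            if target is None:
                target = {"role": new_role, "members": []}
                bindings.append(target)
            if member not in target["members"]:
                target["members"].append(member)
    # Keep the original etag so set-iam-policy rejects concurrent edits.
    return {**policy, "bindings": bindings}
```

Write the returned dict out as JSON and pass that file to `gcloud projects set-iam-policy`, after reviewing the diff against the exported policy.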
Reference:
1. https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
2. https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
3. https://cloud.google.com/iam/docs/understanding-roles
4. https://cloud.google.com/iam/docs/permissions-reference

GCP IAM Policy

You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

Compliance Frameworks

GDPR BP_0318