Ensure permissions to impersonate a service account are not granted at project level

Risk Level: Critical
GCP IAM Policy
Rule ID: D9.GCP.IAM.15
Category: Security, Identity, & Compliance
Granting a user or service account one of the roles roles/iam.workloadIdentityUser, roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator at the project level in practice gives that principal the permissions of every service account in the project: it can act as, or mint tokens for, any of them. This violates the principle of least privilege. These roles need to be granted on the individual service account, not on the project. Because IAM policies are inherited, the same roles bound at folder or organization level have an even broader effect; this rule inspects only the project's own policy.

gsl logic

GcpIamPolicy should not have bindings contain-any [ role in ('roles/iam.workloadIdentityUser', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language

Remediation


From Portal:
In order to grant an identity permission to use a specific service account, follow these instructions:

1. Go to IAM - Service accounts using https://console.cloud.google.com/iam-admin/serviceaccounts
2. Select the service account that the identity should be allowed to impersonate, then click Permissions
3. Under Members click Grant access
4. Enter the user's or service account's email and select the role that allows impersonation (for example roles/iam.serviceAccountTokenCreator or roles/iam.serviceAccountUser).
5. Click Save to apply changes



From Command Line:

1. Get the current policy of the service account and write it to a YAML file (get-iam-policy prints to stdout; it does not take a file argument):


gcloud iam service-accounts get-iam-policy SERVICE_ACCOUNT_ID --format=yaml > PATH_TO_NEW_FILE


2. In the created YAML, add a new binding with the role and the member that should be granted it. Leave the etag line unchanged: set-iam-policy uses it to reject the update if the policy was modified in the meantime.
3. Set the new IAM policy of the service account:


gcloud iam service-accounts set-iam-policy SERVICE_ACCOUNT_ID PATH_TO_NEW_FILE



In order to remove the project level permissions:
1. Get the project's current policy and write it to a YAML file:


gcloud projects get-iam-policy PROJECT_ID --format=yaml > PATH_TO_NEW_FILE


2. In the created YAML, find the bindings for the three roles above and remove them (or remove the affected member from them). Do this only after the member has been granted the role on the specific service accounts it actually needs, and leave the etag line unchanged.
3. Set the new IAM policy of the project:


gcloud projects set-iam-policy PROJECT_ID PATH_TO_NEW_FILE
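The following script is an added example, not part of this rule page or of the Dome9/GSL engine. It implements the rule's check (the GSL logic above) and the two command-line procedures in one place: it takes a project IAM policy in the JSON shape that gcloud projects get-iam-policy PROJECT_ID --format=json returns, reports every project-level binding of the three impersonation roles, strips those bindings from the project policy while preserving the etag, and produces the per-service-account bindings to grant instead. The policy, the member and service account emails and the member-to-service-account mapping are all constructed for the example; in practice that mapping is a human decision about which service accounts each principal really needs. Bindings that carry an IAM condition, and members nobody has mapped, are not silently converted but returned for manual review.

```python
import copy
import json

# Roles that, when bound at project level, let the member act as or mint
# tokens for every service account in the project (the roles in the GSL rule).
IMPERSONATION_ROLES = {
    "roles/iam.workloadIdentityUser",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Constructed sample project policy (placeholder project and emails), in the
# shape `gcloud projects get-iam-policy PROJECT_ID --format=json` returns.
PROJECT_POLICY = {
    "etag": "BwXYZ123=",
    "version": 1,
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:deployer@my-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
    ],
}

# Constructed reviewer decision: which service accounts each member may use.
# The deployer account is deliberately left unmapped to show the review path.
SA_FOR_MEMBER = {
    "user:alice@example.com": ["ci-runner@my-project.iam.gserviceaccount.com"],
}


def find_project_level_impersonation(policy):
    """The GSL check: (role, member) pairs holding an impersonation role on the project."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] in IMPERSONATION_ROLES:
            for member in binding.get("members", []):
                findings.append((binding["role"], member))
    return findings


def remediate(policy, sa_for_member):
    """Return (new_project_policy, per_sa_bindings, needs_review).

    new_project_policy: the input policy with the impersonation-role bindings
        removed and the etag kept, ready for `gcloud projects set-iam-policy`.
    per_sa_bindings: {service_account_email: [{"role": ..., "members": [...]}]}
        to grant on each service account instead.
    needs_review: (role, member) pairs dropped from the project but not
        re-granted, because the binding was conditional or the member unmapped.
    """
    new_policy = copy.deepcopy(policy)
    kept = []
    sa_bindings = {}   # sa email -> {role -> set(members)}
    needs_review = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] not in IMPERSONATION_ROLES:
            kept.append(binding)
            continue
        for member in binding.get("members", []):
            targets = sa_for_member.get(member)
            # A condition on the project binding cannot be copied blindly to a
            # service-account policy; an unmapped member has no target to move to.
            if "condition" in binding or not targets:
                needs_review.append((binding["role"], member))
                continue
            for sa in targets:
                sa_bindings.setdefault(sa, {}).setdefault(binding["role"], set()).add(member)
    new_policy["bindings"] = kept
    per_sa = {
        sa: [{"role": role, "members": sorted(members)}
             for role, members in sorted(roles.items())]
        for sa, roles in sorted(sa_bindings.items())
    }
    return new_policy, per_sa, needs_review


if __name__ == "__main__":
    for role, member in find_project_level_impersonation(PROJECT_POLICY):
        print(f"project-level {role} granted to {member}")
    new_policy, per_sa, review = remediate(PROJECT_POLICY, SA_FOR_MEMBER)
    print(json.dumps(new_policy, indent=2))   # write this out for set-iam-policy
    print(json.dumps(per_sa, indent=2))
    print("needs manual review:", review)
```

Apply the output in the order the page gives: first grant each entry of the per-service-account map with gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL --member=MEMBER --role=ROLE (additive, so no etag handling is needed), then write the returned project policy to a file and pass it to gcloud projects set-iam-policy PROJECT_ID FILE; the preserved etag makes that call fail rather than clobber a policy someone changed in between. Running the check again on the returned policy should yield no findings.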



Reference:
1. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/get-iam-policy
2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/set-iam-policy
3. https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
4. https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
5. https://cloud.google.com/iam/docs/impersonating-service-accounts#impersonate-sa-level
6. https://cloud.google.com/iam/docs/impersonating-service-accounts#allow-impersonation

GCP IAM Policy

You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

Compliance Frameworks

HIPAA GDPR BP_0318