
lacework-global-235

1.5 Ensure That Service Account Has No Admin Privileges (Automated)

Profile Applicability

• Level 1

Description

A service account is a special Google Account that belongs to an application or a VM instead of to an individual end user. The application authenticates as the service account to call Google APIs, so no human user is involved in the call. Best practice is not to grant administrator access to service accounts. This includes the Editor role, the Owner role and any role that grants administrator access to a particular service (such as Security Admin). This policy considers both user-created and default (user-managed but not user-created) service accounts. Default service accounts are created automatically when certain services such as Compute Engine or App Engine are enabled and, unless the automatic grant is disabled by organization policy, are given the Editor role on the project; even though you did not create them, they can hold administrative privileges like any other service account and must be included in the audit.

Rationale

Service accounts represent the service-level security of the resources (an application or a VM) that use them, and that security is determined by the roles assigned to the account. Granting a service account administrator rights gives anyone or anything that can act as that account full control of the resources the role covers: it can delete resources, change settings and modify configuration without any user intervention, and a compromised workload, leaked key or impersonation grant inherits all of that power. For this reason, service accounts should not hold Admin rights.

Impact

Removing *Admin, *admin, Editor or Owner role assignments from service accounts may break functionality that relies on the impacted service accounts. The role(s) actually required, with no more permissions than the workload needs, should be assigned to the impacted service accounts to restore the broken functionality.

Audit

From Console:

  1. Navigate to the IAM section of the IAM & Admin console: https://console.cloud.google.com/iam-admin/iam.
  2. Ensure the VIEW BY PRINCIPALS tab is active.
  3. Check the box to "Include Google-provided role grants".
  4. Add the following four filters to the table of principals:
    • Type: Service account
    • Role:admin
    • Role:Editor
    • Role:Owner
  5. Ensure that no service account is assigned the Editor role, the Owner role, or any role whose name contains the word Admin or admin.

From Command Line:

  1. Run the following command, replacing <PROJECT_ID> with the target project, to return all IAM policy bindings set directly on the specified project:

    gcloud projects get-iam-policy <PROJECT_ID> --format json

  2. Ensure that the output of the command does not include any binding of the Editor role, Owner role, or a role containing the word Admin or admin to a service account. Service accounts are identifiable as bound members with the prefix serviceAccount:. The following example shows a service account that is bound to an admin role:

    {
      "bindings": [
        {
          "members": [
            "serviceAccount:project-foo@appspot.gserviceaccount.com"
          ],
          "role": "roles/appengine.appAdmin"
        }
      ]
    }

  Note that this command returns only the policy set on the project itself. Admin, Editor or Owner grants made at the folder or organization level are inherited by the project but do not appear in this output, so they must be audited separately at the level where they were granted. Grants made to a group that contains a service account are also not attributed to the service account here.

Remediation

From Console:

  1. Navigate to the Identity and Access Management (IAM) section of the IAM & Admin console: https://console.cloud.google.com/iam-admin/iam.
  2. Ensure the View By Principals tab is active.
  3. Check the box to "Include Google-provided role grants".
  4. Add the following four filters to the table of principals:
    • Type: Service account
    • Role: *Admin
    • Role: Editor
    • Role: Owner
  5. In the resulting list of principals, click the pencil icon next to a service account to open the edit drawer.
  6. Edit the role to remove excess administrator privileges:
    • If the offending administrator role is not required, remove it by clicking the Delete bin/trash icon.
    • Alternatively, assign a lesser privileged role to the service account.
    • The lesser privileged role should contain only the exact permissions required by the service account. If an appropriate role does not exist, create a custom role at https://console.cloud.google.com/iam-admin/roles.
  7. Validate the changes in the summary to the right.
  8. Click the save icon to confirm the role removal.
  9. Repeat steps 5-8 for each service account in the filtered list created in step 4.

From Command Line:

  1. Run the following command to retrieve the project's IAM policy and write it to a file on disk in JSON format:

    gcloud projects get-iam-policy <PROJECT_ID> --format json > iam.json

  2. Using a text editor, open iam.json and remove or update service account bindings to the Editor role (roles/editor), the Owner role (roles/owner) or roles whose name contains the word admin. You can remove a binding by deleting the offending service account member from the binding's members list (delete the whole binding if no members remain). Alternatively, you can update the binding to associate the offending service account with a role that contains only the permissions it requires (a custom role if necessary). Leave the etag field in the file untouched: set-iam-policy uses it to reject the write if the policy changed on the server after you read it, which prevents you from silently overwriting someone else's concurrent change. The following example binds a service account to a custom role:

    {
      "bindings": [
        {
          "members": [
            "serviceAccount:project-foo@appspot.gserviceaccount.com"
          ],
          "role": "projects/project-foo/roles/CustomFooRole"
        }
      ]
    }

  3. Save iam.json.

  4. Write the IAM policy updates back to the GCP project with the following command. Note that this replaces the entire project-level policy with the contents of the file, so review the diff against the original before applying it:

    gcloud projects set-iam-policy <PROJECT_ID> iam.json

  If you only need to drop a single binding, gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SA_EMAIL> --role=<ROLE> performs the read-modify-write for that one binding without editing the file by hand.
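The audit and the remediation above both amount to the same operation on the JSON that gcloud projects get-iam-policy --format json emits: walk the bindings, pick out members with the serviceAccount: prefix, and test the role name for Owner, Editor or "admin". The script below is an added example for both steps; it is not part of the CIS benchmark, Lacework or Google's tooling. It assumes only the documented policy shape (a bindings list of objects with role and members, an optional condition per binding, and an etag), and the SAMPLE_POLICY it ships with is constructed for illustration. The function names, the treatment of deleted:serviceAccount: members as findings, and the choice to merge replacement roles only into unconditional bindings are this example's own design decisions.

```python
"""Find and strip admin-level role bindings held by service accounts.

Operates on the JSON produced by:
    gcloud projects get-iam-policy <PROJECT_ID> --format json > iam.json
and emits JSON suitable for:
    gcloud projects set-iam-policy <PROJECT_ID> iam.fixed.json
The etag is preserved so the write is rejected if the policy changed meanwhile.
"""
from __future__ import annotations

import copy
import json
import re
import sys
from typing import Dict, List, Optional, Tuple

# Roles the benchmark treats as administrative: Owner, Editor, and any role
# whose name contains "admin" in any case (roles/iam.securityAdmin, roles/appengine.appAdmin, ...).
BASIC_ADMIN_ROLES = {"roles/owner", "roles/editor"}
ADMIN_ROLE_RE = re.compile(r"admin", re.IGNORECASE)

# Live service accounts, plus stale bindings left behind when the account was deleted
# (gcloud renders those as "deleted:serviceAccount:<email>?uid=<id>"); both are worth flagging.
SA_PREFIXES = ("serviceAccount:", "deleted:serviceAccount:")

# Constructed sample policy, not captured from a real project.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["serviceAccount:project-foo@appspot.gserviceaccount.com",
                     "user:alice@example.com"],
         "role": "roles/appengine.appAdmin"},
        {"members": ["serviceAccount:123456789-compute@developer.gserviceaccount.com"],
         "role": "roles/editor"},
        {"members": ["serviceAccount:reader@project-foo.iam.gserviceaccount.com"],
         "role": "roles/storage.objectViewer"},
        # Group membership is opaque to this check: a group holding an admin role is not
        # reported even if a service account belongs to it. Audit group members separately.
        {"members": ["group:sec@example.com"], "role": "roles/iam.securityAdmin"},
    ],
    "etag": "BwXyz123abc=",
    "version": 1,
}


def is_admin_role(role: str) -> bool:
    return role in BASIC_ADMIN_ROLES or ADMIN_ROLE_RE.search(role) is not None


def is_service_account(member: str) -> bool:
    return member.startswith(SA_PREFIXES)


def find_privileged_sa_bindings(policy: dict) -> List[Tuple[str, str]]:
    """Audit step: return sorted (member, role) pairs where a service account holds an admin role."""
    findings = []
    for binding in policy.get("bindings", []):
        if not is_admin_role(binding["role"]):
            continue
        findings.extend((m, binding["role"]) for m in binding.get("members", ()) if is_service_account(m))
    return sorted(findings)


def remediate_policy(policy: dict, replacements: Optional[Dict[str, str]] = None) -> dict:
    """Remediation step: return a copy of `policy` with service accounts removed from admin
    bindings. `replacements` maps a member to the least-privilege role it should get instead
    (for example a custom role); members not listed are simply dropped. Empty bindings are
    deleted and the etag is carried over unchanged."""
    replacements = replacements or {}
    fixed = copy.deepcopy(policy)
    kept: List[dict] = []
    to_add: Dict[str, set] = {}  # replacement role -> members that should be bound to it
    for binding in fixed.get("bindings", []):
        if is_admin_role(binding["role"]):
            offenders = [m for m in binding.get("members", []) if is_service_account(m)]
            binding["members"] = [m for m in binding.get("members", []) if m not in offenders]
            for m in offenders:
                if m in replacements:
                    to_add.setdefault(replacements[m], set()).add(m)
        if binding.get("members"):
            kept.append(binding)
    # Reuse an existing unconditional binding for the replacement role when one exists;
    # a conditional binding has different semantics, so it is never merged into.
    for binding in kept:
        if binding["role"] in to_add and "condition" not in binding:
            binding["members"] = sorted(set(binding["members"]) | to_add.pop(binding["role"]))
    for role, members in to_add.items():
        kept.append({"role": role, "members": sorted(members)})
    fixed["bindings"] = kept
    return fixed


if __name__ == "__main__":
    # Usage: python sa_admin_audit.py [iam.json] > iam.fixed.json ; findings go to stderr.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for member, role in find_privileged_sa_bindings(policy):
        print(f"FINDING: {member} holds {role}", file=sys.stderr)
    json.dump(remediate_policy(policy), sys.stdout, indent=2)
    print()
```

Run it against the captured iam.json, review the findings on stderr and the diff of the emitted policy against the original, then feed the output to gcloud projects set-iam-policy. Pass a replacements mapping (or extend the script to read one) when a flagged account must keep working under a narrower role rather than losing the binding outright.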

References

https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/
https://cloud.google.com/iam/docs/understanding-roles
https://cloud.google.com/iam/docs/understanding-service-accounts