lacework-global-294
Enforce Separation of Duties While Assigning Service Account Related Roles to Users (Manual)
This rule has been changed to manual, see Manual Policies for CIS GCP 2.0.0 for details.
Profile Applicability
• Level 2
Description
Best practices recommend enforcing the principle of 'Separation of Duties' while assigning service-account related roles to users.
Rationale
The built-in/predefined IAM role Service Account admin
allows the user/identity to create, delete, and manage service account(s).
The built-in/predefined IAM role Service Account User
allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
No user should have Service Account Admin
and Service Account User
roles assigned at the same time.
Impact
The removed role should be assigned to a different user based on business needs.
Audit
From Console:
Go to
IAM & Admin/IAM
usinghttps://console.cloud.google.com/iam-admin/iam
.Ensure no member has the roles
Service Account Admin
andService account User
assigned together.
From Command Line:
- List all users and role assignments:
gcloud projects get-iam-policy [Project_ID] --format json | \
jq -r '[
(["Service_Account_Admin_and_User"] | (., map(length*"-"))),
(
[
.bindings[] |
select(.role == "roles/iam.serviceAccountAdmin" or .role == "roles/iam.serviceAccountUser").members[]
] |
group_by(.) |
map({User: ., Count: length}) |
.[] |
select(.Count == 2).User |
unique
)
] |
.[] |
@tsv'
- All common users listed under
Service_Account_Admin_and_User
are assigned both theroles/iam.serviceAccountAdmin
androles/iam.serviceAccountUser
roles.
Remediation
From Console:
- Go to
Identity and Access Management (IAM) & Admin/IAM
using: https://console.cloud.google.com/iam-admin/iam. - For any member having both
Service Account Admin
andService account User
roles granted/assigned, click theDelete Bin
icon to remove either role from the member. Use business requirements to guide removal of a role.
References
https://cloud.google.com/iam/docs/service-accounts
https://cloud.google.com/iam/docs/understanding-roles
https://cloud.google.com/iam/docs/granting-roles-to-service-accounts
Additional Information
Users granted with Owner (roles/owner) and Editor (roles/editor) have privileges equivalent to Service Account Admin
and Service Account User
. To avoid the misuse, grant Owner and Editor roles to very limited users and Use of these primitive privileges should be minimal. Separate recommendations address these requirements.