Ensure that separation of duties (also known as segregation of duties - SoD) is enforced for all Google Cloud Platform (GCP) service-account related roles. The security principle of separation of duties has as its primary objective the prevention of fraud and human error. This objective is achieved by disbanding the tasks and associated privileges for a specific business process among multiple users/members. To follow security best practices, your GCP service accounts should not have the Service Account Admin and Service Account User roles assigned at the same time.
The principle of separation of duties should be enforced in order to eliminate the need for high-privileged IAM users, as the permissions granted to these users can allow them to perform malicious or unwanted actions.
To determine if there are any IAM users that have Service Account Admin and Service Account User roles assigned at the same time, perform the following operations:
Remediation / Resolution
To implement the principle of separation of duties and secure the access to your GCP projects, revoke either Service Account Admin role or Service Account User role from the IAM user/member that is associated with both these roles, and attach one of the roles to another member according to your business requirements.
Step A: To revoke the Service Account User role from the required IAM user account, perform the following actions:
Step B: Assign the removed service role, i.e. Service Account User, to another IAM user/member account created for your GCP project by performing the following actions:
- Google Cloud Platform (GCP) Documentation
- Cloud Identity and Access Management (IAM)
- Service accounts
- Understanding roles
- Granting, changing, and revoking access to resources
- CIS Security Documentation
- Securing Google Cloud Computing Platform
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Enforce Separation of Duties for Service-Account Related Roles
Risk level: Medium