Minimize the Use of Primitive Roles

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

For production and security-critical cloud environments, limit the use of primitive roles such as "Owner", "Editor", and "Viewer" for Cloud IAM members. Instead, grant predefined roles to these IAM members to allow the least-permissive access required to perform their tasks (i.e. Principle of Least Privilege – POLP).

Security

Cloud Identity and Access Management (IAM) service provides 3 types of roles: primitive, predefined and custom roles. Primitive roles, i.e. "Owner", "Editor" and "Viewer", are managed roles that existed prior to the introduction of Cloud IAM. Predefined roles are roles created and maintained by Google, that provide granular access to specific Google Cloud Platform (GCP) resources and deny unwanted access to other resources. Custom roles are user-defined roles that allow you to bundle one or more supported permissions to meet your specific needs. Google Cloud projects are often (and overly) using primitive roles. To implement the Principle of Least Privilege (POLP) and follow security best practices, grant predefined roles to IAM identities wherever possible, as these roles provide more granular access than the primitive roles. This eliminates over-privileged cloud identities from your Google Cloud projects and prevent any unwanted or unauthorized access to your GCP cloud resources.

The use of primitive roles should be limited to the following cases only:

When the Google Cloud service does not provide a predefined role.

When it is required to grant broader permissions for a GCP project (e.g. when granting permissions to development and/or test environments).

When it is required to allow an IAM member to modify permissions for a GCP project. In this case, it is necessary to grant the identity the "Owner" role, because only owners have the permission to grant access to other IAM users.

When the project is used within a small team where the team members do not need granular permissions.


Audit

To determine if there are any IAM identities that make use of Cloud IAM primitive roles, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select View by MEMBERS to list all IAM members (i.e. users and service accounts) created for the selected GCP project.

06 Click in the Filter table box, and perform the following actions:

  1. Select Role, type Owner, and press Enter to return the IAM member(s) with the Owner primitive role.
  2. Select Role, type Editor, and press Enter to return the member(s) with the Editor role.
  3. Select Role, type Viewer, and press Enter to return the IAM member(s) with the Viewer role.

07 If the filtering process performed at the previous step returns one or more IAM members, there are Google Cloud identities that make use of Cloud IAM primitive roles, available in the selected project.

08 Repeat steps no. 2 – 7 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your Google Cloud Platform (GCP) account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested project identifiers (IDs):

PROJECT_ID
cc-prod-app-123123
cc-project5-123456

03 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the Google Cloud project that you want to examine as identifier parameter and custom query filters to describe the Identity and Access Management (IAM) policy available for the selected project, in JSON format:

gcloud projects get-iam-policy cc-prod-app-123123
	--format=json

04 The command output should return the requested IAM policy (JSON format):

{
  "bindings": [
    {
      "members": [
        "user:admin@cloudconformity.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:admin@cloudrealisation.com"
      ],
      "role": "roles/viewer"
    },
    {
      "members": [
        "user:admin@cloudrealisation.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
      ],
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

Check the name of each associated role (i.e. "role" property value) returned by the projects get-iam-policy command output. If one or more IAM members have the "role" property set to "roles/owner", "roles/editor" or "roles/viewer", as shown in the output example above, there are Google Cloud identities that make use of Cloud IAM primitive roles, available within the selected project.

05 Repeat step no. 3 and 4 for each GCP project created within your Google Cloud account.

Remediation / Resolution

To implement the Principle of Least Privilege (POLP) and secure the access to your Google Cloud Platform (GCP) projects, revoke primitive roles, i.e. the "Owner", "Editor" and "Viewer", for each IAM identity (member) and attach one or more Cloud IAM predefined roles according to the identity access requirements. To replace the primitive roles with the required predefined roles, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select View by MEMBERS to list all the IAM member accounts created for the selected GCP project.

06 Choose the IAM member that you want to reconfigure (see Audit section part I to identify the right IAM identity), then click on the edit (pencil) icon to access the member permissions.

07 On the Edit permissions panel, perform the following actions:

  1. Identify the primitive role(s) that you want to remove from the selected IAM member account, then click on the delete icon next to each primitive role to remove the role binding.
  2. Click ADD ANOTHER ROLE and select a predefined role that follows the Principle of Least Privilege from the Select a role dropdown list to attach the appropriate role to the selected IAM member account. For example, an appropriate predefined role could be the "Compute Storage Admin" role, which has permissions to create, modify, and delete Compute Engine storage resources such as disks, images, and snapshots. Specifically, if your organization has someone who manages project images and you don't want to provide this user the Editor role on the project, grant him/her the "Compute Storage Admin" predefined role. Use ADD ANOTHER ROLE button to add as many predefined roles as needed, according to the selected IAM identity access requirements.
  3. Click SAVE to apply the changes.

08 Repeat step no. 6 and 7 for other IAM identities (members) that you want to reconfigure, created for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project available within your Google cloud account.

Using GCP CLI

01 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) project that you want to reconfigure as identifier parameter (see Audit section part II to identify the right project) and custom query filters, to describe the IAM policy created for the selected project:

gcloud projects get-iam-policy cc-prod-app-123123
	--format=json

02 The command output should return the requested IAM policy:

{
  "bindings": [
    {
      "members": [
        "user:admin@cloudconformity.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:admin@cloudrealisation.com"
      ],
      "role": "roles/viewer"
    },
    {
      "members": [
        "user:admin@cloudrealisation.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
      ],
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

03 Edit the Cloud IAM policy returned at the previous step and replace (or remove) the role bindings with the name "roles/owner", "roles/editor", and "roles/viewer" with predefined, relevant roles that follow the Principle of Least Privilege (POLP), then save the policy document to a JSON file named secure-iam-policy.json. For example, a relevant predefined role could be the "Compute Storage Admin" role (i.e. roles/compute.storageAdmin), which has permissions to create, modify, and delete Compute Engine storage resources such as disks, images, and snapshots. Specifically, if your company has someone who manages GCP project images and you don't want to provide this user the Editor role on your project, grant him/her the "Compute Storage Admin" predefined role. Another relevant role could be the "Compute Admin" role (i.e. roles/compute.admin), which has full control over the Compute Engine resources such as virtual machine (VM) instances. As example, in the following IAM policy, the "Owner" primitive role has been replaced with the "Compute Admin" role and the "Editor" role has been replaced with the "Compute Storage Admin" predefine role:

{
  "bindings": [
    {
      "members": [
        "user:admin@cloudconformity.com"
      ],
      "role": "roles/compute.storageAdmin"
    },
    {
      "members": [
        "user:admin@cloudrealisation.com"
      ],
      "role": "roles/compute.admin"
    },
    {
      "members": [
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
      ],
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

04 Run projects set-iam-policy command (Windows/macOS/Linux) to update the Cloud IAM policy associated with the selected Google Cloud project with the IAM policy reconfigured at the previous step (i.e. secure-iam-policy.json):

gcloud projects set-iam-policy cc-prod-app-123123 secure-iam-policy.json

05 The command request should return the metadata for the updated IAM policy:

Updated IAM policy for project [cc-prod-app-123123].
bindings:
- members:
  - user:admin@cloudconformity.com
  role: roles/compute.storageAdmin
- members:
  - user:admin@cloudrealisation.com
  role: roles/compute.admin
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: abcdabcdabcd
version: 1

06 Repeat steps no. 1 – 5 for other Google Cloud Platform (GCP) projects available within your cloud account.

References

Publication date Apr 21, 2021

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Minimize the Use of Primitive Roles

Risk level: Medium