Ensure that your Google Cloud user-managed service accounts are not using privileged (administrator) roles, in order to implement the principle of least privilege and prevent any accidental or intentional modifications that may lead to data leaks and/or data loss. A user-managed service account is an identity that a virtual machine (VM) instance or an application can use to run API requests on your behalf. GCP service accounts can create, modify or delete resources only if you grant the necessary IAM permissions, at the project or resource level.
When your Google Cloud Platform (GCP) service accounts have administrator privileges (i.e. are using Owner and Editor roles, as well as roles containing *Admin or *admin in their names), these service accounts can access, create, and manage VM instances and other resources. To adhere to the principle of least privilege, give your GCP service accounts the minimal set of actions required to perform successfully their tasks and remove any administrator-based roles that allows them overly permissive access.
To determine if your GCP user-managed service accounts have administrator privileges, perform the following actions:
Remediation / Resolution
To remove administrator role assignments from your GCP user-managed service accounts, perform the following actions:IMPORTANT: Removing *Admin, *admin, Editor or Owner role assignments from certain service accounts may break functionality associated with the impacted service accounts. Make sure that you review your user-managed service accounts before you delete their admin role assignments in order to determine the required access permissions and decide whether or not to proceed with the removal process.
- Google Cloud Platform (GCP) Documentation
- Cloud Identity and Access Management (IAM)
- Service accounts
- Service accounts
- Understanding service accounts
- Understanding roles
- Granting, changing, and revoking access to resources
- CIS Security Documentation
- Securing Google Cloud Computing Platform
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Restrict Administrator Access for Service Accounts
Risk level: Medium