Restrict Administrator Access for Service Accounts

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your Google Cloud user-managed service accounts are not using privileged (administrator) roles, in order to implement the principle of least privilege and prevent any accidental or intentional modifications that may lead to data leaks and/or data loss. A user-managed service account is an identity that a virtual machine (VM) instance or an application can use to run API requests on your behalf. GCP service accounts can create, modify or delete resources only if you grant the necessary IAM permissions, at the project or resource level.

Security

When your Google Cloud Platform (GCP) service accounts hold administrator privileges (i.e. the basic Owner or Editor roles, or predefined or custom roles whose names contain Admin or admin), these service accounts, and any workload or person that obtains their credentials, can access, create, modify and delete VM instances and other resources. To adhere to the principle of least privilege, grant your GCP service accounts the minimal set of permissions required to successfully perform their tasks and remove any administrator roles that give them overly permissive access.


Audit

To determine if your GCP user-managed service accounts have administrator privileges, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select View by MEMBERS to list all the member accounts available for the selected GCP project.

06 Click on the Filter table and select Service account from Type list to show only the service accounts created for the selected project.

07 Choose the user-managed service account that you want to examine. A user-managed service account has the following format: <service-account-name>@<project-id>.iam.gserviceaccount.com (e.g. cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com). Check the account role(s) listed in the Role column. If the account has one or more roles whose names contain Admin or admin, or the basic Editor or Owner role, the selected user-managed service account has administrator privileges.

08 Repeat step no. 7 for each user-managed service account that you want to examine, created for the selected GCP project.

09 Repeat steps no. 2 – 8 for each Google Cloud Platform (GCP) project deployed in your account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with a custom output format to list the IDs of all the projects available in your GCP account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested project IDs:

PROJECT_ID
cc-internal-app-123123
cc-web-app-prod-123123
cc-project5-app-123123

03 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and a custom output format to describe the Identity and Access Management (IAM) policy of the selected GCP project in JSON format:

gcloud projects get-iam-policy cc-internal-app-123123 \
	--format=json

04 The command output should return the requested IAM policy:

{
  "bindings": [
    {
      "members": [
        "serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/appengine.codeViewer"
    },
    {
      "members": [
        "serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com",
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

The IAM policy returned by the projects get-iam-policy command lists the member accounts bound to roles in the selected GCP project. Choose the user-managed service account that you want to examine. A user-managed service account has the following format: <service-account-name>@<project-id>.iam.gserviceaccount.com (e.g. cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com). Once the service account is selected, check every binding that lists it as a member and look at the value of the "role" property. If the account has one or more roles whose names contain Admin or admin, or the basic Editor role (i.e. "roles/editor") or Owner role (i.e. "roles/owner"), the selected GCP user-managed service account has administrator privileges. In the output above, cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com is bound to "roles/editor" and therefore fails the check. Note that projects get-iam-policy returns only the bindings set directly on the project; roles granted to the same service account at the folder or organization level are inherited by the project but do not appear in this output, so review those policies as well (e.g. with gcloud resource-manager folders get-iam-policy and gcloud organizations get-iam-policy).

05 Repeat step no. 3 and 4 for each Google Cloud Platform (GCP) project created within your account.
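The CLI audit above is a manual read of one policy at a time. The following script is an added example, not code from this page or from Trend Micro Conformity, that automates the same rule over the JSON written by gcloud projects get-iam-policy: it treats Owner, Editor and any role whose name contains "admin" as an administrator role, reports only members in the user-managed format <name>@<project-id>.iam.gserviceaccount.com, and exits non-zero when it finds one. The script name audit_sa_admin.py, the cc-build-account binding and the 123456789012-compute default Compute Engine account in the sample policy are assumptions made up for illustration; the rest of the sample mirrors the policy shown in step 4.

```python
"""Audit helper: flag user-managed service accounts that hold administrator roles.

Consumes the JSON written by
    gcloud projects get-iam-policy PROJECT_ID --format=json
and applies the rule from the audit steps: a role is an administrator role if it
is the basic Owner or Editor role, or if its name contains "admin" (any case).
Only user-managed service accounts (<name>@<project-id>.iam.gserviceaccount.com)
are reported; accounts in other domains and deleted members are skipped.
"""
from __future__ import annotations

import json
import sys

BASIC_ADMIN_ROLES = {"roles/owner", "roles/editor"}


def is_admin_role(role: str) -> bool:
    """True for Owner/Editor and for any role whose name contains 'admin'."""
    if role in BASIC_ADMIN_ROLES:
        return True
    # Custom roles look like projects/<id>/roles/<name>; compare the last segment.
    return "admin" in role.rsplit("/", 1)[-1].lower()


def user_managed_sa(member: str, project_id: str) -> str | None:
    """Return the email if `member` is a user-managed service account of `project_id`.

    Default service accounts (PROJECT_NUMBER-compute@developer.gserviceaccount.com,
    PROJECT_ID@appspot.gserviceaccount.com), Google-managed service agents and
    "deleted:serviceAccount:..." members do not match the format and return None.
    """
    prefix = "serviceAccount:"
    if not member.startswith(prefix):
        return None
    email = member[len(prefix):]
    if email.endswith(f"@{project_id}.iam.gserviceaccount.com"):
        return email
    return None


def find_admin_service_accounts(policy: dict, project_id: str) -> dict[str, list[str]]:
    """Map each non-compliant user-managed service account to its administrator roles."""
    findings: dict[str, list[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not is_admin_role(role):
            continue
        for member in binding.get("members", []):
            email = user_managed_sa(member, project_id)
            if email is not None:
                findings.setdefault(email, []).append(role)
    return findings


# Constructed sample modelled on the audit output above; the cc-build-account
# binding and the default Compute Engine account are made up for illustration.
SAMPLE_PROJECT = "cc-internal-app-123123"
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"],
         "role": "roles/appengine.codeViewer"},
        {"members": ["serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"],
         "role": "roles/editor"},
        {"members": ["serviceAccount:cc-build-account@cc-internal-app-123123.iam.gserviceaccount.com",
                     "serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
         "role": "roles/compute.admin"},
        {"members": ["user:cloud.conformity@gmail.com", "user:cloud.realisation@gmail.com"],
         "role": "roles/owner"},
    ],
    "etag": "abcdabcdabcd",
    "version": 1,
}

if __name__ == "__main__":
    # Usage: gcloud projects get-iam-policy PROJECT_ID --format=json | python3 audit_sa_admin.py PROJECT_ID
    # Without arguments the constructed sample policy is audited instead.
    if len(sys.argv) == 2:
        project, policy = sys.argv[1], json.load(sys.stdin)
    else:
        project, policy = SAMPLE_PROJECT, SAMPLE_POLICY
    findings = find_admin_service_accounts(policy, project)
    for email, roles in sorted(findings.items()):
        print(f"NON-COMPLIANT {email}: {', '.join(roles)}")
    sys.exit(1 if findings else 0)
```

Run it per project in a loop over the IDs from step 2 to cover the whole account. The suffix check deliberately follows the account format given in this rule; default service accounts live in the developer.gserviceaccount.com and appspot.gserviceaccount.com domains and are granted Editor automatically, so widen user_managed_sa if you want those reported here as well.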

Remediation / Resolution

To remove administrator role assignments from your GCP user-managed service accounts, perform the following actions:

IMPORTANT: Removing *Admin, *admin, Editor or Owner role assignments from certain service accounts may break functionality associated with the impacted service accounts. Make sure that you review your user-managed service accounts before you delete their admin role assignments in order to determine the required access permissions and decide whether or not to proceed with the removal process.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select View by MEMBERS to list all the member accounts available for the selected GCP project.

06 Click on the Filter table and select Service account from Type list to display only the service accounts created for the selected project.

07 Choose the user-managed service account that you want to reconfigure (see Audit section part I to identify the right resource), then click on the edit (pencil) icon to access the account permissions.

08 On the Edit permissions panel, perform the following:

  1. Choose the administrator role (i.e. *Admin, *admin, Editor or Owner) that you want to remove from the selected service account, then click on the delete icon to remove it.
  2. (Optional) To assign a new role that will provide the service account the minimal amount of access required to perform its tasks, click ADD ANOTHER ROLE and select the required role from the Select a role dropdown list.
  3. Click SAVE to save the changes.

09 Repeat step no. 7 and 8 for other user-managed service accounts that you want to reconfigure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each Google Cloud Platform (GCP) project available within your account.

Using GCP CLI

01 Remove the administrator role (i.e. *Admin, *admin, Editor or Owner) from the user-managed service account that you want to reconfigure (see Audit section part II to identify the right account), or replace it with a new role that provides the service account the minimal amount of access required to perform its tasks. Start from the policy returned by the projects get-iam-policy command (Audit section part II, step no. 3), edit it, and save the complete project IAM policy to a JSON document named iam-policy.json. Keep the "etag" value returned by get-iam-policy: the projects set-iam-policy command overwrites the entire project policy, and the etag lets it reject the update if the policy was changed by someone else in the meantime. The following example replaces the Editor role with the App Engine Code Viewer role (i.e. "roles/appengine.codeViewer") for the service account with the email address "cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com". The new role assignment follows the principle of least privilege (POLP) and gives the selected service account only the ability to view App Engine app status and deployed source code:

{
  "bindings": [
    {
      "members": [
        "serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"
      ],
      "role": "roles/appengine.codeViewer"
    },
    {
      "members": [
        "user:cloud.conformity@gmail.com",
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

02 Run projects set-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to reconfigure as the identifier parameter, to replace the IAM policy of the selected project with the policy defined at the previous step (i.e. iam-policy.json):

gcloud projects set-iam-policy cc-internal-app-123123 iam-policy.json

03 The command should return the updated IAM policy for the reconfigured GCP project:

Updated IAM policy for project [cc-internal-app-123123].
bindings:
- members:
  - serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com
  role: roles/appengine.codeViewer
- members:
  - user:cloud.conformity@gmail.com
  - user:cloud.realisation@gmail.com
  role: roles/owner
etag: abcdabcdabcd
version: 1

04 If required, repeat steps no. 1 – 3 for other Google Cloud Platform (GCP) projects available within your account.
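Editing iam-policy.json by hand is error-prone when a service account appears in several bindings. The following script is an added example, not code from this page or from Trend Micro Conformity, that performs the read-modify-write from step 1 programmatically: it takes the policy returned by gcloud projects get-iam-policy, removes the given roles from one service account, adds the replacement roles without creating duplicate bindings, drops bindings that no longer have any members, preserves the etag, and prints the complete policy for gcloud projects set-iam-policy. The script name rebind_sa.py is an assumption; the sample policy is the one shown in step 4 of the Audit section, and the default run reproduces the iam-policy.json from step 1 above.

```python
"""Remediation helper: produce the iam-policy.json for `gcloud projects set-iam-policy`.

Takes the JSON written by
    gcloud projects get-iam-policy PROJECT_ID --format=json
removes the given administrator roles from one service account, optionally
grants least-privilege replacement roles, and prints the complete policy.
The etag of the fetched policy is preserved on purpose: set-iam-policy uses it
to reject the write if the policy changed between the read and the write.
"""
from __future__ import annotations

import copy
import json
import sys


def rebind_member(policy: dict, member: str, remove_roles: set[str], add_roles: set[str]) -> dict:
    """Return a new policy in which `member` loses `remove_roles` and gains `add_roles`."""
    new_policy = copy.deepcopy(policy)  # never mutate the fetched policy
    for binding in new_policy.get("bindings", []):
        if binding["role"] in remove_roles and member in binding.get("members", []):
            binding["members"].remove(member)
    # A binding whose member list became empty grants nothing; drop it.
    new_policy["bindings"] = [b for b in new_policy.get("bindings", []) if b.get("members")]
    for role in sorted(add_roles):
        # Reuse an existing unconditional binding for the role instead of adding a duplicate.
        existing = next(
            (b for b in new_policy["bindings"] if b["role"] == role and "condition" not in b),
            None,
        )
        if existing is None:
            new_policy["bindings"].append({"members": [member], "role": role})
        elif member not in existing["members"]:
            existing["members"].append(member)
    return new_policy


# Constructed sample: the policy returned in step 4 of the Audit section above.
SAMPLE_MEMBER = "serviceAccount:cc-app-dev-account@cc-internal-app-123123.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"members": [SAMPLE_MEMBER], "role": "roles/appengine.codeViewer"},
        {"members": [SAMPLE_MEMBER], "role": "roles/editor"},
        {"members": ["user:cloud.conformity@gmail.com", "user:cloud.realisation@gmail.com"],
         "role": "roles/owner"},
    ],
    "etag": "abcdabcdabcd",
    "version": 1,
}

if __name__ == "__main__":
    # Usage:
    #   gcloud projects get-iam-policy PROJECT_ID --format=json \
    #     | python3 rebind_sa.py SA_EMAIL ROLE_TO_REMOVE [ROLE_TO_ADD ...] > iam-policy.json
    #   gcloud projects set-iam-policy PROJECT_ID iam-policy.json
    # Without arguments the constructed sample is rewritten exactly as in step 1 above.
    if len(sys.argv) >= 3:
        result = rebind_member(json.load(sys.stdin), "serviceAccount:" + sys.argv[1],
                               {sys.argv[2]}, set(sys.argv[3:]))
    else:
        result = rebind_member(SAMPLE_POLICY, SAMPLE_MEMBER,
                               {"roles/editor"}, {"roles/appengine.codeViewer"})
    json.dump(result, sys.stdout, indent=2)
    print()
```

For a single binding, gcloud projects remove-iam-policy-binding PROJECT_ID --member=serviceAccount:... --role=roles/editor performs the same read-modify-write for you; the helper is useful when several bindings of one account must change in a single set-iam-policy call. If set-iam-policy reports an etag mismatch, fetch the policy again and regenerate the file rather than removing the etag.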

Publication date Feb 4, 2021
