lacework-global-235
1.5 Ensure That Service Account Has No Admin Privileges (Automated)
Profile Applicability
• Level 1
Description
A service account is a special Google account that belongs to an application or a VM instead of to an individual end user. The application uses the service account to call the service's Google API so that users are not directly involved. It is recommended not to grant admin access to a ServiceAccount.
Rationale
Service accounts represent the service-level security of the resources (an application or a VM), which is determined by the roles assigned to them. Enrolling a ServiceAccount with Admin rights gives full access to the assigned application or VM. A holder of ServiceAccount access can perform critical actions such as delete, update, and change settings without any user intervention. For this reason, it is recommended that service accounts not have Admin rights.
Impact
Removing *Admin, *admin, Editor or Owner role assignments from service accounts may break functionality that depends on the impacted service accounts. The required role(s) should be assigned to the impacted service accounts in order to restore the broken functionality.
Audit
From Console:
- Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
- Go to the Members tab
- Ensure that there are no User-Managed, user-created service account(s) with roles containing *Admin or *admin, or a role matching Editor, or a role matching Owner
From Command Line:
Get the policy that you want to modify, and write it to a JSON file:
gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
The contents of the JSON file will look similar to the following. Check that the role of the members group associated with each serviceAccount does not contain *Admin or *admin, does not match roles/editor, and does not match roles/owner.
This recommendation is only applicable to User-Managed user-created service accounts. These accounts have the nomenclature: SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com. Note that some Google-managed, Google-created service accounts have the same naming format, and should be excluded (e.g., appsdev-apps-dev-script-auth@system.gserviceaccount.com which needs the Owner role).
Sample Json output:
{
"bindings": [
{
"members": [
"serviceAccount:our-project-123@appspot.gserviceaccount.com"
],
"role": "roles/appengine.appAdmin"
},
{
"members": [
"user:email1@gmail.com"
],
"role": "roles/owner"
},
{
"members": [
"serviceAccount:our-project-123@appspot.gserviceaccount.com",
"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
],
"role": "roles/editor"
}
],
"etag": "BwUjMhCsNvY=",
"version": 1
}
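As an added example (not part of the benchmark text or of Lacework's policy), the following Python script automates the audit step over a policy file such as the iam.json written by `gcloud projects get-iam-policy`. It embeds the sample policy above plus one constructed binding for a hypothetical user-created account (deploy-bot) so the check has something to flag; the exclusion set for Google-managed accounts is an assumption that you maintain by hand, seeded with the one account the page names.

```python
import json
import re
import sys

# Constructed sample: the page's audit sample plus two extra bindings for a
# hypothetical user-created account (deploy-bot). Real input is the iam.json
# written by `gcloud projects get-iam-policy PROJECT_ID --format json`.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com"],
         "role": "roles/appengine.appAdmin"},
        {"members": ["user:email1@gmail.com"], "role": "roles/owner"},
        {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com",
                     "serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
         "role": "roles/editor"},
        # constructed: user-created account holding one privileged and one harmless role
        {"members": ["serviceAccount:deploy-bot@our-project-123.iam.gserviceaccount.com"],
         "role": "roles/compute.admin"},
        {"members": ["serviceAccount:deploy-bot@our-project-123.iam.gserviceaccount.com"],
         "role": "roles/viewer"},
    ],
    "etag": "BwUjMhCsNvY=",
    "version": 1,
}

# Roles the recommendation forbids on user-created service accounts: any role
# whose name contains Admin/admin, plus the primitive editor and owner roles.
PRIVILEGED_ROLE = re.compile(r"admin|^roles/(editor|owner)$", re.IGNORECASE)

# Google-managed accounts that must be excluded from the check. Assumption:
# this set is maintained by hand; the page names one such account.
GOOGLE_MANAGED_EXCEPTIONS = {
    "appsdev-apps-dev-script-auth@system.gserviceaccount.com",
}


def is_privileged_role(role):
    """True if the role name contains Admin/admin or is roles/editor or roles/owner."""
    return bool(PRIVILEGED_ROLE.search(role))


def is_user_created_sa(member):
    """True for user-created accounts (NAME@PROJECT_ID.iam.gserviceaccount.com).

    Default accounts (@appspot, @developer) and the listed Google-managed
    accounts are out of scope for this recommendation.
    """
    if not member.startswith("serviceAccount:"):
        return False
    email = member.split(":", 1)[1]
    if email in GOOGLE_MANAGED_EXCEPTIONS:
        return False
    return email.endswith(".iam.gserviceaccount.com")


def find_violations(policy):
    """Return (member, role) pairs that violate the recommendation, in policy order."""
    violations = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not is_privileged_role(role):
            continue
        for member in binding.get("members", []):
            if is_user_created_sa(member):
                violations.append((member, role))
    return violations


def audit_file(path):
    """Audit a policy file on disk (e.g. iam.json)."""
    with open(path) as fh:
        return find_violations(json.load(fh))


if __name__ == "__main__":
    # Usage: python audit_sa_roles.py [iam.json]; defaults to the embedded sample.
    found = audit_file(sys.argv[1]) if len(sys.argv) > 1 else find_violations(SAMPLE_POLICY)
    for member, role in found:
        print(f"FAIL: {member} holds {role}")
    if not found:
        print("PASS: no user-created service account holds a privileged role")
```

A non-empty result is a finding; the default accounts named under Additional Information are deliberately not reported, since the recommendation only covers user-created accounts.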
Remediation
From Console:
- Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
- Go to the Members tab
- Identify User-Managed, user-created service accounts with roles containing *Admin or *admin, or a role matching Editor, or a role matching Owner
- Click the Delete bin icon to remove the role from the member (the service account in this case)
From Command Line:
gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
- Using a text editor, remove the role which contains roles/*Admin or roles/*admin, or matches roles/editor, or matches roles/owner. Add a role to the bindings array that defines the group members and the role for those members.
For example, to grant the role roles/appengine.appViewer to the ServiceAccount that holds roles/editor, you would change the sample policy above as follows:
{
"bindings": [
{
"members": [
"serviceAccount:our-project-123@appspot.gserviceaccount.com"
],
"role": "roles/appengine.appViewer"
},
{
"members": [
"user:email1@gmail.com"
],
"role": "roles/owner"
},
{
"members": [
"serviceAccount:our-project-123@appspot.gserviceaccount.com",
"serviceAccount:123456789012-compute@developer.gserviceaccount.com"
],
"role": "roles/editor"
}
],
"etag": "BwUjMhCsNvY="
}
Update the project's IAM policy:
gcloud projects set-iam-policy PROJECT_ID iam.json
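The edit above is done by hand in a text editor. As an added example (not from the benchmark or from Lacework), the following Python function performs the same read-modify-write on a policy loaded from iam.json: it removes one member from the binding of the privileged role, adds it to the binding of the replacement role, and carries the etag through unchanged so that `gcloud projects set-iam-policy` rejects the write if the policy changed in the meantime. The embedded policy is the page's own sample; the member, old role and new role are the ones in the page's example.

```python
import copy
import json
import sys

# The page's sample policy (with the stray trailing comma removed so it parses).
PAGE_SAMPLE = {
    "bindings": [
        {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com"],
         "role": "roles/appengine.appAdmin"},
        {"members": ["user:email1@gmail.com"], "role": "roles/owner"},
        {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com",
                     "serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
         "role": "roles/editor"},
    ],
    "etag": "BwUjMhCsNvY=",
    "version": 1,
}


def move_member_role(policy, member, old_role, new_role):
    """Return a copy of `policy` in which `member` loses `old_role` and gains `new_role`.

    Other members of the old binding are untouched, a binding left empty is
    dropped, and the etag/version fields are preserved for the conditional write.
    """
    updated = copy.deepcopy(policy)
    kept = []
    found = False
    for binding in updated.get("bindings", []):
        members = binding.get("members", [])
        if binding.get("role") == old_role and member in members:
            found = True
            binding["members"] = [m for m in members if m != member]
            if not binding["members"]:
                continue  # nobody left in this binding: drop it
        kept.append(binding)
    if not found:
        raise ValueError(f"{member} does not hold {old_role}")
    for binding in kept:
        if binding.get("role") == new_role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        kept.append({"members": [member], "role": new_role})
    updated["bindings"] = kept
    return updated


def roles_of(policy, member):
    """Sorted list of roles bound to `member` in `policy`."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


if __name__ == "__main__":
    # Usage: python fix_sa_role.py [iam.json] > iam-fixed.json
    #        gcloud projects set-iam-policy PROJECT_ID iam-fixed.json
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else PAGE_SAMPLE
    fixed = move_member_role(
        policy,
        "serviceAccount:our-project-123@appspot.gserviceaccount.com",
        "roles/appengine.appAdmin",
        "roles/appengine.appViewer",
    )
    print(json.dumps(fixed, indent=2))
```

Because the function returns a new policy object rather than mutating the loaded one, the original file can be kept as a record of the pre-remediation state.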
References
https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/
https://cloud.google.com/iam/docs/understanding-roles
https://cloud.google.com/iam/docs/understanding-service-accounts
Additional Information
Default (user-managed but not user-created) service accounts have the Editor (roles/editor) role assigned to them to support GCP services they offer.
Such Service accounts are: PROJECT_NUMBER-compute@developer.gserviceaccount.com, PROJECT_ID@appspot.gserviceaccount.com.