Profile Applicability:

Level 1

Description:

Service accounts are special Google accounts assigned to applications or virtual machines (VMs) to interact with Google Cloud services. These accounts should not have administrative privileges such as Owner, Editor, or Admin roles to minimize the risk of unauthorized changes or critical actions being performed without user intervention.

Rationale:

Granting admin privileges to service accounts can:

  1. Provide excessive access to resources, which may lead to unintended modifications or deletions.

  2. Increase the risk of misuse or exploitation in case the service account credentials are compromised.

To enhance security, service accounts should only be assigned the minimum roles necessary for their tasks.

Impact:

Removing admin or elevated roles (e.g., Owner, Editor, Admin) from service accounts may disrupt the functionality of applications or VMs that rely on these roles. Ensure required roles are assigned to maintain functionality.

Default Value:

By default:

  • Default user-managed service accounts (e.g., PROJECT_NUMBER [email protected], [email protected]) are assigned the Editor role to support specific GCP services.

  • User-created service accounts have no roles assigned by default.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to IAM & Admin > IAM in the GCP IAM Console.

  2. Use the "View by Principals" filter to display Service Accounts.

  3. Identify service accounts with roles such as *Admin, Editor, or Owner.

Using Google Cloud CLI:

  1. Retrieve the IAM policy for the project:

     gcloud projects get-iam-policy <PROJECT_ID> --format json > iam.json

  2. Review the bindings section in the output JSON and check the roles assigned to service accounts.

    • Ensure no roles include *Admin, Editor, or Owner.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to IAM & Admin > IAM in the GCP IAM Console.

  2. Filter by Service Accounts to identify accounts with elevated roles.

  3. For each service account:

    • Click the Edit (Pencil) icon next to the account.

    • Remove roles containing *Admin, Editor, or Owner by clicking the Delete (Trash) icon.

Using Google Cloud CLI:

  1. Retrieve the current IAM policy:

     gcloud projects get-iam-policy <PROJECT_ID> --format json > iam.json

  2. Edit the iam.json file to replace elevated roles with appropriate least-privilege roles. Example: replace roles/editor with roles/appengine.appViewer, giving a binding such as:

{
  "bindings": [
    {
      "members": [
        "serviceAccount:[email protected]"
      ],
      "role": "roles/appengine.appViewer"
    }
  ],
  "etag": "BwUjMhCsNvY="
}

  3. Update the IAM policy with the modified file:

     gcloud projects set-iam-policy <PROJECT_ID> iam.json

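The audit (find service accounts holding *Admin, Editor or Owner in the get-iam-policy JSON) and the remediation (move them to a least-privilege role such as roles/appengine.appViewer while preserving the etag) can both be scripted over the iam.json file. The following is an added example, not part of the benchmark; the sample policy, project number, account names and etag are constructed placeholders.

```python
import json
import re

# Constructed sample of `gcloud projects get-iam-policy <PROJECT_ID> --format json`
# output; project number, account names and etag are placeholders.
SAMPLE_IAM_JSON = """{"etag": "BwUjMhCsNvY=", "bindings": [
  {"role": "roles/owner", "members": ["user:alice@example.com",
     "serviceAccount:deploy-bot@my-project.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
  {"role": "roles/compute.admin",
   "members": ["serviceAccount:deploy-bot@my-project.iam.gserviceaccount.com"]},
  {"role": "roles/appengine.appViewer",
   "members": ["serviceAccount:deploy-bot@my-project.iam.gserviceaccount.com"]}]}"""
SAMPLE_POLICY = json.loads(SAMPLE_IAM_JSON)
# Owner, Editor and any role ending in "admin" count as elevated for this check.
ELEVATED_ROLE = re.compile(r"^roles/(owner|editor|.*admin)$", re.IGNORECASE)


def find_elevated_service_accounts(policy: dict) -> list:
    """Audit step: sorted (member, role) pairs where a service account holds an
    elevated role. User and group members are out of scope and ignored."""
    findings = []
    for b in policy.get("bindings", []):
        if ELEVATED_ROLE.match(b.get("role", "")):
            findings += [(m, b["role"]) for m in b.get("members", [])
                         if m.startswith("serviceAccount:")]
    return sorted(findings)


def remediate_service_accounts(policy: dict, replacements: dict) -> dict:
    """Remediation step: move service-account members out of unconditional bindings
    whose role is a key of `replacements` (e.g. roles/editor) into a binding for the
    mapped least-privilege role; users/groups keep theirs, the etag is preserved."""
    new = json.loads(json.dumps(policy))  # deep copy; never mutate the input
    moved = {}  # replacement role -> service accounts to add there
    for b in new.get("bindings", []):
        target = replacements.get(b["role"])
        if target is None or "condition" in b:
            continue
        sas = [m for m in b["members"] if m.startswith("serviceAccount:")]
        b["members"] = [m for m in b["members"] if m not in sas]
        moved.setdefault(target, []).extend(sas)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]  # drop emptied ones
    for role, members in moved.items():
        dest = next((b for b in new["bindings"]
                     if b["role"] == role and "condition" not in b), None)
        if dest is None:
            dest = {"role": role, "members": []}
            new["bindings"].append(dest)
        dest["members"] += [m for m in members if m not in dest["members"]]
    return new
```

Write the returned policy back to iam.json and apply it with gcloud projects set-iam-policy; any roles not in the replacement map (roles/owner above) are reported again by the audit function so they are not silently left behind.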
References:

  1. Managing Service Accounts

  2. Understanding IAM Roles

  3. Service Account Best Practices

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
--- | --- | --- | --- | ---
5.4 Restrict Administrator Privileges | Ensure admin privileges are restricted to dedicated accounts, avoiding over-permissive service accounts. | | |
4.3 Use Dedicated Administrative Accounts | Require administrative activities to be performed using dedicated accounts, reducing the risk of misuse. | | |