Profile Applicability:
Level 2
Description:
To maintain security best practices, the principle of Separation of Duties should be enforced when assigning service account-related roles. Users should not be granted both Service Account Admin and Service Account User roles simultaneously.
Rationale:
The Service Account Admin role allows users to create, delete, and manage service accounts, while the Service Account User role allows them to assign service accounts to applications or virtual machines. Assigning both roles to a single user violates the principle of Separation of Duties and creates a security risk, as one individual would have the ability to:
Create or modify service accounts.
Use those service accounts to access resources beyond their normal permissions.
This principle is essential to reduce the likelihood of malicious activity or errors by ensuring no single user has unchecked control over service accounts.
Impact:
To adhere to this principle, one of the roles (Admin or User) must be removed from affected users. The removed role should be assigned to another user based on business needs.
Default Value:
By default, users are not assigned both Service Account Admin and Service Account User roles simultaneously unless explicitly configured.
Audit Steps:
Using Google Cloud Console:
Navigate to IAM & Admin > IAM at GCP IAM Console.
Check for members who have both Service Account Admin and Service Account User roles assigned.
Using Google Cloud CLI:
List all users and their role assignments:
gcloud projects get-iam-policy <PROJECT_ID> --format json | \
jq -r '[
  (["Service_Account_Admin_and_User"] | (., map(length*"-"))),
  (
    [
      .bindings[]
      | select(.role == "roles/iam.serviceAccountAdmin" or .role == "roles/iam.serviceAccountUser").members[]
    ]
    | group_by(.)
    | map({User: ., Count: length})
    | .[]
    | select(.Count == 2).User
    | unique
  )
] | .[] | @tsv'
Identify users who appear under both roles.
Remediation Steps:
Using Google Cloud Console:
Navigate to IAM & Admin > IAM at GCP IAM Console.
For any member with both Service Account Admin and Service Account User roles:
Click the Delete (Trash) icon next to one of the roles.
Determine which role to retain based on business requirements.
Using Google Cloud CLI:
Retrieve the IAM policy for the project and save it to a file:
gcloud projects get-iam-policy <PROJECT_ID> --format json > iam.json
Edit the iam.json file to remove one of the conflicting roles from affected users:
{
  "bindings": [
    {
      "members": [
        "user:<USER_EMAIL>"
      ],
      "role": "roles/iam.serviceAccountAdmin"
    }
  ],
  "etag": "BwUjMhCsNvY="
}
Update the project's IAM policy with the modified file:
gcloud projects set-iam-policy <PROJECT_ID> iam.json
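The audit and remediation steps above can be checked offline against the JSON that get-iam-policy writes. The following is an added example, not part of the benchmark text: it reads a policy in that shape (a constructed sample is embedded), builds the set of roles held by each member rather than counting occurrences (so a member listed in two conditional bindings of the same role is not mistaken for a violation, which the Count == 2 filter above would do), separately lists Owner/Editor holders whose permissions cover both roles, and produces the edited policy for set-iam-policy with the etag preserved. Member names and the condition are assumptions.

```python
import copy
from collections import defaultdict

SA_ADMIN = "roles/iam.serviceAccountAdmin"
SA_USER = "roles/iam.serviceAccountUser"
# Basic roles whose permissions already cover both service account roles.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": SA_ADMIN, "members": ["user:alice@example.com", "group:sa-admins@example.com"]},
        {"role": SA_USER, "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": SA_USER, "members": ["user:bob@example.com"],
         "condition": {"title": "temporary", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/editor", "members": ["user:carol@example.com"]},
    ],
    "etag": "BwUjMhCsNvY=",
    "version": 3,
}

def roles_by_member(policy):
    """Map each member to the set of roles bound to it. A set (not an occurrence
    count) is used because one member may sit in several bindings of one role."""
    held = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held[member].add(binding["role"])
    return held

def find_sod_violations(policy):
    """Return (members holding both SA Admin and SA User, members holding
    Owner or Editor, which carry the same permissions and need review)."""
    held = roles_by_member(policy)
    both = sorted(m for m, r in held.items() if {SA_ADMIN, SA_USER} <= r)
    basic = sorted(m for m, r in held.items() if r & BASIC_ROLES)
    return both, basic

def remove_role(policy, member, role):
    """Remediation: copy of the policy with `member` dropped from every binding
    of `role`. Empty bindings are removed; the etag is kept so set-iam-policy
    rejects the write if the policy changed since it was read."""
    fixed = copy.deepcopy(policy)
    for binding in fixed["bindings"]:
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
    fixed["bindings"] = [b for b in fixed["bindings"] if b["members"]]
    return fixed
```

Write the result of remove_role back out with json.dump to iam.json before running set-iam-policy.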
Additional Information:
Users with the Owner or Editor basic roles hold permissions equivalent to both the Service Account Admin and Service Account User roles, even though they appear under neither role in the audit above. These elevated roles should be granted sparingly and only when absolutely necessary.