User-managed service accounts should not have admin privileges

Description

A service account is a special Google account that belongs to an application or a VM instead of to an individual end-user. A service account should not hold administrative roles (roles/owner, roles/editor, or any role whose name contains Admin): such a role gives the workload, and anyone who compromises it or can impersonate it, broad power over the project, including the ability to delete or modify resources and change IAM bindings with no human in the loop. Grant each service account only the narrowest predefined or custom role its workload actually needs.

Remediation Steps

Google Cloud Console

  • Navigate to IAM & Admin > IAM.

  • Select to view by Members (labelled Principals in newer versions of the console).

  • For each user-managed service account, remove every binding whose role is Owner or Editor or contains Admin. If the workload still needs access, grant a narrower role in its place.

gcloud CLI

  • Export the project’s current IAM policy to a file, for example with gcloud projects get-iam-policy PROJECT_ID --format json > iam.json. In a text editor, remove each user-managed service account from any binding whose role is roles/owner, roles/editor, or contains Admin. If the workload still needs access, add a binding to the bindings array that grants it a narrower role. In the example below the roles/editor binding that previously covered both default service accounts has been deleted: the App Engine default service account keeps only roles/appengine.appViewer, and the Compute Engine default service account holds no project-level role until a suitably scoped binding is added for it:

{
  "bindings": [
    {
      "members": [
        "serviceAccount:our-project-123@appspot.gserviceaccount.com"
      ],
      "role": "roles/appengine.appViewer"
    },
    {
      "members": [
        "user:email1@gmail.com"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "BwUjMhCsNvY="
}
  • Update the project’s IAM policy with the edited file. Keep the etag value from the exported policy: it lets the update be rejected if someone else changed the policy in the meantime, instead of silently overwriting their change.

    • gcloud projects set-iam-policy PROJECT_ID iam.json
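The steps above are manual. The Python script below is added here as an illustration and is not part of the original remediation guidance; it performs the same audit and edit over an exported iam.json: it flags every user-managed service account that holds roles/owner, roles/editor, or any role whose name contains Admin, and produces a policy with those members removed (bindings left empty are dropped, everything else including the etag is preserved so set-iam-policy can apply it). The embedded policy is constructed sample data modelled on the example above; the ci-deployer and cloudservices addresses in it are made up for the illustration, and treating Google-managed service agents (…@cloudservices.gserviceaccount.com, service-…@gcp-sa-….iam.gserviceaccount.com) as out of scope for this rule is an assumption of mine, not something the page states.

```python
"""Audit an exported GCP project IAM policy for user-managed service accounts
holding admin-level roles, and produce the remediated policy."""
import copy
import json
import re

# Constructed sample policy (not from a real project), in the shape written by
#   gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
# It deliberately contains the roles/editor binding the rule flags, plus a
# made-up user-managed SA with roles/compute.admin and a made-up Google-managed
# service agent that should NOT be flagged.
SAMPLE_IAM_JSON = """
{
  "bindings": [
    {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com"],
     "role": "roles/appengine.appViewer"},
    {"members": ["user:email1@gmail.com"], "role": "roles/owner"},
    {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com",
                 "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "serviceAccount:123456789012@cloudservices.gserviceaccount.com"],
     "role": "roles/editor"},
    {"members": ["serviceAccount:ci-deployer@our-project-123.iam.gserviceaccount.com"],
     "role": "roles/compute.admin"}
  ],
  "etag": "BwUjMhCsNvY="
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_IAM_JSON)

# roles/owner, roles/editor, or any role whose name contains "admin" in any
# case (predefined roles such as roles/compute.admin, custom roles named *Admin).
ADMIN_ROLE = re.compile(r"^roles/(owner|editor)$|admin", re.IGNORECASE)

# Assumption: Google-managed service agents are not user-managed service
# accounts and are outside this rule; exclude them by their address patterns.
GOOGLE_MANAGED = re.compile(
    r"^serviceAccount:(.+@cloudservices\.gserviceaccount\.com"
    r"|service-\d+@gcp-sa-.+\.iam\.gserviceaccount\.com)$"
)


def is_user_managed_sa(member):
    """True for serviceAccount: members that are not Google-managed agents."""
    return member.startswith("serviceAccount:") and not GOOGLE_MANAGED.match(member)


def find_admin_bindings(policy):
    """Return (role, member) pairs where a user-managed SA holds an admin-level role."""
    return [
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        if ADMIN_ROLE.search(binding["role"])
        for member in binding.get("members", [])
        if is_user_managed_sa(member)
    ]


def remediate(policy):
    """Copy of the policy with offending members removed. Bindings left empty
    are dropped; other members, IAM conditions and the etag are kept unchanged
    so `gcloud projects set-iam-policy` can apply the result safely."""
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        if ADMIN_ROLE.search(binding["role"]):
            binding["members"] = [m for m in binding.get("members", [])
                                  if not is_user_managed_sa(m)]
        if binding.get("members"):
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


if __name__ == "__main__":
    for role, member in find_admin_bindings(SAMPLE_POLICY):
        print(f"FLAG  {member}  holds  {role}")
    # Write this output to iam.json, review it, then run set-iam-policy.
    print(json.dumps(remediate(SAMPLE_POLICY), indent=2))
```

Run it against a real export by replacing SAMPLE_POLICY with json.load(open("iam.json")); review the printed policy before applying it, since removing a role a workload depends on will break that workload until a narrower binding is added.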