More Info:

Ensure that the Cloud Function users do not have administrative priveleges

Risk Level

Critical

Address

Security

Compliance Standards

PCIDSS, HIPAA

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration in GCP where a Cloud Function has admin access, you can follow the below steps:
  1. Open the Google Cloud Console and navigate to the Cloud Functions page.
  2. Select the Cloud Function that has admin access.
  3. Click on the “Edit” button on the top of the page.
  4. Scroll down to the “Roles” section and click on the “Add Member” button.
  5. In the “New Member” field, enter the email address of the service account that you want to use to run the Cloud Function.
  6. In the “Role” field, select the “Cloud Functions Invoker” role from the drop-down menu.
  7. Click on the “Save” button to save the changes.
  8. Verify that the service account has the “Cloud Functions Invoker” role by navigating to the “IAM & Admin” page and selecting the “IAM” tab.
  9. Find the service account that you added and verify that it has the “Cloud Functions Invoker” role assigned to it.
By following these steps, you can remediate the misconfiguration in GCP where a Cloud Function has admin access.

To remediate the misconfiguration of a GCP Cloud Function having admin access, you can follow the below steps using GCP CLI:
  1. Open the Cloud Console and navigate to the Cloud Functions section.
  2. Identify the Cloud Function that has admin access.
  3. Determine the IAM policy bindings for the Cloud Function: 
gcloud functions describe FUNCTION_NAME --format="value(iamPolicy)"
Replace FUNCTION_NAME with the name of your Cloud Function.
  1. Review the IAM policy bindings to identify any roles with admin access.
  2. Remove the admin role from the IAM policy bindings: 
gcloud functions remove-iam-policy-binding FUNCTION_NAME \
    --member=MEMBER \
    --role=ROLE
Replace FUNCTION_NAME with the name of your Cloud Function, MEMBER with the email address of the user or service account that has admin access, and ROLE with the admin role (e.g., roles/cloudfunctions.admin).
  1. Verify that the admin role has been removed from the IAM policy bindings:
gcloud functions describe FUNCTION_NAME --format="value(iamPolicy)"
  1. Once the changes are saved, verify that the user or service account no longer has admin access by testing the function.
By following these steps, you can remediate the misconfiguration of a GCP Cloud Function having admin access using the GCP CLI, ensuring that the function has the appropriate access level to perform its intended function.
To remediate the issue of a GCP Cloud Function having admin access, follow these steps:
  1. Open the Cloud Functions page in the GCP console.
  2. Select the Cloud Function that has admin access.
  3. Click on the “Edit” button to modify the function.
  4. In the “Permissions” section, click on “Add Member”.
  5. Enter the email address of the user or service account that you want to grant access to the function.
  6. In the “Role” dropdown menu, select a role that does not have admin access, such as “Cloud Functions Developer” or “Cloud Functions Viewer”.
  7. Click “Save” to apply the changes.
Here is an example Python script that can be used to remove admin access from a GCP Cloud Function:
import google.auth
from google.cloud import functions_v1
from google.auth.transport.requests import Request
from google.oauth2.credentials import Credentials

# Authenticate using the default credentials
creds, project_id = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
creds.refresh(Request())

# Initialize the Cloud Functions client
client = functions_v1.CloudFunctionsServiceClient(credentials=creds)

# Set the name of the Cloud Function that needs to be updated
function_name = "my-function"

# Get the current IAM policy for the function
resource = f"projects/{project_id}/locations/us-central1/functions/{function_name}"
policy = client.get_iam_policy(request={"resource": resource})

# Remove the "roles/cloudfunctions.admin" role from all members
for binding in policy.bindings:
    if binding.role == "roles/cloudfunctions.admin":
        binding.members.remove("allUsers")
        binding.members.remove("allAuthenticatedUsers")
        binding.members = [m for m in binding.members if not m.startswith("user:") and not m.startswith("serviceAccount:")]
        
# Update the IAM policy for the function
client.set_iam_policy(request={"resource": resource, "policy": policy})
This script uses the google-cloud-functions library to authenticate using the default credentials and update the IAM policy for the specified Cloud Function. It removes the “roles/cloudfunctions.admin” role from all members and updates the policy accordingly.

Additional Reading: