More Info:

Multiple Cloud Functions should not have same IAM roles.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Multiple Cloud Functions Should Not Use Same IAM Role” for GCP using the GCP console, follow these steps:
  1. Login to the GCP console: https://console.cloud.google.com/
  2. Navigate to the Cloud Functions page by clicking on the hamburger menu on the top left corner and selecting “Cloud Functions” under the “Compute” section.
  3. Select the function that is using the same IAM role as another function.
  4. Click on the “Edit” button on the top of the Cloud Function page.
  5. Scroll down to the “Cloud Function Details” section and click on the “Show Advanced Settings” button.
  6. Under the “Cloud Function IAM” section, click on the “Change” button next to the “Service account” field.
  7. In the “Select a service account” dialog box, select “Create a new service account” and give it a name.
  8. Click on the “Create” button and wait for the service account to be created.
  9. Select the newly created service account from the drop-down list and click on the “Save” button at the bottom of the page.
  10. Repeat the above steps for all the other functions that are using the same IAM role.
By following the above steps, you have successfully remediated the misconfiguration “Multiple Cloud Functions Should Not Use Same IAM Role” for GCP using the GCP console.

To remediate the misconfiguration “Multiple Cloud Functions Should Not Use Same IAM Role” for GCP using GCP CLI, follow the below steps:
  1. Open the Google Cloud Console and navigate to the Cloud Functions page.
  2. Identify the Cloud Functions that are using the same IAM role.
  3. Create a new IAM role for each Cloud Function that is currently sharing a role.
  4. Assign the newly created IAM role to the respective Cloud Function.
  5. Remove the old IAM role from the Cloud Function.
To perform these steps using GCP CLI, follow the below instructions:
  1. Open the GCP CLI and run the command below to list all the Cloud Functions:
gcloud functions list
  1. Identify the Cloud Functions that are using the same IAM role.
  2. Create a new IAM role for each Cloud Function that is currently sharing a role using the command below: 
gcloud iam roles create [ROLE_NAME] --project [PROJECT_ID] --file [ROLE_DEFINITION_FILE_PATH]
Replace [ROLE_NAME] with the name of the new IAM role, [PROJECT_ID] with the ID of the project, and [ROLE_DEFINITION_FILE_PATH] with the path to the JSON file that defines the new role.
  1. Assign the newly created IAM role to the respective Cloud Function using the command below:
gcloud functions add-iam-policy-binding [FUNCTION_NAME] --member [MEMBER] --role [ROLE_NAME]
Replace [FUNCTION_NAME] with the name of the Cloud Function, [MEMBER] with the email address or service account of the member that you want to grant access to, and [ROLE_NAME] with the name of the new IAM role.
  1. Remove the old IAM role from the Cloud Function using the command below:
gcloud functions remove-iam-policy-binding [FUNCTION_NAME] --member [MEMBER] --role [OLD_ROLE_NAME]
Replace [FUNCTION_NAME] with the name of the Cloud Function, [MEMBER] with the email address or service account of the member that you want to revoke access from, and [OLD_ROLE_NAME] with the name of the old IAM role.Repeat these steps for all the Cloud Functions that are sharing the same IAM role.
To remediate the misconfiguration “Multiple Cloud Functions Should Not Use Same IAM Role” for GCP using python, you can follow the below steps:
  1. Create a new IAM role for each cloud function that needs to be deployed.
  2. Assign the appropriate permissions to the IAM role based on the requirements of the cloud function.
  3. Update the cloud function deployment script to include the newly created IAM role for each function.
  4. Update the cloud function configuration to use the newly created IAM role for each function.
Here’s a sample python code that can be used to create a new IAM role in GCP:
from google.cloud import iam

# Create a new IAM client
client = iam.IAMClient()

# Define the IAM role name and description
role_name = 'my-function-role'
role_title = 'My Cloud Function Role'
role_description = 'This role is used by my cloud function.'

# Define the IAM role permissions
permissions = [{'service': 'cloudfunctions.googleapis.com', 'method': 'cloudfunctions.functions.create'}, {'service': 'cloudfunctions.googleapis.com', 'method': 'cloudfunctions.functions.delete'}, {'service': 'cloudfunctions.googleapis.com', 'method': 'cloudfunctions.functions.get'}, {'service': 'cloudfunctions.googleapis.com', 'method': 'cloudfunctions.functions.list'}, {'service': 'cloudfunctions.googleapis.com', 'method': 'cloudfunctions.functions.update'}]

# Create the new IAM role
new_role = client.create_role(role_name, title=role_title, description=role_description, included_permissions=permissions)

# Print the newly created IAM role
print(new_role)
Note: You will need to authenticate with GCP before running the above code. You can refer to the GCP documentation for more information on how to authenticate with GCP using python.

Additional Reading: