Prevent Service Account Creation for Google Cloud Organizations
More Info:
Ensure that the creation of Cloud IAM service accounts is prevented within your Google Cloud organization through the “Disable Service Account Creation” organization policy. This allows you to easily centralize the management of your service accounts while not restricting the other permissions that your developers and administrators have on the projects within the organization. A Cloud IAM service account is a special account that can be used by services and applications running on your Compute Engine instances to interact with other Google Cloud APIs. Applications can use service account credentials to authorize themselves to a set of APIs and perform actions within the permissions granted to the service account.Risk Level
MediumAddress
Security, Operational MaturityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of preventing service account creation for Google Cloud Organizations, you can follow the below steps in the GCP console:
- Open the Google Cloud Console and select the organization for which you want to remediate the misconfiguration.
- Click on the “IAM & Admin” option from the left-hand menu.
- From the IAM dashboard, click on the “Roles” tab.
- Search for the “Service Account Admin” role and click on it.
- Click on the “Edit” button to edit the role.
- In the “Permissions” tab, search for the “iam.serviceAccounts.create” permission and remove it from the role.
- Click on the “Save” button to save the changes.
- Repeat the above steps for the “Service Account User” role.
Using CLI
Using CLI
To remediate the misconfiguration “Prevent Service Account Creation for Google Cloud Organizations” in GCP using GCP CLI, follow the below steps:Step 1: Open the Cloud Shell in your GCP console.Step 2: Run the following command to list the current IAM organization policy constraints:Note: Replace [ORGANIZATION_ID] with your actual organization ID.Step 3: Check if the constraint “constraints/iam.disableServiceAccountCreation” is set to “true”. If it is set to “true”, then the service account creation is already prevented for the organization.Step 4: If the constraint is not set or set to “false”, then run the following command to update the constraint and prevent service account creation:Note: Replace [ORGANIZATION_ID] with your actual organization ID.Step 5: Verify the constraint update by running the command in step 2 again.By following these steps, you can remediate the misconfiguration “Prevent Service Account Creation for Google Cloud Organizations” in GCP using GCP CLI.
Using Python
Using Python
To prevent Service Account creation for Google Cloud Organizations, you can follow the steps below:
- First, you need to enable the “Constraint API” in your GCP project. You can do this by going to the “APIs & Services” section in the Cloud Console and searching for “Constraint API”. Once you find it, enable it.
- Next, you need to create a new constraint that prevents Service Account creation. You can do this using the following Python code:
- This code creates a new constraint that prevents Service Account creation in your GCP organization. You can verify that the constraint has been created by going to the “Constraints” section in the Cloud Console.
- Once the constraint is in place, any attempt to create a Service Account in your GCP organization will fail.