GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time
More Info:
Ensuring that no service accounts have admin privileges.
Risk Level
Critical
Address
Security
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time” for GCP using GCP console, follow the below steps:
- Login to the GCP console (https://console.cloud.google.com/).
- Navigate to the IAM & Admin page by clicking on the hamburger menu on the top left corner and selecting “IAM & Admin” from the menu.
- Select “Service accounts” from the left-hand menu.
- Locate the service account that has both admin and user permissions assigned to it.
- Click on the service account to view its details.
- Click on the “Permissions” tab to view the permissions assigned to the service account.
- Remove the admin permissions from the service account by clicking on the “Edit” button next to the role that has admin permissions assigned to it.
- Deselect the admin role and click “Save” to remove the admin permissions.
- Verify that the service account now only has user permissions assigned to it.
By following these steps, the misconfiguration “Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time” will be remediated for GCP.
To remediate the misconfiguration of assigning both Service Accounts Admin and User permissions at the same time in GCP using GCP CLI, follow these steps:
-
Open the Google Cloud Shell from the GCP console.
-
Run the following command to list all the IAM policies of the project:
gcloud projects get-iam-policy <PROJECT_ID>
Replace <PROJECT_ID> with the actual project ID.
-
Identify the service account that has both Service Accounts Admin and User permissions assigned to it.
-
Run the following command to remove the Service Accounts Admin role from the service account:
gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SERVICE_ACCOUNT_EMAIL> --role=roles/iam.serviceAccountAdmin
Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.
- Verify that the Service Accounts Admin role has been removed from the service account by running the following command:
gcloud projects get-iam-policy <PROJECT_ID> --flatten="bindings[].members" --format="table(bindings.role, bindings.members)" --filter="bindings.members:<SERVICE_ACCOUNT_EMAIL>"
Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.
- If the User role is still assigned to the service account, run the following command to remove it:
gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SERVICE_ACCOUNT_EMAIL> --role=roles/iam.serviceAccountUser
Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.
- Verify that the User role has been removed from the service account by running the following command:
gcloud projects get-iam-policy <PROJECT_ID> --flatten="bindings[].members" --format="table(bindings.role, bindings.members)" --filter="bindings.members:<SERVICE_ACCOUNT_EMAIL>"
Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.
- Repeat steps 3-7 for any other service accounts that have both Service Accounts Admin and User permissions assigned to them.
By following these steps, you will successfully remediate the misconfiguration of assigning both Service Accounts Admin and User permissions at the same time for GCP using GCP CLI.
To remediate the misconfiguration “Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time” in GCP using Python, follow these steps:
- Create a list of all the service accounts in your GCP project using the following code:
from google.oauth2 import service_account
from googleapiclient.discovery import build
credentials = service_account.Credentials.from_service_account_file(
'path/to/your/credentials.json'
)
service = build('iam', 'v1', credentials=credentials)
response = service.projects().serviceAccounts().list(name='projects/your-project-id').execute()
service_account_emails = [account['email'] for account in response['accounts']]
- For each service account in the list, check if it has both admin and user permissions assigned to it using the following code:
for email in service_account_emails:
response = service.projects().serviceAccounts().get(name=f'projects/your-project-id/serviceAccounts/{email}').execute()
for role in response['iam_roles']:
if 'admin' in role.lower() and 'user' in role.lower():
print(f'Service account {email} has both admin and user permissions assigned to it.')
- If any service account has both admin and user permissions assigned to it, remove the user permissions using the following code:
for email in service_account_emails:
response = service.projects().serviceAccounts().get(name=f'projects/your-project-id/serviceAccounts/{email}').execute()
roles_to_remove = []
for role in response['iam_roles']:
if 'admin' in role.lower() and 'user' in role.lower():
roles_to_remove.append(role)
if roles_to_remove:
body = {
'updateMask': 'iam_roles',
'iam_roles': [role for role in response['iam_roles'] if role not in roles_to_remove]
}
service.projects().serviceAccounts().patch(name=f'projects/your-project-id/serviceAccounts/{email}', body=body).execute()
print(f'Removed user permissions from service account {email}.')
Note: Replace “your-project-id” with the ID of your GCP project and “path/to/your/credentials.json” with the path to your GCP service account credentials file. Also, make sure that the credentials have the necessary permissions to manage service accounts in your GCP project.