User Managed Service Account Should Not Have Admin Priviledges

More Info:

Ensure that user managed service accounts do not have any admin, owner, or write privileges. Service accounts are primarily used for API access to Google. It is recommended to not use admin access for service accounts.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “User Managed Service Account Should Not Have Admin Privileges” in GCP using GCP CLI, follow the below steps:

Identify the user-managed service account that has admin privileges using the following command:

gcloud iam service-accounts list

Once you have identified the service account, remove the admin role from the service account using the following command:

gcloud projects remove-iam-policy-binding [PROJECT_ID] --member=serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role=roles/owner

Replace [PROJECT_ID] with your project ID and [SERVICE_ACCOUNT_EMAIL] with the email address of the service account.

Verify that the admin role has been removed from the service account using the following command:

gcloud projects get-iam-policy [PROJECT_ID] --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:serviceAccount:[SERVICE_ACCOUNT_EMAIL]"

Replace [PROJECT_ID] with your project ID and [SERVICE_ACCOUNT_EMAIL] with the email address of the service account.This should remediate the misconfiguration “User Managed Service Account Should Not Have Admin Privileges” in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “User Managed Service Account Should Not Have Admin Privileges” in GCP using Python, you can follow the below steps:

First, you need to identify all the user-managed service accounts that have admin privileges. You can use the following code to do this:

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Set the required scopes
SCOPES = ['https://www.googleapis.com/auth/cloud-platform']

# Set the credentials using the service account key file
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account_key.json', scopes=SCOPES)

# Build the IAM Service client object
iam_service = build('iam', 'v1', credentials=credentials)

# Get all the IAM policies for the project
policy = iam_service.projects().getIamPolicy(resource='projects/PROJECT_ID').execute()

# Get all the user-managed service accounts with admin privileges
for binding in policy['bindings']:
    if 'roles/owner' in binding['role']:
        for member in binding['members']:
            if 'user-managed' in member:
                print(f"{member} has admin privileges")

Replace path/to/service_account_key.json with the path to your service account key file and PROJECT_ID with your GCP project ID.

Once you have identified the user-managed service accounts with admin privileges, you can remove the admin role from them using the following code:

from googleapiclient.errors import HttpError

# Set the user-managed service account email
user_managed_service_account = 'user-managed-service-account@PROJECT_ID.iam.gserviceaccount.com'

# Set the role to be removed
role = 'roles/owner'

# Build the IAM Service client object
iam_service = build('iam', 'v1', credentials=credentials)

# Get the current IAM policy for the project
policy = iam_service.projects().getIamPolicy(resource='projects/PROJECT_ID').execute()

# Remove the role from the user-managed service account
for binding in policy['bindings']:
    if role in binding['role'] and user_managed_service_account in binding['members']:
        binding['members'].remove(user_managed_service_account)

# Update the IAM policy for the project
try:
    updated_policy = iam_service.projects().setIamPolicy(resource='projects/PROJECT_ID', body={'policy': policy}).execute()
    print(f"{user_managed_service_account} no longer has admin privileges")
except HttpError as e:
    print(f"Error updating IAM policy: {e}")

Replace PROJECT_ID with your GCP project ID and set the user_managed_service_account variable to the email address of the user-managed service account that you want to remove the admin role from.These steps will remediate the misconfiguration “User Managed Service Account Should Not Have Admin Privileges” in GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

User Managed Service Account Should Not Have Admin Priviledges

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: