More Info:

Minimize or restrict principals which can modify infrastructure.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Principals with Infrastructure modification capabilities” in GCP using the GCP console, follow these steps:
  1. Open the GCP console by visiting the GCP Console URL (console.cloud.google.com) and logging in with your GCP account credentials.
  2. In the GCP console, navigate to the IAM & Admin page by clicking on the navigation menu icon (☰) in the top-left corner and selecting “IAM & Admin” under the “IAM” section.
  3. On the IAM & Admin page, you will see a list of IAM roles and permissions. Review the existing roles and identify any roles that grant infrastructure modification capabilities (e.g., roles like “Editor” or “Owner”).
  4. Click on the role that you want to modify, such as the “Editor” role, to view its details.
  5. In the role details, click on the “Permissions” tab to see the list of permissions associated with the role.
  6. Review the permissions and identify any permissions that grant infrastructure modification capabilities. For example, permissions like “compute.instances.create” or “compute.instances.delete” allow the creation or deletion of instances.
  7. To remediate the misconfiguration, you have two options: a. Remove the problematic role from the user or service account: If you find a user or service account assigned to the role with infrastructure modification capabilities, click on the “Members” tab in the role details. Locate the user or service account and click on the “X” icon next to their name to remove the role assignment. b. Modify the role’s permissions: If you want to keep the role but remove specific infrastructure modification permissions, click on the “Edit” button at the top of the role details page. In the permissions list, uncheck the checkboxes next to the permissions that grant infrastructure modification capabilities. Click “Save” to apply the changes.
  8. Repeat steps 4-7 for any other roles that grant infrastructure modification capabilities.
  9. Once you have remediated all the roles, review the remaining roles to ensure that only necessary permissions are assigned to each role.
By following these steps, you can remediate the misconfiguration “Principals with Infrastructure modification capabilities” in GCP using the GCP console.

To remediate the misconfiguration of “Principals with Infrastructure modification capabilities” in GCP using the GCP CLI, follow these step-by-step instructions:
  1. Install and set up the GCP CLI by following the official documentation: https://cloud.google.com/sdk/docs/install
  2. Authenticate with your GCP account by running the following command in your terminal: 
    gcloud auth login
  3. Once authenticated, set your desired GCP project as the default project by executing the following command: 
    gcloud config set project PROJECT_ID
    Replace “PROJECT_ID” with the actual ID of your GCP project.
  4. List the IAM policies of your project to identify the principals with infrastructure modification capabilities. Run the following command: 
    gcloud projects get-iam-policy PROJECT_ID
    Replace “PROJECT_ID” with your GCP project’s ID.
  5. Review the output of the previous command and identify the principals that have excessive permissions for infrastructure modification. Note down the email addresses or service account names of these principals.
  6. Remove the infrastructure modification capabilities from the identified principals by updating the project’s IAM policy. Run the following command: 
    gcloud projects set-iam-policy PROJECT_ID /path/to/updated/iam-policy.json
    Replace “PROJECT_ID” with your GCP project’s ID. “/path/to/updated/iam-policy.json” should be the path to a JSON file that contains the updated IAM policy. You can create this file by modifying the existing IAM policy JSON and removing the excessive permissions from the identified principals.
  7. After executing the command, the IAM policy of your GCP project will be updated, removing the infrastructure modification capabilities from the identified principals.
  8. Verify the changes by running the following command to list the updated IAM policies: 
    gcloud projects get-iam-policy PROJECT_ID
    Ensure that the identified principals no longer have the excessive permissions for infrastructure modification.
By following these steps, you can remediate the misconfiguration of “Principals with Infrastructure modification capabilities” in GCP using the GCP CLI.
To remediate the misconfiguration of “Principals with Infrastructure modification capabilities” in GCP using Python, follow these step-by-step instructions:
  1. Install the necessary libraries:
    • Install the Google Cloud SDK by following the instructions provided in the official documentation: https://cloud.google.com/sdk/docs/install
    • Install the google-cloud-iam library by running the following command: 
      pip install google-cloud-iam
  2. Authenticate with your GCP account:
    • Run the following command and follow the instructions to authenticate with your GCP account: 
      gcloud auth login
  3. Create a Python script and import the required libraries: 
    from google.cloud import iam_v1
from google.oauth2 import service_account
  4. Define the necessary variables:
    • Replace [PROJECT_ID] with your GCP project ID.
    • Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account that has infrastructure modification capabilities.
    • Replace [NEW_ROLE] with the desired role that limits the infrastructure modification capabilities.
    project_id = '[PROJECT_ID]'
service_account_email = '[SERVICE_ACCOUNT_EMAIL]'
new_role = '[NEW_ROLE]'
  5. Create a function to update the IAM policy of the service account: 
    def update_service_account_policy(project_id, service_account_email, new_role):
    # Create the IAM client
    client = iam_v1.IAMClient()

    # Get the existing IAM policy for the service account
    policy_name = f'projects/{project_id}/serviceAccounts/{service_account_email}'
    policy = client.get_iam_policy(request={"resource": policy_name})

    # Remove the existing roles from the policy
    policy.bindings = [binding for binding in policy.bindings if binding.role != new_role]

    # Add the new role to the policy
    policy.bindings.append(iam_v1.Binding(role=new_role, members=[f'serviceAccount:{service_account_email}']))

    # Update the IAM policy
    client.set_iam_policy(request={"resource": policy_name, "policy": policy})
  6. Call the function to update the IAM policy: 
    update_service_account_policy(project_id, service_account_email, new_role)
  7. Save and run the Python script:
    • Save the script with a .py extension (e.g., remediate_iam.py).
    • Open a terminal or command prompt and navigate to the directory where the script is saved.
    • Run the following command to execute the script: 
      python remediate_iam.py
By following these steps, you will be able to remediate the misconfiguration of “Principals with Infrastructure modification capabilities” for a specific service account in GCP using Python.