Principals with Infrastructure modification capabilities

Using Console

Using CLI

To remediate the misconfiguration of “Principals with Infrastructure modification capabilities” in GCP using the GCP CLI, follow these step-by-step instructions:

Install and set up the GCP CLI by following the official documentation: https://cloud.google.com/sdk/docs/install
Authenticate with your GCP account by running the following command in your terminal:
```
gcloud auth login
```
Once authenticated, set your desired GCP project as the default project by executing the following command:
```
gcloud config set project PROJECT_ID
```
Replace “PROJECT_ID” with the actual ID of your GCP project.
List the IAM policies of your project to identify the principals with infrastructure modification capabilities. Run the following command:
```
gcloud projects get-iam-policy PROJECT_ID
```
Replace “PROJECT_ID” with your GCP project’s ID.
Review the output of the previous command and identify the principals that have excessive permissions for infrastructure modification. Note down the email addresses or service account names of these principals.
Remove the infrastructure modification capabilities from the identified principals by updating the project’s IAM policy. Run the following command:
```
gcloud projects set-iam-policy PROJECT_ID /path/to/updated/iam-policy.json
```
Replace “PROJECT_ID” with your GCP project’s ID. “/path/to/updated/iam-policy.json” should be the path to a JSON file that contains the updated IAM policy. You can create this file by modifying the existing IAM policy JSON and removing the excessive permissions from the identified principals.
After executing the command, the IAM policy of your GCP project will be updated, removing the infrastructure modification capabilities from the identified principals.
Verify the changes by running the following command to list the updated IAM policies:
```
gcloud projects get-iam-policy PROJECT_ID
```
Ensure that the identified principals no longer have the excessive permissions for infrastructure modification.

By following these steps, you can remediate the misconfiguration of “Principals with Infrastructure modification capabilities” in GCP using the GCP CLI.

Using Python

To remediate the misconfiguration of “Principals with Infrastructure modification capabilities” in GCP using Python, follow these step-by-step instructions:

Install the necessary libraries:
- Install the Google Cloud SDK by following the instructions provided in the official documentation: https://cloud.google.com/sdk/docs/install
- Install the google-cloud-iam library by running the following command:
  pip install google-cloud-iam
Authenticate with your GCP account:
- Run the following command and follow the instructions to authenticate with your GCP account:
  gcloud auth login

Create a Python script and import the required libraries:

from google.cloud import iam_v1
from google.oauth2 import service_account

Define the necessary variables:
- Replace [PROJECT_ID] with your GCP project ID.
- Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account that has infrastructure modification capabilities.
- Replace [NEW_ROLE] with the desired role that limits the infrastructure modification capabilities.
```
project_id = '[PROJECT_ID]'
service_account_email = '[SERVICE_ACCOUNT_EMAIL]'
new_role = '[NEW_ROLE]'
```

Create a function to update the IAM policy of the service account:

def update_service_account_policy(project_id, service_account_email, new_role):
    # Create the IAM client
    client = iam_v1.IAMClient()

    # Get the existing IAM policy for the service account
    policy_name = f'projects/{project_id}/serviceAccounts/{service_account_email}'
    policy = client.get_iam_policy(request={"resource": policy_name})

    # Remove the existing roles from the policy
    policy.bindings = [binding for binding in policy.bindings if binding.role != new_role]

    # Add the new role to the policy
    policy.bindings.append(iam_v1.Binding(role=new_role, members=[f'serviceAccount:{service_account_email}']))

    # Update the IAM policy
    client.set_iam_policy(request={"resource": policy_name, "policy": policy})

Call the function to update the IAM policy:

update_service_account_policy(project_id, service_account_email, new_role)

Save and run the Python script:
- Save the script with a .py extension (e.g., remediate_iam.py).
- Open a terminal or command prompt and navigate to the directory where the script is saved.
- Run the following command to execute the script:
  python remediate_iam.py

By following these steps, you will be able to remediate the misconfiguration of “Principals with Infrastructure modification capabilities” for a specific service account in GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Principals with Infrastructure modification capabilities

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation