Event Information

  • The google.iam.admin.v1.CreateServiceAccount event in GCP for GCPIAM refers to the creation of a service account within the Google Cloud Identity and Access Management (IAM) system.
  • This event indicates that a new service account has been created, which can be used to authenticate and authorize access to various GCP resources and services.
  • The event provides information about the service account, such as its name, email address, and the project in which it was created.

Examples

  1. Unauthorized creation of service accounts: If security is impacted with google.iam.admin.v1.CreateServiceAccount in GCP for GCPIAM, it could lead to unauthorized creation of service accounts. This can result in the creation of service accounts with excessive privileges or without proper access controls, potentially leading to unauthorized access to sensitive resources.

  2. Misconfiguration of service account permissions: The use of google.iam.admin.v1.CreateServiceAccount in GCP for GCPIAM can also impact security if service account permissions are misconfigured. Improperly configured service accounts may have excessive permissions, granting them access to resources they should not have access to. This can result in data breaches, unauthorized modifications, or other security incidents.

  3. Lack of visibility and control: Another security impact of google.iam.admin.v1.CreateServiceAccount in GCP for GCPIAM is the potential lack of visibility and control over service account creation. Without proper monitoring and governance, it becomes difficult to track and manage the creation of service accounts, making it easier for malicious actors to create and abuse them for unauthorized activities. This can lead to increased security risks and potential compliance violations.

Remediation

Using Console

  1. Example 1: Ensure that all users have a strong password policy in GCP IAM.
  • Step 1: Log in to the GCP Console.
  • Step 2: Navigate to the IAM & Admin section.
  • Step 3: Click on “IAM” to view the list of users.
  • Step 4: Select the user for whom you want to enforce a strong password policy.
  • Step 5: Click on the “Edit” button next to the user’s name.
  • Step 6: Scroll down to the “Password” section and enable the option for a strong password policy.
  • Step 7: Save the changes.
  1. Example 2: Ensure that multi-factor authentication (MFA) is enabled for all users in GCP IAM.
  • Step 1: Log in to the GCP Console.
  • Step 2: Navigate to the IAM & Admin section.
  • Step 3: Click on “IAM” to view the list of users.
  • Step 4: Select the user for whom you want to enable MFA.
  • Step 5: Click on the “Edit” button next to the user’s name.
  • Step 6: Scroll down to the “Multi-factor authentication” section and enable the option for MFA.
  • Step 7: Save the changes.
  1. Example 3: Ensure that unused service accounts are disabled in GCP IAM.
  • Step 1: Log in to the GCP Console.
  • Step 2: Navigate to the IAM & Admin section.
  • Step 3: Click on “Service accounts” to view the list of service accounts.
  • Step 4: Select the service account that you want to disable.
  • Step 5: Click on the “Disable” button next to the service account’s name.
  • Step 6: Confirm the action to disable the service account.
  • Step 7: Repeat steps 4-6 for any other unused service accounts that need to be disabled.

Using CLI

To remediate the issues related to GCP GCPIAM using GCP CLI, you can follow these steps:

  1. Enable multi-factor authentication (MFA) for IAM users:

    • Use the gcloud command to enable MFA for a specific user: 
      gcloud auth login
gcloud auth application-default login
    • Follow the prompts to complete the MFA setup.

  2. Implement least privilege access control:

    • Use the gcloud command to create a custom IAM role with the necessary permissions: 
      gcloud iam roles create <role_name> --project=<project_id> --title="<role_title>" --description="<role_description>" --permissions=<comma_separated_permissions>
    • Assign the custom IAM role to the appropriate users or service accounts: 
      gcloud projects add-iam-policy-binding <project_id> --member=<member> --role=<role_name>

  3. Regularly review and rotate access keys:

    • Use the gcloud command to list all the service accounts in a project: 
      gcloud iam service-accounts list --project=<project_id>
    • For each service account, use the gcloud command to create a new key and delete the old key: 
      gcloud iam service-accounts keys create <new_key_file> --iam-account=<service_account_email> --project=<project_id>
gcloud iam service-accounts keys delete <old_key_file> --iam-account=<service_account_email> --project=<project_id>

Please note that the actual commands may vary depending on your specific requirements and configurations. Make sure to replace the placeholders (<role_name>, <project_id>, <member>, <new_key_file>, <old_key_file>, etc.) with the appropriate values.

Using Python

To remediate GCP GCPIAM issues using Python, you can utilize the Google Cloud Identity and Access Management (IAM) API. Here are three examples of how you can approach the remediation process:

  1. Example 1: Granting missing IAM roles to a user:
from google.cloud import iam

def grant_iam_roles(project_id, user_email, roles):
    client = iam.IAMClient()
    policy = client.get_policy(request={"resource": f"projects/{project_id}"})
    
    for role in roles:
        policy.bindings.add(
            role=role,
            members=[f"user:{user_email}"]
        )
    
    client.set_policy(request={"resource": f"projects/{project_id}", "policy": policy})
  1. Example 2: Revoking excessive IAM roles from a user:
from google.cloud import iam

def revoke_iam_roles(project_id, user_email, roles):
    client = iam.IAMClient()
    policy = client.get_policy(request={"resource": f"projects/{project_id}"})
    
    for role in roles:
        binding = next(
            (b for b in policy.bindings if b.role == role and f"user:{user_email}" in b.members),
            None
        )
        
        if binding:
            binding.members.remove(f"user:{user_email}")
    
    client.set_policy(request={"resource": f"projects/{project_id}", "policy": policy})
  1. Example 3: Enforcing IAM policies on a resource:
from google.cloud import iam

def enforce_iam_policy(resource_name, policy):
    client = iam.IAMClient()
    client.set_iam_policy(request={"resource": resource_name, "policy": policy})

Please note that these examples assume you have the necessary authentication and authorization in place to interact with the GCP IAM API. You may need to set up appropriate service account credentials or use other authentication methods as per your environment.