Control: 1.5 Ensure that Service Account has no Admin privileges
A service account is a special Google account that belongs to an application or a VM instead of to an individual end user. The application uses the service account to call Google APIs on its own behalf, so no user is directly involved. It is recommended not to grant admin access to service accounts.
Service accounts represent the service-level security of the resources (an application or a VM) that use them, and that security is determined by the roles assigned to the account. A service account with admin rights has full control over the resources its roles cover, and anyone who obtains its credentials (a leaked key file, a compromised VM) can perform critical actions such as deleting, updating or changing settings without any user intervention. For this reason, it is recommended that service accounts not have admin rights.
From Console
- Go to the IAM & admin/IAM console
- Identify user-managed (user-created) service accounts with roles containing *Admin or *admin, or a role matching Editor or Owner
- Click the pencil at the end of the service account row, then click the delete (bin) icon to remove the role from the member (the service account in this case)
From Command Line
- Get the associated IAM policy: gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
- Using a text editor, remove from the service account's bindings any role that matches roles/*Admin or roles/*admin, or that equals roles/editor or roles/owner. If the service account still needs access, add a binding to the bindings array that lists the members and the (narrower) role those members should hold.
- Update the project's IAM policy: gcloud projects set-iam-policy PROJECT_ID iam.json
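The "edit iam.json by hand" step above is error-prone on a project with many bindings, so here is the same check and remediation as an added, scripted example. It is not part of the Steampipe mod, the CIS benchmark or gcloud; it reads the policy JSON that gcloud projects get-iam-policy writes and takes as a second input the set of user-managed service account emails in the project (what gcloud iam service-accounts list --format='value(email)' prints), so that Google-managed service agents and accounts from other projects are left alone. The policy document, the etag and the account list are constructed samples; the role pattern is the one from the remediation text (roles/*Admin, roles/*admin, roles/editor, roles/owner). The function names are this example's own.

```python
"""CIS GCP 1.5: find and strip admin-level roles held by user-managed service
accounts in a project IAM policy (added example, not the mod's own code)."""
import copy
import json
import re

# Role pattern from the remediation text: roles/*Admin, roles/*admin,
# roles/editor, roles/owner. Anything else (e.g. roles/iam.serviceAccountUser)
# is out of scope for this control.
PRIVILEGED_ROLE = re.compile(r"^roles/(?:.*[Aa]dmin|editor|owner)$")

# Constructed sample standing in for iam.json written by
# `gcloud projects get-iam-policy PROJECT_ID --format json`.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXhqDRx9HI=",  # constructed value
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/compute.admin",
         "members": ["serviceAccount:deploy@my-project.iam.gserviceaccount.com",
                     # Google-managed service agent: not user-managed, must stay.
                     "serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.admin",
         "members": ["serviceAccount:reader@my-project.iam.gserviceaccount.com"],
         "condition": {"title": "after-hours", "expression":
                       "request.time.getHours('UTC') > 18"}},
    ],
}

# Constructed sample standing in for
# `gcloud iam service-accounts list --format='value(email)'`.
USER_MANAGED = {
    "deploy@my-project.iam.gserviceaccount.com",
    "reader@my-project.iam.gserviceaccount.com",
}


def is_privileged_role(role: str) -> bool:
    """True for the roles this control treats as admin-level."""
    return PRIVILEGED_ROLE.match(role) is not None


def find_violations(policy: dict, user_managed_emails: set) -> list:
    """Return sorted (role, email) pairs where a user-managed service account
    holds a privileged role. Users, groups and service accounts not in
    user_managed_emails (service agents, foreign projects) are ignored."""
    hits = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not is_privileged_role(role):
            continue
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind == "serviceAccount" and email in user_managed_emails:
                hits.append((role, email))
    return sorted(hits)


def remediate(policy: dict, user_managed_emails: set) -> dict:
    """Return a copy of the policy with every violating member removed from
    the privileged bindings only; their non-privileged bindings are kept.
    Bindings left with no members are dropped. Conditions and the etag are
    preserved so set-iam-policy still performs a read-modify-write on the
    version that was read."""
    offenders = {f"serviceAccount:{email}"
                 for _, email in find_violations(policy, user_managed_emails)}
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        if is_privileged_role(binding["role"]):
            binding["members"] = [m for m in binding.get("members", [])
                                  if m not in offenders]
        if binding.get("members"):
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


if __name__ == "__main__":
    for role, email in find_violations(SAMPLE_POLICY, USER_MANAGED):
        print(f"VIOLATION {email} holds {role}")
    # Write the hardened policy; feed it to
    # `gcloud projects set-iam-policy PROJECT_ID iam.json` after review.
    print(json.dumps(remediate(SAMPLE_POLICY, USER_MANAGED), indent=2))
```

Two points the hand-edit step leaves implicit and the script makes explicit: a service account that holds both an admin role and a narrower role keeps the narrower one, and an offending service account is judged by membership in the project's own service account list rather than by its email domain, because Google-managed service agents also live under iam.gserviceaccount.com and removing their roles breaks the managed services that use them.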
steampipe check gcp_compliance.control.cis_v120_1_5
This control uses a named query: iam_service_account_without_admin_privilege