Control: 1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users
Description
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users
The built-in/predefined IAM role Service Account admin
allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role Service Account User
allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.
Remediation
No user should have Service Account Admin
and Service Account User
roles assigned at the same time. Removal of a role should be done based on the business requirements.
From Console
- Login to GCP Admin/IAM.
- For any member having both
Service Account Admin
andService account User
roles granted/assigned as shown in theRole
column, remove either role from the member.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v130_1_8
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v130_1_8 --share
SQL
This control uses a named query:
iam_user_separation_of_duty_enforced