app_engine_application_iap_enabledaudit_logging_configured_for_all_servicebigquery_dataset_encrypted_with_cmkbigquery_dataset_not_publicly_accessiblebigquery_dataset_restrict_gmailbigquery_dataset_restrict_googlegroupsbigquery_table_encrypted_with_cmkcloudfunction_function_no_deployments_manager_permissioncloudfunction_function_no_disrupt_logging_permissioncloudfunction_function_no_ingress_settings_allow_allcloudfunction_function_restrict_public_accesscloudfunction_function_restricted_permissioncloudfunction_function_vpc_connector_enabledcloudrun_service_restrict_public_accesscompute_backend_bucket_no_dangling_storage_bucketcompute_disk_encrypted_with_cskcompute_external_backend_service_iap_enabledcompute_firewall_allow_connections_proxied_by_iapcompute_firewall_allow_tcp_connections_proxied_by_iapcompute_firewall_default_rule_restrict_ingress_access_except_http_and_httpscompute_firewall_rule_ingress_access_restricted_to_dns_port_53compute_firewall_rule_ingress_access_restricted_to_ftp_port_21compute_firewall_rule_ingress_access_restricted_to_http_port_80compute_firewall_rule_ingress_access_restricted_to_microsoft_ds_port_445compute_firewall_rule_ingress_access_restricted_to_mongo_db_port_27017compute_firewall_rule_ingress_access_restricted_to_mysql_db_port_3306compute_firewall_rule_ingress_access_restricted_to_netbios_snn_port_139compute_firewall_rule_ingress_access_restricted_to_oracle_db_port_1521compute_firewall_rule_ingress_access_restricted_to_pop3_port_110compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10250compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10255compute_firewall_rule_ingress_access_restricted_to_postgresql_port_5432compute_firewall_rule_ingress_access_restricted_to_smtp_port_25compute_firewall_rule_ingress_access_restricted_to_telnet_port_23compute_firewall_rule_rdp_access_restrictedcompute_firewall_rule_restrict_ingress_allcompute_firewall_rule_restrict_ingress_all_with_no_specific_targetcompute_firewall_rule_ssh_access_restrictedcompute_https_load_balancer_logging_enabledcompute_instance_block_project_wide_ssh_enabledcompute_instance_confidential_computing_enabledcompute_instance_ip_forwarding_disabledcompute_instance_no_data_destruction_permissioncompute_instance_no_database_write_permissioncompute_instance_no_deployments_manager_permissioncompute_instance_no_disrupt_logging_permissioncompute_instance_no_iam_write_permissioncompute_instance_no_service_account_impersonate_permissioncompute_instance_no_write_permission_on_deny_policycompute_instance_oslogin_enabledcompute_instance_preemptible_termination_disabledcompute_instance_serial_port_connection_disabledcompute_instance_shielded_vm_enabledcompute_instance_template_ip_forwarding_disabledcompute_instance_with_custom_metadatacompute_instance_with_no_default_service_accountcompute_instance_with_no_default_service_account_with_full_accesscompute_instance_with_no_public_ip_addressescompute_instance_wth_no_high_level_basic_rolecompute_network_auto_create_subnetwork_enabledcompute_network_contains_no_default_networkcompute_network_contains_no_legacy_networkcompute_network_dns_logging_enabledcompute_ssl_policy_with_no_weak_ciphercompute_subnetwork_flow_log_enabledcompute_subnetwork_private_ip_google_accesscompute_target_https_proxy_quic_protocol_enabledcompute_target_https_proxy_quic_protocol_no_default_ssl_policycompute_target_https_uses_latest_tls_versiondataproc_cluster_encryption_with_cmekdns_managed_zone_dnssec_enableddns_managed_zone_key_signing_not_using_rsasha1dns_managed_zone_zone_signing_not_using_rsasha1iam_api_key_age_90iam_api_key_restricts_apisiam_api_key_restricts_websites_hosts_appsiam_service_account_gcp_managed_keyiam_service_account_key_age_100iam_service_account_key_age_90iam_service_account_without_admin_privilegeiam_user_denylist_publiciam_user_kms_separation_of_duty_enforcediam_user_not_assigned_service_account_user_role_project_leveliam_user_separation_of_duty_enforcediam_user_uses_corporate_login_credentialskms_key_not_publicly_accessiblekms_key_rotated_within_100_daykms_key_rotated_within_90_daykms_key_separation_of_duties_enforcedkubernetes_cluster_auto_repair_enabledkubernetes_cluster_auto_upgrade_enabledkubernetes_cluster_binary_authorization_enabledkubernetes_cluster_client_certificate_authentication_enabledkubernetes_cluster_dashboard_disabledkubernetes_cluster_database_encryption_enabledkubernetes_cluster_http_load_balancing_enabledkubernetes_cluster_incoming_traffic_open_to_allkubernetes_cluster_intra_node_visibility_enabledkubernetes_cluster_kubernetes_alpha_enabledkubernetes_cluster_legacy_abac_enabledkubernetes_cluster_legacy_endpoints_disabledkubernetes_cluster_logging_enabledkubernetes_cluster_master_authorized_networks_config_enabledkubernetes_cluster_monitoring_enabledkubernetes_cluster_network_policy_enabledkubernetes_cluster_network_policy_installedkubernetes_cluster_no_default_networkkubernetes_cluster_node_config_image_cos_containerdkubernetes_cluster_node_no_default_service_accountkubernetes_cluster_private_cluster_config_enabledkubernetes_cluster_private_nodes_configuredkubernetes_cluster_release_channel_configuredkubernetes_cluster_service_account_defaultkubernetes_cluster_shielded_instance_integrity_monitoring_enabledkubernetes_cluster_shielded_node_secure_boot_enabledkubernetes_cluster_shielded_nodes_enabledkubernetes_cluster_use_ip_aliaseskubernetes_cluster_with_less_than_three_node_auto_upgrade_enabledkubernetes_cluster_with_resource_labelskubernetes_cluster_zone_redundantlogging_bucket_retention_policy_enabledlogging_metric_alert_audit_configuration_changeslogging_metric_alert_custom_role_changeslogging_metric_alert_firewall_rule_changeslogging_metric_alert_network_changeslogging_metric_alert_network_route_changeslogging_metric_alert_project_ownership_assignmentlogging_metric_alert_sql_instance_configuration_changeslogging_metric_alert_storage_iam_permission_changeslogging_sink_configured_for_all_resourcemanual_controlorganization_essential_contacts_configuredproject_access_approval_settings_enabledproject_no_api_keyproject_service_cloudasset_api_enabledproject_service_container_scanning_api_enabledsql_instance_automated_backups_enabledsql_instance_mysql_binary_log_enabledsql_instance_mysql_local_infile_database_flag_offsql_instance_mysql_skip_show_database_flag_onsql_instance_not_open_to_internetsql_instance_not_publicly_accessiblesql_instance_postgresql_cloudsql_pgaudit_database_flag_enabledsql_instance_postgresql_log_checkpoints_database_flag_onsql_instance_postgresql_log_connections_database_flag_onsql_instance_postgresql_log_disconnections_database_flag_onsql_instance_postgresql_log_duration_database_flag_onsql_instance_postgresql_log_error_verbosity_database_flag_default_or_strictersql_instance_postgresql_log_executor_stats_database_flag_offsql_instance_postgresql_log_hostname_database_flag_configuredsql_instance_postgresql_log_lock_waits_database_flag_onsql_instance_postgresql_log_min_duration_statement_database_flag_disabledsql_instance_postgresql_log_min_error_statement_database_flag_configuredsql_instance_postgresql_log_min_messages_database_flag_errorsql_instance_postgresql_log_parser_stats_database_flag_offsql_instance_postgresql_log_planner_stats_database_flag_offsql_instance_postgresql_log_statement_database_flag_ddlsql_instance_postgresql_log_statement_stats_database_flag_offsql_instance_postgresql_log_temp_files_database_flag_0sql_instance_require_ssl_enabledsql_instance_sql_3625_trace_database_flag_offsql_instance_sql_3625_trace_database_flag_onsql_instance_sql_contained_database_authentication_database_flag_offsql_instance_sql_cross_db_ownership_chaining_database_flag_offsql_instance_sql_external_scripts_enabled_database_flag_offsql_instance_sql_remote_access_database_flag_offsql_instance_sql_user_connections_database_flag_configuredsql_instance_sql_user_options_database_flag_not_configuredsql_instance_with_labelssql_instance_with_no_public_ipsstorage_bucket_bucket_policy_only_enabledstorage_bucket_log_retention_policy_enabledstorage_bucket_log_retention_policy_lock_enabledstorage_bucket_not_publicly_accessiblestorage_bucket_uniform_access_enabled
Query: iam_user_not_assigned_service_account_user_role_project_level
Usage
powerpipe query gcp_compliance.query.iam_user_not_assigned_service_account_user_role_project_levelSteampipe Tables
SQL
with unapproved_bindings as ( select project, p, entity from gcp_iam_policy, jsonb_array_elements(bindings) as p, jsonb_array_elements_text(p -> 'members') as entity where p ->> 'role' in ( 'roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser' ) and entity not like '%iam.gserviceaccount.com')select p.project as resource, case when entity is not null then 'alarm' else 'ok' end as status, case when entity is not null then 'IAM users associated with iam.serviceAccountTokenCreator or iam.serviceAccountUser role.' else 'No IAM users associated with iam.serviceAccountTokenCreator or iam.serviceAccountUser role.' end as reason, p.project as projectfrom gcp_iam_policy as p left join unapproved_bindings as b on p.project = b.project;Controls
The query is being used by the following controls:
- 1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- 1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- 1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- 1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
- Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level