Google Cloud IAM

IAM Users With Both Service Account User And Service Account Admin Role

RISK LEVEL

Medium


DESCRIPTION

This plugin for GCP Identity and Access Management (IAM) checks that no IAM member holds both the Service Account User and the Service Account Admin role. Keeping the two roles on separate principals follows the principle of separation of duties: no single user should be able both to create and manage service accounts and to act as them. It also ensures that no user has access to resources outside the scope of their duties.


ABOUT THE SERVICE


Google Cloud IAM:

IAM, which stands for Identity and Access Management, is the Google Cloud policy framework that specifies access controls for Google Cloud resources. IAM lets administrators authorize who can take which action on specific resources, giving you full control and visibility to manage Google Cloud resources centrally. For enterprises with complex organizational structures, many workgroups, and many projects, IAM provides a unified view into security policy across the whole organization, with built-in auditing to ease compliance processes.


IMPACT

The principle of separation of duties needs to be enforced. This matters most where it minimizes or eliminates the need for IAM users to carry high privileges, such as the permissions held by administrators, and thereby prevents future malicious or careless actions and operations. The plugin checks that separation of duties is applied to all Google Cloud Platform (GCP) service-account-related roles. The primary objective of the separation-of-duties principle is the prevention of fraud and human error. To follow security best practices, your GCP IAM accounts should not have the Service Account Admin and Service Account User roles assigned at the same time.


STEPS TO REPRODUCE


Using the GCP Console:

To find out whether any IAM user(s) have the Service Account Admin and Service Account User roles assigned simultaneously, follow these steps:

  1. Sign in to the Google Cloud Platform Console with an administrator account.
  2. From the top navigation bar, select the GCP Project you want to investigate.
  3. In the Navigation Menu on the left, find the IAM & Admin section under All Products and click on it.
  4. Under the IAM & Admin section, click on IAM. A new IAM page will appear.
  5. On the IAM page, click on the Permissions tab.
  6. Under the Permissions tab, find the VIEW BY option and click on ROLES or MEMBERS. This lists all the active members or accounts available in your selected GCP Project.
  7. Under the VIEW BY section you will find a Filter option. Click on it, select Role, type Service Account Admin and press Enter to return the project member(s) with the Service Account Admin role.
  8. Click in the Filter option again, select Role, type Service Account User and press Enter to return the member(s) with the Service Account User role.
  9. Compare the IAM members returned by the two filters to determine whether any users/members have both the Service Account Admin and the Service Account User roles assigned. If one or more members have both roles, the principle of separation of duties was not implemented when service-account-related roles were assigned to IAM users.
  10. This way you can check whether any IAM user(s) have the Service Account Admin and Service Account User roles assigned simultaneously.
  11. Repeat the steps above to review accounts in other folders/projects associated with other GCP organizations deployed within your account.
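The same check scripted against an exported IAM policy, as an added example that is not part of the original plugin: it reads a project policy in the JSON shape returned by gcloud projects get-iam-policy PROJECT_ID --format=json (a constructed sample is embedded so it runs offline) and lists every member bound to both roles. The two role IDs are the real GCP ones; the principals, project name and etag are made up.

```python
import json
from collections import defaultdict

# Role IDs exactly as they appear in IAM policy bindings (real GCP role IDs).
SA_ADMIN = "roles/iam.serviceAccountAdmin"
SA_USER = "roles/iam.serviceAccountUser"

def roles_by_member(policy):
    """Invert the policy's bindings into {member: set of role IDs}.

    Conditional bindings count too: a member who can satisfy the condition
    does hold the role. Group memberships and roles inherited from a parent
    folder/organization are NOT expanded, so those need a separate check.
    """
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out

def find_violations(policy):
    """Return, sorted, every member bound to both SA Admin and SA User."""
    return sorted(member for member, roles in roles_by_member(policy).items()
                  if SA_ADMIN in roles and SA_USER in roles)

# Constructed sample policy (made-up principals and project) in the shape of:
#   gcloud projects get-iam-policy PROJECT_ID --format=json
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountAdmin",
     "members": ["user:alice@example.com", "group:sa-admins@example.com",
                 "serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires 2030",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 3
}
""")

if __name__ == "__main__":
    for member in find_violations(SAMPLE_POLICY):
        print(f"FINDING: {member} holds both {SA_ADMIN} and {SA_USER}")
```

Bob (Service Account User only) and the group (Service Account Admin only) are not reported; the service account that holds both roles is, because separation of duties applies to non-human principals as well.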

STEPS FOR REMEDIATION


Using the GCP Console:


STEP A. To remove the Service Account User role from a specified IAM user account, follow these steps:

  1. Sign in to the Google Cloud Platform Console with an administrator account.
  2. From the top navigation bar, select the GCP Project you want to investigate.
  3. In the Navigation Menu on the left, find the IAM & Admin section under All Products and click on it.
  4. Under the IAM & Admin section, click on IAM. A new IAM page will appear.
  5. On the IAM page, click on the Permissions tab.
  6. Under the Permissions tab, find the VIEW BY option and click on ROLES or MEMBERS. This lists all the active members or accounts available in your selected GCP Project.
  7. Select the IAM member whose settings you want to change. Click on the Edit (pencil) icon to access that member's permissions.
  8. Click on EDIT permissions, click the delete icon next to the Service Account User role to remove it, then click SAVE to apply your changes.
  9. Repeat the steps above for other GCP Projects under your organization.

STEP B. To assign the removed Service Account User role to a different IAM user account in your GCP project, follow these steps:

  1. Sign in to the Google Cloud Platform Console with an administrator account.
  2. From the top navigation bar, select the GCP Project you want to investigate.
  3. In the Navigation Menu on the left, find the IAM & Admin section under All Products and click on it.
  4. Under the IAM & Admin section, click on IAM. A new IAM page will appear.
  5. On the IAM page, click on the Permissions tab.
  6. Under the Permissions tab, find the VIEW BY option and click on ROLES or MEMBERS. This lists all the active members or accounts available in your selected GCP Project.
  7. Select the IAM member whose settings you want to change. Click on the Edit (pencil) icon to access that member's permissions.
  8. Click on EDIT permissions, then click on ADD ANOTHER ROLE, select Service Account User and click SAVE to apply your changes.
  9. Repeat the steps above for other GCP Projects under your organization.