# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: constraints.gatekeeper.sh/v1alpha1 kind: GCPIAMAllowedBindingsConstraintV3 metadata: name: block_serviceaccount_key_creator annotations: description: Ban any users from being granted Service Account key Creator access # This constraint is not certified by CIS. bundles.validator.forsetisecurity.org/cis-v1.1: 1.0X # TODO: Update this with final number when the CIS benchmark is finalized spec: severity: high match: target: # {"$ref":"#/definitions/io.k8s.cli.setters.target_fldr_trusted"} - "organizations/**" exclude: [] # optional, default is no exclusions parameters: mode: denylist assetType: cloudresourcemanager.googleapis.com/Project role: roles/iam.serviceAccountKeyAdmin members: - "*" # Although it is still okay to use "*" to match all, consider using "**" (see https://www.openpolicyagent.org/docs/latest/policy-reference/#glob)