security-policies/bundle/compliance/cis_gcp/rules/cis_1_5/data.yaml

metadata:
  id: c13f49ab-845e-5a89-a05e-6a7c7b23f628
  name: Ensure That Service Account Has No Admin Privileges
  profile_applicability: '* Level 1'
  description: |-
    A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user.
    The application uses the service account to call the service's Google API so that users aren't directly involved.
    It's recommended not to use admin access for a ServiceAccount.
  rationale: |-
    Service accounts represent the service-level security of the resources (an application or a VM), which is determined by the roles assigned to them.
    Enrolling a ServiceAccount with Admin rights gives full access to the assigned application or VM.
    A ServiceAccount access holder can perform critical actions like delete, update, change settings, etc. without user intervention.
    For this reason, it's recommended that service accounts not have Admin rights.
  audit: |-
    **From Google Cloud Console**

    1. Go to `IAM & admin/IAM` using `https://console.cloud.google.com/iam-admin/iam`
    2. Go to the `Members`
    3. Ensure that there are no `User-Managed user created service account(s)` with roles containing `*Admin` or `*admin` or role matching `Editor` or role matching `Owner`

    **From Google Cloud CLI**

    4. Get the policy that you want to modify, and write it to a JSON file:
    ```
    gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
    ```
    5. The contents of the JSON file will look similar to the following. Check that the `role` of the members group associated with each `serviceAccount` does not contain `*Admin` or `*admin` and does not match `roles/editor` or `roles/owner`.

    This recommendation is only applicable to `User-Managed user-created` service accounts. These accounts have the nomenclature: `SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com`.

    Note that some Google-managed, Google-created service accounts have the same naming format, and should be excluded (e.g., `appsdev-apps-dev-script-auth@system.gserviceaccount.com`, which needs the Owner role).

    **Sample JSON output:**
    ```
    {
      "bindings": [
        {
          "members": [
            "serviceAccount:our-project-123@appspot.gserviceaccount.com"
          ],
          "role": "roles/appengine.appAdmin"
        },
        {
          "members": [
            "user:email1@gmail.com"
          ],
          "role": "roles/owner"
        },
        {
          "members": [
            "serviceAccount:our-project-123@appspot.gserviceaccount.com",
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
          ],
          "role": "roles/editor"
        }
      ],
      "etag": "BwUjMhCsNvY=",
      "version": 1
    }
    ```
  remediation: |-
    **From Google Cloud Console**

    1. Go to `IAM & admin/IAM` using `https://console.cloud.google.com/iam-admin/iam`
    2. Go to the `Members`
    3. Identify `User-Managed user created` service accounts with roles containing `*Admin` or `*admin` or role matching `Editor` or role matching `Owner`
    4. Click the `Delete bin` icon to remove the role from the member (the service account in this case)

    **From Google Cloud CLI**

    ```
    gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
    ```
    5. Using a text editor, remove the `role` which contains `roles/*Admin` or `roles/*admin` or matches `roles/editor` or `roles/owner`. Add a role to the bindings array that defines the group members and the role for those members.
    For example, to grant the role `roles/appengine.appViewer` to the `ServiceAccount` which is `roles/editor`, you would change the example shown below as follows:
    ```
    {
      "bindings": [
        {
          "members": [
            "serviceAccount:our-project-123@appspot.gserviceaccount.com"
          ],
          "role": "roles/appengine.appViewer"
        },
        {
          "members": [
            "user:email1@gmail.com"
          ],
          "role": "roles/owner"
        },
        {
          "members": [
            "serviceAccount:our-project-123@appspot.gserviceaccount.com",
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
          ],
          "role": "roles/editor"
        }
      ],
      "etag": "BwUjMhCsNvY="
    }
    ```
    6. Update the project's IAM policy:
    ```
    gcloud projects set-iam-policy PROJECT_ID iam.json
    ```
  impact: |-
    Removing `*Admin` or `*admin` or `Editor` or `Owner` role assignments from service accounts may break functionality that uses the impacted service accounts.
    The required role(s) should be assigned to the impacted service accounts in order to restore broken functionality.
  default_value: ''
  references: |-
    1. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/
    2. https://cloud.google.com/iam/docs/understanding-roles
    3. https://cloud.google.com/iam/docs/understanding-service-accounts
  section: Identity and Access Management
  version: '1.0'
  tags:
  - CIS
  - GCP
  - CIS 1.5
  - Identity and Access Management
  benchmark:
    name: CIS Google Cloud Platform Foundation
    version: v2.0.0
    id: cis_gcp
    rule_number: '1.5'
    posture_type: cspm
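The audit and remediation steps above are manual: fetch the IAM policy with `gcloud projects get-iam-policy`, read the JSON, and look for service accounts bound to `roles/editor`, `roles/owner` or any `*Admin`/`*admin` role. The script below is an added example, not part of the rule data or of the cloudbeat project, that automates the same check over an `iam.json` file and produces the corrected policy the remediation describes. The sample policy is constructed from the "Sample JSON output" in the rule text (plus one Google-managed `@system.gserviceaccount.com` binding to show the exclusion); the function names, the `GOOGLE_MANAGED_SUFFIXES` list and the treatment of the default `appspot`/`developer` accounts as in scope (matching the rule's own sample and remediation) are assumptions of this example.

```python
import json
import sys

# Constructed sample, modelled on the rule's "Sample JSON output" with one extra
# Google-managed binding added to exercise the exclusion list.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com"],
     "role": "roles/appengine.appAdmin"},
    {"members": ["user:email1@gmail.com"],
     "role": "roles/owner"},
    {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com",
                 "serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
     "role": "roles/editor"},
    {"members": ["serviceAccount:appsdev-apps-dev-script-auth@system.gserviceaccount.com"],
     "role": "roles/owner"}
  ],
  "etag": "BwUjMhCsNvY=",
  "version": 1
}
""")

# Assumption: Google-managed accounts the rule text says to exclude share this suffix.
GOOGLE_MANAGED_SUFFIXES = ("@system.gserviceaccount.com",)
SA_PREFIX = "serviceAccount:"


def is_privileged_role(role: str) -> bool:
    """True for roles/editor, roles/owner, or any role containing 'admin' (any case)."""
    return role in ("roles/editor", "roles/owner") or "admin" in role.lower()


def find_violations(policy: dict, exclude_suffixes=GOOGLE_MANAGED_SUFFIXES):
    """Return (service_account_email, role) pairs that violate CIS GCP 1.5."""
    violations = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not is_privileged_role(role):
            continue
        for member in binding.get("members", []):
            if not member.startswith(SA_PREFIX):
                continue  # users and groups are out of scope for this rule
            email = member[len(SA_PREFIX):]
            if email.endswith(exclude_suffixes):
                continue  # Google-managed account that legitimately needs the role
            violations.append((email, role))
    return violations


def replace_role(policy: dict, member: str, old_role: str, new_role: str) -> dict:
    """Return a copy of the policy with `member` moved from `old_role` to `new_role`.

    Mirrors remediation step 5: drop the privileged binding for the member and add a
    binding for the least-privilege role instead. Empty bindings are removed, and the
    etag is preserved so `gcloud projects set-iam-policy` can detect concurrent edits.
    """
    new_bindings = []
    for binding in policy["bindings"]:
        members = list(binding["members"])
        if binding["role"] == old_role and member in members:
            members.remove(member)
        if members:
            new_bindings.append({"members": members, "role": binding["role"]})
    for binding in new_bindings:
        if binding["role"] == new_role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        new_bindings.append({"members": [member], "role": new_role})
    return {**policy, "bindings": new_bindings}


if __name__ == "__main__":
    # Usage: python check_cis_1_5.py iam.json   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    for email, role in find_violations(policy):
        print(f"VIOLATION: {email} has {role}")
```

Running it against the constructed sample reports three findings (the `appspot` account with `roles/appengine.appAdmin`, and both default accounts with `roles/editor`) and stays silent on the `@system.gserviceaccount.com` owner binding; `replace_role` then yields the JSON the remediation shows, ready for `gcloud projects set-iam-policy`.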