More Info:

Ensure that the “Disable Automatic IAM Grants for Default Service Accounts” policy is enforced for your Google Cloud Platform (GCP) organizations to deactivate the automatic IAM role grant for default service accounts.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

To remediate the misconfiguration “Disable Automatic IAM Role Grants for Default Service Accounts” in GCP using the GCP console, follow the steps below:

  1. Log in to your GCP console.
  2. Navigate to the “IAM & Admin” section from the left-hand side menu.
  3. Click on the “Settings” tab.
  4. Scroll down to the “Service Accounts” section.
  5. In the “Service Accounts” section, you will find the option “Enable automatic role grants for default service accounts”. Make sure this option is unchecked. If it is checked, click on the edit button (pencil icon) and uncheck the option.
  6. Once you have unchecked the option, click on the “Save” button to save the changes.

After completing the steps above, the misconfiguration “Disable Automatic IAM Role Grants for Default Service Accounts” is remediated in GCP using the GCP console.
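Turning off the automatic grant is not retroactive: default service accounts that already received the Editor role keep it until the binding is removed. The following added example (not part of the original page) audits a project IAM policy, in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, for such leftover grants. The sample policy, project name and account numbers are constructed for illustration.

```python
import json
import re

# E-mail patterns of the two default service accounts that receive the
# automatic grant: Compute Engine and App Engine.
DEFAULT_SA = re.compile(
    r"^serviceAccount:(\d+-compute@developer\.gserviceaccount\.com"
    r"|[a-z][a-z0-9.-]*@appspot\.gserviceaccount\.com)$"
)

# The automatic grant assigns roles/editor; roles/owner is included here
# because it is at least as broad.
BROAD_ROLES = {"roles/editor", "roles/owner"}

# Constructed sample policy (not taken from a real project).
SAMPLE_POLICY = """
{
  "version": 1,
  "bindings": [
    {"role": "roles/editor",
     "members": [
       "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
       "serviceAccount:example-project@appspot.gserviceaccount.com",
       "user:alice@example.com"]},
    {"role": "roles/logging.logWriter",
     "members": [
       "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": [
       "serviceAccount:deploy@example-project.iam.gserviceaccount.com"]}
  ]
}
"""


def find_default_sa_grants(policy):
    """Return sorted (member, role) pairs where a default service account
    holds a broad basic role in the given IAM policy dict."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            if DEFAULT_SA.match(member):
                findings.append((member, role))
    return sorted(findings)


if __name__ == "__main__":
    for member, role in find_default_sa_grants(json.loads(SAMPLE_POLICY)):
        print(f"REVIEW: {member} holds {role}")
```

Each reported binding should be replaced with the narrower roles the workload actually needs before the Editor grant is removed.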