More Info:

Ensure that the creation of Cloud IAM service accounts is prevented within your Google Cloud organization through the “Disable Service Account Creation” organization policy. This allows you to easily centralize the management of your service accounts while not restricting the other permissions that your developers and administrators have on the projects within the organization. A Cloud IAM service account is a special account that can be used by services and applications running on your Compute Engine instances to interact with other Google Cloud APIs. Applications can use service account credentials to authorize themselves to a set of APIs and perform actions within the permissions granted to the service account.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration of preventing service account creation for Google Cloud Organizations, you can follow the below steps in the GCP console:

  1. Open the Google Cloud Console and select the organization for which you want to remediate the misconfiguration.

  2. Click on the “IAM & Admin” option from the left-hand menu.

  3. From the IAM dashboard, click on the “Roles” tab.

  4. Search for the “Service Account Admin” role and click on it.

  5. Click on the “Edit” button to edit the role.

  6. In the “Permissions” tab, search for the “iam.serviceAccounts.create” permission and remove it from the role.

  7. Click on the “Save” button to save the changes.

  8. Repeat the above steps for the “Service Account User” role.

By removing the “iam.serviceAccounts.create” permission from the “Service Account Admin” and “Service Account User” roles, you will remediate the misconfiguration of preventing service account creation for Google Cloud Organizations.

Using CLI

To remediate the misconfiguration “Prevent Service Account Creation for Google Cloud Organizations” in GCP using GCP CLI, follow the below steps:

Step 1: Open the Cloud Shell in your GCP console.

Step 2: Run the following command to list the current IAM organization policy constraints:

gcloud organizations get-iam-policy [ORGANIZATION_ID] --flatten="constraints[]" --format="table(constraints.constraint|constraints.listPolicy.booleanPolicy.enforced)"

Note: Replace [ORGANIZATION_ID] with your actual organization ID.

Step 3: Check if the constraint “constraints/iam.disableServiceAccountCreation” is set to “true”. If it is set to “true”, then the service account creation is already prevented for the organization.

Step 4: If the constraint is not set or set to “false”, then run the following command to update the constraint and prevent service account creation:

gcloud organizations update-policy [ORGANIZATION_ID] --constraint="constraints/iam.disableServiceAccountCreation=true"

Note: Replace [ORGANIZATION_ID] with your actual organization ID.

Step 5: Verify the constraint update by running the command in step 2 again.

By following these steps, you can remediate the misconfiguration “Prevent Service Account Creation for Google Cloud Organizations” in GCP using GCP CLI.

Using Python

To prevent Service Account creation for Google Cloud Organizations, you can follow the steps below:

  1. First, you need to enable the “Constraint API” in your GCP project. You can do this by going to the “APIs & Services” section in the Cloud Console and searching for “Constraint API”. Once you find it, enable it.

  2. Next, you need to create a new constraint that prevents Service Account creation. You can do this using the following Python code:

from google.cloud import resource_manager_v3 as rm

# Replace ORGANIZATION_ID with your GCP organization ID
ORGANIZATION_ID = "YOUR_ORGANIZATION_ID"

# Create the Constraint object
constraint = {
    "constraint_default": True,
    "display_name": "Prevent Service Account Creation",
    "description": "Prevents the creation of Service Accounts in the organization",
    "constraint_type": "constraints/compute.disableServiceAccountCreation",
    "list_constraint": {
        "supports_in": True,
        "constraint_values": []
    },
    "version": 0
}

# Create the Constraint using the Resource Manager API
client = rm.OrganizationsClient()
response = client.create_constraint(parent=f"organizations/{ORGANIZATION_ID}", constraint=constraint)

print(response)

  1. This code creates a new constraint that prevents Service Account creation in your GCP organization. You can verify that the constraint has been created by going to the “Constraints” section in the Cloud Console.

  2. Once the constraint is in place, any attempt to create a Service Account in your GCP organization will fail.

Note: You need to have the appropriate permissions to create constraints in your GCP organization.