More Info:

Ensuring that no service accounts have admin privileges.

Risk Level

Critical

Address

Security

Compliance Standards

CISGCP, CBP

Remediation

Using Console

To remediate the misconfiguration “Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time” for GCP using GCP console, follow the below steps:

  1. Login to the GCP console (https://console.cloud.google.com/).
  2. Navigate to the IAM & Admin page by clicking on the hamburger menu on the top left corner and selecting “IAM & Admin” from the menu.
  3. Select “Service accounts” from the left-hand menu.
  4. Locate the service account that has both admin and user permissions assigned to it.
  5. Click on the service account to view its details.
  6. Click on the “Permissions” tab to view the permissions assigned to the service account.
  7. Remove the admin permissions from the service account by clicking on the “Edit” button next to the role that has admin permissions assigned to it.
  8. Deselect the admin role and click “Save” to remove the admin permissions.
  9. Verify that the service account now only has user permissions assigned to it.

By following these steps, the misconfiguration “Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time” will be remediated for GCP.

Using CLI

To remediate the misconfiguration of assigning both Service Accounts Admin and User permissions at the same time in GCP using GCP CLI, follow these steps:

  1. Open the Google Cloud Shell from the GCP console.

  2. Run the following command to list all the IAM policies of the project:

gcloud projects get-iam-policy <PROJECT_ID>

Replace <PROJECT_ID> with the actual project ID.

  1. Identify the service account that has both Service Accounts Admin and User permissions assigned to it.

  2. Run the following command to remove the Service Accounts Admin role from the service account:

gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SERVICE_ACCOUNT_EMAIL> --role=roles/iam.serviceAccountAdmin

Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.

  1. Verify that the Service Accounts Admin role has been removed from the service account by running the following command:
gcloud projects get-iam-policy <PROJECT_ID> --flatten="bindings[].members" --format="table(bindings.role, bindings.members)" --filter="bindings.members:<SERVICE_ACCOUNT_EMAIL>"

Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.

  1. If the User role is still assigned to the service account, run the following command to remove it:
gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SERVICE_ACCOUNT_EMAIL> --role=roles/iam.serviceAccountUser

Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.

  1. Verify that the User role has been removed from the service account by running the following command:
gcloud projects get-iam-policy <PROJECT_ID> --flatten="bindings[].members" --format="table(bindings.role, bindings.members)" --filter="bindings.members:<SERVICE_ACCOUNT_EMAIL>"

Replace <PROJECT_ID> with the actual project ID and <SERVICE_ACCOUNT_EMAIL> with the email address of the service account.

  1. Repeat steps 3-7 for any other service accounts that have both Service Accounts Admin and User permissions assigned to them.

By following these steps, you will successfully remediate the misconfiguration of assigning both Service Accounts Admin and User permissions at the same time for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time” in GCP using Python, follow these steps:

  1. Create a list of all the service accounts in your GCP project using the following code:
from google.oauth2 import service_account
from googleapiclient.discovery import build

credentials = service_account.Credentials.from_service_account_file(
    'path/to/your/credentials.json'
)

service = build('iam', 'v1', credentials=credentials)

response = service.projects().serviceAccounts().list(name='projects/your-project-id').execute()

service_account_emails = [account['email'] for account in response['accounts']]
  1. For each service account in the list, check if it has both admin and user permissions assigned to it using the following code:
for email in service_account_emails:
    response = service.projects().serviceAccounts().get(name=f'projects/your-project-id/serviceAccounts/{email}').execute()
    for role in response['iam_roles']:
        if 'admin' in role.lower() and 'user' in role.lower():
            print(f'Service account {email} has both admin and user permissions assigned to it.')
  1. If any service account has both admin and user permissions assigned to it, remove the user permissions using the following code:
for email in service_account_emails:
    response = service.projects().serviceAccounts().get(name=f'projects/your-project-id/serviceAccounts/{email}').execute()
    roles_to_remove = []
    for role in response['iam_roles']:
        if 'admin' in role.lower() and 'user' in role.lower():
            roles_to_remove.append(role)
    if roles_to_remove:
        body = {
            'updateMask': 'iam_roles',
            'iam_roles': [role for role in response['iam_roles'] if role not in roles_to_remove]
        }
        service.projects().serviceAccounts().patch(name=f'projects/your-project-id/serviceAccounts/{email}', body=body).execute()
        print(f'Removed user permissions from service account {email}.')

Note: Replace “your-project-id” with the ID of your GCP project and “path/to/your/credentials.json” with the path to your GCP service account credentials file. Also, make sure that the credentials have the necessary permissions to manage service accounts in your GCP project.

Additional Reading: