Ensure that separation of duties (also known as segregation of duties - SoD) is enforced for all Google Cloud Platform (GCP) service-account related roles. The security principle of separation of duties has as its primary objective the prevention of fraud and human error. This objective is achieved by disbanding the tasks and associated privileges for a specific business process among multiple users/members. To follow security best practices, your GCP service accounts should not have the Service Account Admin and Service Account User roles assigned at the same time.
This rule resolution is part of the Conformity Security & Compliance tool for GCP.
The principle of separation of duties should be enforced in order to eliminate the need for high-privileged IAM members, as the permissions granted to these members can allow them to perform malicious or unwanted actions.
Audit
To determine if there are any IAM members that have Service Account Admin and Service Account User roles assigned at the same time, perform the following operations:
Remediation / Resolution
To implement the principle of separation of duties and secure the access to your GCP projects, revoke either Service Account Admin role or Service Account User role from the IAM user/member that is associated with both these roles, and attach one of the roles to another member according to your business requirements.
Step A: To revoke the Service Account User role from the required IAM user account, perform the following actions:
Step B: Assign the removed service role, i.e. Service Account User, to another IAM user/member account created for your GCP project by performing the following actions:
References
- Google Cloud Platform (GCP) Documentation
- Cloud Identity and Access Management (IAM)
- Service accounts
- Understanding roles
- Granting, changing, and revoking access to resources
- CIS Security Documentation
- Securing Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud projects get-iam-policy
- gcloud projects set-iam-policy
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Enforce Separation of Duties for Service-Account Related Roles
Risk Level: Medium