For production and security-critical cloud environments, limit the use of primitive roles such as "Owner", "Editor", and "Viewer" for Cloud IAM members. Instead, grant predefined roles to these IAM members to allow the least-permissive access required to perform their tasks (i.e. Principle of Least Privilege – POLP).
Cloud Identity and Access Management (IAM) service provides 3 types of roles: primitive, predefined and custom roles. Primitive roles, i.e. "Owner", "Editor" and "Viewer", are managed roles that existed prior to the introduction of Cloud IAM. Predefined roles are roles created and maintained by Google, that provide granular access to specific Google Cloud Platform (GCP) resources and deny unwanted access to other resources. Custom roles are user-defined roles that allow you to bundle one or more supported permissions to meet your specific needs. Google Cloud projects are often (and overly) using primitive roles. To implement the Principle of Least Privilege (POLP) and follow security best practices, grant predefined roles to IAM identities wherever possible, as these roles provide more granular access than the primitive roles. This eliminates over-privileged cloud identities from your Google Cloud projects and prevent any unwanted or unauthorized access to your GCP cloud resources.
The use of primitive roles should be limited to the following cases only:
When the Google Cloud service does not provide a predefined role.
When it is required to grant broader permissions for a GCP project (e.g. when granting permissions to development and/or test environments).
When it is required to allow an IAM member to modify permissions for a GCP project. In this case, it is necessary to grant the identity the "Owner" role, because only owners have the permission to grant access to other IAM users.
When the project is used within a small team where the team members do not need granular permissions.
To determine if there are any IAM identities that make use of Cloud IAM primitive roles, perform the following operations:
Remediation / Resolution
To implement the Principle of Least Privilege (POLP) and secure the access to your Google Cloud Platform (GCP) projects, revoke primitive roles, i.e. the "Owner", "Editor" and "Viewer", for each IAM identity (member) and attach one or more Cloud IAM predefined roles according to the identity access requirements. To replace the primitive roles with the required predefined roles, perform the following operations:
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Minimize the Use of Primitive Roles
Risk level: Medium