Ensure that your Google Cloud functions are configured to use user-managed service accounts instead of the default service account managed by Google Cloud in order to follow the Principle of Least Privilege (POLP) and enhance the security posture of your functions.
For production environments, Google Cloud recommends giving each function its own identity through a user-managed service account rather than running it as the default, Google-managed service account. The default account is shared with other workloads in the project and is granted the broad Editor role at creation unless an organization policy prevents it, so a single compromised function inherits far more access than it needs. A user-managed service account lets you grant only the Identity and Access Management (IAM) permissions the function actually requires, and revoke them independently of other workloads.
Audit
To determine the type of the service account associated with your Google Cloud functions, perform the following operations:
Remediation / Resolution
To ensure that your Google Cloud functions are configured to use user-managed service accounts instead of the default service account, perform the following operations:
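The audit and remediation steps themselves are not reproduced on this page. The following bash script is an added example, not Conformity's own steps and not Google's code, that shows both sides: it lists the functions in a project that run as a Google-managed default identity, and it moves one function onto a dedicated service account with an explicit, minimal set of roles. It assumes the gcloud CLI is installed and authenticated with permission to list and deploy functions and to manage IAM; it assumes that 1st gen functions report their identity in the `serviceAccountEmail` field and 2nd gen functions under `serviceConfig.serviceAccountEmail`; and every project, region, function, bucket, account and role name in the usage comments is a placeholder chosen by the caller.

```bash
#!/usr/bin/env bash
# Added example, not Conformity's audit/remediation steps or Google's code.
# Finds Cloud Functions that run as a Google-managed default service account and
# redeploys a function with a dedicated, user-managed one.
# Assumes: gcloud is installed and authenticated; all project/region/function/role
# names passed in are placeholders chosen by the caller.
set -eo pipefail

# Cloud Functions falls back to one of two Google-managed identities when no
# --service-account is given: the App Engine default account for 1st gen functions
# (PROJECT_ID@appspot.gserviceaccount.com) and the Compute Engine default account
# for 2nd gen functions (PROJECT_NUMBER-compute@developer.gserviceaccount.com).
# Returns 0 when EMAIL is one of them.
is_default_sa() {
  case "$1" in
    *@appspot.gserviceaccount.com)            return 0 ;;
    *-compute@developer.gserviceaccount.com)  return 0 ;;
    *)                                        return 1 ;;
  esac
}

# Email of the user-managed service account NAME in PROJECT_ID.
user_sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"
}

# Audit: one line per function in PROJECT_ID that runs as a default account.
# 1st gen functions expose serviceAccountEmail at the top level, 2nd gen under
# serviceConfig (assumption), so both fields are requested and whichever is set is used.
audit_project() {
  local project="$1"
  gcloud functions list --project "$project" \
    --format="value(name,serviceAccountEmail,serviceConfig.serviceAccountEmail)" |
  while IFS=$'\t' read -r name sa_gen1 sa_gen2; do
    local email="${sa_gen1:-$sa_gen2}"
    if is_default_sa "$email"; then
      printf 'DEFAULT\t%s\t%s\n' "$name" "$email"
    fi
  done
}

# Remediation: create the dedicated account if it does not exist, grant it only
# the roles given, then redeploy the function so it runs as that identity.
# Usage: attach_dedicated_sa PROJECT REGION FUNCTION SA_NAME SOURCE [ROLE...]
# Set FUNCTION_GEN2=1 for a 2nd gen function so the deploy passes --gen2.
attach_dedicated_sa() {
  local project="$1" region="$2" fn="$3" sa_name="$4" source="$5"
  shift 5
  local email
  email="$(user_sa_email "$project" "$sa_name")"

  gcloud iam service-accounts describe "$email" --project "$project" >/dev/null 2>&1 ||
    gcloud iam service-accounts create "$sa_name" --project "$project" \
      --display-name="Runtime identity for Cloud Function $fn"

  # Grant only what the function needs; the default account carries the broad
  # Editor role, which is exactly what this change takes away from the function.
  local role
  for role in "$@"; do
    gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$email" --role="$role" >/dev/null
  done

  gcloud functions deploy "$fn" --project "$project" --region "$region" \
    --source="$source" --service-account="$email" ${FUNCTION_GEN2:+--gen2}
}

# Entry points (placeholder names), e.g.:
#   ./fn-identity.sh audit my-proj
#   ./fn-identity.sh remediate my-proj us-central1 hello fn-runtime \
#       gs://my-bucket/hello.zip roles/secretmanager.secretAccessor
case "${1:-}" in
  audit)     audit_project "$2" ;;
  remediate) shift; attach_dedicated_sa "$@" ;;
esac
```

Run the audit first and keep its output: the email it prints is what you compare against `gcloud functions describe` when confirming the fix. Before remediating, work out which roles the function really uses, because a function that silently relied on the default account's Editor role will start failing with permission errors as soon as it runs under an account that has none; granting the specific roles up front, as the script does, is the least-privilege outcome the rule is after.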
References
- Google Cloud Platform (GCP) Documentation
  - Secure your Cloud Function
  - Function Identity
  - Types of service accounts
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud functions list
  - gcloud functions describe
  - gcloud functions deploy
GCP Function using Default Service Account
Risk Level: Medium