Ensure that the service account associated with your Google Cloud functions is not configured to use basic roles for permissions, in order to follow the Principle of Least Privilege (POLP) and grant only the specific permissions the function needs to operate securely. In Google Cloud, the basic roles are the "Viewer", "Editor", and "Owner" roles.
Before IAM was introduced in Google Cloud, basic roles existed as highly permissive roles designed to provide wide-ranging access to cloud resources. They should be used with caution, as each of them encompasses thousands of permissions across all Google Cloud services. In production environments, avoid granting basic roles unless absolutely necessary; instead, use the predefined role with the most restricted permissions that still fits the function, or create a custom role tailored to your specific requirements.
Audit
To determine if the service account associated with your Google Cloud functions is configured to use basic roles, perform the following actions:
Remediation / Resolution
Basic roles provide overly broad permissions that can lead to security risks and potential misuse of resources. To ensure that your Google Cloud functions are not using basic roles for permissions, perform the following actions:
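The audit and remediation above boil down to one check: does the project IAM policy bind a basic role to the function's runtime service account? The following script is an added example (not Conformity's or Google's code) that performs that check and prints the matching gcloud remediation commands; it runs offline against constructed stand-ins for the output of `gcloud functions describe` and `gcloud projects get-iam-policy`, and the project, function and account names are made up.

```python
import json

# Basic (primitive) roles that the rule flags.
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}

# Constructed stand-in for `gcloud projects get-iam-policy PROJECT --format=json`.
# The default App Engine service account is commonly granted Editor, so it is a typical finding.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/editor", "members": [
     "serviceAccount:my-project@appspot.gserviceaccount.com", "user:alice@example.com"]},
  {"role": "roles/owner", "members": ["user:bob@example.com"]},
  {"role": "roles/viewer", "members": [
     "serviceAccount:report-fn@my-project.iam.gserviceaccount.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/cloudfunctions.invoker", "members": [
     "serviceAccount:lean-fn@my-project.iam.gserviceaccount.com"]}]}""")

# Constructed stand-ins for `gcloud functions describe FUNCTION --region REGION --format=json`.
# 1st gen functions expose serviceAccountEmail at the top level, 2nd gen under serviceConfig.
SAMPLE_FUNCTIONS = {
    "legacy-fn": {"serviceAccountEmail": "my-project@appspot.gserviceaccount.com"},
    "report-fn": {"serviceConfig": {"serviceAccountEmail": "report-fn@my-project.iam.gserviceaccount.com"}},
    "lean-fn": {"serviceConfig": {"serviceAccountEmail": "lean-fn@my-project.iam.gserviceaccount.com"}},
}


def function_service_account(desc):
    """Return the runtime service account from a describe document of either generation."""
    return desc.get("serviceAccountEmail") or desc.get("serviceConfig", {}).get("serviceAccountEmail")


def basic_roles_for(policy, service_account):
    """Basic roles bound to the account at project level. Conditional bindings are included:
    a condition narrows when the role applies, it does not make the role less permissive."""
    member = f"serviceAccount:{service_account}"
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if b["role"] in BASIC_ROLES and member in b.get("members", []))


def audit_functions(policy, functions):
    """Map each non-compliant function name to the basic roles its service account holds."""
    findings = {}
    for name, desc in functions.items():
        roles = basic_roles_for(policy, function_service_account(desc))
        if roles:
            findings[name] = roles
    return findings


def remediation_commands(project, service_account, basic_roles, replacement_role):
    """gcloud commands that replace each basic role with one predefined or custom role.
    Review before running; a conditional binding also needs the matching --condition (or --all)."""
    member = f"serviceAccount:{service_account}"
    cmds = [f"gcloud projects remove-iam-policy-binding {project} --member={member} --role={r}"
            for r in basic_roles]
    cmds.append(f"gcloud projects add-iam-policy-binding {project} --member={member} --role={replacement_role}")
    return cmds


if __name__ == "__main__":
    for fn, roles in audit_functions(SAMPLE_POLICY, SAMPLE_FUNCTIONS).items():
        sa = function_service_account(SAMPLE_FUNCTIONS[fn])
        print(fn, roles, *remediation_commands("my-project", sa, roles, "roles/cloudfunctions.invoker"), sep="\n  ")
```

In a real audit, replace the two constructed documents with the JSON output of `gcloud functions list`/`describe` and `gcloud projects get-iam-policy` for each project returned by `gcloud projects list`.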
References
- Google Cloud Platform (GCP) Documentation
- Secure your Cloud Function
- Function Identity
- IAM basic and predefined roles reference
- Principal identifiers
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud functions list
- gcloud functions describe
- gcloud projects get-iam-policy
- gcloud projects remove-iam-policy-binding
- gcloud projects add-iam-policy-binding
GCP Function using Service Account with Basic Roles
Risk Level: High