GCP Functions with Admin Privileges

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Google Cloud functions don't have privileged administrative permissions in order to promote the Principle of Least Privilege (POLP) and provide your functions the minimal amount of access required to perform their tasks.

In Google Cloud, predefined administrator roles bundle permissions that grant elevated access. The service account associated with your Google Cloud functions should not have admin privileges, in order to minimize security risks. Granting admin rights can lead to unintended access, data breaches, and misuse. Limiting permissions to the minimum necessary for the function's operation follows the Principle of Least Privilege, enhancing overall security by reducing the attack surface and the potential damage from unauthorized access.


Audit

To determine if your Google Cloud functions are not configured with admin privileges, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to examine, listed in the Name column.

05 Select the DETAILS tab and copy the service account identifier, listed next to Service account.

06 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.

07 Select the PERMISSIONS tab and choose the VIEW BY PRINCIPALS tab to access the identities defined for your project's IAM policy.

08 Click inside the Filter box, choose Principal, paste the service account identifier copied at step no. 5, and press Enter.

09 Check the name of each role attached to the selected service account, listed in the Role column, to determine if the selected identity has predefined administrator roles such as Cloud Functions Admin and Cloud KMS Admin, or any predefined roles that contain the word Admin. If one or more predefined administrator roles are assigned to the service account associated with your function, the selected Google Cloud function is configured with admin privileges.

10 Repeat steps no. 4 - 9 for each Google Cloud function created for the selected GCP project.

11 Repeat steps no. 2 - 10 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each Google Cloud function deployed within the selected project:

gcloud functions list \
  --project cc-bigdata-project-123123 \
  --format="(NAME,REGION)"

04 The command output should return the requested function names and their regions:

NAME                  REGION
cc-web-app-function   us-central1
cc-stream-function    us-central1

05 Run functions describe command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the identifier (ID) of the service account associated with the selected function:

gcloud functions describe cc-web-app-function \
  --region=us-central1 \
  --format="value(serviceConfig.serviceAccountEmail)"

06 The command output should return the requested service account ID:

123412341234-compute@developer.gserviceaccount.com

07 Run projects get-iam-policy command (Windows/macOS/Linux) to describe the IAM policy defined for the Google Cloud project used to manage your functions:

gcloud projects get-iam-policy cc-bigdata-project-123123

08 The command output should return the IAM policy configured for your GCP project:

bindings:
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  role: roles/cloudfunctions.admin
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  role: roles/cloudkms.admin
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  - serviceAccount:123412341234@cloudservices.gserviceaccount.com
  role: roles/editor
- members:
  - user:email@domain.com
  role: roles/owner
- members:
  - serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
  role: roles/pubsub.serviceAgent
- members:
  - serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
  role: roles/run.serviceAgent
- members:
  - serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
  role: roles/vpcaccess.serviceAgent
etag: ABCD1234ABCD
version: 1

Check the roles attached to the service account associated with your function, returned at step no. 6, to determine if the selected identity has predefined administrator roles such as roles/cloudfunctions.admin and roles/cloudkms.admin, or any predefined roles that contain the word admin. If one or more predefined administrator roles are assigned to the service account associated with your function, the selected Google Cloud function is configured with admin privileges.

09 Repeat steps no. 5 - 8 for each Google Cloud function created for the selected GCP project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that your Google Cloud functions are not configured with admin privileges, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam and choose IAM.

04 Select the PERMISSIONS tab and choose the VIEW BY PRINCIPALS tab to access the identities defined for your project's IAM policy.

05 Click on the Edit principal (pencil icon) button available next to the service account associated with your Google Cloud function to modify the principal's permissions.

06 Choose the predefined administrator role that you want to remove from the service account and click on the Remove (bin icon) button to delete the role assignment for your identity.

07 To assign a new role that follows the Principle of Least Privilege (POLP), choose + ADD ANOTHER ROLE and select the appropriate, non-privileged role that you want to attach to your service account.

08 Choose SAVE to apply the permission changes.

09 Repeat steps no. 2 – 8 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects remove-iam-policy-binding command (Windows/macOS/Linux) to remove a predefined administrator role from the service account associated with your Google Cloud function. The following command request example removes the Cloud Functions Admin role assignment from a service account identified by the ID "<123412341234-compute@developer.gserviceaccount.com>":

gcloud projects remove-iam-policy-binding cc-bigdata-project-123123 \
  --member=serviceAccount:123412341234-compute@developer.gserviceaccount.com \
  --role=roles/cloudfunctions.admin

02 The command output should return the updated IAM policy in YAML format:

bindings:
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  - serviceAccount:123412341234@cloudservices.gserviceaccount.com
  role: roles/editor
- members:
  - user:email@domain.com
  role: roles/owner
- members:
  - serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
  role: roles/pubsub.serviceAgent
- members:
  - serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
  role: roles/run.serviceAgent
- members:
  - serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
  role: roles/vpcaccess.serviceAgent
etag: ABCD1234ABCD
version: 1

03 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to assign a non-privileged role to the service account associated with your Google Cloud functions. The following command request example adds the Cloud Functions Viewer (i.e. roles/cloudfunctions.viewer) role to a service account identified by the ID "<123412341234-compute@developer.gserviceaccount.com>". The Cloud Functions Viewer role provides read-only access to functions and locations:

gcloud projects add-iam-policy-binding cc-bigdata-project-123123 \
  --member=serviceAccount:123412341234-compute@developer.gserviceaccount.com \
  --role=roles/cloudfunctions.viewer

04 The command output should return the updated IAM policy:

bindings:
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  role: roles/cloudfunctions.viewer
- members:
  - serviceAccount:123412341234-compute@developer.gserviceaccount.com
  - serviceAccount:123412341234@cloudservices.gserviceaccount.com
  role: roles/editor
- members:
  - user:email@domain.com
  role: roles/owner
- members:
  - serviceAccount:service-123412341234@gcp-sa-pubsub.iam.gserviceaccount.com
  role: roles/pubsub.serviceAgent
- members:
  - serviceAccount:service-123412341234@serverless-robot-prod.iam.gserviceaccount.com
  role: roles/run.serviceAgent
- members:
  - serviceAccount:service-123412341234@gcp-sa-vpcaccess.iam.gserviceaccount.com
  role: roles/vpcaccess.serviceAgent
etag: ABCD1234ABCD
version: 1

05 Repeat steps no. 1 - 4 for each project deployed within your Google Cloud account.
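The CLI audit (steps 05 - 08) and the CLI remediation (step 01) above can be combined into one script. The following is an added example and is not part of the Conformity knowledge base nor a Google tool. It assumes an authenticated gcloud CLI, reads the function's runtime service account with the same `serviceConfig.serviceAccountEmail` field used in the audit, and uses gcloud's `--flatten`/`--filter`/`--format` projection flags to list the roles bound to that account instead of reading the policy YAML by hand. The role check goes slightly beyond the page's rule: in addition to any predefined role containing "admin" (case-insensitive), it also flags the basic roles roles/owner and roles/editor, which grant broader access than any single admin role; that extension is an assumption made here. Remediation commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling): audit one Cloud Function's
# runtime service account for privileged IAM roles and print the matching
# "remove-iam-policy-binding" commands for review.
# Usage: ./audit_function_roles.sh PROJECT_ID REGION FUNCTION_NAME
set -eu

# Print the privileged roles found on stdin (one role per line, input order kept).
# The page's rule is "any predefined role containing Admin"; roles/owner and
# roles/editor are flagged as well (an extension assumed here, since the basic
# roles are broader than any admin role).
privileged_roles() {
  grep -iE 'admin|^roles/(owner|editor)$' || true
}

# Exit status 0 when every role on stdin is non-privileged, 1 otherwise.
check_roles() {
  found="$(privileged_roles)"
  if [ -n "$found" ]; then
    printf 'NON-COMPLIANT, privileged role(s) bound:\n%s\n' "$found" >&2
    return 1
  fi
  echo 'COMPLIANT' >&2
}

# Print one remove-iam-policy-binding command per privileged role on stdin,
# so the removals can be reviewed before they are run.
remediation_commands() {
  project="$1"; member="$2"
  privileged_roles | while IFS= read -r role; do
    printf 'gcloud projects remove-iam-policy-binding %s --member=%s --role=%s\n' \
      "$project" "$member" "$role"
  done
}

# Runtime service account of a function (same field as audit step 05).
function_service_account() {
  gcloud functions describe "$3" --project "$1" --region "$2" \
    --format="value(serviceConfig.serviceAccountEmail)"
}

# Roles bound to a member in the project IAM policy; replaces the manual read
# of the YAML policy in audit step 08.
roles_for_member() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# Full audit of one function; returns 1 and prints remediation when non-compliant.
audit_function() {
  project="$1"; region="$2"; name="$3"
  sa="$(function_service_account "$project" "$region" "$name")"
  member="serviceAccount:${sa}"
  roles="$(roles_for_member "$project" "$member")"
  echo "Function ${name} runs as ${sa}" >&2
  if printf '%s\n' "$roles" | check_roles; then
    return 0
  fi
  echo 'Suggested remediation (review, then run):' >&2
  printf '%s\n' "$roles" | remediation_commands "$project" "$member"
  return 1
}

# Run the live audit only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
  audit_function "$1" "$2" "$3"
fi
```

Fed the roles from the sample policy in audit step 08, `check_roles` reports roles/cloudfunctions.admin, roles/cloudkms.admin and roles/editor as privileged and exits non-zero; after the remediation in steps 01 - 03 only roles/editor would remain flagged, which is why replacing the basic role with a task-specific one is part of the least-privilege cleanup.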

Publication date Oct 24, 2023
