Ensure that IAM roles with privileged administrative permissions are not assigned to IAM identities (users, groups, and service accounts) to promote least privilege and provide your members (principals) the minimal access required to perform their tasks.
In Google Cloud, roles with administrative permissions can incorporate positions that provide elevated access privileges. To minimize security risks, these roles should not be assigned to IAM members (principals) on a regular basis. When IAM members have administrator privileges (Owner and Editor roles, or roles containing "Admin" or "admin" in their names), they can access, create, and manage cloud resources. To adhere to the Principle of Least Privilege (POLP), assign IAM members the minimal set of permissions required for their operations, and remove any administrator roles that grant overly permissive access.
Audit
To determine if your IAM members are using roles with administrative permissions, perform the following operations:
Remediation / Resolution
To remove any administrator role assignments from your IAM role members (principals), perform the following operations:
References
- Google Cloud Platform (GCP) Documentation
- Identity and Access Management (IAM)
- IAM basic and predefined roles reference
- Manage access to projects, folders, and organizations
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud projects get-iam-policy
- gcloud projects set-iam-policy
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Roles with Administrative Permissions
Risk Level: Medium