Ensure that the "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced for your Google Cloud Platform (GCP) organizations in order to deactivate the automatic IAM role grant for default service accounts.
Some Google Cloud services create default service accounts in your GCP projects. When a default service account is created, it is automatically granted the Editor role ("roles/editor") on the project. To enhance access security and meet compliance requirements, it is strongly recommended to disable this automatic IAM role grant. Use the "Disable Automatic IAM Grants for Default Service Accounts" constraint (i.e. "iam.automaticIamGrantsForDefaultServiceAccounts") to disable the automatic role grant for all the projects created within your organization.
To determine if the "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced at the organization level, perform the following operations:
Remediation / Resolution
To ensure that the automatic IAM role grant for default service accounts is disabled within your Google Cloud organization, enable the “Disable Automatic IAM Grants for Default Service Accounts” organization policy by performing the following operations:
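As an added example (not part of this page or of Google's tooling), the script below classifies the YAML that `gcloud resource-manager org-policies describe` prints for this constraint, so the audit and the remediation above can be scripted; the sample outputs are constructed, and the organization ID is a placeholder you supply on the command line.

```shell
#!/usr/bin/env bash
# Added example: audit / remediate the "Disable Automatic IAM Grants for
# Default Service Accounts" organization policy with gcloud.
set -euo pipefail

CONSTRAINT="iam.automaticIamGrantsForDefaultServiceAccounts"

# Classify the YAML printed by `gcloud resource-manager org-policies describe`.
# An enforced boolean constraint prints "booleanPolicy:" with "enforced: true";
# an unset policy prints only the "constraint:" line. Reads stdin, prints
# ENFORCED or NOT_ENFORCED, and returns 0 only when the policy is enforced.
classify_policy() {
  local enforced
  enforced=$(awk '
    /^booleanPolicy:/ { in_bool = 1; next }
    in_bool && /^[[:space:]]+enforced:/ { print $2; exit }
    /^[^[:space:]]/ { in_bool = 0 }
  ')
  if [ "$enforced" = "true" ]; then
    echo "ENFORCED"; return 0
  fi
  echo "NOT_ENFORCED"; return 1
}

# Audit: fetch the policy for one organization and classify it.
audit_org() {
  gcloud resource-manager org-policies describe "$CONSTRAINT" \
    --organization="$1" --format=yaml | classify_policy
}

# Remediation: enforce the constraint at the organization level.
remediate_org() {
  gcloud resource-manager org-policies enable-enforce "$CONSTRAINT" \
    --organization="$1"
}

# Constructed sample outputs (not captured from a real organization).
SAMPLE_ENFORCED='booleanPolicy:
  enforced: true
constraint: constraints/iam.automaticIamGrantsForDefaultServiceAccounts
etag: CONSTRUCTED_ETAG'
SAMPLE_UNSET='constraint: constraints/iam.automaticIamGrantsForDefaultServiceAccounts'

# Usage: ./audit_default_sa_grants.sh ORG_ID [--remediate]
if [ $# -ge 1 ]; then
  if audit_org "$1"; then
    echo "organization $1 is compliant"
  elif [ "${2:-}" = "--remediate" ]; then
    remediate_org "$1"
  fi
fi
```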
- Google Cloud Platform (GCP) Documentation
- Organization policy constraints
- Using constraints
- Creating and managing organization policies
- Restricting service account usage
- GCP Command Line Interface (CLI) Documentation
- gcloud organizations list
- gcloud alpha resource-manager org-policies describe
- gcloud alpha resource-manager org-policies enable-enforce
Disable Automatic IAM Role Grants for Default Service Accounts
Risk level: Medium