IAM user has privileged roles at project level Affecting IAM service in Google

Severity Framework Snyk CCSS

Rule category IAM / Least Privilege

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google CSA-CCM HIPAA ISO-27001 PCI-DSS SOC-2

Snyk ID SNYK-CC-00347
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Assigning IAM users with project-level 'Service Account User' or 'Service Account Token Creator' roles means that they can potentially access resources across an entire project. IAM users should be assigned to a specific service account with more scoped access.

How to fix?

Remove roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator from project level bindings.

Example Configuration

resource "google_project_iam_member" "allowed" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}

IAM user has privileged roles at project level Affecting IAM service in Google

Description

How to fix?

Example Configuration

Terraform