Service accounts should keep the 'Service Account Admin' and 'Service Account User' roles separate
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
Security best practices recommend that the principle of ‘Separation of Duties’ is enforced while assigning service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.
Rationale
The predefined IAM role Service Account admin
allows the user/identity to
create, delete, and manage service account(s). The predefined IAM role Service Account User
allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.
Separation of duties is the concept of ensuring that one individual does not have all
necessary permissions to be able to complete a malicious action. Using Cloud IAM service
accounts, a malicious user could assume the identity of a service account to access resources that
they otherwise cannot access.
Separation of duties is a business control typically used in larger organizations, meant to
help avoid security or privacy incidents and errors. It is considered a best practice.
No user should have Service Account Admin
and Service Account User
roles assigned
at the same time.
- Go to
IAM & Admin/IAM
using https://console.cloud.google.com/iam-admin/iam - For any member having both
Service Account Admin
and Service Account User
roles granted/assigned, click the Delete Bin
icon to remove either role from the member.
Removal of a role should be done based on the business requirements.
Impact
The removed role should be assigned to a different user based on business needs.
References
- https://cloud.google.com/iam/docs/service-accounts
- https://cloud.google.com/iam/docs/understanding-roles
- https://cloud.google.com/iam/docs/granting-roles-to-service-accounts
Users granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges
equivalent to Service Account Admin and Service Account User. To avoid misuse,
Owner and Editor roles should be granted to a very limited number of users. Use of these primitive
privileges should be minimal. These requirements are addressed in separate
recommendations.