Ensure IAM roles do not impersonate or manage service accounts through Google Folder IAM Binding

LOW

Description

A google_folder_iam_member binding grants a principal a role at folder level that allows impersonating or managing service accounts, for example roles/iam.serviceAccountUser, roles/iam.serviceAccountTokenCreator, roles/iam.serviceAccountAdmin or roles/iam.serviceAccountKeyAdmin. Because folder-level IAM is inherited, such a grant applies to every service account in every project beneath the folder, so the principal can act as (or mint credentials for) any of them rather than only the one it needs.

Remediation

In GCP Console -

  1. Log into the GCP Console, select the folder in question and go to IAM.
  2. Under IAM, select the pencil icon next to the principal whose binding grants a service account role.
  3. Remove that role from the binding (granting it on the specific service account instead, if the principal needs it), then select Save.

In Terraform -

  1. In the google_folder_iam_member resource, change the role argument so it no longer grants a service account role (such as roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator), or remove the resource. If a principal needs to act as one service account, grant the role on that service account with google_service_account_iam_member instead of at folder scope.
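The following is an added example, not code from the original page or from the rule's vendor, showing how to check a Terraform plan for this condition before it is applied. It reads the JSON produced by `terraform show -json tfplan`, walks every module, and flags google_folder_iam_member or google_folder_iam_binding resources whose role is one of the service account roles listed above. The two embedded plans are constructed for this example (folder ID, group and service account names are made up): one mirrors the non-compliant resource, the other the remediated configuration that grants the same role on a single service account.

```python
"""Flag folder-level Terraform IAM bindings that grant roles able to
impersonate or manage service accounts.

Input is the JSON from `terraform show -json tfplan`; the sample plans
below are constructed by hand for this example.
"""
import json

# Predefined roles whose permissions let the grantee act as, mint tokens
# for, or administer service accounts. Granted on a folder, they inherit
# down to every service account in every project under that folder.
SERVICE_ACCOUNT_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.workloadIdentityUser",
}

# Terraform resource types that attach a role at folder scope.
FOLDER_IAM_TYPES = {"google_folder_iam_member", "google_folder_iam_binding"}


def walk_resources(module):
    """Yield every resource in a plan module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def find_folder_sa_bindings(plan):
    """Return one finding per folder IAM resource granting a service account role."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk_resources(root):
        if res.get("type") not in FOLDER_IAM_TYPES:
            continue
        values = res.get("values", {})
        role = values.get("role")
        if role not in SERVICE_ACCOUNT_ROLES:
            continue
        # iam_member carries a single `member`; iam_binding carries `members`.
        members = values.get("members") or [values.get("member")]
        findings.append({
            "address": res.get("address"),
            "folder": values.get("folder"),
            "role": role,
            "members": members,
        })
    return findings


def scan_plan_file(path):
    """Convenience wrapper: run the check against a saved `terraform show -json` file."""
    with open(path) as fh:
        return find_folder_sa_bindings(json.load(fh))


def _plan(*resources):
    """Wrap resource entries in the minimal `terraform show -json` envelope."""
    return {"format_version": "1.2",
            "planned_values": {"root_module": {"resources": list(resources)}}}


# Constructed plan for the non-compliant configuration, equivalent to:
#   resource "google_folder_iam_member" "devs_act_as" {
#     folder = "folders/123456789012"          # made-up folder ID
#     role   = "roles/iam.serviceAccountUser"
#     member = "group:devs@example.com"        # made-up principal
#   }
NONCOMPLIANT_PLAN = _plan(
    {"address": "google_folder_iam_member.devs_act_as", "mode": "managed",
     "type": "google_folder_iam_member", "name": "devs_act_as",
     "values": {"folder": "folders/123456789012",
                "role": "roles/iam.serviceAccountUser",
                "member": "group:devs@example.com"}},
    # A folder-level grant that is not a service account role is left alone.
    {"address": "google_folder_iam_member.devs_view", "mode": "managed",
     "type": "google_folder_iam_member", "name": "devs_view",
     "values": {"folder": "folders/123456789012",
                "role": "roles/resourcemanager.folderViewer",
                "member": "group:devs@example.com"}},
)

# Constructed plan for the remediated configuration: the same role is granted
# only on the one (made-up) service account the group actually needs, via
# google_service_account_iam_member, so no folder-scoped binding remains.
COMPLIANT_PLAN = _plan(
    {"address": "google_service_account_iam_member.devs_act_as", "mode": "managed",
     "type": "google_service_account_iam_member", "name": "devs_act_as",
     "values": {"service_account_id": "projects/app-prod/serviceAccounts/"
                                      "deploy@app-prod.iam.gserviceaccount.com",
                "role": "roles/iam.serviceAccountUser",
                "member": "group:devs@example.com"}},
    NONCOMPLIANT_PLAN["planned_values"]["root_module"]["resources"][1],
)


if __name__ == "__main__":
    for finding in find_folder_sa_bindings(NONCOMPLIANT_PLAN):
        print("FAIL", json.dumps(finding))
    print("compliant plan findings:", find_folder_sa_bindings(COMPLIANT_PLAN))
```

The check deliberately matches on the Terraform resource type rather than on the resource name, and it descends into child modules, since folder IAM is often set from a shared module where a grep for google_folder_iam_member in the root configuration would miss it. It does not inspect google_folder_iam_policy, whose bindings arrive as an opaque policy_data string; run `terraform show -json` on an applied state and decode that string separately if that resource type is in use.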

References:
https://cloud.google.com/resource-manager/docs/access-control-folders
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam

Policy Details

Rule Reference ID: AC_GCP_0245
CSP: GCP
Remediation Available: Yes
Resource Category: Management
Resource Type: Folder

Frameworks