Ensure IAM roles do not impersonate or manage service accounts used at organization level for Google Cloud

HIGH

Description

IAM roles and service accounts serve different functions, so it is best practice not to grant IAM users roles that let them impersonate or manage service accounts. At the organization level this matters most, because such a grant applies to every service account in the organization rather than to one chosen account. For more information on how to use service accounts and service account roles, see the GCP documentation.
References:
https://cloud.google.com/iam/docs/service-accounts

Remediation

In GCP Console -

  1. Log into the GCP Console and go to IAM.
  2. Under IAM, select the pencil icon next to the entry you wish to edit.
  3. After editing the permissions as needed, select Save.

In Terraform -

  1. In the google_organization_iam_binding resource, remove service account or system roles from the role list.
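
The check below is an added example, not part of this policy page or of any Terraform or GCP tooling. It scans an organization IAM policy in the JSON shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json` and reports every member that holds a predefined service-account impersonation or management role; the policy document itself is constructed sample data.

```python
import json

# Predefined GCP roles that allow impersonating or managing service accounts.
# Any of these bound at organization level covers every service account in the org.
SERVICE_ACCOUNT_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountOpenIdTokenCreator",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.workloadIdentityUser",
}

def find_service_account_bindings(policy):
    """Return one finding per (role, member) pair in `policy` whose role is a
    service-account role. Conditional bindings are reported as well, since an
    IAM condition does not narrow which service accounts can be acted on."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in SERVICE_ACCOUNT_ROLES:
            continue
        for member in binding.get("members", []):
            # Members look like "user:alice@example.com"; the prefix is the principal type.
            member_type = member.split(":", 1)[0]
            findings.append({"role": role, "member": member, "member_type": member_type,
                             "conditional": "condition" in binding})
    return findings

def check_policy_json(text):
    """Parse a get-iam-policy JSON document and run the check on it."""
    return find_service_account_bindings(json.loads(text))

# Constructed sample policy (not a real organization); two bindings violate the rule.
SAMPLE_POLICY_JSON = """{
  "version": 1, "etag": "BwXEXAMPLE=",
  "bindings": [
    {"role": "roles/resourcemanager.organizationViewer", "members": ["user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com", "group:devs@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "weekdays", "expression": "request.time.getDayOfWeek() < 6"}},
    {"role": "roles/viewer", "members": ["domain:example.com"]}
  ]
}"""

if __name__ == "__main__":
    for f in check_policy_json(SAMPLE_POLICY_JSON):
        flag = " (conditional)" if f["conditional"] else ""
        print(f"FLAGGED: {f['member']} holds {f['role']} at organization level{flag}")
```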

References:
https://cloud.google.com/resource-manager/docs/creating-managing-organization
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam

Policy Details

Rule Reference ID: AC_GCP_0247
CSP: GCP
Remediation Available: Yes
Resource Type: Policy

Frameworks