Ensure that IAM permissions are not granted directly to users for Google Cloud

HIGH

Description

Roles should not be bound directly to individual user accounts ('user:' principals) in a project's IAM policy. The cloud best practice is role-based access through groups: grant the role to a Google Group ('group:' principal) and manage who holds it by group membership, so access is reviewed, added and revoked in one place rather than by editing per-user bindings, and a user who leaves loses every role at once. For more information on roles and permissions, see the GCP documentation.
References:
https://cloud.google.com/iam/docs/roles-overview

Remediation

In GCP Console -

  1. Log into the GCP Console and go to IAM.
  2. Under IAM, select the pencil icon next to the user entry (a 'user:' principal) you wish to edit.
  3. Remove the roles granted directly to that user; grant them to a group that contains the user instead. Then select Save.

In Terraform -

  1. In the google_project_iam_member resource, remove any member starting with 'user:'. This resource binds one role to one principal, so a 'user:' member is a direct grant to an individual account.
  2. Grant the role to a Google Group instead: add the user to the group, then reference the group as a 'group:' member in a new (or existing) google_project_iam_binding resource. Note that google_project_iam_binding is authoritative for its role and replaces every other member of that role in the project policy, so list all intended members (groups and service accounts) in it.

References:
https://cloud.google.com/iam/docs/granting-changing-revoking-access
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam
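The check this rule performs, and the policy-level counterpart of the Terraform remediation above, can be scripted against the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints. The following is an added example written for this page, not the rule engine's own implementation or Google's code. The sample policy, project id, e-mail addresses and group names are constructed placeholders; the user-to-group mapping is an assumption the caller must supply, since a direct grant cannot be turned into a group grant without deciding which group the user belongs in.

```python
"""Audit a Google Cloud project IAM policy for roles granted directly to
'user:' principals, and build the policy that replaces them with group grants.

Input is the JSON printed by:
    gcloud projects get-iam-policy PROJECT_ID --format=json
"""
import json
from copy import deepcopy

# Constructed sample (not a real project): the shape get-iam-policy returns,
# with two direct user grants and one group grant.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["group:readers@example.com", "user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["user:bob@example.com",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.viewer",
     "members": ["group:readers@example.com"]}
  ],
  "etag": "BwXyZ123abc=",
  "version": 1
}
"""


def load_sample_policy():
    """Parse the constructed sample policy; replace with json.load(open(...))
    on the real gcloud output."""
    return json.loads(SAMPLE_POLICY_JSON)


def direct_user_grants(policy):
    """Return [(role, member)] for every member granted directly as 'user:'.
    An empty list means the project passes this rule."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("user:"):
                found.append((binding["role"], member))
    return found


def regroup_policy(policy, user_to_group):
    """Return (new_policy, unmapped).

    new_policy is a copy in which each 'user:' member is replaced by the
    'group:' principal it maps to in user_to_group (an assumed, caller-supplied
    dict of e-mail -> group e-mail). Users with no mapping are left in place
    and listed in unmapped so a human decides; the etag is kept so a later
    set-iam-policy still fails if the policy changed underneath.
    """
    new_policy = deepcopy(policy)
    unmapped = []
    for binding in new_policy.get("bindings", []):
        members = []
        for member in binding.get("members", []):
            if member.startswith("user:"):
                email = member[len("user:"):]
                group = user_to_group.get(email)
                if group is None:
                    unmapped.append((binding["role"], member))
                    members.append(member)
                    continue
                member = "group:" + group
            if member not in members:  # a group already in the role is not duplicated
                members.append(member)
        binding["members"] = members
    return new_policy, unmapped


if __name__ == "__main__":
    policy = load_sample_policy()
    for role, member in direct_user_grants(policy):
        print(f"direct grant: {member} -> {role}")
    fixed, leftover = regroup_policy(policy, {"alice@example.com": "readers@example.com"})
    print(json.dumps(fixed, indent=2))
    for role, member in leftover:
        print(f"no group mapping, left in place: {member} -> {role}")
```

Running it prints the two direct grants, the rewritten policy in which alice's viewer grant collapses into the existing readers group, and bob's editor grant as still needing a group. The rewritten JSON is what you would hand to `gcloud projects set-iam-policy PROJECT_ID policy.json` after review; because the whole policy is replaced, it behaves like the authoritative google_project_iam_binding resource in the Terraform steps above.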

Policy Details

Rule Reference ID: AC_GCP_0255
CSP: GCP
Remediation Available: Yes
Resource Type: Policy

Frameworks