Ensure sharing of service account credentials is restricted using Google Service Account

MEDIUM

Description

IAM roles and Service Accounts serve different functions, so it is best practice to prevent IAM users from sharing Service Account credentials. Granting broad roles (admin, editor, or owner) on a service account effectively lets the grantee act as that account. For more information on how to use Service Accounts and Service Account Roles, see the GCP documentation.
References:
https://cloud.google.com/iam/docs/service-accounts

Remediation

In GCP Console -

  1. Log into the GCP Console and go to IAM.
  2. Under Service Accounts, select the pencil icon next to the entry you wish to edit.
  3. After editing the permissions as needed, select Save.

In Terraform -

  1. In the google_service_account_iam_policy resource, remove any bindings in policy_data that grant admin, editor, or owner roles; keep only the narrowly scoped roles the principal actually needs.
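The following Python check is an added example, not part of this policy page or of any vendor tooling. It parses a policy_data JSON document of the shape that google_service_account_iam_policy consumes and flags bindings that grant the broad roles this rule targets. The set of role IDs treated as "broad" (roles/owner, roles/editor, roles/iam.serviceAccountAdmin, roles/iam.serviceAccountKeyAdmin, plus any role ending in "Admin") is an assumption made for the example; the two sample policies and their member identities are constructed.

```python
import json
from typing import Dict, List

# Roles this check treats as too broad to grant on a service account.
# Assumption for this example: the page names "admin, editor, or owner"
# roles; these are the corresponding GCP role IDs plus an "*Admin" suffix match.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
}


def find_broad_bindings(policy_data: str) -> List[Dict[str, object]]:
    """Return every binding in a policy_data JSON document that grants a broad role.

    policy_data is the JSON string that a google_iam_policy data source renders
    and that google_service_account_iam_policy accepts.
    """
    policy = json.loads(policy_data)
    findings: List[Dict[str, object]] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role in BROAD_ROLES or role.endswith("Admin"):
            findings.append({"role": role, "members": list(binding.get("members", []))})
    return findings


def is_compliant(policy_data: str) -> bool:
    """True when no binding grants a broad role on the service account."""
    return not find_broad_bindings(policy_data)


# Constructed sample: the weak setting, granting owner to a human user on the
# service account alongside a legitimately scoped serviceAccountUser binding.
WEAK_POLICY_DATA = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {
            "role": "roles/iam.serviceAccountUser",
            "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
        },
    ]
})

# Constructed sample: the corrected setting, with the owner binding removed.
CORRECTED_POLICY_DATA = json.dumps({
    "bindings": [
        {
            "role": "roles/iam.serviceAccountUser",
            "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
        },
    ]
})


if __name__ == "__main__":
    for label, data in (("weak", WEAK_POLICY_DATA), ("corrected", CORRECTED_POLICY_DATA)):
        print(label, "compliant" if is_compliant(data) else "non-compliant",
              find_broad_bindings(data))
```

Run this against the rendered policy_data string (for example, the output of `terraform show -json` for the google_iam_policy data source) before applying the plan; any non-empty result from find_broad_bindings is a binding the remediation step says to remove.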

References:
https://cloud.google.com/iam/docs/creating-managing-service-accounts
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam

Policy Details

Rule Reference ID: AC_GCP_0265
CSP: GCP
Remediation Available: Yes
Resource Type: Policy

Frameworks