Ensure that Service Account has no Admin privileges.


Description: 

A service account is a special Google account that belongs to your application or a VM instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that users are not directly involved. It is recommended that service accounts not be granted admin access.

A service account in your organization has Admin, Owner, or Editor privileges assigned to it. It is recommended that service accounts not be assigned Admin, Owner, or Editor roles.

Solution: 

  1. Go to the IAM policy page.

  2. For each of the following members:

    Example:

    Member: serviceAccount:iot5-546@iotlab4-292218.iam.gserviceaccount.com
    Conflicting Roles: roles/owner

    1. Click Edit next to the member. 

    2. To remove permissions, click Delete next to the offending role above.

    3. Click Save.
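The console steps above can also be checked and staged from a project's IAM policy. The Python below is an added example, not part of this page or of Google's tooling; it assumes the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` (a list of `bindings`, each with a `role` and `members`) and uses a constructed sample policy that reuses the example member above. The role filter treats `roles/owner`, `roles/editor` and any role id ending in "admin" as privileged, which is an assumption about what counts as an Admin role.

```python
import json
from typing import Dict, List, Tuple

# Basic Owner and Editor are matched exactly; any predefined role whose id
# ends in "admin" (e.g. roles/compute.admin) is matched by suffix (assumption).
PRIVILEGED_EXACT = {"roles/owner", "roles/editor"}


def is_privileged_role(role: str) -> bool:
    return role in PRIVILEGED_EXACT or role.lower().endswith("admin")


def find_privileged_service_accounts(policy: Dict) -> List[Tuple[str, str]]:
    """Return (member, role) pairs for service accounts holding a privileged role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not is_privileged_role(role):
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append((member, role))
    return findings


def remove_privileged_service_accounts(policy: Dict) -> Dict:
    """Return a copy of the policy with offending service-account members removed.

    Bindings left with no members are dropped; etag and version are preserved
    so the result can be submitted as a full policy replacement.
    """
    cleaned = json.loads(json.dumps(policy))  # deep copy, leaves input untouched
    kept = []
    for binding in cleaned.get("bindings", []):
        if is_privileged_role(binding.get("role", "")):
            binding["members"] = [m for m in binding.get("members", [])
                                  if not m.startswith("serviceAccount:")]
        if binding.get("members"):
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


# Constructed sample policy (not real project data) in get-iam-policy shape.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:iot5-546@iotlab4-292218.iam.gserviceaccount.com"]},
        {"role": "roles/compute.admin",
         "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwConstructedEtag=",
    "version": 1,
}

if __name__ == "__main__":
    for member, role in find_privileged_service_accounts(SAMPLE_POLICY):
        print(f"FINDING: {member} holds {role}")
    print(json.dumps(remove_privileged_service_accounts(SAMPLE_POLICY), indent=2))
```

The cleaned policy is what you would review before applying it with `gcloud projects set-iam-policy`; the finding list is the set of members the console steps above should be walked through for.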

Reference: 

https://www.cisecurity.org/controls/account-monitoring-and-control

https://console.cloud.google.com/security/command-center/findings
