IAM misconfigurations

User assigned with ‘Service Account User’ or ‘Service Account Token Creator’ roles at project level

Platform(s)
Compliance Frameworks

Brazilian General Data Protection (LGPD), CCPA, cis_8, CPRA, Data Security Posture Management (DSPM) Best Practices, essential_8_au, GCP CIS, iso_27001_2022, iso_27002_2022, Mitre ATT&CK, New Zealand Information Security Manual, NIST 800-171, NIST 800-53, PDPA, pipeda, UK Cyber Essentials

Description

Granting the 'iam.serviceAccountUser' or 'iam.serviceAserviceAccountTokenCreatorccountUser' roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. This can result in elevation of privileges by using service accounts and corresponding Compute Engine instances. In order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level.
Need help?

Get a free Security Risk Assessment. Start today

A screenshot of the Orca platform dashboard summarizing all of your cloud security risks

Personalized Demo

See Orca Security in Action

Gain visibility, achieve compliance, and prioritize risks with the Orca Cloud Security Platform.

Get a Demo