IAM misconfigurations

Service Account with an Administrative Primitive Role (Owner/Editor)

Risk Level

Hazardous (3)

Compliance Frameworks


Primitive roles are roles that existed prior to the introduction of IAM in GCP. These roles are very powerful and include a large number of permissions across all Google Cloud services. The Service Account {GcpIamServiceAccount} was found with the primitive administrative role "{GcpIamServiceAccount.PolicyBindings.Role}", which grants broad administrative permissions at the {GcpIamServiceAccount.PolicyBindings.Policy.Scope} level.
  • Recommended Mitigation

    Primitive roles should not be used to give users access to resources. Make sure to follow the principle of least privilege. Read more here: https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege.

## Remediation

1. Sign in to the GCP Console and go to **[IAM & Admin](https://console.cloud.google.com/iam-admin)**.
2. In the left toolbar, choose **IAM**.
3. Select a project, folder, or organization.
4. Under the **PERMISSIONS** tab, with **View By: PRINCIPALS**, find the row containing the principal's name and choose **Edit principal** in that row.
5. Replace the primitive role (Owner/Editor): select a role to grant from the drop-down list. For best security practice, choose a role that includes only the permissions that your principal needs.
6. Choose **Save**. The principal is granted the role on the resource.
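The console steps above can be checked and applied against an exported IAM policy as well. The following is an added example, not part of this rule page or any vendor tooling: it scans a policy in the JSON shape produced by `gcloud projects get-iam-policy --format=json` for service accounts bound to `roles/owner` or `roles/editor`, and rewrites a copy of the policy with the member moved to a narrower role (step 5). The sample policy, its project and account names, and the replacement role `roles/cloudbuild.builds.editor` are constructed for illustration; the right replacement role depends on what the account actually needs.

```python
import copy

# Primitive (basic) roles this rule flags when bound to a service account.
PRIMITIVE_ADMIN_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy in the shape of `gcloud projects get-iam-policy
# PROJECT --format=json`; the project and account names are placeholders.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy-bot@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:reporting@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "PLACEHOLDER_ETAG", "version": 1,
}


def find_primitive_sa_bindings(policy):
    """Return (member, role) pairs for service accounts holding Owner or Editor."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in PRIMITIVE_ADMIN_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append((member, binding["role"]))
    return findings


def replace_role(policy, member, old_role, new_role):
    """Return a copy of policy with member moved from old_role to new_role."""
    # Remediation step 5 in data form: the caller picks the least-privilege
    # new_role. Conditional bindings are left untouched for manual review.
    fixed = copy.deepcopy(policy)
    for binding in fixed.get("bindings", []):
        if binding.get("role") == old_role and "condition" not in binding:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
    # Drop bindings left with no members, then add the member under new_role.
    fixed["bindings"] = [b for b in fixed.get("bindings", []) if b.get("members")]
    target = next((b for b in fixed["bindings"]
                   if b.get("role") == new_role and "condition" not in b), None)
    if target is None:
        target = {"role": new_role, "members": []}
        fixed["bindings"].append(target)
    if member not in target["members"]:
        target["members"].append(member)
    return fixed
```

To use it on a real project, `json.load` the output of `gcloud projects get-iam-policy PROJECT --format=json`, review the findings, and submit the rewritten policy (including its `etag`) with `gcloud projects set-iam-policy`.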