User assigned with 'Service Account User' or 'Service Account Token Creator' roles at project level

IAM misconfigurations

User assigned with ‘Service Account User’ or ‘Service Account Token Creator’ roles at project level

Risk Level

Informational (4)

Platform(s)

Compliance Frameworks

Brazilian General Data Protection (LGPD)
CCPA
cis_8
CPRA
Data Security Posture Management (DSPM) Best Practices
essential_8_au
GCP CIS
ISO/IEC 27001
Mitre ATT&CK
New Zealand Information Security Manual
NIST 800-171
NIST 800-53
PDPA
UK Cyber Essentials

Description

Granting the 'iam.serviceAccountUser' or 'iam.serviceAserviceAccountTokenCreatorccountUser' roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. This can result in elevation of privileges by using service accounts and corresponding Compute Engine instances. In order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level.

Recommended Mitigation

Service Account User or Service Account Token Creator roles should be assigned to a user for a specific service account, giving that user access to the service account

User assigned with ‘Service Account User’ or ‘Service Account Token Creator’ roles at project level

Description

Need help?

CLOUD SECURITY PLATFORM

TECHNOLOGY ECOSYSTEM

By Solution

By Industry

COMPARISONS