How to resolve Sprinto check to ensure no service account on GCP account is assigned with administrator roles

About

Sprinto check: GCP service account should not have admin privilege access

The above-mentioned Sprinto check in Sprinto verifies that the service accounts on the Google Cloud Platform (GCP) you integrated into your Sprinto account do not have administrative privileges, following the principle of least privilege.

Purpose

The purpose of this check is to enforce the principle of least privilege for service accounts. Service accounts are special types of accounts used by applications or services to access GCP resources. Granting unnecessary administrative privileges to service accounts increases the risk of unauthorized access or misuse of resources. By restricting service accounts to only the necessary permissions, you can reduce a security breach's attack surface and potential impact.

How to fix this check

Follow the below steps to resolve the check:

Before you begin

• Ensure you have administrator privileges on the GCP account where you want to make configuration changes.

Updating via GCP Console

1. Log in to the GCP Console using your credentials.

2. Navigate to the IAM & Admin service.

3. From the Permission for Project section, review the users from your GCP account. You can view by principle or by roles.

   
4. Review the service accounts and ensure they are not assigned administrator roles like Owner, Editor, Admin, etc.

5. If you find any service account with an administrator role, select the service account and click on the modify icon from the right-hand side.

   
6. Delete the admin role, and click Save to apply the changes. Ensure no admin role remains assigned to the selected service account.

   
7. Repeat the above steps and ensure all service accounts are not assigned to the administrator roles.

Sprinto will detect the configuration change and set the check status to "Passing."

Contact Sprinto support if you have any queries related to the check or need assistance.