Resolve Sprinto Check: Restrict Service Account Roles at Project Level

About:

Sprinto check: GCP service account user role/ token creator role should not be assigned at project level

The above-mentioned Sprinto check in Sprinto verifies that no IAM users on the Google Cloud Platform (GCP) are assigned the "Service Account User" or "Service Account Token Creator" roles at the project level.

Purpose:

The purpose of this check is to enforce the principle of least privilege for IAM users. The "Service Account User" and "Service Account Token Creator" roles grant broad permissions to create and manage service account keys and tokens. Assigning these roles at the project level can grant excessive privileges to users, increasing the risk of unauthorized access or misuse of resources.

How to fix this check:

Follow these steps to resolve the check:

Before you begin

• Ensure you have administrator privileges on the GCP account where you want to make configuration changes.

Updating via GCP Console

1. Log in to the GCP Console using your credentials.

2. Navigate to the IAM & Admin service.

3. Review the accounts list and ensure there is no IAM user with roles like "Service Account User" or "Service Account Token Creator" assigned at the project level. Use the filter field and enter Role: Service Account User or Role: Service Account Token Creator for quick navigation.

   
4. If you find an IAM user with the abovementioned roles assigned, click on the edit icon next to the user.

   
5. Revoke the role from the IAM user and click Save to apply the changes.

   
6. If necessary, assign these roles at a more granular level (e.g., specific service accounts or resources) to ensure the principle of least privilege is followed.

Sprinto will detect the configuration change and set the check status to "Passing."

Contact Sprinto support if you have any queries related to the check or need assistance.