# Restrict Sensitive GCP IAM Role Assignments

This check ensures that two sensitive IAM roles, `roles/iam.serviceAccountUser` and `roles/iam.serviceAccountTokenCreator`, are **not granted to individual IAM users (`user:` principals) at the project level** in Google Cloud Platform (GCP).

A project-level grant of either role applies to every service account in the project, including the default Compute Engine and App Engine service accounts, which in many projects still hold broad roles such as Editor. `roles/iam.serviceAccountUser` (the `iam.serviceAccounts.actAs` permission) lets the holder run workloads and deploy resources as any of those service accounts; `roles/iam.serviceAccountTokenCreator` lets the holder mint OAuth access tokens, OpenID Connect ID tokens and signed JWTs for them. Either way a human user inherits whatever the service accounts can do, so Sprinto flags this as a violation of the principle of least privilege, which is a key requirement across SOC 2, ISO 27001, and other frameworks.

***

#### When is this check triggered?

This check is triggered if:

* An **IAM user** (a `user:` principal, as opposed to a service account or group) is granted either of the following roles:
  * `roles/iam.serviceAccountUser`
  * `roles/iam.serviceAccountTokenCreator`
* The binding sits at the **project level**, so it covers every service account in the project, rather than on an individual service account resource

***

#### How to resolve

Follow these steps to audit and remove risky role assignments:

1. Log in to your **GCP Console**.
2. Navigate to **IAM & Admin → IAM**.
3. In the IAM member list, filter by role:
   * `Service Account User`
   * `Service Account Token Creator`
4. Review each principal holding these roles:
   * Ensure they are not individual users unless there is a documented justification
   * Where a human genuinely needs the role, scope it to the specific service account (**IAM & Admin → Service Accounts → select the account → Permissions**) instead of the whole project
   * Confirm that automation identities (e.g. the deployer used by a Terraform CI/CD pipeline) are service accounts, not personal accounts
5. If unjustified, click **Edit** (the pencil icon) for the principal and remove the role binding.
6. Click **Save**.

{% hint style="info" %}
Best practice: Grant these roles only to **service accounts** or tightly scoped automation identities — never to human users directly.
{% endhint %}
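The console steps above can be run as a script instead, which is also what the audit evidence step asks for. The following Python is an added example, not part of the Sprinto page or of Google's tooling: it applies the same check to a project IAM policy in the shape `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, then emits the `gcloud` commands that remove each offending project-level binding and, for a user who has a justified need, re-grant the role on a single service account. The policy document, project ID, user emails and service account email are constructed sample data.

```python
import json
from typing import Dict, List, Optional

# Roles the check flags when bound to a user at project level.
SENSITIVE_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# Project ID and emails are made up for this example.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-deployer@example-prod.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:bob@example.com",
                     "group:sre-oncall@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXyZ123456=",
    "version": 1,
})


def find_violations(policy_json: str) -> List[Dict[str, object]]:
    """Return one record per (user, sensitive role) bound at project level.

    Only `user:` members are reported: service accounts are the intended
    holders and groups are left for manual review, matching the check.
    A binding that carries an IAM Condition is still a violation; it is
    marked so the removal command can be adjusted (see usage note).
    """
    policy = json.loads(policy_json)
    violations = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in SENSITIVE_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("user:"):
                violations.append({"member": member, "role": role,
                                   "conditional": "condition" in binding})
    return sorted(violations, key=lambda v: (v["member"], v["role"]))


def remediation_commands(project_id: str,
                         violations: List[Dict[str, object]],
                         scoped_grants: Optional[Dict[str, str]] = None) -> List[str]:
    """Build gcloud commands for each violation.

    Every violation gets a project-level `remove-iam-policy-binding`.
    `scoped_grants` (assumed input from the justification review) maps a
    `user:` member to the one service account email it may act as; those
    users additionally get the same role re-granted on that account only.
    """
    scoped_grants = scoped_grants or {}
    cmds = []
    for v in violations:
        cmds.append(
            f"gcloud projects remove-iam-policy-binding {project_id} "
            f"--member='{v['member']}' --role='{v['role']}'"
        )
        sa = scoped_grants.get(str(v["member"]))
        if sa:
            # Resource-level grant: covers this service account, not all of them.
            cmds.append(
                f"gcloud iam service-accounts add-iam-policy-binding {sa} "
                f"--member='{v['member']}' --role='{v['role']}'"
            )
    return cmds


if __name__ == "__main__":
    found = find_violations(SAMPLE_POLICY)
    for v in found:
        print(f"VIOLATION {v['member']} holds {v['role']} at project level")
    # Assumed outcome of the review: alice may impersonate one CI deployer only.
    justified = {"user:alice@example.com":
                 "ci-deployer@example-prod.iam.gserviceaccount.com"}
    for cmd in remediation_commands("example-prod", found, justified):
        print(cmd)
```

Run it against a real project with `gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json` and pass the file contents to `find_violations`; the commands are printed rather than executed so they can be reviewed before anything changes. For a binding reported as `conditional`, the plain removal shown here does not uniquely identify the binding, so pass the matching `--condition` (or `--all` to drop every binding for that principal and role) to `remove-iam-policy-binding`.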

***

#### Provide evidence

To confirm resolution in Sprinto, provide one of the following:

* A **screenshot** of **IAM & Admin → IAM** filtered by these two roles, showing no `user:` principals among the holders
* A **CSV or JSON export** of the project IAM policy (for example, `gcloud projects get-iam-policy PROJECT_ID --format=json`) showing the bindings have been removed
* A link to an internal role audit script or process (if applicable)

***

#### Best practices

* Regularly review IAM policy bindings via automated scans or Cloud Asset Inventory, e.g. `gcloud asset search-all-iam-policies --scope=projects/PROJECT_ID --query='policy:roles/iam.serviceAccountTokenCreator'`.
* Remember that the basic roles **Owner** and **Editor** already include `iam.serviceAccounts.actAs`, so a user holding either can still act as every service account in the project; removing an explicit Service Account User binding does not close that path.
* Use **custom roles** with more limited permissions if full impersonation rights are not required.
* Apply **resource-level role assignments** wherever possible: grant these roles on the individual service account that needs to be impersonated, never as a broad project-level grant.
