mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-02-09 15:10:36 +00:00
Compare commits
2 Commits
review_met
...
review_met
| Author | SHA1 | Date |
|---|---|---|
| | cebdfa9fc9 | |
| | 72fceda6c0 | |
@@ -14,6 +14,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429)
|
||||
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
|
||||
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
|
||||
- Update GCP IAM service metadata to new format [(#9646)](https://github.com/prowler-cloud/prowler/pull/9646)
|
||||
|
||||
|
||||
---
|
||||
|
||||
|
||||
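Review bot: the added changelog line describes this change as a metadata format update only, but the hunks below also change the Severity of six checks (iam_audit_logs_enabled, iam_no_service_roles_at_project_level, iam_role_kms_enforce_separation_of_duties and iam_role_sa_enforce_separation_of_duties move from medium to high; iam_account_access_approval_enabled and iam_cloud_asset_inventory_enabled move from high to medium). Anyone who filters, gates or suppresses findings by severity will see results shift, so the entry should say so, e.g. `- Update GCP IAM service metadata to new format and adjust check severities [(#9646)](https://github.com/prowler-cloud/prowler/pull/9646)`.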
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "iam_account_access_approval_enabled",
|
||||
"CheckTitle": "Ensure Access Approval is Enabled in your account",
|
||||
"CheckTitle": "Project has Access Approval enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Account",
|
||||
"Description": "Ensure that Access Approval is enabled within your Google Cloud Platform (GCP) account in order to allow you to require your explicit approval whenever Google personnel need to access your GCP projects. Once the Access Approval feature is enabled, you can delegate users within your organization who can approve the access requests by giving them a security role in Identity and Access Management (IAM). These requests show the requester name/ID in an email or Pub/Sub message that you can choose to approve. This creates a new control and logging layer that reveals who in your organization approved/denied access requests to your projects.",
|
||||
"Risk": "Controlling access to your Google Cloud data is crucial when working with business-critical and sensitive data. With Access Approval, you can be certain that your cloud information is accessed by approved Google personnel only. The Access Approval feature ensures that a cryptographically-signed approval is available for Google Cloud support and engineering teams when they need to access your cloud data (certain exceptions apply). By default, Access Approval and its dependency of Access Transparency are not enabled.",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "accessapproval.googleapis.com/AccessApprovalSettings",
|
||||
"Description": "**GCP project** has **Access Approval** configured at the project level, requiring explicit customer authorization before Google personnel can access project data. The evaluation looks for Access Approval settings associated with the project.",
|
||||
"Risk": "Without Access Approval, Google support or engineering may access Customer Data without prior consent, weakening **confidentiality** and **accountability**. Reduced visibility hinders incident response and raises exposure for sensitive or regulated workloads.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cloud.google.com/cloud-provider-access-management/access-approval/docs",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/enable-access-approval.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gcloud access-approval settings update --project=<PROJECT_ID> --enrolled-services=all",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/enable-access-approval.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In the Google Cloud Console, go to Security > Access Approval (or search \"Access Approval\")\n2. Select the project <example_resource_id>\n3. Click Enable (or Edit settings if already open)\n4. Set Enrolled services to All Google Cloud services\n5. Click Save (enable the API if prompted)",
|
||||
"Terraform": "```hcl\nresource \"google_access_approval_settings\" \"<example_resource_name>\" {\n project = \"<example_resource_id>\"\n\n enrolled_services {\n cloud_product = \"all\" # Critical: enroll all services to enable Access Approval for the project\n enrollment_level = \"BLOCK_ALL\" # Critical: require approval for all applicable access requests\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure that Access Approval is enabled within your Google Cloud Platform (GCP) account in order to allow you to require your explicit approval whenever Google personnel need to access your GCP projects. Once the Access Approval feature is enabled, you can delegate users within your organization who can approve the access requests by giving them a security role in Identity and Access Management (IAM). These requests show the requester name/ID in an email or Pub/Sub message that you can choose to approve. This creates a new control and logging layer that reveals who in your organization approved/denied access requests to your projects.",
|
||||
"Url": "https://cloud.google.com/cloud-provider-access-management/access-approval/docs"
|
||||
"Text": "Enable **Access Approval** for projects and *where feasible* at higher hierarchy for consistency. Assign **least-privilege approvers** with **separation of duties**, integrate timely notifications, and monitor **Access Transparency** records to maintain **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/iam_account_access_approval_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
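Review bot: the Terraform remediation declares `resource "google_access_approval_settings"`, which as far as I know is not a resource in the Google provider; the project-level resource is `google_project_access_approval_settings` and it takes `project_id`, not `project`. Please verify against the provider docs before this ships as copy-paste remediation. Minor: the CLI line uses `<PROJECT_ID>` while the console steps and Terraform use `<example_resource_id>` for the same value; pick one placeholder per file.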
@@ -1,29 +1,43 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "iam_audit_logs_enabled",
|
||||
"CheckTitle": "Configure Google Cloud Audit Logs to Track All Activities",
|
||||
"CheckTitle": "GCP project has Cloud Audit Logs enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "Audit Logs",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "GCPProject",
|
||||
"Description": "Ensure that Google Cloud Audit Logs feature is configured to track Data Access logs for all Google Cloud Platform (GCP) services and users, in order to enhance overall access security and meet compliance requirements. Once configured, the feature can record all admin related activities, as well as all the read and write access requests to user data.",
|
||||
"Risk": "In order to maintain an effective Google Cloud audit configuration for your project, folder, and organization, all 3 types of Data Access logs (ADMIN_READ, DATA_READ and DATA_WRITE) must be enabled for all supported GCP services. Also, Data Access logs should be captured for all IAM users, without exempting any of them. Exemptions let you control which users generate audit logs. When you add an exempted user to your log configuration, audit logs are not created for that user, for the selected log type(s). Data Access audit logs are disabled by default and must be explicitly enabled based on your business requirements.",
|
||||
"Severity": "high",
|
||||
"ResourceType": "cloudresourcemanager.googleapis.com/Project",
|
||||
"Description": "**GCP project** has **Cloud Audit Logs** configured to capture administrative operations and data access events for services and principals (*per IAM Audit Logs*, including `ADMIN_READ`, `DATA_READ`, `DATA_WRITE`).",
|
||||
"Risk": "Absent or partial audit logging reduces visibility into who accessed data or changed configurations, hindering detection and forensics.\n\nMisused identities can alter IAM to persist access, exfiltrate data, or delete resources, impacting **confidentiality**, **integrity**, and **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/record-all-activities.html",
|
||||
"https://docs.prowler.com/checks/gcp/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project#terraform",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudTasks/enable-data-access-audit-logs.html",
|
||||
"https://cloud.google.com/logging/docs/audit/",
|
||||
"https://support.expel.io/hc/en-us/articles/7041816059923-Google-Cloud-Platform-Setup-for-Workbench-Appendix",
|
||||
"https://www.skills.google/focuses/19184?parent=catalog",
|
||||
"https://docs.cloud.google.com/logging/docs/audit/configure-data-access",
|
||||
"https://www.cadosecurity.com/blog/how-to-be-ir-prepared-in-google-cloud-platform-gcp",
|
||||
"https://www.naukri.com/code360/library/cloud-audit-logs-in-gcp"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/record-all-activities.html",
|
||||
"Terraform": "https://docs.prowler.com/checks/gcp/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project#terraform"
|
||||
"Other": "1. In the Google Cloud console, go to IAM & Admin > Audit Logs\n2. Click Set default configuration\n3. Under Permission types, check Admin Read, Data Read, and Data Write\n4. Click Save",
|
||||
"Terraform": "```hcl\n# Enable Cloud Audit Logs (Data Access) for all services\nresource \"google_project_iam_audit_config\" \"all\" {\n project = \"<example_resource_id>\"\n service = \"allServices\" # Critical: apply to all services\n\n # Critical: enable Data Access audit log types to pass the check\n audit_log_config { log_type = \"ADMIN_READ\" } # metadata/config reads\n audit_log_config { log_type = \"DATA_READ\" } # data reads\n audit_log_config { log_type = \"DATA_WRITE\" } # data writes\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.",
|
||||
"Url": "https://cloud.google.com/logging/docs/audit/"
|
||||
"Text": "Enable comprehensive **Cloud Audit Logs** for all services and principals, including `ADMIN_READ`, `DATA_READ`, `DATA_WRITE`. *Avoid exemptions.* Set org/folder defaults, centralize and retain logs, enforce least privilege on log access, protect logs from alteration, and alert on anomalous access.",
|
||||
"Url": "https://hub.prowler.com/check/iam_audit_logs_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging",
|
||||
"forensics-ready"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
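Review bot: the new `AdditionalURLs` list mixes a hands-on lab (skills.google), a vendor setup appendix (support.expel.io), a blog post and a tutorial aggregator (naukri.com) in with the official documentation; remediation metadata should cite authoritative sources, so keep the cloud.google.com / docs.cloud.google.com entries and the Prowler docs link and drop the rest. Separately, the removed Risk text was the only place that explained that exempted principals generate no Data Access logs; the new Recommendation says "Avoid exemptions" but neither the Description nor the Terraform snippet says whether an audit config with `exempted_members` passes or fails this check, so please state that in the Description.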
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "iam_cloud_asset_inventory_enabled",
|
||||
"CheckTitle": "Ensure Cloud Asset Inventory Is Enabled",
|
||||
"CheckTitle": "Project has Cloud Asset Inventory API enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "Asset Inventory",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Service",
|
||||
"Description": "GCP Cloud Asset Inventory is services that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.",
|
||||
"Risk": "Gaining insight into Google Cloud resources and policies is vital for tasks such as DevOps, security analytics, multi-cluster and fleet management, auditing, and governance. With Cloud Asset Inventory you can discover, monitor, and analyze all GCP assets in one place, achieving a better understanding of all your cloud assets across projects and services.",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "serviceusage.googleapis.com/Service",
|
||||
"Description": "**Project service usage** includes the **Cloud Asset Inventory** API (`cloudasset.googleapis.com`), enabling resource and IAM policy inventory with time-series metadata and change history.",
|
||||
"Risk": "Without **Cloud Asset Inventory**, gaps in asset and IAM visibility hinder detection of drift and unauthorized changes, weakening access control integrity and risking data confidentiality. Shadow assets and silent privilege escalation can persist, delaying incident response.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudAPI/enabled-cloud-asset-inventory.html",
|
||||
"https://cloud.google.com/asset-inventory/docs"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud services enable cloudasset.googleapis.com",
|
||||
"CLI": "gcloud services enable cloudasset.googleapis.com --project <PROJECT_ID>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudAPI/enabled-cloud-asset-inventory.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In the Google Cloud Console, select the project <PROJECT_ID> from the project picker.\n2. Go to APIs & Services > Library.\n3. Search for \"Cloud Asset Inventory API\" and select it.\n4. Click Enable.\n5. Verify it appears under APIs & Services > Enabled APIs & services.",
|
||||
"Terraform": "```hcl\nresource \"google_project_service\" \"<example_resource_name>\" {\n project = \"<example_project_id>\"\n service = \"cloudasset.googleapis.com\" # Enables Cloud Asset Inventory API to pass the check\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure that Cloud Asset Inventory is enabled for all your GCP projects in order to efficiently manage the history and the inventory of your cloud resources. Google Cloud Asset Inventory is a fully managed metadata inventory service that allows you to view, monitor, analyze, and gain insights for your Google Cloud and Anthos assets. Cloud Asset Inventory is disabled by default in each GCP project.",
|
||||
"Url": "https://cloud.google.com/asset-inventory/docs"
|
||||
"Text": "Enable **Cloud Asset Inventory** across all projects *and, if applicable, at the organization level* to maintain authoritative asset and IAM histories. Centralize analysis, retain records per policy, and use the data to enforce **least privilege** and **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/iam_cloud_asset_inventory_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"forensics-ready"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
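Review bot: three different placeholders are used for the same project in this file: `<PROJECT_ID>` in the CLI and console steps, `<example_project_id>` in the Terraform `project` argument, and `<example_resource_name>` for the resource label, while the other files in this change use `<example_resource_id>`; standardise on one. Also, `google_project_service` has `disable_on_destroy` defaulting to true, so a user who later removes this remediation resource from their configuration silently turns the Cloud Asset Inventory API back off; the example should add `disable_on_destroy = false` with a comment.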
@@ -1,29 +1,41 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "iam_no_service_roles_at_project_level",
|
||||
"CheckTitle": "Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level",
|
||||
"CheckTitle": "Project has no IAM users assigned the Service Account User or Service Account Token Creator roles at project level",
|
||||
"CheckType": [],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "IAM Policy",
|
||||
"Description": "It is recommended to assign the `Service Account User (iam.serviceAccountUser)` and `Service Account Token Creator (iam.serviceAccountTokenCreator)` roles to a user for a specific service account rather than assigning the role to a user at project level.",
|
||||
"Risk": "The Service Account User (iam.serviceAccountUser) role allows an IAM user to attach a service account to a long-running job service such as an App Engine App or Dataflow Job, whereas the Service Account Token Creator (iam.serviceAccountTokenCreator) role allows a user to directly impersonate the identity of a service account.",
|
||||
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/check-for-iam-users-with-service-roles.html",
|
||||
"Severity": "high",
|
||||
"ResourceType": "cloudresourcemanager.googleapis.com/Project",
|
||||
"Description": "**Google Cloud IAM policies** are inspected for **project-level grants** of `roles/iam.serviceAccountUser` and `roles/iam.serviceAccountTokenCreator` to principals. The focus is on bindings that enable attaching or impersonating service accounts at the project scope rather than on individual service accounts.",
|
||||
"Risk": "**Project-wide impersonation rights** enable **privilege escalation** and **lateral movement**. Holders can act as any service account, access data across services, modify resources, and persist access. New service accounts inherit exposure, undermining confidentiality and integrity.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/check-for-iam-users-with-service-roles.html",
|
||||
"https://engineering.sada.com/managing-google-cloud-api-keys-using-terraform-37d01f068937",
|
||||
"https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_3/",
|
||||
"https://cloud.google.com/iam/docs/granting-changing-revoking-access",
|
||||
"https://cloud.google.com/iam/docs/best-practices-service-accounts?ref=alphasec.io",
|
||||
"https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_3#terraform",
|
||||
"https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_3",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000232882-1-6-ensure-iam-users-are-not-assigned-service-account-user-or-service-account-token-creator-roles-at-"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_3",
|
||||
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_3#terraform"
|
||||
"Other": "1. In Google Cloud Console, go to IAM & Admin > IAM\n2. Use the filter to find Role: Service Account User\n3. Remove all project-level bindings for this role and click Save\n4. Repeat steps 2-3 for Role: Service Account Token Creator\n5. Do not add these roles at the project level; if needed, grant them on specific service accounts only (IAM & Admin > Service Accounts > select account > Permissions > Grant access)",
|
||||
"Terraform": "```hcl\n# Grant required access at the service account level instead of the project level\nresource \"google_service_account_iam_member\" \"<example_resource_name>\" {\n service_account_id = \"projects/<example_resource_id>/serviceAccounts/<example_resource_name>@<example_resource_id>.iam.gserviceaccount.com\" # CRITICAL: scope grant to a specific service account, not the project\n role = \"roles/iam.serviceAccountUser\" # CRITICAL: this role is granted only at the service account level\n member = \"user:<example_resource_name>@example.com\"\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure that the Service Account User and Service Account Token Creator roles are assigned to a user for a specific GCP service account rather than to a user at the GCP project level, in order to implement the principle of least privilege (POLP). The principle of least privilege (also known as the principle of minimal privilege) is the practice of providing every user the minimal amount of access required to perform its tasks. Google Cloud Platform (GCP) IAM users should not have assigned the Service Account User or Service Account Token Creator roles at the GCP project level. Instead, these roles should be allocated to a user associated with a specific service account, providing that user access to the service account only.",
|
||||
"Url": "https://cloud.google.com/iam/docs/granting-changing-revoking-access"
|
||||
"Text": "Assign `roles/iam.serviceAccountUser` and `roles/iam.serviceAccountTokenCreator` only on the specific service account, not at project scope. Enforce **least privilege** and **separation of duties** with per-SA grants, conditional bindings, and time-bound access. Prefer **short-lived impersonation**; review grants regularly.",
|
||||
"Url": "https://hub.prowler.com/check/iam_no_service_roles_at_project_level"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,37 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "iam_organization_essential_contacts_configured",
|
||||
"CheckTitle": "Ensure Essential Contacts is Configured for Organization",
|
||||
"CheckTitle": "Organization has Essential Contacts configured",
|
||||
"CheckType": [],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "Organization",
|
||||
"Description": "It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.",
|
||||
"Risk": "Google Cloud Platform (GCP) services, such as Cloud Billing, send out billing notifications to share important information with the cloud platform users. By default, these types of notifications are sent to members with certain Identity and Access Management (IAM) roles such as 'roles/owner' and 'roles/billing.admin'. With Essential Contacts, you can specify exactly who receives important notifications by providing your own list of contacts (i.e. email addresses).",
|
||||
"ResourceType": "cloudresourcemanager.googleapis.com/Organization",
|
||||
"Description": "Google Cloud organization has **Essential Contacts** defined at the organization level for categories such as `SECURITY`, `BILLING`, `LEGAL`, `SUSPENSION`, `TECHNICAL`, or `PRODUCT_UPDATES`.\n\nEvaluates whether at least one contact is configured.",
|
||||
"Risk": "Missing **Essential Contacts** means security, abuse, and billing notices can go unnoticed or to inappropriate recipients, slowing response.\n\nConsequences: data exposure via unaddressed alerts (C), unauthorized changes persisting (I), and suspensions/outages from unresolved issues (A).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.cloud.google.com/resource-manager/docs/manage-essential-contacts?hl=es",
|
||||
"https://cloud.google.com/resource-manager/docs/managing-notification-contacts",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/essential-contacts.html",
|
||||
"https://nonameno.com/proxy2/index.php?proxy2=aHR0cHM6Ly9kb2NzLmNsb3VkLmdvb2dsZS5jb20vcmVzb3VyY2UtbWFuYWdlci9kb2NzL2NyZWF0aW5nLW1hbmFnaW5nLW9yZ2FuaXphdGlvbg=="
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud essential-contacts create --email=<EMAIL> --notification-categories=<NOTIFICATION_CATEGORIES> --organization=<ORGANIZATION_ID>",
|
||||
"CLI": "gcloud essential-contacts create --email=<EMAIL> --notification-categories=all --organization=<ORGANIZATION_ID>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/essential-contacts.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In the Google Cloud console, go to Essential Contacts\n2. In the resource selector, choose your Organization\n3. Click Add contact\n4. Enter the contact email and select category All\n5. Click Save",
|
||||
"Terraform": "```hcl\nresource \"google_essential_contacts_contact\" \"<example_resource_name>\" {\n parent = \"organizations/<example_resource_id>\" # Critical: set at org level to satisfy the check\n email = \"<EMAIL>\" # Critical: creates the essential contact\n notification_category_subscriptions = [\"ALL\"] # Critical: required; ensures the contact is created\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.",
|
||||
"Url": "https://cloud.google.com/resource-manager/docs/managing-notification-contacts"
|
||||
"Text": "Configure **Essential Contacts** at the organization (and inherit to folders/projects) with group aliases for `SECURITY`, `BILLING`, `LEGAL`, `SUSPENSION`, `TECHNICAL`, and `PRODUCT_UPDATES`.\n\nApply **least privilege** and **separation of duties**. Review quarterly, verify delivery, and restrict contacts to approved domains.",
|
||||
"Url": "https://hub.prowler.com/check/iam_organization_essential_contacts_configured"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"resilience"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,36 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "iam_role_kms_enforce_separation_of_duties",
|
||||
"CheckTitle": "Enforce Separation of Duties for KMS-Related Roles",
|
||||
"CheckTitle": "Project members are not assigned both Cloud KMS Admin and CryptoKey Encrypter/Decrypter roles",
|
||||
"CheckType": [],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "IAMRole",
|
||||
"Description": "Ensure that separation of duties is enforced for all Cloud Key Management Service (KMS) related roles. The principle of separation of duties (also known as segregation of duties) has as its primary objective the prevention of fraud and human error. This objective is achieved by dismantling the tasks and the associated privileges for a specific business process among multiple users/identities. Google Cloud provides predefined roles that can be used to implement the principle of separation of duties, where it is needed. The predefined Cloud KMS Admin role is meant for users to manage KMS keys but not to use them. The Cloud KMS CryptoKey Encrypter/Decrypter roles are meant for services who can use keys to encrypt and decrypt data, but not to manage them. To adhere to cloud security best practices, your IAM users should not have the Admin role and any of the CryptoKey Encrypter/Decrypter roles assigned at the same time.",
|
||||
"Risk": "The principle of separation of duties can be enforced in order to eliminate the need for the IAM user/identity that has all the permissions needed to perform unwanted actions, such as using a cryptographic key to access and decrypt data which the user should not normally have access to.",
|
||||
"Severity": "high",
|
||||
"ResourceType": "cloudresourcemanager.googleapis.com/Project",
|
||||
"Description": "Project IAM assignments are analyzed for **Cloud KMS** separation of duties: principals simultaneously granted `roles/cloudkms.admin` and any of `roles/cloudkms.cryptoKeyEncrypterDecrypter`, `roles/cloudkms.cryptoKeyEncrypter`, or `roles/cloudkms.cryptoKeyDecrypter`.",
|
||||
"Risk": "Combining key management and key usage undermines **confidentiality**, **integrity**, and **availability**:\n- Unauthorized decryption of sensitive data\n- Tampering with policies or rotation to conceal access\n- Disabling or destroying keys, causing outages\n\nThis concentration of power reduces oversight and auditability.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cloud.google.com/kms/docs/separation-of-duties",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/enforce-separation-of-duties-for-kms-related-roles.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=<MEMBER> --role=roles/cloudkms.admin",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/enforce-separation-of-duties-for-kms-related-roles.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to IAM & Admin > IAM\n2. Locate the principal listed in the finding and click Edit principal\n3. Remove either \"Cloud KMS Admin\" or any of the \"Cloud KMS CryptoKey Encrypter/Decrypter\" roles from the project\n4. Click Save",
|
||||
"Terraform": "```hcl\nresource \"google_project_iam_binding\" \"<example_resource_name>\" {\n project = \"<PROJECT_ID>\"\n role = \"roles/cloudkms.admin\" # Critical: ensure the offending principal is NOT bound as KMS Admin\n members = [\n \"user:<ALLOWED_MEMBER_EMAIL>\" # Critical: exclude any member who also has CryptoKey* roles to enforce separation of duties\n ]\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.",
|
||||
"Url": "https://cloud.google.com/kms/docs/separation-of-duties"
|
||||
"Text": "Apply **least privilege** and **separation of duties**:\n- Never combine `roles/cloudkms.admin` with any `roles/cloudkms.cryptoKey*`\n- Isolate key management and usage in dedicated projects\n- Require approvals, log all key access, and monitor\n- Avoid broad `roles/owner` on key scopes",
|
||||
"Url": "https://hub.prowler.com/check/iam_role_kms_enforce_separation_of_duties"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access",
|
||||
"encryption"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,39 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "iam_role_sa_enforce_separation_of_duties",
|
||||
"CheckTitle": "Enforce Separation of Duties for Service-Account Related Roles",
|
||||
"CheckTitle": "Project enforces separation of duties for Service Account Admin and Service Account User roles",
|
||||
"CheckType": [],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "IAMRole",
"Description": "Ensure that separation of duties (also known as segregation of duties - SoD) is enforced for all Google Cloud Platform (GCP) service-account related roles. The security principle of separation of duties has as its primary objective the prevention of fraud and human error. This objective is achieved by disbanding the tasks and associated privileges for a specific business process among multiple users/members. To follow security best practices, your GCP service accounts should not have the Service Account Admin and Service Account User roles assigned at the same time.",
"Risk": "The principle of separation of duties should be enforced in order to eliminate the need for high-privileged IAM members, as the permissions granted to these members can allow them to perform malicious or unwanted actions.",
"Severity": "high",
"ResourceType": "cloudresourcemanager.googleapis.com/Project",
"Description": "Google Cloud IAM policies are evaluated to find principals granted both `roles/iam.serviceAccountAdmin` and `roles/iam.serviceAccountUser` within a project. **Service-account related roles** are expected to be segregated so that service account lifecycle management is distinct from their use or impersonation.",
"Risk": "With both roles, a principal can create or modify service accounts and then use or attach them to workloads, enabling unchecked impersonation. This endangers confidentiality (expanded data access), integrity (policy/workload changes), and availability (persistence or sabotage via privileged automation).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.cloud.google.com/iam/docs/service-account-overview",
"https://medium.com/scalesec/overview-of-google-cloud-function-identities-36633a746c1b",
"https://support.icompaas.com/support/solutions/articles/62000232885-1-8-ensure-separation-of-duties-is-enforced-when-assigning-service-account-roles-to-users-automated-",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/enforce-separation-of-duties-for-service-account-roles.html",
"https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_10#terraform",
"https://cloud.google.com/iam/docs/understanding-roles"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/enforce-separation-of-duties-for-service-account-roles.html",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_10#terraform"
"Other": "1. In Google Cloud Console, go to IAM & Admin > IAM\n2. Click the View by Role tab\n3. Select the role Service Account Admin (roles/iam.serviceAccountAdmin)\n4. Remove all listed principals from this role and click Save\n5. Select the role Service Account User (roles/iam.serviceAccountUser)\n6. Remove all listed principals from this role and click Save",
"Terraform": "```hcl\n# Remove all project-level principals from Service Account User\nresource \"google_project_iam_binding\" \"sa_user_none\" {\n project = \"<example_resource_id>\"\n role = \"roles/iam.serviceAccountUser\" # critical: target role to clear at project level\n members = [] # critical: empty list removes the binding (no members)\n}\n\n# Remove all project-level principals from Service Account Admin\nresource \"google_project_iam_binding\" \"sa_admin_none\" {\n project = \"<example_resource_id>\"\n role = \"roles/iam.serviceAccountAdmin\" # critical: target role to clear at project level\n members = [] # critical: empty list removes the binding (no members)\n}\n```"
},
"Recommendation": {
"Text": "Ensure that separation of duties (also known as segregation of duties - SoD) is enforced for all Google Cloud Platform (GCP) service-account related roles. The security principle of separation of duties has as its primary objective the prevention of fraud and human error. This objective is achieved by disbanding the tasks and associated privileges for a specific business process among multiple users/members. To follow security best practices, your GCP service accounts should not have the Service Account Admin and Service Account User roles assigned at the same time.",
"Url": "https://cloud.google.com/iam/docs/understanding-roles"
"Text": "Enforce separation of duties: assign `roles/iam.serviceAccountAdmin` for lifecycle tasks and `roles/iam.serviceAccountUser` for attach/impersonate, never both to one principal.\n- Apply **least privilege** with narrow scope and conditions\n- Use temporary elevation/approvals\n- Regularly audit IAM bindings and logs",
"Url": "https://hub.prowler.com/check/iam_role_sa_enforce_separation_of_duties"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
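Review bot: the remediation in this hunk is broader than the finding it is meant to fix. The console steps ("Remove all listed principals from this role", for both roles) and the Terraform `google_project_iam_binding` blocks with `members = []` strip every principal from Service Account Admin and Service Account User, while the Description only flags principals that hold both roles at once; because `google_project_iam_binding` is authoritative for its role, applying it also wipes bindings that are not managed in Terraform. Suggest rewording the steps to remove one of the two roles from each flagged principal, and either switching the Terraform to per-principal `google_project_iam_member` resources for the role that is kept or stating the authoritative behaviour explicitly. The `# critical:` prefixes in the Terraform comments read as leftover generator markup and can be dropped, and `<example_resource_id>` should be `<PROJECT_ID>` to match the placeholder style used by the other checks in this series.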
@@ -1,29 +1,37 @@
{
"Provider": "gcp",
"CheckID": "iam_sa_no_administrative_privileges",
"CheckTitle": "Ensure Service Account does not have admin privileges",
"CheckTitle": "Service account has no administrative privileges",
"CheckType": [],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "ServiceAccount",
"Description": "Ensure Service Account does not have admin privileges",
"Risk": "Enrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM. A ServiceAccount Access holder can perform critical actions, such as delete and update change settings, without user intervention.",
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/restrict-admin-access-for-service-accounts.html",
"ResourceType": "iam.googleapis.com/ServiceAccount",
"Description": "Google Cloud service accounts with **high-privilege IAM roles** are identified, including `roles/owner`, `roles/editor`, or any role containing `admin`. The evaluation looks for service accounts bound to these roles in IAM policies across the project hierarchy.",
"Risk": "Over-privileged service accounts jeopardize the CIA triad:\n- Confidentiality: data can be read and exfiltrated\n- Integrity: configs, IAM, and code can be altered\n- Availability: resources can be deleted or halted\n\nCompromise via key theft or impersonation enables lateral movement and persistence.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/restrict-admin-access-for-service-accounts.html",
"https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_4#terraform",
"https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_4",
"https://cloud.google.com/iam/docs/manage-access-service-accounts"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SERVICE_ACCOUNT_EMAIL> --role=<ROLE>",
"NativeIaC": "",
"Other": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_4",
"Terraform": "https://docs.prowler.com/checks/gcp/google-cloud-iam-policies/bc_gcp_iam_4#terraform"
"Other": "1. In the Google Cloud console, go to IAM & Admin > IAM\n2. Select the project (or switch to the folder/organization) where the role is granted\n3. Find the service account by email and click Edit principal\n4. Remove roles: Owner, Editor, and any role with \"Admin\" in the name\n5. Click Save\n6. Repeat at folder/organization level if the role was inherited",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure that your Google Cloud user-managed service accounts are not using privileged (administrator) roles, in order to implement the principle of least privilege and prevent any accidental or intentional modifications that may lead to data leaks and/or data loss.",
"Url": "https://cloud.google.com/iam/docs/manage-access-service-accounts"
"Text": "Apply **least privilege**: replace `roles/owner`, `roles/editor`, and roles containing `admin` with narrowly scoped predefined or custom roles. Use **separation of duties**, **temporary elevation**, and **IAM Conditions** to limit scope and time. Prefer **impersonation** over long-lived keys and monitor SA usage.",
"Url": "https://hub.prowler.com/check/iam_sa_no_administrative_privileges"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
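Review bot: the new CLI remediation only removes a project-level binding, but the Description says roles are evaluated "across the project hierarchy" and step 6 of the console procedure tells the operator to repeat at folder/organization level; the CLI should cover the same scope, e.g. by also listing `gcloud resource-manager folders remove-iam-policy-binding <FOLDER_ID> ...` and `gcloud organizations remove-iam-policy-binding <ORG_ID> ...` with the same `--member`/`--role` flags. It would also help to state in the Description that "any role containing `admin`" is a substring match on the role name, so that readers understand custom roles with that token are flagged while broadly permissive roles named differently are not.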
@@ -1,29 +1,36 @@
{
"Provider": "gcp",
"CheckID": "iam_sa_no_user_managed_keys",
"CheckTitle": "Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account",
"CheckTitle": "Service account has no user-managed keys",
"CheckType": [],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "ServiceAccountKey",
"Description": "Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account",
"Risk": "Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users.",
"Severity": "high",
"ResourceType": "iam.googleapis.com/ServiceAccount",
"Description": "**IAM service accounts** do not have keys of type `USER_MANAGED`; only Google-managed keys (or no keys) are present.",
"Risk": "**User-managed keys** are downloadable and long-lived, increasing theft and reuse risk. An attacker with a key can impersonate the service account, perform unauthorized API calls, exfiltrate data, and alter resources, impacting **confidentiality** and **integrity**, and potentially **availability**. Copies in repos or logs can evade centralized rotation and revocation.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-user-managed-service-account-keys.html",
"https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud iam service-accounts keys delete <KEY_ID> --iam-account=<SERVICE_ACCOUNT_EMAIL>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-user-managed-service-account-keys.html",
"Other": "1. In the Google Cloud console, go to IAM & Admin > Service Accounts\n2. Select your project and click the affected service account\n3. Open the Keys tab\n4. For each key with Type \"User-managed\", click Delete and confirm\n5. Verify no User-managed keys remain for that service account\n6. Repeat for any other affected service accounts",
"Terraform": ""
},
"Recommendation": {
"Text": "It is recommended to prevent user-managed service account keys.",
"Url": "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
"Text": "Avoid **user-managed keys**. Use **service account impersonation** or **Workload Identity Federation** for short-lived credentials and **least privilege**. Enforce `iam.disableServiceAccountKeyCreation`, restrict who can create keys, and monitor usage. *If exceptions are unavoidable*, tightly scope, rotate aggressively, and store keys securely.",
"Url": "https://hub.prowler.com/check/iam_sa_no_user_managed_keys"
}
},
"Categories": [],
"Categories": [
"secrets",
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
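Review bot: the CLI remediation deletes a single `<KEY_ID>`, but this check now reports at the service-account level (`iam.googleapis.com/ServiceAccount`) and one account can carry several user-managed keys; suggest leading with `gcloud iam service-accounts keys list --iam-account=<SERVICE_ACCOUNT_EMAIL> --managed-by=user` so the operator can enumerate what to remove, and mentioning `gcloud iam service-accounts keys disable <KEY_ID> --iam-account=<SERVICE_ACCOUNT_EMAIL>` as a reversible first step, since deleting a key a workload still uses breaks that workload. The Severity change from `medium` to `high` is not explained anywhere in the diff; a one-line rationale in `Notes` would help reviewers.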
@@ -1,29 +1,35 @@
{
"Provider": "gcp",
"CheckID": "iam_sa_user_managed_key_rotate_90_days",
"CheckTitle": "Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days",
"CheckTitle": "Service account user-managed key has been rotated within the last 90 days",
"CheckType": [],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "ServiceAccountKey",
"Description": "Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days",
"Risk": "Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.",
"Severity": "medium",
"ResourceType": "iam.googleapis.com/ServiceAccountKey",
"Description": "**GCP IAM service account user-managed keys** are evaluated by last rotation. Keys of type `USER_MANAGED` older than `90` days are identified; those rotated within `90` days align with the expected rotation cadence.",
"Risk": "**Stale service account keys** extend exposure of **long-lived credentials**. A leaked or retained key can grant persistent API access, enabling **data exfiltration**, tampering, and lateral movement. Weak rotation reduces revocation effectiveness and erodes **confidentiality** and **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/rotate-service-account-user-managed-keys.html",
"https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud iam service-accounts keys delete <KEY_ID> --iam-account=<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/rotate-service-account-user-managed-keys.html",
"Other": "1. In Google Cloud Console, go to IAM & Admin > Service Accounts\n2. Open the service account, then go to the Keys tab\n3. If the workload still needs a key: click Add key > Create new key (JSON), download it, and update the workload to use it\n4. Delete the user-managed key(s) older than 90 days by clicking Delete next to each\n5. Re-run the check to confirm only recent keys remain",
"Terraform": ""
},
"Recommendation": {
"Text": "It is recommended that all Service Account keys are regularly rotated.",
"Url": "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
"Text": "Rotate **user-managed keys** at least every `90` days and prefer **Workload Identity Federation** or other short-lived credentials over static keys.\n- Minimize key count; remove unused keys\n- Enforce **least privilege** on service accounts\n- Automate rotation and alert on aged keys\n- Set key expiry as **defense in depth**",
"Url": "https://hub.prowler.com/check/iam_sa_user_managed_key_rotate_90_days"
}
},
"Categories": [],
"Categories": [
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
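Review bot: the CLI remediation shows only the delete step, while the console steps correctly create a replacement key and switch the workload over before the old key is removed; a delete-only CLI invites an outage, so add the `gcloud iam service-accounts keys create <KEY_FILE> --iam-account=...` step (or an explicit "rotate first" note) ahead of the delete. The placeholder `<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com` also differs from the `<SERVICE_ACCOUNT_EMAIL>` form used by the other key checks in this series; pick one. Finally, "Set key expiry as **defense in depth**" in the Recommendation would be more actionable if it named the org policy constraint `constraints/iam.serviceAccountKeyExpiryHours`.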
@@ -1,29 +1,38 @@
{
"Provider": "gcp",
"CheckID": "iam_sa_user_managed_key_unused",
"CheckTitle": "Ensure That There Are No Unused Service Account Keys for Each Service Account",
"CheckTitle": "User-managed service account key was used within the allowed inactivity period",
"CheckType": [],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "ServiceAccountKey",
"Description": "Ensure That There Are No Unused Service Account Keys for Each Service Account.",
"Risk": "Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users.",
"RelatedUrl": "https://cloud.google.com/iam/docs/service-account-overview#identify-unused",
"ResourceType": "iam.googleapis.com/ServiceAccountKey",
"Description": "**User-managed service account keys** with no recorded activity during the last `max_unused_account_days` are identified using key-usage metrics per service account.",
"Risk": "**Stale user-managed keys** expand exposure of long-lived credentials. If leaked, an attacker can authenticate as the service account off-platform, bypass network controls, access data, alter resources, and persist-compromising confidentiality and integrity, and risking availability via destructive changes.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloud.google.com/iam/docs/creating-managing-service-account-keys",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-user-managed-service-account-keys.html",
"https://docs.cloud.google.com/iam/docs/samples/iam-delete-key",
"https://cloud.google.com/iam/docs/service-account-overview#identify-unused",
"https://stackoverflow.com/questions/49405063/google-cloud-audit-service-account-usage/49536975"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud iam service-accounts keys delete <KEY_ID> --iam-account=<SERVICE_ACCOUNT_EMAIL>",
"NativeIaC": "",
"Other": "",
"Other": "1. In Google Cloud Console, go to IAM & Admin > Service Accounts\n2. Select your project and click the service account with the unused user-managed key\n3. Open the Keys tab\n4. Find the unused key (Type: User-managed), click Delete, and confirm",
"Terraform": ""
},
"Recommendation": {
"Text": "It is recommended to prevent user-managed service account keys.",
"Url": "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
"Text": "Prefer **managed workload identities** and **service account impersonation** over user-managed keys. Enforce `iam.disableServiceAccountKeyCreation`, remove unused keys, and use short key lifetimes with rotation when unavoidable. Apply **least privilege**, monitor key usage, and enforce **separation of duties** to limit blast radius.",
"Url": "https://hub.prowler.com/check/iam_sa_user_managed_key_unused"
}
},
"Categories": [],
"Categories": [
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
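Review bot: in the new Risk text, "and persist-compromising confidentiality and integrity" has lost its punctuation and now reads as a hyphenated compound; it should be "and persist, compromising confidentiality and integrity" (or a sentence break). The Description names the `max_unused_account_days` configuration key but gives no default, whereas the `iam_service_account_unused` description in the next hunk states its window (default `180` days); stating the default here too keeps the two inactivity checks consistent. The console steps also stop after a single delete, unlike the `iam_sa_no_user_managed_keys` procedure, which ends with a verification step that no other user-managed keys remain; the same closing step would fit here.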
@@ -1,29 +1,39 @@
{
"Provider": "gcp",
"CheckID": "iam_service_account_unused",
"CheckTitle": "Ensure That There Are No Unused Service Accounts",
"CheckTitle": "Service account was used within the configured maximum unused period",
"CheckType": [],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "ServiceAccount",
"Description": "Ensure That There Are No Unused Service Accounts.",
"Risk": "A malicious actor could make use of privilege escalation or impersonation to access an unused Service Account that is over-privileged.",
"RelatedUrl": "https://cloud.google.com/iam/docs/service-account-overview#identify-unused",
"ResourceType": "iam.googleapis.com/ServiceAccount",
"Description": "Google Cloud service accounts are evaluated for **recent usage** within a configurable window (default `180` days) using usage telemetry.\n\nIt highlights which accounts show activity versus those with **no observed use** in that period.",
"Risk": "Dormant but permissioned service accounts threaten **confidentiality** and **integrity** via:\n- **Impersonation/privilege escalation** through stale roles or leaked keys\n- **Lateral movement** and persistent access\nThey also weaken **accountability**, obscuring audit trails when reactivated unnoticed.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://nonameno.com/proxy2/index.php?proxy2=aHR0cHM6Ly9kb2NzLmNsb3VkLmdvb2dsZS5jb20vaWFtL2RvY3MvYmVzdC1wcmFjdGljZXMtc2VydmljZS1hY2NvdW50cw==",
"https://stackoverflow.com/questions/55956548/find-out-last-activity-of-service-account-key-in-gcp-iam/66741187",
"https://github.com/erasmus74/GCP-IAM-Janitor",
"https://www.linkedin.com/pulse/cloud-architecting-gcp-part5-iam-security-practices-a-abdulfatah-e2qdf",
"https://cloud.google.com/iam/docs/best-practices-service-accounts?ref=alphasec.io",
"https://cloud.google.com/iam/docs/service-account-overview#identify-unused"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "gcloud auth print-access-token --impersonate-service-account=<SERVICE_ACCOUNT_EMAIL>",
"NativeIaC": "",
"Other": "",
"Other": "1. In the Google Cloud console, open the IAM Service Account Credentials API reference for \"GenerateAccessToken\" and click \"Try this method\" (APIs Explorer)\n2. Set name to: projects/-/serviceAccounts/<SERVICE_ACCOUNT_EMAIL>\n3. Add scope: https://www.googleapis.com/auth/cloud-platform\n4. Click Execute (use an identity with roles/iam.serviceAccountTokenCreator on the service account)\n5. The generated token records recent usage for the service account, changing the finding to PASS",
"Terraform": ""
},
"Recommendation": {
"Text": "It is recommended to disable or remove unused Service Accounts.",
"Url": "https://cloud.google.com/iam/docs/service-account-overview#identify-unused"
"Text": "Apply **least privilege** and **reduce attack surface**:\n- Verify inactivity, then *disable* and later delete unused accounts\n- Revoke role bindings and keys; favor short-lived impersonation over keys\n- Avoid powerful defaults; enforce separation of duties\n- Continuously monitor usage and alert on dormancy",
"Url": "https://hub.prowler.com/check/iam_service_account_unused"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
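Review bot: the remediation in this hunk works against its own Recommendation. The CLI `gcloud auth print-access-token --impersonate-service-account=...` and the console steps (GenerateAccessToken via APIs Explorer, ending with "changing the finding to PASS") only generate usage telemetry so the dormant account looks active, while the Recommendation says to verify inactivity, then disable and later delete unused accounts. Suggest replacing the CLI with `gcloud iam service-accounts disable <SERVICE_ACCOUNT_EMAIL>` followed, after a grace period, by `gcloud iam service-accounts delete <SERVICE_ACCOUNT_EMAIL>`, and rewriting the console steps as disable/delete from IAM & Admin > Service Accounts; minting a token to suppress the finding should not be documented as a fix. Separately, the first AdditionalURLs entry points at a third-party proxy (`nonameno.com/proxy2/...`) wrapping a base64-encoded Google docs URL, and the same best-practices page already appears further down with a `?ref=alphasec.io` tracking parameter; drop the proxy entry and strip the tracking parameter from the direct link.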