
Too many Service account permissions may compromise services

Severity: HIGH
Exploitability: MEDIUM
Providers: Google Cloud Provider
Categories: PERMISSION

Description

A service account is an identity used by applications and workloads, rather than by a human user, to call Google Cloud APIs; the IAM roles bound to it determine exactly what those workloads can do. Limiting the permissions granted to a service account reduces the blast radius if the account's credentials are compromised.

Impact

Potential data exposure: True
Visible in logs: False
User interaction required: False
Privileges required: True

An attacker who obtains the service account's credentials (a downloaded key file, an access token, or the ability to impersonate it) gains every permission granted to the account, across all resources that its role bindings cover, with no further user interaction.

Remediation guidelines

  • Remove every role binding on the service account that its workload does not need; prefer predefined or custom roles scoped to specific resources over basic roles such as roles/owner and roles/editor.
  • Create a dedicated service account with a minimal role set for each application instead of sharing one powerful account across all of them, so that compromising one workload does not expose the others.
  • Review Google's recommendations to identify excess permissions (the IAM Recommender flags roles whose permissions the account has not exercised) and remove or downgrade them.
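The audit and clean-up described in the guidelines above, as an added example that is not part of this rule page or of Google's tooling. It runs over the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, flags every service account bound to an over-broad role, and produces the trimmed policy; the project name, service-account names and the BROAD_ROLES set are assumptions made for this example, and the policy document is constructed inline so the script runs offline.

```python
"""Audit a Google Cloud project IAM policy for over-privileged service accounts.

Added example, not code from the original rule page or from Google. The input
format matches `gcloud projects get-iam-policy PROJECT --format=json`; the
sample policy below is constructed for this example.
"""
import json

# Roles that grant far more than any single workload needs. Which roles count
# as "broad" is an assumption for this example; extend the set to taste.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.securityAdmin",
    # lets the holder mint tokens for other service accounts (lateral movement)
    "roles/iam.serviceAccountTokenCreator",
}

# Constructed sample: same shape as gcloud output, but the project, members
# and bindings are invented for this example.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:shared-app@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reports@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["serviceAccount:shared-app@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwX1234567890=",
  "version": 1
}
"""


def service_account_roles(policy):
    """Map each service-account member to the set of roles bound to it."""
    roles = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                roles.setdefault(member, set()).add(binding["role"])
    return roles


def find_overprivileged(policy, broad_roles=BROAD_ROLES):
    """Return sorted (member, role) pairs where a service account holds a broad role."""
    findings = []
    for member, roles in service_account_roles(policy).items():
        for role in roles & broad_roles:
            findings.append((member, role))
    return sorted(findings)


def remove_bindings(policy, member, roles):
    """Return a copy of the policy with `member` removed from each role in `roles`.

    A binding left with no members is dropped, which is also what
    `gcloud projects remove-iam-policy-binding` does for the last member.
    Other keys on a binding (e.g. an IAM "condition") and the policy etag are
    preserved, so the result can be submitted with
    `gcloud projects set-iam-policy` and rejected if the policy changed meanwhile.
    """
    new_bindings = []
    for binding in policy.get("bindings", []):
        binding = dict(binding)  # shallow copy; never mutate the caller's policy
        if binding["role"] in roles and member in binding.get("members", []):
            binding["members"] = [m for m in binding["members"] if m != member]
            if not binding["members"]:
                continue
        new_bindings.append(binding)
    new_policy = dict(policy)
    new_policy["bindings"] = new_bindings
    return new_policy


def audit_and_remediate(policy_json):
    """Parse a policy document, list findings, and build the trimmed policy."""
    policy = json.loads(policy_json)
    findings = find_overprivileged(policy)
    remediated = policy
    for member, role in findings:
        remediated = remove_bindings(remediated, member, {role})
    return findings, remediated


if __name__ == "__main__":
    findings, remediated = audit_and_remediate(SAMPLE_POLICY_JSON)
    for member, role in findings:
        print(f"FINDING: {member} holds broad role {role}")
    print(json.dumps(remediated, indent=2))
```

In practice you would export the live policy with `gcloud projects get-iam-policy PROJECT --format=json`, run the audit, review the findings with the owning team, and then either apply the trimmed document with `gcloud projects set-iam-policy` or remove the individual bindings with `gcloud projects remove-iam-policy-binding`. Removing a broad role is only half the job: the workload that relied on it still needs a dedicated service account bound to a role scoped to the resources it actually touches.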
