Too many Service account permissions may compromise services
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | MEDIUM | Google Cloud Provider | PERMISSION |
Description
Service accounts are non-human identities that are granted privileges on behalf of an application or workload. Limiting the permissions assigned to a service account reduces the impact of an attack if the service account is compromised.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | True |
An attacker with access to the service account gains access to every resource that the assigned permissions authorize.
Remediation guidelines
- Remove all permissions associated with the service account that are not necessary.
- Create dedicated, smaller service accounts for each application, instead of sharing one powerful account across all of them.
- Review Google's recommendations to identify excess permissions.
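The following script is an added example, not part of the original finding or of any Google tooling. It shows one way to carry out the first remediation step: it reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` produces, flags every service account bound to a broad basic role (`roles/owner`, `roles/editor`), builds a copy of the policy with those bindings stripped, and prints the equivalent `gcloud projects remove-iam-policy-binding` commands for review. The embedded policy, the project name `example-project` and the service account names are constructed sample data so the script runs offline.

```python
"""Flag and strip broad basic roles held by service accounts in a GCP IAM policy.

Added example (not from the original page). Input is the JSON produced by
`gcloud projects get-iam-policy PROJECT --format=json`; the policy below is a
constructed sample embedded so the script runs offline.
"""
import json
from typing import Dict, List

# Basic (primitive) roles grant broad access across every service in a project;
# a compromised service account holding one of them exposes the whole project.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy, shaped like the gcloud JSON output (etag is fake).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["serviceAccount:ci-sa@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwExampleEtag=",
    "version": 1,
})


def is_service_account(member: str) -> bool:
    """IAM members are typed strings; service accounts use the serviceAccount: prefix."""
    return member.startswith("serviceAccount:")


def find_broad_sa_bindings(policy_json: str) -> Dict[str, List[str]]:
    """Map each service-account member to the broad roles it holds, in policy order."""
    policy = json.loads(policy_json)
    findings: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            if is_service_account(member):
                findings.setdefault(member, []).append(role)
    return findings


def strip_broad_sa_bindings(policy_json: str) -> dict:
    """Return a copy of the policy with service accounts removed from broad roles.

    Human members and narrow roles are left untouched; a binding that ends up
    with no members is dropped, which is how an empty binding is represented.
    The etag is kept so the result can be submitted as a conditional update.
    """
    policy = json.loads(policy_json)
    new_bindings = []
    for binding in policy.get("bindings", []):
        members = list(binding.get("members", []))
        if binding["role"] in BROAD_ROLES:
            members = [m for m in members if not is_service_account(m)]
        if members:
            new_bindings.append({**binding, "members": members})
    policy["bindings"] = new_bindings
    return policy


def remediation_commands(project: str, policy_json: str) -> List[str]:
    """gcloud commands that would remove each flagged binding (review before running)."""
    cmds = []
    for member, roles in sorted(find_broad_sa_bindings(policy_json).items()):
        for role in roles:
            cmds.append(f"gcloud projects remove-iam-policy-binding {project} "
                        f"--member={member} --role={role}")
    return cmds


if __name__ == "__main__":
    for member, roles in find_broad_sa_bindings(SAMPLE_POLICY).items():
        print(f"{member} holds broad role(s): {', '.join(roles)}")
    print("\n".join(remediation_commands("example-project", SAMPLE_POLICY)))
    print(json.dumps(strip_broad_sa_bindings(SAMPLE_POLICY), indent=2))
```

The script only removes service accounts from the two basic roles; deciding which narrower predefined or custom roles each application still needs is the part of the remediation that requires knowing what the workload does, which is where the recommendations in the third step come in. Run it against a real export by replacing `SAMPLE_POLICY` with the file contents, and inspect the printed commands before executing any of them.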