iam/BP/2023_001

Policy constraint ‘AutomaticIamGrantsForDefaultServiceAccounts’ is enforced

Product: Identity and Access Management (IAM)
Rule class: BP - Best practice, opinionated recommendation

Description

Enforcing the policy constraint AutomaticIamGrantsForDefaultServiceAccounts in production projects is strongly recommended by security best practices.

Security best practices call for admins to limit the permission set of every user and service account in a project as far as possible. Enforcing this policy constraint prevents the automatic grant of the ‘editor’ role to default service accounts, in keeping with a zero-trust approach.

Remediation

To improve security, we strongly recommend that you disable the automatic role grant. Use the iam.automaticIamGrantsForDefaultServiceAccounts boolean constraint to disable it, and turn on enforcement of the constraint using the gcloud SDK.
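An added example, not part of the gcpdiag rule or of Google's documentation: a POSIX shell check that reads the effective policy for a project (through gcloud when it is installed, otherwise from a constructed sample so it runs offline) and prints the enforcing command when the constraint is off. The gcloud command forms and the describe output layout are assumptions based on the legacy gcloud resource-manager org-policies command group.

```shell
#!/bin/sh
# Check whether iam.automaticIamGrantsForDefaultServiceAccounts is enforced
# on a project and show the remediation when it is not.
# Usage: sh check_default_sa_grants.sh PROJECT_ID

CONSTRAINT="iam.automaticIamGrantsForDefaultServiceAccounts"

# Returns 0 when the effective-policy text contains "enforced: true",
# 1 otherwise. For a boolean constraint, describe --effective prints a
# booleanPolicy block; when the block is absent or says "enforced: false",
# the constraint is not enforced (the default for this constraint).
is_enforced() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*enforced:[[:space:]]*true[[:space:]]*$'
}

# Prints the gcloud command that turns enforcement on for one project
# (assumed command form; folders/organizations use --folder/--organization).
remediation_cmd() {
  printf 'gcloud resource-manager org-policies enable-enforce %s --project=%s\n' \
    "$CONSTRAINT" "$1"
}

# Fetches the effective policy with gcloud when available. Without gcloud,
# returns a constructed sample of what describe prints for a project where
# the constraint is NOT enforced (no booleanPolicy block at all).
effective_policy() {
  if command -v gcloud >/dev/null 2>&1; then
    gcloud resource-manager org-policies describe "$CONSTRAINT" \
      --project="$1" --effective 2>/dev/null
  else
    printf 'constraint: constraints/%s\n' "$CONSTRAINT"   # constructed sample
  fi
}

# Reports OK/FAIL for a project; exit status 0 only when enforced.
check_project() {
  project="$1"
  policy="$(effective_policy "$project")"
  if is_enforced "$policy"; then
    echo "OK   $project: $CONSTRAINT is enforced"
    return 0
  fi
  echo "FAIL $project: $CONSTRAINT is not enforced; remediate with:"
  echo "     $(remediation_cmd "$project")"
  return 1
}

# Run the check only when a project id is supplied on the command line.
if [ $# -gt 0 ]; then
  check_project "$1"
fi
```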

Further information

Read more at:

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants