Service Account with Improper Privileges
- Query id: cefdad16-0dd5-4ac5-8ed2-a37502c78672
- Query name: Service Account with Improper Privileges
- Platform: Terraform
- Severity: Medium
- Category: Resource Management
- CWE: Ongoing
- URL: Github
Description
Service accounts should not be granted improper privileges such as the admin, editor, owner, or write roles; they should be bound only to the narrowly scoped role their workload needs.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"
    members = [
      "serviceAccount:jane@example.com",
    ]
  }
}
Positive test num. 2 - tf file
resource "google_project_iam_binding" "project1" {
  project = "your-project-id"
  role    = "roles/container.admin"
  members = [
    "serviceAccount:jane@example.com",
  ]
  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}
resource "google_project_iam_member" "project2" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "serviceAccount:jane@example.com"
}
Positive test num. 3 - tf file
data "google_iam_policy" "admin" {
  binding {
    role = "roles/compute.imageUser"
    members = [
      "serviceAccount:jane@example.com",
    ]
  }
  binding {
    role = "roles/owner"
    members = [
      "serviceAccount:john@example.com",
    ]
  }
}
Positive test num. 4 - tf file
Code samples without security vulnerabilities
Negative test num. 1 - tf file
data "google_iam_policy" "policy5" {
  binding {
    role = "roles/apigee.runtimeAgent"
    members = [
      "user:jane@example.com",
    ]
  }
}
Negative test num. 2 - tf file
resource "google_project_iam_binding" "project3" {
  project = "your-project-id"
  role    = "roles/apigee.runtimeAgent"
  members = [
    "user:jane@example.com",
  ]
  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}
resource "google_project_iam_member" "project4" {
  project = "your-project-id"
  role    = "roles/apigee.runtimeAgent"
  member  = "user:jane@example.com"
}