Policy: GCP > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that Separation of duties is enforced while assigning service account related roles to users (Not Scored)
Configures auditing against a CIS Benchmark item.
Level: 2 (Not Scored)
Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.
Any user(s) should not have Service Account Admin and Service Account User , both roles assigned at a time.
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Controls
Setting this policy configures this control:
Policy Specification
Schema Type | |
|---|---|
Default | |
Valid Values [YAML] |
|
Category
In Your Workspace
Developers
- tmod:@turbot/cis#/control/categories/v071406
- tmod:@turbot/gcp-cisv1#/policy/types/r0107
- turbot graphql policy-type --id "tmod:@turbot/gcp-cisv1#/policy/types/r0107"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-cisv1#/policy/types/r0107"
Get Policy TypeGet Policy Settings