Policy Packs

guardrails-samples

Minimize the risk of unauthorized access and potential misuse of administrative capabilities.

Enforce GCP IAM User-Managed Service Accounts Do Not Have Admin Privileges

main

gcp_iam_service_account_approved

Determine the action to take when a GCP IAM service account is not approved based on `GCP &gt; IAM &gt; Service Account &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

serviceAccountApproved

GCP > IAM > Service Account > Approved

gcp_iam_service_account_approved_custom

Determine whether the GCP IAM service account is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP IAM service account is not approved, it will be subject to the action specified in the `GCP &gt; IAM &gt; Service Account &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

serviceAccountApprovedCustom

GCP > IAM > Service Account > Approved > Custom

turbot_policy_setting.gcp_iam_service_account_approved

turbot_policy_setting.gcp_iam_service_account_approved_custom

Policy	Setting	Note
GCP > IAM > Service Account > Approved	Check: Approved
GCP > IAM > Service Account > Approved > Custom	Calculated

Policy Settings