Granting highly privileged resource rights to users or groups can reduce an organization's ability to protect against account or service theft. It prevents proper segregation of duties and creates potentially critical attack vectors on affected resources. If elevated access rights are abused or compromised, both the data that the affected resources work with and their access tracking are at risk. == Ask Yourself Whether * This GCP resource is essential to the information system infrastructure. * This GCP resource is essential to mission-critical functions. * Compliance policies require that administrative privileges for this resource be limited to a small group of individuals. There is a risk if you answered yes to any of these questions. == Recommended Secure Coding Practices Grant IAM policies or members a less permissive role: In most cases, granting them read-only privileges is sufficient. Separate tasks by creating multiple roles that do not use a full access role for day-to-day work. If the predefined GCP roles do not include the specific permissions you need, create https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role[custom IAM roles]. == Sensitive Code Example For an IAM policy setup: [source,terraform] ---- data "google_iam_policy" "admin" { binding { role = "roles/run.admin" # Sensitive members = [ "user:name@example.com", ] } } resource "google_cloud_run_service_iam_policy" "policy" { location = google_cloud_run_service.default.location project = google_cloud_run_service.default.project service = google_cloud_run_service.default.name policy_data = data.google_iam_policy.admin.policy_data } ---- For an IAM policy binding: [source,terraform] ---- resource "google_cloud_run_service_iam_binding" "example" { location = google_cloud_run_service.default.location project = google_cloud_run_service.default.project service = google_cloud_run_service.default.name role = "roles/run.admin" # Sensitive members = [ "user:name@example.com", ] } ---- For adding a member to a policy: [source,terraform] ---- resource "google_cloud_run_service_iam_member" "example" { location = google_cloud_run_service.default.location project = google_cloud_run_service.default.project service = google_cloud_run_service.default.name role = "roles/run.admin" # Sensitive member = "user:name@example.com" } ---- == Compliant Solution For an IAM policy setup: [source,terraform] ---- data "google_iam_policy" "admin" { binding { role = "roles/viewer" members = [ "user:name@example.com", ] } } resource "google_cloud_run_service_iam_policy" "example" { location = google_cloud_run_service.default.location project = google_cloud_run_service.default.project service = google_cloud_run_service.default.name policy_data = data.google_iam_policy.admin.policy_data } ---- For an IAM policy binding: [source,terraform] ---- resource "google_cloud_run_service_iam_binding" "example" { location = google_cloud_run_service.default.location project = google_cloud_run_service.default.project service = google_cloud_run_service.default.name role = "roles/viewer" members = [ "user:name@example.com", ] } ---- For adding a member to a policy: [source,terraform] ---- resource "google_cloud_run_service_iam_member" "example" { location = google_cloud_run_service.default.location project = google_cloud_run_service.default.project service = google_cloud_run_service.default.name role = "roles/viewer" member = "user:name@example.com" } ---- == See * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * For a policy: Make sure it is safe to give all future members full access to this resource. * For a binding: Make sure it is safe to give those members full access to the resource. * For a member add: Make sure it is safe to grant that member full access to the resource. * For the rest: Make sure it is safe to grant full access to the resource. === Highlighting Highlight the full role assignment. In lists, highlight the non-compliant item. endif::env-github,rspecator-view[]