GCP IAM custom roles should not grant excessive sensitive permissions to reduce the potential impact of a compromised account.
Granting excessive sensitive permissions in a GCP IAM custom role increases the potential impact of a compromised account. Sensitive permissions include read-write and destructive operations such as creating, modifying, deleting, disabling, or canceling resources. When an account is compromised, attackers use these permissions to deploy malicious resources or remove evidence of their activity. This rule raises an issue when a custom role grants more than a configurable number of sensitive permissions.
If a GCP account with excessive sensitive permissions is compromised, an attacker can create, modify, or delete resources across the affected projects. This can lead to deployment of malicious infrastructure, data exfiltration, disruption of services, and removal of audit evidence.
Reduce the permissions granted by the custom role to only those that are strictly necessary. Prefer read-only over read-write permissions, and avoid granting destructive permissions unless required.
The following code is vulnerable because the custom role grants more than 5 sensitive permissions, including destructive operations such as deleting projects and setting IAM policies.
resource "google_project_iam_custom_role" "example" {
  role_id     = "exampleRole" # placeholder value, not from the original rule description
  title       = "Example role" # placeholder value, not from the original rule description
  permissions = [ # Noncompliant
    "resourcemanager.projects.create", # Sensitive permission
    "resourcemanager.projects.delete", # Sensitive permission
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create", # Sensitive permission
    "run.services.delete", # Sensitive permission
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.setIamPolicy", # Sensitive permission
    "run.services.list",
    "run.services.update", # Sensitive permission
  ]
}
The following code is compliant because the custom role grants only 3 sensitive permissions, which does not exceed the threshold of 5, and no longer includes the destructive project-level and IAM policy permissions.
resource "google_project_iam_custom_role" "example" {
  role_id     = "exampleRole" # placeholder value, not from the original rule description
  title       = "Example role" # placeholder value, not from the original rule description
  permissions = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create", # Sensitive permission
    "run.services.delete", # Sensitive permission
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.list",
    "run.services.update", # Sensitive permission
  ]
}
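As an added example (not part of the rule description and not the analyzer's own implementation), the following Python script shows how the check described above can be reproduced over Terraform files before they are applied: it extracts every google_project_iam_custom_role block, classifies each permission as sensitive by the verb of its action segment (create, update, delete, disable, cancel, set), and flags any role whose count of sensitive permissions exceeds a configurable threshold, which defaults to 5. The verb list, the regex-based HCL parsing, the role names "wide" and "narrow" and the sample HCL are all assumptions constructed for this example; the permissions in the sample are the ones from the two blocks above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Verb prefixes that mark a permission as sensitive (read-write or destructive).
# This list follows the rule description (create, modify, delete, disable, cancel)
# plus "set" for setIamPolicy; it is this example's assumption, not the rule's config.
SENSITIVE_VERBS = frozenset({"create", "update", "delete", "disable", "cancel", "set"})

_ROLE_BLOCK = re.compile(
    r'resource\s+"google_project_iam_custom_role"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
_PERMISSIONS = re.compile(r"permissions\s*=\s*\[(?P<items>.*?)\]", re.DOTALL)
_STRING = re.compile(r'"([^"]*)"')


def permission_verb(permission: str) -> str:
    """Leading lowercase verb of the action segment:
    'run.services.setIamPolicy' -> 'set', 'resourcemanager.projects.get' -> 'get'."""
    action = permission.rsplit(".", 1)[-1]
    match = re.match(r"[a-z]+", action)
    return match.group(0) if match else action


def is_sensitive(permission: str) -> bool:
    return permission_verb(permission) in SENSITIVE_VERBS


def strip_comments(hcl: str) -> str:
    """Drop '#' line comments so annotations never reach the parser."""
    return "\n".join(line.split("#", 1)[0] for line in hcl.splitlines())


def parse_custom_roles(hcl: str) -> dict[str, list[str]]:
    """Map each custom role's resource name to its permissions list.
    Simplified HCL parsing: the block must end with '}' at column 0."""
    roles: dict[str, list[str]] = {}
    for block in _ROLE_BLOCK.finditer(strip_comments(hcl)):
        perms_match = _PERMISSIONS.search(block.group("body"))
        items = _STRING.findall(perms_match.group("items")) if perms_match else []
        roles[block.group("name")] = items
    return roles


@dataclass
class Finding:
    role: str
    sensitive: list[str]
    threshold: int

    @property
    def noncompliant(self) -> bool:
        # The rule triggers when the count exceeds (not merely reaches) the threshold.
        return len(self.sensitive) > self.threshold


def check_custom_roles(hcl: str, max_sensitive: int = 5) -> list[Finding]:
    """One Finding per custom role, listing its sensitive permissions."""
    return [
        Finding(name, [p for p in perms if is_sensitive(p)], max_sensitive)
        for name, perms in parse_custom_roles(hcl).items()
    ]


# Constructed sample: the noncompliant and compliant roles from the rule description,
# renamed "wide" and "narrow" so both can live in one file.
SAMPLE_HCL = """
resource "google_project_iam_custom_role" "wide" {
  role_id     = "wideRole"
  title       = "Wide role"
  permissions = [
    "resourcemanager.projects.create",
    "resourcemanager.projects.delete",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create",
    "run.services.delete",
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.setIamPolicy",
    "run.services.list",
    "run.services.update",
  ]
}

resource "google_project_iam_custom_role" "narrow" {
  role_id     = "narrowRole"
  title       = "Narrow role"
  permissions = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create",
    "run.services.delete",
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.list",
    "run.services.update",
  ]
}
"""

if __name__ == "__main__":
    for finding in check_custom_roles(SAMPLE_HCL):
        status = "Noncompliant" if finding.noncompliant else "Compliant"
        print(f"{finding.role}: {len(finding.sensitive)} sensitive permission(s), "
              f"max {finding.threshold} -> {status}")
        for perm in finding.sensitive:
            print(f"  sensitive: {perm}")
```

Run against the sample, the "wide" role reports 6 sensitive permissions and is flagged, while the "narrow" role reports 3 and passes. Classifying by verb rather than by an allow-list of permission names is what lets getIamPolicy pass while setIamPolicy is counted; lowering max_sensitive tightens the check for roles that should be read-only.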