Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Google > Iam >

No User Granted Permissions

MEDIUM
Source
Trivy
ID
AVD-GCP-0003
terraform

IAM granted directly to user.

Permissions should not be directly granted to users, you identify roles that contain the appropriate permissions, and then grant those roles to the user.

Granting permissions to users quickly become unwieldy and complex to make large scale changes to remove access to a particular resource.

Permissions should be granted on roles, groups, services accounts instead.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Roles should be granted permissions and assigned to users

1
2
3
4
5
6
7
8
9

resource "google_project_iam_binding" "good_example" {
  members = [
    "group:test@example.com",
  ]
}

resource "google_storage_bucket_iam_member" "good_example" {
  member = "serviceAccount:test@example.com"
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use