
No Folder Level Service Account Impersonation

MEDIUM
Source
Trivy
ID
AVD-GCP-0005

Users should not be granted service account access at the folder level

Users with service account access at the folder level can impersonate any service account in every project under that folder. Instead, grant them access on the particular service accounts they actually require.
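The check described above can be reproduced against live IAM policies rather than Terraform. The following is an added example, not code from the Trivy/AVD page: it walks folder IAM policies in the shape printed by `gcloud resource-manager folders get-iam-policy FOLDER --format=json` and reports every member who holds a service account impersonation role on the whole folder. The two roles flagged (`roles/iam.serviceAccountUser` and `roles/iam.serviceAccountTokenCreator`) are the predefined GCP roles that let a principal act as a service account; which roles Trivy itself matches is not stated on the page, so the set here is an assumption and is kept configurable. The sample policies are constructed for this example.

```python
"""Flag folder-level IAM bindings that grant service account impersonation.

Added example, not part of the Trivy/AVD page. Input mirrors the IAM policy
document returned by `gcloud resource-manager folders get-iam-policy`; the
sample policies at the bottom are constructed for this example.
"""
from dataclasses import dataclass

# Predefined roles that let the grantee act as (impersonate) a service
# account. Granted on a folder, they apply to every service account in every
# project beneath it. Assumed role set; extend if your org uses custom roles.
IMPERSONATION_ROLES = frozenset({
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
})


@dataclass(frozen=True)
class Finding:
    folder: str
    role: str
    member: str


def find_folder_level_impersonation(folder_policies, roles=IMPERSONATION_ROLES):
    """Return one Finding per (folder, role, member) granting impersonation folder-wide.

    `folder_policies` maps a folder resource name to its IAM policy dict,
    i.e. {"bindings": [{"role": "...", "members": ["user:...", ...]}]}.
    Folders with no bindings, or only unrelated roles, produce no findings.
    """
    findings = []
    for folder, policy in folder_policies.items():
        for binding in policy.get("bindings", []):
            role = binding.get("role")
            if role not in roles:
                continue
            for member in binding.get("members", []):
                findings.append(Finding(folder=folder, role=role, member=member))
    return findings


# Constructed sample: the first folder grants token creation to a user and a
# group folder-wide (finding), the second folder only grants viewer (clean).
SAMPLE_FOLDER_POLICIES = {
    "folders/123456789012": {
        "bindings": [
            {"role": "roles/resourcemanager.folderViewer",
             "members": ["group:auditors@example.com"]},
            {"role": "roles/iam.serviceAccountTokenCreator",
             "members": ["user:jane@example.com", "group:ci-admins@example.com"]},
        ]
    },
    "folders/987654321098": {
        "bindings": [
            {"role": "roles/viewer", "members": ["user:bob@example.com"]},
        ]
    },
}


if __name__ == "__main__":
    for f in find_folder_level_impersonation(SAMPLE_FOLDER_POLICIES):
        print(f"{f.folder}: {f.member} holds {f.role} on the whole folder")
```

Each finding is a binding that should be moved down to the specific service account, for example with a `google_service_account_iam_binding` resource in Terraform, which scopes the same role to one service account instead of every account under the folder.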

Impact

Follow the appropriate remediation steps below to resolve the issue.

Provide access at the service account level instead of the folder level, if required

# Folder-level binding that grants no service account impersonation role.
# google_folder_iam_binding requires a members list; the member below is a
# placeholder value.
resource "google_folder_iam_binding" "folder-123" {
  folder  = "folder-123"
  role    = "roles/nothingInParticular"
  members = ["user:jane@example.com"]
}