Basic roles utilized at the organization level

Description

This policy checks that basic roles are not granted at the organization level within Google Cloud Platform. Basic roles such as Owner, Editor, and Viewer are broad and bundle a wide range of permissions, so assigning them at the organization level can give users access to far more resources and actions than they actually need. This violates the principle of least privilege, under which users should hold only the minimum access necessary to perform their job functions. Basic roles granted at the organization level can lead to unintentional data exposure or other damaging actions across every project in the organization.

Code Example

resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/editor"   # basic (Editor) role granted through an IAM member binding
  member  = "user:[email protected]"
}

Remediation

Terraform

  • Resource: 'google_organization_iam_member', 'google_organization_iam_binding'

The policy states that you should not use basic roles at the organization level. The basic roles in Google Cloud are Owner, Editor, and Viewer; each bundles a multitude of permissions that cannot be restricted, which poses a security risk when granted at the organization level.

To fix the issue, replace basic roles with predefined roles or custom roles in Google Cloud, as they offer finer-grained access control.
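As an added example (not Checkov's own implementation and not code from this page), the following Python approximates the rule's logic over Terraform resources already parsed into dicts: it flags Owner/Editor/Viewer on the two organization-level IAM resource types and skips project-level ones. The org id and member addresses in the sample data are constructed placeholders.

```python
# Added example: approximates the intent of CKV_GCP_115 over Terraform
# resources already parsed into dicts. Not Checkov's own implementation.
from typing import Dict, List

# Basic (formerly "primitive") roles: broad bundles that cannot be narrowed.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Resource types that grant IAM at the organization level.
ORG_IAM_RESOURCES = {
    "google_organization_iam_member",
    "google_organization_iam_binding",
}


def is_basic_role(role: str) -> bool:
    """True for Owner/Editor/Viewer; also accepts the bare 'editor' spelling (assumption)."""
    role = role.strip().lower()
    if not role.startswith("roles/"):
        role = "roles/" + role
    return role in BASIC_ROLES


def scan(resources: List[Dict]) -> Dict[str, str]:
    """Map each org-level IAM resource address to PASSED or FAILED.
    Project-level IAM resources are out of scope for this rule and are skipped."""
    results = {}
    for r in resources:
        if r["type"] not in ORG_IAM_RESOURCES:
            continue
        address = f'{r["type"]}.{r["name"]}'
        results[address] = "FAILED" if is_basic_role(r["config"]["role"]) else "PASSED"
    return results


# Constructed sample resources; org id and member addresses are placeholders.
SAMPLE_RESOURCES = [
    {"type": "google_organization_iam_member", "name": "editor_at_org",
     "config": {"org_id": "000000000000", "role": "roles/editor",
                "member": "user:someone@example.com"}},
    {"type": "google_organization_iam_binding", "name": "log_viewers",
     "config": {"org_id": "000000000000", "role": "roles/logging.viewer",
                "members": ["group:sec-ops@example.com"]}},
    {"type": "google_project_iam_member", "name": "project_editor",
     "config": {"project": "your-project-id", "role": "roles/editor",
                "member": "user:someone@example.com"}},
]

for address, verdict in scan(SAMPLE_RESOURCES).items():
    print(f"{verdict:6} {address}")
```

The compliant binding uses the predefined role roles/logging.viewer, which is the kind of narrower grant the remediation recommends in place of a basic role.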

Rule Details

Field        Value
ID           IAC-0973
Severity     HIGH
IaC Type     Terraform
Frameworks   Terraform, TerraformPlan
Checkov ID   CKV_GCP_115

References