Basic roles used at the folder level
Description
This policy checks for the use of basic roles at the folder level in Google Cloud Platform (GCP). Basic roles include the primitive roles (Owner, Editor, Viewer) and predefined roles that carry a wide range of permissions. Granting such roles at the folder level is a security risk: every project beneath the folder inherits the grant, so users or service accounts are likely to receive far more permissions than they need, violating the principle of least privilege. Access to, or modification of, sensitive data beyond what a task requires can lead to data breaches or unwanted changes. Grant only the specific permissions that a user or service actually needs.
Code Example

```hcl
resource "google_folder_iam_binding" "folder_iam_binding" {
  # Required by the provider; "folders/FOLDER_ID" is a placeholder, not a value from the page.
  folder = "folders/FOLDER_ID"

  # Principals that receive the role on the folder.
  members = [
    "user:[email protected]",
  ]

  # Role granted on the folder and inherited by every project beneath it.
  role = "roles/monitoring.editor"
}
```

Remediation
Terraform
- Resource: 'google_folder_iam_member', 'google_folder_iam_binding'
Apply the principle of least privilege. Always provide only the level of access necessary to the services your applications need, no more and no less.
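The following Python snippet is an added example (not Checkov's own implementation of CKV_GCP_116) that shows how a rule of this kind is evaluated against the two resource types named under Remediation. It flags a `google_folder_iam_member` or `google_folder_iam_binding` whose `role` is one of the three basic roles named in the description (`roles/owner`, `roles/editor`, `roles/viewer`), passes narrower predefined roles, reports UNKNOWN when the role is not a string literal (for example `var.role`), and skips resources outside the folder scope. The HCL sample, the `folders/...` IDs and the `example.com` principals are constructed for the demonstration; the minimal block extractor assumes flat resource blocks whose closing brace starts a line.

```python
import re
from typing import Dict, List, Optional

# Resource types this rule examines (named in the page's Remediation section).
FOLDER_IAM_RESOURCES = {"google_folder_iam_member", "google_folder_iam_binding"}

# GCP basic (primitive) roles named in the description.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Minimal extractor for flat `resource "type" "name" { ... }` blocks.
# Assumption: the closing brace of each block starts its own line.
_RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# Only a quoted string literal counts as a statically known role.
_ROLE_RE = re.compile(r'^\s*role\s*=\s*"(?P<role>[^"]+)"', re.MULTILINE)


def parse_resources(hcl: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per resource block with its type, name and literal role (or None)."""
    resources = []
    for match in _RESOURCE_RE.finditer(hcl):
        role_match = _ROLE_RE.search(match.group("body"))
        resources.append({
            "type": match.group("type"),
            "name": match.group("name"),
            "role": role_match.group("role") if role_match else None,
        })
    return resources


def check_folder_basic_role(resource: Dict[str, Optional[str]]) -> str:
    """Evaluate a single resource: SKIPPED, UNKNOWN, FAILED or PASSED."""
    if resource["type"] not in FOLDER_IAM_RESOURCES:
        return "SKIPPED"          # not a folder-level IAM grant
    if resource["role"] is None:
        return "UNKNOWN"          # role is an expression; resolve it from the plan instead
    if resource["role"] in BASIC_ROLES:
        return "FAILED"           # basic role granted on a folder
    return "PASSED"


def scan_hcl(hcl: str) -> Dict[str, str]:
    """Map "type.name" to the check result for every resource block in the HCL text."""
    return {
        f'{r["type"]}.{r["name"]}': check_folder_basic_role(r)
        for r in parse_resources(hcl)
    }


# Constructed sample input: three folder-level grants and one project-level grant.
SAMPLE_HCL = '''
resource "google_folder_iam_binding" "wide_open" {
  folder  = "folders/000000000000"
  role    = "roles/editor"
  members = ["user:alice@example.com"]
}

resource "google_folder_iam_member" "scoped" {
  folder = "folders/000000000000"
  role   = "roles/logging.viewer"
  member = "user:bob@example.com"
}

resource "google_folder_iam_member" "from_variable" {
  folder = "folders/000000000000"
  role   = var.role
  member = "user:carol@example.com"
}

resource "google_project_iam_member" "project_scope" {
  project = "example-project"
  role    = "roles/owner"
  member  = "user:dave@example.com"
}
'''

if __name__ == "__main__":
    for address, result in scan_hcl(SAMPLE_HCL).items():
        print(f"{result:8} {address}")
```

Because a role supplied through a variable cannot be judged from the source file alone, the UNKNOWN result is the signal to run the same rule against the rendered plan (the page lists TerraformPlan as a supported framework), where the expression has been resolved to a concrete string.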
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0974 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_116 |