Ensure cloud member does not have elevated access.
Description
This policy checks whether cloud members are granted elevated access, specifically the 'admin' or 'editor' roles, through a yandex_resourcemanager_cloud_iam_binding or yandex_resourcemanager_cloud_iam_member resource. Roles bound at the cloud level are inherited by every folder and resource inside that cloud, so a single 'admin' or 'editor' binding gives the member the ability to read, modify, or delete resources across the whole cloud, far beyond what most tasks require. Restricting cloud-level bindings to roles with the minimum necessary privileges reduces the attack surface and limits the damage a compromised or misused account can cause.
Code Example
```terraform
# Compliant: a cloud-level binding that grants only the read-only "viewer"
# role. Setting role to "admin" or "editor" here would fail this check.
resource "yandex_resourcemanager_cloud_iam_binding" "example" {
  cloud_id = "your-cloud-id"
  role     = "viewer"
  members  = ["userAccount:your-user-id"]
}
```
Remediation
Assign cloud members roles with the least privilege their task requires (for example 'viewer' for read-only access) rather than 'admin' or 'editor'. Where write access is genuinely needed, grant it at the narrowest scope that works, such as an individual folder, instead of binding a broad role on the entire cloud.
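To make the check concrete, here is an added example (not Checkov's own implementation and not part of the original page) that re-implements the rule's logic over Terraform resource blocks already parsed into Python dictionaries. It assumes the attribute map is a plain dict of the values written in the .tf file; the constructed sample resources mirror the compliant block above plus non-compliant, unresolved-variable, and out-of-scope variants, which the page itself does not show.

```python
"""Minimal re-implementation of the CKV_YC_13 logic.

Added example, not Checkov's code. Input is a list of
(resource_type, name, attributes) tuples as a hypothetical HCL parser
would produce; attribute values are the literal strings from the .tf file.
"""

# Resource types the rule applies to (taken from the rule details on this page).
CLOUD_IAM_RESOURCES = {
    "yandex_resourcemanager_cloud_iam_binding",
    "yandex_resourcemanager_cloud_iam_member",
}

# Roles the rule treats as elevated at the cloud level (from the description).
ELEVATED_ROLES = {"admin", "editor"}


def check_cloud_member_not_elevated(resource_type, conf):
    """Return 'PASSED', 'FAILED', 'UNKNOWN', or None if the rule does not apply.

    A role given as an unresolved Terraform expression (a variable reference
    or interpolation) is reported as UNKNOWN rather than PASSED, because it
    could still resolve to 'admin' at plan time.
    """
    if resource_type not in CLOUD_IAM_RESOURCES:
        return None
    role = conf.get("role")
    if not isinstance(role, str):
        return "UNKNOWN"
    role = role.strip()
    if role.startswith("${") or role.startswith("var.") or role.startswith("local."):
        return "UNKNOWN"
    return "FAILED" if role in ELEVATED_ROLES else "PASSED"


def scan(resources):
    """Evaluate every applicable resource; keys are Terraform addresses."""
    results = {}
    for rtype, name, conf in resources:
        verdict = check_cloud_member_not_elevated(rtype, conf)
        if verdict is not None:
            results[f"{rtype}.{name}"] = verdict
    return results


# Constructed sample input: the page's compliant block, two failing variants,
# a role supplied via a variable, and a folder-level binding the rule ignores.
SAMPLE_RESOURCES = [
    ("yandex_resourcemanager_cloud_iam_binding", "example",
     {"cloud_id": "your-cloud-id", "role": "viewer",
      "members": ["userAccount:your-user-id"]}),
    ("yandex_resourcemanager_cloud_iam_binding", "admins",
     {"cloud_id": "your-cloud-id", "role": "admin",
      "members": ["userAccount:your-user-id"]}),
    ("yandex_resourcemanager_cloud_iam_member", "editor",
     {"cloud_id": "your-cloud-id", "role": "editor",
      "member": "serviceAccount:your-sa-id"}),
    ("yandex_resourcemanager_cloud_iam_member", "dynamic",
     {"cloud_id": "your-cloud-id", "role": "${var.role}",
      "member": "userAccount:your-user-id"}),
    ("yandex_resourcemanager_folder_iam_member", "folder_admin",
     {"folder_id": "your-folder-id", "role": "admin",
      "member": "userAccount:your-user-id"}),
]

if __name__ == "__main__":
    for address, verdict in scan(SAMPLE_RESOURCES).items():
        print(f"{verdict:8} {address}")
```

The folder-level resource is deliberately skipped because this rule is scoped to the two cloud-level resource types; a folder-scoped 'admin' binding is exactly the narrower grant the remediation recommends, and a separate policy would have to decide whether that is acceptable.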
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1346 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | yandex_resourcemanager_cloud_iam_binding, yandex_resourcemanager_cloud_iam_member |
| Checkov ID | CKV_YC_13 |