Ensure organization member does not have elevated access.
Description
This policy checks whether any organization members have elevated access in Yandex Cloud. Elevated access includes roles such as admin, editor, organization-manager.organizations.owner, and organization-manager.admin. It's essential to restrict these roles to only those who require them to minimize the risk of unauthorized access or malicious activities. By limiting elevated access, organizations can better protect their resources and data from potential security threats.
Code Example
```terraform
resource "yandex_organizationmanager_organization_iam_member" "example" {
  # organization_id is required by the resource; placeholder value
  organization_id = "some-organization-id"
  member_id       = "some-member-id"
  role            = "viewer"
}
```
Remediation
Ensure that organization members do not have elevated access by assigning them less privileged roles.
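The following is an added example, not code from the policy page or from Checkov itself: a small self-contained Python checker that applies this rule to a constructed Terraform snippet. It parses flat `resource` blocks with string attributes, considers only the two resource types listed under Rule Details, and reports any whose `role` is one of the elevated roles named in the description. The organization and member ids in the sample are constructed placeholders, and the parser is a deliberately minimal stand-in for a real HCL parser.

```python
import re

# Roles the policy treats as elevated (taken from the rule description).
ELEVATED_ROLES = {
    "admin",
    "editor",
    "organization-manager.organizations.owner",
    "organization-manager.admin",
}

# Resource types the rule applies to (taken from the Rule Details table).
CHECKED_RESOURCE_TYPES = {
    "yandex_organizationmanager_organization_iam_binding",
    "yandex_organizationmanager_organization_iam_member",
}

# Constructed sample input: one compliant member, one elevated member,
# one elevated binding, and an unrelated resource the rule must ignore.
SAMPLE_TF = '''
resource "yandex_organizationmanager_organization_iam_member" "viewer_only" {
  organization_id = "example-org-id"
  role            = "viewer"
  member_id       = "userAccount:example-user-1"
}

resource "yandex_organizationmanager_organization_iam_member" "too_much" {
  organization_id = "example-org-id"
  role            = "organization-manager.admin"
  member_id       = "userAccount:example-user-2"
}

resource "yandex_organizationmanager_organization_iam_binding" "editors" {
  organization_id = "example-org-id"
  role            = "editor"
  members         = ["userAccount:example-user-3"]
}

resource "yandex_vpc_network" "net" {
  name = "ignored-by-this-rule"
}
'''

# Matches a top-level resource block and captures its type, name and body.
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Matches simple `key = "string"` attributes inside a block body.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"(?P<value>[^"]*)"', re.MULTILINE)


def parse_resources(hcl: str):
    """Minimal parser for flat resource blocks with string attributes.

    Sufficient for this rule, which only needs the block type, its name
    and the `role` attribute. Nested blocks, lists and expressions are
    not interpreted (a list-valued `members` attribute is simply skipped).
    """
    resources = []
    for m in BLOCK_RE.finditer(hcl):
        attrs = {a.group("key"): a.group("value")
                 for a in ATTR_RE.finditer(m.group("body"))}
        resources.append((m.group("type"), m.group("name"), attrs))
    return resources


def check_elevated_access(hcl: str):
    """Return (resource_type, resource_name, role) for every organization
    IAM member or binding whose role is elevated; an empty list means the
    configuration passes the rule."""
    findings = []
    for rtype, rname, attrs in parse_resources(hcl):
        if rtype not in CHECKED_RESOURCE_TYPES:
            continue
        role = attrs.get("role")
        if role in ELEVATED_ROLES:
            findings.append((rtype, rname, role))
    return findings


if __name__ == "__main__":
    for rtype, rname, role in check_elevated_access(SAMPLE_TF):
        print(f"FAILED IAC-1354 / CKV_YC_21: {rtype}.{rname} grants role {role!r}")
```

Running the script prints one line per failing resource; on the sample it flags `too_much` and `editors` and stays silent about the `viewer` member and the VPC network. Keeping the elevated-role set and the resource-type set as data makes it easy to compare against the list in the description when the rule is updated.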
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1354 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | yandex_organizationmanager_organization_iam_binding, yandex_organizationmanager_organization_iam_member |
| Checkov ID | CKV_YC_21 |