Ensure folder member does not have elevated access.
Description
This policy checks whether a Yandex Cloud folder has members with elevated access, specifically the 'admin' or 'editor' roles. Elevated access can pose a security risk if not properly managed, as it grants excessive permissions to users or service accounts. It's essential to restrict access to the least privilege necessary to perform tasks. By ensuring that folder members do not have elevated access, organizations can reduce the risk of unauthorized data modifications or other security breaches.
Code Example
```terraform
# Compliant example: the folder member receives the read-only "viewer" role.
# Assigning "admin" or "editor" here would fail this check.
resource "yandex_resourcemanager_folder_iam_binding" "example" {
  folder_id = "your_folder_id"
  role      = "viewer"
  members   = ["userAccount:your_user_id"]
}
```
Remediation
Ensure that the folder member does not have the 'admin' or 'editor' role. Instead, assign a role with the least privilege necessary for the member to perform their tasks.
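The following is an added example, not Checkov's own implementation of CKV_YC_23, showing how this check can be expressed as a static scan over Terraform source: every `yandex_resourcemanager_folder_iam_binding` and `yandex_resourcemanager_folder_iam_member` block whose literal `role` is `admin` or `editor` is reported. The HCL parsing is a deliberately simplified regex that assumes `terraform fmt`-style output (blocks closed by `}` at column 0), and the sample configuration, folder ids and member ids are constructed placeholders. Roles given as variables or expressions are skipped because they cannot be decided statically.

```python
import re

# Roles this policy treats as elevated access on a folder.
ELEVATED_ROLES = {"admin", "editor"}

# Resource types that grant folder-level roles and are therefore in scope.
CHECKED_RESOURCES = {
    "yandex_resourcemanager_folder_iam_binding",
    "yandex_resourcemanager_folder_iam_member",
}

# Constructed sample configuration: one compliant binding, two violations,
# one unrelated resource. All ids are placeholders.
SAMPLE_TF = '''
resource "yandex_resourcemanager_folder_iam_binding" "ok" {
  folder_id = "folder-placeholder"
  role      = "viewer"
  members   = ["userAccount:user-placeholder"]
}

resource "yandex_resourcemanager_folder_iam_binding" "too_broad" {
  folder_id = "folder-placeholder"
  role      = "editor"
  members   = ["serviceAccount:sa-placeholder"]
}

resource "yandex_resourcemanager_folder_iam_member" "root_like" {
  folder_id = "folder-placeholder"
  role      = "admin"
  member    = "userAccount:user-placeholder"
}

resource "yandex_storage_bucket" "unrelated" {
  bucket = "bucket-placeholder"
}
'''

# Simplified HCL block matcher (assumption: block ends with "}" at column 0).
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Matches only a literal string role; variables/expressions are left unmatched.
ROLE_RE = re.compile(r'^\s*role\s*=\s*"(?P<role>[^"]*)"', re.MULTILINE)


def parse_resources(hcl_text):
    """Return (type, name, body) for each top-level resource block."""
    return [
        (m.group("type"), m.group("name"), m.group("body"))
        for m in RESOURCE_RE.finditer(hcl_text)
    ]


def check_folder_roles(hcl_text):
    """Return [(resource_address, role)] for every in-scope resource that
    grants an elevated folder role via a literal role string."""
    findings = []
    for rtype, name, body in parse_resources(hcl_text):
        if rtype not in CHECKED_RESOURCES:
            continue
        match = ROLE_RE.search(body)
        if match is None:
            # Role is not a literal (e.g. var.role): cannot decide statically.
            continue
        role = match.group("role")
        if role in ELEVATED_ROLES:
            findings.append((f"{rtype}.{name}", role))
    return findings


if __name__ == "__main__":
    for address, role in check_folder_roles(SAMPLE_TF):
        print(f"FAILED: {address} grants elevated folder role '{role}'")
```

Running the script against the constructed sample reports the `editor` binding and the `admin` member while passing the `viewer` binding; in a real pipeline the same function would be applied to each `.tf` file before `terraform apply`.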
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1356 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | yandex_resourcemanager_folder_iam_binding, yandex_resourcemanager_folder_iam_member |
| Checkov ID | CKV_YC_23 |