Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible.
Description
This policy checks whether a passport account (an individual Yandex ID user) is used as the principal in Yandex Cloud IAM bindings and members. Granting roles directly to passport accounts is a security risk: it tends to accumulate excessive, hard-to-audit permissions on individual users. Use service accounts and federated accounts instead where possible, so that access follows least privilege and is managed centrally. The check flags passport accounts in IAM configurations so the problem can be caught before it is deployed.
Code Example
```terraform
resource "yandex_resourcemanager_folder_iam_binding" "example" {
  folder_id = "your_folder_id"
  role      = "your_role"
  members   = ["serviceAccount:your_service_account_id"]
}
```
Remediation
Ensure that service accounts or federated accounts are used for assignment instead of passport accounts.
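The check described above, reimplemented as an added example (this is not Checkov's own code for CKV_YC_24). It assumes that Yandex Cloud IAM member strings carry the principal kind as a prefix and that a passport account is written `userAccount:<id>`; the resource types come from the Frameworks row below, and the sample HCL is constructed.

```python
import re

# Assumption (not stated on the page): Yandex Cloud IAM member strings carry the
# principal kind as a prefix; a passport (Yandex ID) account is "userAccount:<id>",
# while "serviceAccount:<id>" and "federatedUser:<id>" are the recommended kinds.
PASSPORT_PREFIX = "userAccount:"

# Resource types from the rule's "Frameworks" row.
_SCOPES = ("organizationmanager_organization", "resourcemanager_cloud", "resourcemanager_folder")
BINDING_TYPES = {f"yandex_{s}_iam_binding" for s in _SCOPES}
MEMBER_TYPES = {f"yandex_{s}_iam_member" for s in _SCOPES}

# Minimal extraction of resource blocks from flat HCL like the page's example; not a full parser.
_BLOCK = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_MEMBERS = re.compile(r'^\s*members\s*=\s*\[(.*?)\]', re.S | re.M)
_MEMBER = re.compile(r'^\s*member\s*=\s*"([^"]*)"', re.M)
_STR = re.compile(r'"([^"]*)"')

def members_of(resource_type, body):
    """Return the member strings an *_iam_binding (list) or *_iam_member (single) resource assigns."""
    if resource_type in BINDING_TYPES:
        m = _MEMBERS.search(body)
        return _STR.findall(m.group(1)) if m else []
    if resource_type in MEMBER_TYPES:
        m = _MEMBER.search(body)
        return [m.group(1)] if m else []
    return []  # other resource types are out of scope for this rule

def check_passport_accounts(hcl):
    """Map 'type.name' -> passport members found; an empty list means that resource passes."""
    results = {}
    for rtype, name, body in _BLOCK.findall(hcl):
        if rtype in BINDING_TYPES or rtype in MEMBER_TYPES:
            found = [x for x in members_of(rtype, body) if x.startswith(PASSPORT_PREFIX)]
            results[f"{rtype}.{name}"] = found
    return results

# Constructed sample: a compliant binding, a passport member, and a mixed binding.
SAMPLE_HCL = '''
resource "yandex_resourcemanager_folder_iam_binding" "ok" {
  role    = "viewer"
  members = ["serviceAccount:aje-example-sa"]
}
resource "yandex_resourcemanager_folder_iam_member" "passport" {
  member = "userAccount:aje-example-user"
}
resource "yandex_resourcemanager_cloud_iam_binding" "mixed" {
  members = ["federatedUser:aje-example-fed", "userAccount:aje-example-user2"]
}
'''
```

Running `check_passport_accounts(SAMPLE_HCL)` reports the `passport` and `mixed` resources as failing and the `ok` binding as passing; a non-empty list is the remediation target.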
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1357 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | yandex_organizationmanager_organization_iam_binding, yandex_organizationmanager_organization_iam_member, yandex_resourcemanager_cloud_iam_binding, yandex_resourcemanager_cloud_iam_member, yandex_resourcemanager_folder_iam_binding, yandex_resourcemanager_folder_iam_member |
| Checkov ID | CKV_YC_24 |