GCP Group Account has overly permissive access to resources in the project

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

Editor or Owner roles are highly permissive roles that existed prior to the introduction of IAM.

Rationale

Assigning the Editor or Owner role to a public Google group account grants them full control over all resources in the project. This includes the ability to create, modify, and delete resources across all services in the project. Using Google group accounts with Editor or Owner roles can lead to unauthorized access to sensitive resources and data due to not having full control over the group members.

Remediation

Datadog recommends using domain controlled Google group accounts with predefined roles or creating custom roles with the minimum required permissions for users to fulfill their function.

If you determine a public Google group account is required, consider the following: Remove the Editor or Owner role binding from the group account on the project resource and create a new role binding with the required permissions for the group account.