GCP Group Account has overly permissive access to resources in the project

Description

Editor or Owner roles are highly permissive roles that existed prior to the introduction of IAM.

Rationale

Assigning the Editor or Owner role to a public Google group account grants its members full control over all resources in the project. This includes the ability to create, modify, and delete resources across all services in the project. Because you do not have full control over who belongs to such a group, granting it the Editor or Owner role can lead to unauthorized access to sensitive resources and data.

Remediation

Datadog recommends using domain-controlled Google group accounts with predefined roles, or creating custom roles with the minimum permissions users need to fulfill their function.

If you determine a public Google group account is required, consider the following: Remove the Editor or Owner role binding from the group account on the project resource and create a new role binding with the required permissions for the group account.
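One way to audit a project for this condition, as an added example that is not Datadog's own detection code: the script walks an IAM policy in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, flags every `group:` member bound to Owner or Editor, and builds a copy of the policy with the chosen bindings removed. The sample policy, the `CONTROLLED_DOMAINS` set, and the function names are assumptions made for illustration.

```python
BASIC_ROLES = {"roles/owner", "roles/editor"}
# Assumption: domains whose Google groups your organization administers.
CONTROLLED_DOMAINS = {"example.com"}

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CONSTRUCTED-ETAG",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com", "group:contractors@googlegroups.com"]},
        {"role": "roles/editor",
         "members": ["group:platform-team@example.com", "group:Partners@GoogleGroups.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:contractors@googlegroups.com"]},
    ],
}


def find_risky_group_bindings(policy, controlled_domains=CONTROLLED_DOMAINS):
    """Return (role, member, domain_controlled) for each group holding Owner or Editor."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("group:"):
                # Compare the domain case-insensitively; keep the member string as written.
                domain = member.rsplit("@", 1)[-1].lower()
                findings.append((binding["role"], member, domain in controlled_domains))
    return findings


def without_bindings(policy, findings):
    """Copy of the policy with the flagged (role, member) pairs removed; empty bindings dropped."""
    drop = {(role, member) for role, member, _ in findings}
    bindings = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", []) if (b.get("role"), m) not in drop]
        if members:
            bindings.append({**b, "members": members})
    return {**policy, "bindings": bindings}


if __name__ == "__main__":
    for role, member, controlled in find_risky_group_bindings(SAMPLE_POLICY):
        label = "domain-controlled" if controlled else "public or external"
        print(f"{member} holds {role} ({label})")
```

Groups that still need access should receive a new binding with a predefined or custom role before the Owner or Editor binding is removed, so the change does not interrupt their work.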