This repository has been archived by the owner on Jun 5, 2023. It is now read-only.

IAM Scanner required roles #3794

Open
janmasarik opened this issue Aug 4, 2020 · 9 comments
Labels
Interrupts: Follow-up Needed Issues to triage or need followup by engineering assigned to interrupts. module: scanner

Comments

@janmasarik

Hey guys 👋 ,

Thanks for your amazing work! :-)

I tried to reach out to the community with a question regarding IAM rule creation, but the Slack link is expired, and I've received the following mail[1] from [email protected].

Is there any other way how to ask it? :-)

Thanks in advance!

[1]

Hello [email protected],

We're writing to let you know that the group you tried to contact (discuss) may not exist, or you may not have permission to post messages to the group. A few more details on why you weren't able to post:

 * You might have spelled or formatted the group name incorrectly.
 * The owner of the group may have removed this group.
 * You may need to join the group before receiving permission to post.
 * This group may not be open to posting.

If you have questions related to this or any other Google Group, visit the Help Center at https://support.google.com/a/forsetisecurity.org/bin/topic.py?topic=25838.

Thanks,

forsetisecurity.org admins
@auto-comment

auto-comment bot commented Aug 4, 2020

Thank you for opening an issue. Our team's interrupts engineer will review your issue shortly.

Issue Resolution:

  • [Interrupts Engineer] Triage / apply categorization labels
  • [Interrupts Engineer] Verify / Reproduce the reported issue
  • [Forseti Engineer] Perform root cause analysis
  • [Forseti Engineer] Add tasks and next steps to resolve this issue.

@gkowalski-google
Collaborator

Hi @janmasarik, thanks for letting us know about the Slack issue. I have not seen that error in regards to the email address, will look into it. You can also provide the issue details in this ticket and we can work on it.

@gkowalski-google gkowalski-google added the Interrupts: Follow-up Needed Issues to triage or need followup by engineering assigned to interrupts. label Aug 4, 2020
@janmasarik
Author

Hey @gkowalski-google, thanks a lot for super quick ack!

All right then, I'll copy-paste it here. :-)

I'm currently trying to find out how to write a policy to check if the given account contains only specified roles. Neither blacklist nor whitelist seems to be working for this use case, as the whitelist is essentially useless here, and in case of the blacklist, I would have to enumerate literally every role except the allowed ones.

I would appreciate any hint or confirmation that the blacklist approach is the only possible one. Attaching the snippet below.

```yaml
- name: Forbid permissive roles on default service accounts
  mode: whitelist  # but meaning "allow only the specified roles for the SA"
  resource:
    - type: organization
      applies_to: self_and_children
      resource_ids:
        - '*'
  inherit_from_parents: true
  bindings:
    - role: roles/monitoring.viewer
      members:
        - serviceAccount:*[email protected]
        - serviceAccount:*@appspot.gserviceaccount.com
    - role: roles/monitoring.metricWriter
      members:
        - serviceAccount:*[email protected]
        - serviceAccount:*@appspot.gserviceaccount.com
    - role: roles/logging.logWriter
      members:
        - serviceAccount:*[email protected]
        - serviceAccount:*@appspot.gserviceaccount.com
    - role: roles/cloudtrace.agent
      members:
        - serviceAccount:*[email protected]
        - serviceAccount:*@appspot.gserviceaccount.com
```

@gkowalski-google
Collaborator

@janmasarik The Forseti IAM scanner actually has a required mode which will do what you want: https://forsetisecurity.org/docs/latest/configure/scanner/rules.html#cloud-iam-policy-rules.

FYI this functionality is also available in Config Validator. Here is a sample policy that achieves the same thing. Forseti docs for how to migrate IAM policy to Config Validator.

Let me know if you need anything else.

@gkowalski-google gkowalski-google changed the title No way to reach community support IAM Scanner required roles Aug 6, 2020
@gkowalski-google gkowalski-google added this to the Forseti Operations milestone Aug 6, 2020
@gkowalski-google
Collaborator

@janmasarik Any luck? Let me know if you still need help. FYI the Slack link has been fixed on the website.

@janmasarik
Author

Hey @gkowalski-google,

Pardon my ignorance, but based on what I understood, the required mode would not check for additional roles that would be granted to default service accounts, which is exactly what we want to check.

I think matches from firewall rules would exactly fit our use-case here as we want to allow only specified roles for a given member (default service account(s)).

With that said, thanks for recommending Config Validator, and thanks again for your response! It's awesome to see such response time on a big project like this!:)

@janmasarik
Author

janmasarik commented Aug 17, 2020

Hey @gkowalski-google 👋 ,

I was wondering if my assumptions are correct or not. 😅

As far as I understand, this would require ~560 files[1] with Config Validator as you cannot specify multiple parameters in a single rule. This might be fairly inconvenient + should be updated when Google adds new roles:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: restrict_editor_on_default_sa
  annotations:
    description: Default service accounts should not have editor privileges
spec:
  severity: high
  match:
    target:
    - "organizations/**"
  parameters:
    mode: denylist
    role: roles/editor
    members:
      - serviceAccount:*[email protected]
      - serviceAccount:*@appspot.gserviceaccount.com
```

[1] current number of roles after listing `gcloud iam roles list | grep roles/ | wc -l`

@gkowalski-google
Collaborator

Hi @janmasarik, sorry for not looking more into this initially. Your assumptions are correct. I'm sorry that ability is not available in the Forseti IAM scanner and is currently blocked in Config Validator as well. In order to ensure that a service account matches a set list of roles, Config Validator would require referential constraints so that it would know all IAM bindings given to a service account and check for no additional roles. Config Validator currently works by scanning each asset/resource and seeing if it violates any of the constraints. In this way, it would not be able to check if a service account is assigned roles other than the ones you explicitly allow.

@janmasarik
Author

Understood, thank you @gkowalski-google!

Currently, the best workaround is probably to blacklist roles that we really care about, right? (such as Editor, Owner or Storage Admin)
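The check the thread concludes neither Forseti's IAM scanner nor Config Validator can express, "a default service account may hold only these roles", is easy to do outside those tools once you have the full policy in hand. The following is an added example, not Forseti or Config Validator code; it assumes the policy JSON shape produced by `gcloud projects get-iam-policy --format=json` and uses the allowed roles and the `*@appspot.gserviceaccount.com` member glob from the rule posted above (the sample policy is constructed).

```python
import fnmatch
import json

# Allowed roles for default service accounts, taken from the rule in the thread.
ALLOWED_ROLES = {
    "roles/monitoring.viewer",
    "roles/monitoring.metricWriter",
    "roles/logging.logWriter",
    "roles/cloudtrace.agent",
}
# Member globs identifying default service accounts ('*' wildcard as in Forseti rules).
DEFAULT_SA_PATTERNS = ["serviceAccount:*@appspot.gserviceaccount.com"]


def is_default_sa(member, patterns=DEFAULT_SA_PATTERNS):
    """True when the IAM member string matches one of the default-SA globs."""
    return any(fnmatch.fnmatchcase(member, p) for p in patterns)


def find_extra_roles(policy, allowed=ALLOWED_ROLES, patterns=DEFAULT_SA_PATTERNS):
    """Return sorted (member, role) pairs where a default SA holds a role that
    is NOT in the allowlist. Unlike a denylist, any role outside the list is a
    finding, so roles Google adds later are covered without editing the list."""
    violations = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if is_default_sa(member, patterns) and role not in allowed:
                violations.add((member, role))
    return sorted(violations)


# Constructed sample policy (assumed gcloud JSON shape); "my-project" is made up.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:my-project@appspot.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:my-project@appspot.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:my-project@appspot.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    # Expected: the appspot SA flagged for roles/editor and roles/storage.admin;
    # the user binding and the allowed logWriter binding are not reported.
    for member, role in find_extra_roles(SAMPLE_POLICY):
        print(f"VIOLATION {member} has non-allowed role {role}")
```

Run it over the real output of `gcloud projects get-iam-policy PROJECT_ID --format=json` for each project; because it inspects the whole policy at once, it does not need the referential constraints Config Validator lacks.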
