Excessive granting of GCP IAM permissions can allow attackers to exploit an organization’s cloud resources with malicious intent.

To prevent improper creation or deletion of resources after an account is compromised, proactive measures include both following GCP Security Insights and ensuring custom roles contain as few privileges as possible.

After gaining a foothold in the target infrastructure, sophisticated attacks typically consist of two major parts.
First, attackers must deploy new resources to carry out their malicious intent. To guard against this, operations teams must control what unexpectedly appears in the infrastructure, such as what is:

• added
• written down
• updated
• started
• appended
• applied
• accessed.

Once the malicious intent is executed, attackers must avoid detection at all costs.
To counter attackers' attempts to remove their fingerprints, operations teams must control what unexpectedly disappears from the infrastructure, such as what is:

• stopped
• disabled
• canceled
• deleted
• destroyed
• detached
• disconnected
• suspended
• rejected
• removed.

For operations teams to be resilient in this scenario, their organization must apply both:

• Detection security: log these actions to better detect malicious actions.
• Preventive security: review and limit granted permissions.

This rule raises an issue when a custom role grants a number of sensitive permissions (read-write or destructive permission) that is greater than a given parameter.

Ask Yourself Whether

• This custom role will be mostly used for read-only purposes.
• Compliance policies require read-only access.

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

To reduce the risks associated with this role after a compromise:

• Reduce the list of permissions to grant only those that are actually needed.
• Favor read-only over read-write.

Sensitive Code Example

This custom role grants more than 5 sensitive permissions:

resource "google_project_iam_custom_role" "example" {
  permissions = [ # Sensitive
    "resourcemanager.projects.create", # Sensitive permission
    "resourcemanager.projects.delete", # Sensitive permission
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create", # Sensitive permission
    "run.services.delete", # Sensitive permission
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.setIamPolicy",  # Sensitive permission
    "run.services.list",
    "run.services.update",  # Sensitive permission
  ]
}

Compliant Solution

This custom role grants less than 5 sensitive permissions:

resource "google_project_iam_custom_role" "example" {
  permissions = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "run.services.create",
    "run.services.delete",
    "run.services.get",
    "run.services.getIamPolicy",
    "run.services.list",
    "run.services.update",
  ]
}

See

• GCP Docs - Enforce least privilege with role recommendations
• GCP Docs - Security Insights
• CWE - CWE-668 - Exposure of Resource to Wrong Sphere