[GCP] Tools and templates to accelerate GC service delivery.
Document "Project Creator" and "Billing Account Creator" roles removal from default organization level IAM permissions - move to identity principals and reduce to viewer for restricted users by default #69
Users are able to create projects off the root of the organization and also create rogue billing accounts (with their own credit card) until these 2 roles are removed and redistributed among selected admins at selected org/folder levels.
This details removal of the default configuration on new GCP cloud accounts
Issue: by default all users have "Billing Account Creator" and "Project Creator" IAM roles via the organization - this needs to be reduced.
Watch permissions that are part of these roles - like groups viewer at the org level under "Project Creator" that are currently inherited and need to be re-distributed.
By default, non-admin or elevated identity principals (users and service accounts) should have these two roles assigned.
The default access for regular or restricted users should be viewer only
I recommend and will integrate the pre-req of cleaning out excess IAM permissions into the LZ (along the same lines as mitigating existing non-compliant services, like those in us-central for example), except that these 2 IAM roles are present in completely clean orgs.
Restricted user can create new projects
Create the project
Project created and available - this is an access-level overreach; project creation abilities should be reduced to project viewer.
Remove org level access
Wait a couple of minutes - no org level or billing access for new projects.
By default any restricted user that creates a project is the owner
See no access yet.
A project created normally via a separate elevated admin user - has reduced permissions for the restricted user
effect:
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/242
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/290
https://github.com/canada-ca/accelerators_accelerateurs-gcp/issues/69
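Added example (not code from this issue or the accelerator repo): a Python audit-and-remediate pass over an organization IAM policy in the JSON shape that `gcloud organizations get-iam-policy` returns. It reports which of the two default roles are still granted to the whole domain, then builds a policy with those domain-wide grants removed (named admin principals on the same roles are kept) and the domain left with roles/viewer, as the title proposes. The sample policy, domain, group and admin names are constructed placeholders.

```python
import copy

# Roles a new GCP organization grants to every identity in its domain by default.
DEFAULT_ORG_ROLES = {
    "roles/resourcemanager.projectCreator",  # "Project Creator"
    "roles/billing.creator",                 # "Billing Account Creator"
}

# Constructed sample in the shape of:
#   gcloud organizations get-iam-policy ORG_ID --format=json
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:admin@example.com"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["domain:example.com", "group:gcp-project-admins@example.com"]},
        {"role": "roles/billing.creator", "members": ["domain:example.com"]},
    ],
    "etag": "BwX-constructed-etag", "version": 1,
}


def find_domain_wide_grants(policy, domain):
    """Default creator roles still granted to every user in `domain`."""
    member = f"domain:{domain}"
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if b["role"] in DEFAULT_ORG_ROLES and member in b.get("members", []))


def harden_org_policy(policy, domain, grant_viewer=True):
    """Remove the domain-wide creator grants, keeping named admin principals,
    and (per the issue) leave regular users with roles/viewer only."""
    member = f"domain:{domain}"
    new = copy.deepcopy(policy)  # the caller's policy is left untouched
    kept = []
    for b in new.get("bindings", []):
        if b["role"] in DEFAULT_ORG_ROLES:
            b["members"] = [m for m in b.get("members", []) if m != member]
        if b.get("members"):  # a binding with no members left is dropped
            kept.append(b)
    if grant_viewer:
        viewer = next((b for b in kept if b["role"] == "roles/viewer"), None)
        if viewer is None:
            viewer = {"role": "roles/viewer", "members": []}
            kept.append(viewer)
        if member not in viewer["members"]:
            viewer["members"].append(member)
    new["bindings"] = kept  # write out and apply with: gcloud organizations set-iam-policy ORG_ID policy.json
    return new
```

The etag is carried through so the `set-iam-policy` call fails rather than overwriting a policy someone else changed in the meantime.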
Add editor
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/242