| Property | Value |
|---|---|
| Language | terraform |
| Severity | medium |
| Service | iam |
| Provider | Google |
| Vulnerability Type | misconfiguration |

Description

Granting users service account access at the project level allows them to impersonate any service account within the project. This broad permission bypasses the principle of least privilege and should be restricted to specific service accounts as needed.

Impact

If exploited, users can escalate privileges by impersonating any service account, potentially accessing sensitive resources or performing unauthorized actions across all services in the project, leading to loss of control and data exposure.

Resolution

Grant the role on the specific service account that needs to be impersonated rather than at the project level, and only where such access is actually required.
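The project-level binding this check flags next to its service-account-scoped replacement, as an added Terraform example that is not part of the original page; the project ID, service account name and user are placeholders:

```terraform
# Added example, not from the original page. "example-project", "app-runner"
# and "alice@example.com" are placeholder values.

resource "google_service_account" "app_runner" {
  account_id   = "app-runner"
  display_name = "Application runner"
  project      = "example-project"
}

# Flagged: roles/iam.serviceAccountUser bound at the project level lets alice
# impersonate every service account in the project, including accounts that
# hold far more privilege than app-runner. roles/iam.serviceAccountTokenCreator
# at this scope has the same effect and should be treated the same way.
resource "google_project_iam_member" "project_level_impersonation" {
  project = "example-project"
  role    = "roles/iam.serviceAccountUser"
  member  = "user:alice@example.com"
}

# Preferred: bind the same role on the one service account alice needs, so
# impersonation is scoped to app-runner only. Remove the project-level
# binding above once this one is in place.
resource "google_service_account_iam_member" "sa_level_impersonation" {
  service_account_id = google_service_account.app_runner.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:alice@example.com"
}
```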