Users should not be granted service account access at the organization level
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | iam |
| Provider | |
| Vulnerability Type | misconfiguration |
Description
Granting service account access at the organization level lets the grantee impersonate any service account in every project under that organization, because organization-level IAM bindings are inherited by all folders, projects and resources beneath it. This broad permission should be restricted to only the specific service accounts a user's role requires.
Impact
If exploited, users can escalate privileges and act as any service account within the organization, enabling unauthorized access to sensitive resources, data exfiltration, or disruption of services across all projects.
Resolution
Where impersonation is genuinely required, grant it on the individual service account (the service account's own IAM policy) rather than at the organization level.
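The check and the remediation described above, as an added example that is not part of the original page or of any scanner's own rule code. It assumes Google Cloud IAM (the organization/project/service-account terminology this rule uses) and works on the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` returns. The role names `roles/iam.serviceAccountUser`, `roles/iam.serviceAccountTokenCreator` and `roles/iam.workloadIdentityUser` are real GCP roles that confer impersonation; the organization policy, members and service account names are constructed placeholders.

```python
import json
from typing import Dict, List

# GCP roles that let a member act as (impersonate) a service account. Bound at
# the organization level, they are inherited by every project underneath, so
# the grantee can impersonate every service account in the organization.
IMPERSONATION_ROLES = frozenset({
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.workloadIdentityUser",
})

# Constructed sample of an organization IAM policy (the shape returned by
# `gcloud organizations get-iam-policy ORG_ID --format=json`). All identities
# and the etag are placeholders.
ORG_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["user:auditor@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:dev@example.com", "group:ci-team@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:deployer@proj-a.iam.gserviceaccount.com"],
     "condition": {"title": "placeholder", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXyZ-placeholder",
  "version": 3
}
"""


def find_org_level_impersonation(policy: dict) -> List[Dict[str, str]]:
    """Return one finding per (role, member) pair that grants org-wide impersonation.

    A binding carrying an IAM condition is still flagged: the condition narrows
    when the grant applies, not which service accounts it covers.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in IMPERSONATION_ROLES:
            continue
        conditioned = "condition" in binding
        for member in binding.get("members", []):
            findings.append({"role": role, "member": member,
                             "conditional": "yes" if conditioned else "no"})
    return findings


def remove_impersonation_bindings(policy: dict) -> dict:
    """Return a copy of the org policy with the impersonation bindings removed.

    The etag is preserved so that applying the copy with
    `gcloud organizations set-iam-policy ORG_ID policy.json` is rejected if the
    policy changed in the meantime, instead of silently overwriting that change.
    """
    cleaned = json.loads(json.dumps(policy))  # deep copy via round-trip
    cleaned["bindings"] = [
        b for b in cleaned.get("bindings", []) if b.get("role") not in IMPERSONATION_ROLES
    ]
    return cleaned


def scoped_grant_commands(findings: List[Dict[str, str]], service_account: str, project: str) -> List[str]:
    """Build the replacement grants: the same role, but on one named service account."""
    return [
        f"gcloud iam service-accounts add-iam-policy-binding {service_account} "
        f"--project={project} --member={f['member']} --role={f['role']}"
        for f in findings
    ]


def audit_org_policy(policy_text: str) -> dict:
    """Parse an org policy, list the offending grants and produce the cleaned policy."""
    policy = json.loads(policy_text)
    return {
        "findings": find_org_level_impersonation(policy),
        "cleaned_policy": remove_impersonation_bindings(policy),
    }


if __name__ == "__main__":
    result = audit_org_policy(ORG_POLICY_JSON)
    for f in result["findings"]:
        print(f"FAIL org-level {f['role']} granted to {f['member']} (conditional: {f['conditional']})")
    # Example remediation for one grantee that really needs one service account
    # (names are placeholders):
    for cmd in scoped_grant_commands(result["findings"][:1], "app@proj-a.iam.gserviceaccount.com", "proj-a"):
        print("REPLACE WITH:", cmd)
    print(json.dumps(result["cleaned_policy"], indent=2))
```

The audit only inspects the explicit impersonation roles; basic roles such as `roles/owner` and `roles/editor` also carry `iam.serviceAccounts.actAs` and deserve a separate check, and the cleaned policy should be reviewed before it is applied.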