Users should not be granted service account access at the folder level
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | IAM |
| Provider | |
| Vulnerability Type | misconfiguration |
Description
Granting users service account access at the folder level allows them to impersonate any service account within that folder, rather than limiting access to only necessary accounts. This broad permission increases the risk of unauthorized actions and privilege misuse.
Impact
If exploited, a user could escalate privileges or perform actions as any service account in the folder, potentially accessing sensitive resources, modifying infrastructure, or bypassing intended security controls across multiple projects.
Resolution
Where a user genuinely needs to act as a service account, grant the access on that individual service account rather than at the folder level.
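The following is an added example, not code from this page or its vendor: it audits a folder IAM policy in the Google Cloud policy JSON shape (assuming Google Cloud, since the page's folder and service account terms match that platform) for user-type principals holding service-account roles, and produces a cleaned copy of the policy. The set of roles treated as granting service-account access and the sample policy are assumptions constructed for the example.

```python
import json

# Added example (not from the original page). Roles treated as granting
# service-account access are an assumed set; sample policy is constructed.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.workloadIdentityUser",
}
# Member prefixes that denote human principals rather than workloads.
USER_PREFIXES = ("user:", "group:", "domain:", "allUsers", "allAuthenticatedUsers")


def find_folder_level_grants(policy: dict) -> list[tuple[str, str]]:
    """Return (member, role) pairs where a user-type principal holds a
    service-account role in a folder IAM policy (same JSON shape as
    `gcloud resource-manager folders get-iam-policy FOLDER --format=json`)."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in IMPERSONATION_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith(USER_PREFIXES):
                findings.append((member, role))
    return sorted(findings)


def strip_user_grants(policy: dict) -> dict:
    """Copy of the folder policy with user-type principals dropped from
    service-account roles. Re-grant each real need on the specific
    service account afterwards; 'etag' is preserved for the policy update."""
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    cleaned["bindings"] = []
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        if binding.get("role") in IMPERSONATION_ROLES:
            members = [m for m in members if not m.startswith(USER_PREFIXES)]
        if members:  # drop bindings that became empty
            cleaned["bindings"].append({"role": binding["role"], "members": members})
    return cleaned


# Constructed sample: one violating binding, one benign binding.
FOLDER_POLICY = json.loads("""{"etag": "BwX0", "bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["user:alice@example.com",
               "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["group:auditors@example.com"]}]}""")
```

Running `find_folder_level_grants` on the sample reports only the user binding on `roles/iam.serviceAccountUser`; the workload's own binding and the viewer grant are left untouched by `strip_user_grants`.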