Users should not be granted service account access at the folder level
Default Severity: medium
Explanation
Users with service account access at folder level can impersonate any service account. Instead, they should be given access to particular service accounts as required.
Possible Impact
Privilege escalation, impersonation of any/all services
Suggested Resolution
Provide access at the service-level instead of folder-level, if required
Insecure Example
The following example will fail the google-iam-no-folder-level-service-account-impersonation check.
resource "google_folder_iam_binding" "folder-123" {
folder = "folder-123"
role = "roles/iam.serviceAccountUser"
}
Secure Example
The following example will pass the google-iam-no-folder-level-service-account-impersonation check.
resource "google_folder_iam_binding" "folder-123" {
folder = "folder-123"
role = "roles/nothingInParticular"
}