TF 0050 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Users should not be granted service account access at the project level
Property | Value |
---|---|
Language | |
Severity | |
Service | iam |
Provider | google |
Vulnerability Type | misconfiguration |
Description
In Google Cloud, the roles that grant access to a service account (roles/iam.serviceAccountUser, which lets a principal attach to and act as the service account, and roles/iam.serviceAccountTokenCreator, which lets a principal mint tokens for it) are resource-scoped: they can be bound on an individual service account or on the project. Binding either role at the project level grants it on every service account in the project, including any created later, so the principal can impersonate all of them. This broad grant bypasses the principle of least privilege and should instead be bound on the specific service accounts a principal actually needs.
Impact
If such a principal is compromised or malicious, it can escalate privileges by impersonating the most privileged service account in the project, then read sensitive resources or perform unauthorized actions with that account's permissions across all services in the project, leading to loss of control and data exposure.
Resolution
Where the access is required at all, bind roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator on the individual service account (the service account's own IAM policy) rather than on the project, and only for the principals that need to act as that account. Review existing project-level bindings of these roles and move each one to the specific service account it is meant for.
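Added Terraform example (not from this page or the Symbiotic database) showing the project-level binding the check flags next to the service-account-level binding that replaces it; the project ID, service account name and member address are hypothetical placeholders.

```hcl
# Added example, not part of the original page. Project ID, account_id and
# member are hypothetical placeholders.

# BAD: binding roles/iam.serviceAccountUser on the project. The member can act
# as every service account in "example-project", including any created later.
resource "google_project_iam_member" "bad_project_level_sa_user" {
  project = "example-project"
  role    = "roles/iam.serviceAccountUser"
  member  = "user:alice@example.com"
}

resource "google_service_account" "deploy" {
  project      = "example-project"
  account_id   = "deploy-sa"
  display_name = "Deployment service account"
}

# GOOD: the same role bound on the one service account that the member needs
# to act as. Nothing is granted on any other service account in the project.
resource "google_service_account_iam_member" "good_sa_level_sa_user" {
  service_account_id = google_service_account.deploy.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:alice@example.com"
}

# The same applies to token creation: scope it to the account, not the project.
resource "google_service_account_iam_member" "good_sa_level_token_creator" {
  service_account_id = google_service_account.deploy.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "user:alice@example.com"
}
```

The same rule applies to `google_project_iam_binding` and `google_project_iam_policy` blocks that carry either role: the fix is to delete the project-level grant and add a `google_service_account_iam_member` (or `_binding`) per service account that genuinely needs it.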