Commit

Improve rationales
x4v13r64 committed Feb 13, 2020
1 parent e049394 commit 32abeee
Showing 2 changed files with 2 additions and 1 deletion.
@@ -1,6 +1,7 @@
{
"dashboard_name": "Bindings",
"description": "Primitive Role In Use",
"rationale": "<b>Description:</b><br><br>Primitive roles grant significant privileges. In most cases, usage of these roles is not recommended and does not follow security best practice.<br><br><b>Note: </b>This rule may flag Google-Managed Service Accounts. Google services rely on these Service Accounts having access to the project, and recommends not removing or changing the Service Account's role (see https://cloud.google.com/iam/docs/service-accounts#google-managed).<br><br><b>References:</b><ul><li>CIS Google Cloud Platform Foundations v1.0.0 1.4</li></ul>",
"path": "cloudresourcemanager.projects.id.bindings.id",
"conditions": [ "and",
[ "cloudresourcemanager.projects.id.bindings.id.name", "containAtLeastOneOf", ["owner", "editor", "viewer"] ]
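Review bot: In the "rationale" string, the note says "Google services rely on these Service Accounts having access to the project, and recommends not removing or changing the Service Account's role", where "recommends" has no agreeing subject; suggest "Google recommends not removing or changing the Service Account's role". The note also documents that the rule may flag Google-managed service accounts, while the visible condition only matches binding names against "owner", "editor" and "viewer"; if the collapsed part of "conditions" does not already exclude those accounts, consider filtering them there so the finding is not left for the reader to triage by hand. The rest of the string is HTML, so the bare https://cloud.google.com/iam/docs/service-accounts#google-managed URL would read better as a link.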
@@ -1,7 +1,7 @@
{
"dashboard_name": "Bindings",
"description": "Service Account with Admin Privileges",
"rationale": "<b>Description:</b><br><br>Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin rights gives full access to assigned application or a VM, ServiceAccount Access holder can user, so It's recommended not to have Admin rights.<br><br><b>References:</b><ul><li>CIS Google Cloud Platform Foundations v1.0.0 1.4</li></ul>",
"rationale": "<b>Description:</b><br><br>Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it. Enrolling Service Accounts with administrative privileges grants full access to assigned application or a VM, Service Account Access holder can user.<br><br><b>Note: </b>This rule may flag Google-Managed Service Accounts. Google services rely on these Service Accounts having access to the project, and recommends not removing or changing the Service Account's role (see https://cloud.google.com/iam/docs/service-accounts#google-managed).<br><br><b>References:</b><ul><li>CIS Google Cloud Platform Foundations v1.0.0 1.4</li></ul>",
"path": "cloudresourcemanager.projects.id.bindings.id",
"conditions": [ "and",
[ "or",
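Review bot: The replacement "rationale" still carries the broken clause "Service Account Access holder can user" from the old line, and it drops the old text's recommendation ("It's recommended not to have Admin rights") without putting one back, so the finding no longer tells the reader what to do. Suggest finishing or removing that clause, splitting the comma-spliced sentence before it, and restoring a one-sentence recommendation ahead of the note. The note is the same text added to the other rule in this commit, so the "and recommends" wording point applies here as well.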