Security command center reported the vulnerability " An unused permission" on user and service account and suggested to remediate accordingly to the IAM recommender.
On the popup window, there IAM recommender suggested to remove the unused and granted offending permission and add the less privilege roles to the user and service account.
After removing the overly granted permission, the scan dashboard still shows the vulnerabilities. Also to be sure on removing the role and binding to the service accounts and user, verified the user permission in the IAM and as well as gcloud command, it all confirming the excess and unused permission has been removed but security command center still stays or reporting the same case.
Solved! Go to Solution.
If I had to take a stab, its a matter of the observation period for the iam_recommendation that needs to be updated (since it thinks you still have the overly permissive permission)
https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview#observation-period
Updates should be close to real time, if the overly permissions were removed; however, there is a possibility of latency. Would it be possible to check in a few hours?
https://cloud.google.com/security-command-center/docs/concepts-scan-latency-overview#overview
Thank you Nelsonlam,
I was waiting for the updates on the security command center dashboard for 3 days. This is only happening for the event_type "iam_recommender", If I address or remediate for other types of vulnerabilities, its immediately updating the status in the Security command center. May be is there any schedule or pre-configuration for the security command center shows the latest updates, specially for "roles" updated in the IAM ?
If I had to take a stab, its a matter of the observation period for the iam_recommendation that needs to be updated (since it thinks you still have the overly permissive permission)
https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview#observation-period
LinkedIn
Twitter