GCP_CAN_SET_FOLDER_IAMPOLICY

Summary

FSProtect ACL Alias: GCP_CAN_SET_FOLDER_IAMPOLICY
GCP Alias: IAM & Hierarchy Control
Affected Object Types: Folders
Exploitation Certainty: Certain
Granting Roles: roles/owner, roles/resourcemanager.organizationAdmin, roles/resourcemanager.folderAdmin, roles/resourcemanager.folderIamAdmin, roles/iam.securityAdmin

Description

GCP_CAN_SET_FOLDER_IAMPOLICY indicates that an identity can call setIamPolicy on a GCP Folder. Folders are intermediate containers in the GCP resource hierarchy that sit between the Organization and Projects. A principal who can set IAM policy on a folder gains control over every project nested beneath that folder.

An attacker with this edge can grant themselves broad roles on the folder, which inherit down to all child projects and their resources. The blast radius depends on how many projects live under the targeted folder.

Key abuse scenarios:

  • Grant roles/owner to a controlled identity at folder scope, inheriting to all child projects.

  • Add a backdoor service account as roles/resourcemanager.folderAdmin for persistence.

  • Grant roles/iam.serviceAccountTokenCreator on service accounts scoped under the folder.

Identification

gcloud CLI

GCP Console

  1. Open GCP Console → IAM & Admin → IAM.

  2. Select the target Folder from the resource selector.

  3. Review all principals with Owner, Folder Admin, or Folder IAM Admin roles.

Exploitation

gcloud CLI

Compound path: Folder-level setIamPolicy → grant roles/iam.serviceAccountTokenCreator on all service accounts under the folder's projects → impersonate high-privilege SAs.

Mitigation

  1. Limit folder IAM admin roles to dedicated admin accounts with MFA enforced.

  2. Use Privileged Access Manager for just-in-time elevation of folder-scoped roles.

  3. Apply constraints/iam.allowedPolicyMemberDomains at the org level to prevent granting access to external identities.

  4. Regularly audit folder IAM policies:

Detection

Log Type: Admin Activity
Method: SetIamPolicy
Key Fields: resource.type=folder, methodName=SetIamPolicy

Alert on:

  • SetIamPolicy calls on folder resources.

  • New bindings adding roles/owner, roles/resourcemanager.folderAdmin, or roles/resourcemanager.folderIamAdmin.
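The two alert conditions above, written out as an added detection example that is not part of the original page: a small Python detector run over constructed newline-delimited Admin Activity log entries. It assumes the audit entry shape where binding changes appear under protoPayload.serviceData.policyDelta.bindingDeltas (adjust the path if your log export records the delta elsewhere); folder ids and principals in the sample are constructed.

```python
import json

# Roles the Detection section says should alert when newly bound at folder scope.
SENSITIVE_FOLDER_ROLES = {
    "roles/owner",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.folderIamAdmin",
}


def folder_setiampolicy_findings(entry):
    """Return findings for one Admin Activity audit log entry (a dict).

    Any SetIamPolicy on a folder yields a MEDIUM finding; each ADD of a
    sensitive role in that same call yields an additional HIGH finding.
    """
    if entry.get("resource", {}).get("type") != "folder":
        return []
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    folder = payload.get("resourceName", "<unknown>")
    findings = [{"severity": "MEDIUM", "actor": actor, "folder": folder,
                 "reason": "SetIamPolicy on folder"}]
    # Assumption: binding changes are recorded under serviceData.policyDelta.bindingDeltas.
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    for delta in deltas:
        if delta.get("action") == "ADD" and delta.get("role") in SENSITIVE_FOLDER_ROLES:
            findings.append({"severity": "HIGH", "actor": actor, "folder": folder,
                             "reason": f"added {delta['role']} to {delta.get('member')}"})
    return findings


def scan_log_lines(lines):
    """Run the detector over newline-delimited JSON audit log entries."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(folder_setiampolicy_findings(json.loads(line)))
    return findings


# Constructed sample entries (not real logs): a folder-level owner grant, then a
# project-level SetIamPolicy that the folder detector must ignore.
SAMPLE_LOG = """
{"resource": {"type": "folder"}, "protoPayload": {"methodName": "SetIamPolicy", "resourceName": "folders/123456789012", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:alice@example.com"}, {"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"}]}}}}
{"resource": {"type": "project"}, "protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/demo-project", "authenticationInfo": {"principalEmail": "dev@example.com"}}}
"""
```

Running `scan_log_lines(SAMPLE_LOG.splitlines())` yields two findings for the folder entry (MEDIUM for the call itself, HIGH for the roles/owner ADD) and nothing for the project entry; the roles/viewer ADD is deliberately not escalated.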

References

  • https://cloud.google.com/resource-manager/docs/access-control-folders
