When Identity and Access Management (IAM) permissions are not sufficiently isolated using the structure provided by the Google Cloud Platform (GCP), the results could be disastrous. Ideally, if you must provide a service account with permissions at a Folder or Organization level, the service account should be created in its own project, which is well insulated from external traffic and contains multiple layers of protection.
For example, a GCP project that contains externally exposed workloads and also has a service account with permissions at the Organization level is something that should never occur in your environment. This situation could allow an att