← all rules
iac/iam/iam-gcp-primitive-owner
GCP primitive role roles/owner granted
highCloud IAMiac-iam
What it detects
`roles/owner` is a primitive role that grants full control of the project, including IAM and billing. Google explicitly recommends predefined or custom roles over primitive ones.
Remediation
Replace `roles/owner` with the least-privilege predefined role(s) the identity actually needs.
How it runs
Run against JSON/YAML/source files. AWS IAM rules require a policy-document context (Statement + Effect); GCP primitive roles are matched anywhere. HCL is left to the Terraform layer.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.