Service account was used within the configured maximum unused period

iam_service_account_unused

Severity: medium
Service: iam
by Prowler

Google Cloud service accounts are evaluated for recent usage within a configurable window (default 180 days) using usage telemetry.

The check reports which accounts show activity in that window and which have no observed use in it.

Risk

Dormant but permissioned service accounts threaten confidentiality and integrity via:

  • Impersonation/privilege escalation through stale roles or leaked keys
  • Lateral movement and persistent access

They also weaken accountability, obscuring audit trails when reactivated unnoticed.

Run this check with Prowler CLI

prowler gcp --checks iam_service_account_unused

Recommendation

Apply least privilege and reduce attack surface:

  • Verify inactivity, then disable and later delete unused accounts
  • Revoke role bindings and keys; favor short-lived impersonation over keys
  • Avoid powerful defaults; enforce separation of duties
  • Continuously monitor usage and alert on dormancy

Remediation

CLI

gcloud auth print-access-token --impersonate-service-account=<SERVICE_ACCOUNT_EMAIL>

Other
  1. In the Google Cloud console, open the IAM Service Account Credentials API reference for "GenerateAccessToken" and click "Try this method" (APIs Explorer)
  2. Set name to: projects/-/serviceAccounts/<SERVICE_ACCOUNT_EMAIL>
  3. Add scope: https://www.googleapis.com/auth/cloud-platform
  4. Click Execute (use an identity with roles/iam.serviceAccountTokenCreator on the service account)
  5. The generated token records recent usage for the service account, changing the finding to PASS

Resource Type

iam.googleapis.com/ServiceAccount
