Granting service-account roles at the folder level lets the member impersonate every service account in every project beneath that folder. Instead, grant access only to the particular service accounts that are required.
Privilege escalation: impersonation of any or all service accounts under the folder.
Grant the role on the individual service accounts that need it, rather than at the folder level.
The following example will fail the google-iam-no-folder-level-service-account-impersonation check.
The following example will pass the google-iam-no-folder-level-service-account-impersonation check.
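As an added illustration (not the check's own fixture code), the Terraform below shows a folder-level binding of the kind this check flags, followed by the per-service-account binding that replaces it; the organization ID, project ID and member address are placeholders.

```hcl
# Folder and project used by both bindings; IDs are placeholders.
resource "google_folder" "team" {
  display_name = "team"
  parent       = "organizations/000000000000"
}

resource "google_project" "app" {
  name       = "app"
  project_id = "example-app-project"
  folder_id  = google_folder.team.name
}

# FAILS the check: roles/iam.serviceAccountUser granted on the folder lets
# the member act as every service account in every project under it.
# Granting roles/iam.serviceAccountTokenCreator at folder scope has the
# same effect (minting tokens for any service account).
resource "google_folder_iam_binding" "folder_sa_user" {
  folder  = google_folder.team.name
  role    = "roles/iam.serviceAccountUser"
  members = ["user:jane@example.com"]
}

# PASSES the check: the same role is scoped to the single service account
# the member actually needs to act as.
resource "google_service_account" "deployer" {
  account_id   = "ci-deployer"
  display_name = "CI deployer"
  project      = google_project.app.project_id
}

resource "google_service_account_iam_member" "deployer_user" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:jane@example.com"
}
```

Removing the `google_folder_iam_binding` block and keeping only the service-account-scoped binding is the change that turns the failing configuration into the passing one.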