
Google Cloud Security Tips #1: IAM Recommender

January 18, 2023
Written by
Joshua Jebaraj

Table of Contents:

  1. Identification of Obsolete Permissions
  2. Prediction of Future Permissions
  3. What is Outside the Purview of IAM Recommender?
  4. Final Words

What is IAM Recommender?

Every time you grant permission to a user to perform a specific task on Google Cloud resources, that's one more loose end waiting to be exploited. You might not revoke access, expecting the user to need it for another task in the near future, but each new permission is a new threat vector for attackers to exploit. 

All it takes is one compromise of that user's account, and there go your Google Cloud resources like a house of cards! So, every outdated permission must be handled appropriately to safeguard cloud resources against potential compromise.

This is where the Identity and Access Management (IAM) Recommender comes in like a knight in shining armor. IAM Recommender is a machine-learning policy tool created to help you stop permissions from becoming threats, and its function is two-pronged:

  1. Identification of obsolete permissions
  2. Prediction of future permissions

A French resource-management firm, Veolia Group, which manages over 87,000 projects on Google Cloud, has stated that IAM Recommender helped them reduce 1.2 million permissions across production in an initial cleanup exercise that secured over 1,000 user and service accounts. This has helped reduce the chance of a potential data breach. 

Identification of Obsolete Permissions

IAM Recommender looks at all your current access policies and permissions, and identifies the ones that are obsolete or haven’t been used in a long time. It studies your usage patterns over time and recommends which unused permissions are better revoked. 

At any given time, IAM Recommender uses the previous 90 days of permissions usage on your cloud to determine what policies are unnecessary.

Prediction of Future Permissions

With IAM Recommender reviewing your last 90 days of logs, every permission that has not been used in a while is brought to your attention, but that's not all. It also uses machine learning to predict which permissions may be required in the near future. This way, even if a permission has not been used in the past 90 days, a study of ongoing projects and resource usage lets IAM Recommender predict that the user should retain that access.

Want to learn Google Cloud security? Try out our brand-new courses with hands-on labs now.

What is Outside the Purview of IAM Recommender?

There are a few things outside the scope of the Google Cloud IAM Recommender. It pays to learn about them so that you can be wary of what the recommendations are not considering in their study. Here's all that the IAM Recommender does not consider:

  • Role grants at the organization or folder level
  • Role grants that are conditional
  • Access controls separate from IAM
  • Role grants below the project level on intra-project service-specific resources 
  • Role grants applicable for service accounts managed by Google

Barring the exceptions above, IAM Recommender can thoroughly study usage patterns and make well-informed recommendations on user permissions. IAM Recommender is founded on the principle of least privilege, meaning users keep only the permissions they actually need. It never makes a recommendation that would increase a user's level of access.

It’s important to note that this is only a recommendation tool. IAM Recommender can’t remove permissions of its own accord. You can act on a recommendation to remove unwanted, old permissions and reduce potential risks to your cloud resources, or, if you find a recommendation irrelevant, you are free to dismiss it.
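To make the "recommendation only" workflow concrete, here is an added example (not from the article, and not Google's code) that dry-runs a REPLACE_ROLE recommendation against a copy of a project's IAM policy, shows the member's roles before and after, and checks the least-privilege property stated above: the recommendation grants no member a role without also removing one from them. The recommendation and policy shapes follow the Recommender and Resource Manager API JSON as I understand them; the field names are an assumption, and the members and roles are invented placeholders.

```python
import copy
ROLE, MEMBER = "/iamPolicy/bindings/*/role", "/iamPolicy/bindings/*/members/*"

# Constructed sample (not from the article) in the shape of `gcloud recommender recommendations list
# --recommender=google.iam.policy.Recommender --format=json`; members and roles are invented placeholders.
SAMPLE_RECOMMENDATION = {
    "recommenderSubtype": "REPLACE_ROLE", "priority": "P2", "stateInfo": {"state": "ACTIVE"},
    "content": {"operationGroups": [{"operations": [
        {"action": "add", "path": "/iamPolicy/bindings/*/members/-", "value": "user:alice@example.com",
         "pathFilters": {"/iamPolicy/bindings/*/condition/expression": "",
                         ROLE: "roles/storage.objectViewer"}},
        {"action": "remove", "path": MEMBER,
         "pathFilters": {"/iamPolicy/bindings/*/condition/expression": "",
                         MEMBER: "user:alice@example.com", ROLE: "roles/editor"}}]}]}}

# Constructed project IAM policy, as `gcloud projects get-iam-policy --format=json` prints it.
SAMPLE_POLICY = {"bindings": [{"role": "roles/editor", "members": ["user:alice@example.com", "user:bob@example.com"]},
                              {"role": "roles/viewer", "members": ["group:auditors@example.com"]}]}

def apply_recommendation(policy, rec):
    """Return a copy of `policy` with the recommendation applied; the input is untouched (dry run)."""
    new = copy.deepcopy(policy)
    for op in (o for g in rec["content"]["operationGroups"] for o in g["operations"]):
        role = op["pathFilters"][ROLE]
        # An empty condition/expression filter means only unconditional bindings are targeted.
        matches = [b for b in new["bindings"] if b["role"] == role and not b.get("condition")]
        if op["action"] == "remove":
            for b in matches:
                b["members"] = [m for m in b["members"] if m != op["pathFilters"][MEMBER]]
            new["bindings"] = [b for b in new["bindings"] if b["members"]]  # drop emptied bindings
        elif op["action"] == "add":
            if not matches:  # no binding for the narrower role yet: create one
                matches.append({"role": role, "members": []})
                new["bindings"].append(matches[0])
            if op["value"] not in matches[0]["members"]:
                matches[0]["members"].append(op["value"])
    return new

def roles_for(policy, member):
    """Sorted roles bound to `member`, for diffing access before and after a recommendation."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])

def added_without_removal(rec):
    """Check the 'never increases access' property: members an add grants without a matching remove."""
    flagged = []
    for group in rec["content"]["operationGroups"]:
        removed = {o["pathFilters"][MEMBER] for o in group["operations"] if o["action"] == "remove"}
        flagged += [(o["value"], o["pathFilters"][ROLE]) for o in group["operations"]
                    if o["action"] == "add" and o["value"] not in removed]
    return flagged
```

Running the dry run over a real `recommendations list` export before claiming and applying a recommendation gives reviewers a before/after diff of each member's roles, and any non-empty result from `added_without_removal` is worth a second look before you apply it.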

Here’s how to learn Google Cloud security

There’s far more to Google Cloud security than Identity & Access Management (IAM). From cloud storage security to logging and monitoring, you have a whole host of controls you can tune for optimal results.

But the best way to learn anything in cloud security is with hands-on exercises. AppSecEngineer’s courses feature labs in real-world GCP environments and security scenarios.

If you want to dive deeper into IAM in GCP, check out our Google Cloud IAM Essentials course. It’s packed with video lessons, hands-on labs, and more.

For even more courses on Google Cloud security, check out our full learning path.

Joshua Jebaraj

Joshua Jebaraj is the Creator of GCP-Goat. He works as Security Researcher at we45 focusing on cloud and cloud-native security. He has 3+ years of experience working related to containers and Kubernetes. He has also spoken at conferences like Defcon, Owasp-Seasides, Bsides-Delhi, and Eko-party. When AFK, he can be found watching movies and making memes.

