Every permission you grant a user to perform a specific task on Google Cloud resources is one more loose end waiting to be exploited. It is tempting not to revoke access, expecting the user to need it again soon, but every standing permission is another path an attacker can take.
All it takes is one compromise of that user's account, and there go your Google Cloud resources like a house of cards. So every outdated permission must be dealt with to keep your cloud resources from becoming an easy target.
This is where the Identity and Access Management (IAM) Recommender comes in like a knight in shining armor. A machine-learning policy tool built to stop stale permissions from turning into threats, IAM Recommender's function is two-pronged: it spots the permissions you have granted but are not using, and it works out which of those you are still likely to need.
Veolia Group, a French resource-management firm that runs more than 87,000 projects on Google Cloud, has stated that IAM Recommender helped it remove 1.2 million permissions across production in an initial cleanup exercise that tightened access for over 1,000 user and service accounts, reducing the chance of a data breach.
IAM Recommender looks at your current IAM policies and identifies the role bindings whose permissions are obsolete or have not been used in a long time. It studies usage patterns over time and recommends which unused permissions are better revoked.
At any given time, IAM Recommender bases its recommendations on the previous 90 days of permission usage in your project.
With the last 90 days of logs reviewed, every permission that has gone unused in that window is brought to your attention, but that's not all. IAM Recommender also uses machine learning to predict which permissions are likely to be needed in the near future. So even if a permission has not been used in the past 90 days, an analysis of ongoing projects and resource usage can lead the Recommender to conclude that the user should keep access for that task.
There are a few things outside the scope of the Google Cloud IAM Recommender. It pays to learn what they are, so you know what the recommendations are not taking into account. Here is everything the IAM Recommender does not consider:
Barring these exceptions, IAM Recommender can thoroughly study usage patterns and make well-informed recommendations about user permissions. It is built around the principle of least privilege: users keep only the access they actually need. It does not make recommendations that would increase a user's level of access.
It's important to note that this is only a recommendation tool. IAM Recommender cannot remove permissions of its own accord; you review each recommendation and decide whether to apply it, removing the stale permission and shrinking your attack surface, or to dismiss it as irrelevant. Before applying one, check whether the principal is used for infrequent jobs (quarterly reports, disaster-recovery drills) that would not show up inside a 90-day window.
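The review step above (read the recommendations, confirm each one only narrows access, then apply or dismiss it) is where a script earns its keep. The following is an added example, not code from the original post or from Google. It assumes the JSON shape that the Recommender API returns for `google.iam.policy.Recommender`, with a REMOVE_ROLE recommendation (a binding unused for 90 days), a REPLACE_ROLE recommendation (a broad role swapped for a narrower one) and one already-dismissed record; the project id `demo-proj`, the principals, etags and recommendation names are constructed for the example.

```python
"""Triage Google Cloud IAM Recommender output offline.

Added example, not code from the original post or from Google. The sample is
CONSTRUCTED to mirror the shape the Recommender API returns for
google.iam.policy.Recommender (what `gcloud recommender recommendations list
--project=PROJECT --location=global --recommender=google.iam.policy.Recommender
--format=json` prints); project, principals, etags and names are made up.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

PROJECT_RES = "//cloudresourcemanager.googleapis.com/projects/demo-proj"
REC_PREFIX = ("projects/111111111111/locations/global/recommenders/"
              "google.iam.policy.Recommender/recommendations/")
SA = "serviceAccount:deploy@demo-proj.iam.gserviceaccount.com"
ROLE_KEY, MEMBER_KEY = "/iamPolicy/bindings/*/role", "/iamPolicy/bindings/*/members/*"

SAMPLE_RECOMMENDATIONS = json.dumps([
    {   # REMOVE_ROLE: owner binding unused for 90 days, no predicted need
        "name": REC_PREFIX + "aaaa-1111", "recommenderSubtype": "REMOVE_ROLE",
        "priority": "P2", "etag": '"e1"', "stateInfo": {"state": "ACTIVE"},
        "content": {"operationGroups": [{"operations": [
            {"action": "remove", "resource": PROJECT_RES, "path": MEMBER_KEY,
             "pathFilters": {ROLE_KEY: "roles/owner", MEMBER_KEY: "user:alice@example.com"}},
        ]}]},
    },
    {   # REPLACE_ROLE: editor is far broader than what the SA actually used
        "name": REC_PREFIX + "bbbb-2222", "recommenderSubtype": "REPLACE_ROLE",
        "priority": "P4", "etag": '"e2"', "stateInfo": {"state": "ACTIVE"},
        "content": {"operationGroups": [{"operations": [
            {"action": "remove", "resource": PROJECT_RES, "path": MEMBER_KEY,
             "pathFilters": {ROLE_KEY: "roles/editor", MEMBER_KEY: SA}},
            {"action": "add", "resource": PROJECT_RES, "path": "/iamPolicy/bindings/*/members/-",
             "pathFilters": {ROLE_KEY: "roles/storage.objectViewer"}, "value": SA},
        ]}]},
    },
    {   # Dismissed in the console as irrelevant: must be skipped, not re-applied
        "name": REC_PREFIX + "cccc-3333", "recommenderSubtype": "REMOVE_ROLE",
        "priority": "P4", "etag": '"e3"', "stateInfo": {"state": "DISMISSED"},
        "content": {"operationGroups": []},
    },
])


@dataclass
class ProposedChange:
    recommendation: str
    subtype: str
    project: str
    member: str
    remove_role: Optional[str]
    add_role: Optional[str]


def parse_recommendations(raw: str) -> List[ProposedChange]:
    """Flatten each ACTIVE recommendation into one (member, old role, new role)."""
    changes = []
    for rec in json.loads(raw):
        if rec["stateInfo"]["state"] != "ACTIVE":
            continue  # claimed, succeeded or dismissed: nothing left to do
        project = member = remove_role = add_role = None
        for group in rec["content"]["operationGroups"]:
            for op in group["operations"]:
                project = op["resource"].rsplit("/", 1)[1]
                if op["action"] == "remove":
                    remove_role = op["pathFilters"][ROLE_KEY]
                    member = op["pathFilters"][MEMBER_KEY]
                elif op["action"] == "add":
                    add_role, member = op["pathFilters"][ROLE_KEY], op["value"]
        changes.append(ProposedChange(rec["name"], rec["recommenderSubtype"],
                                      project, member, remove_role, add_role))
    return changes


def only_reduces_access(change: ProposedChange) -> bool:
    """Guard for the least-privilege promise: a recommendation may drop a role or
    swap it for another, but never grant a role without taking one away. Proving
    the new role's permissions are a subset of the old one's needs
    `gcloud iam roles describe` on both and is left to the human reviewer."""
    if change.remove_role is None:
        return False
    return change.add_role is None or change.add_role != change.remove_role


def gcloud_commands(change: ProposedChange) -> List[str]:
    """gcloud calls that apply an approved change. For a swap, grant the narrower
    role before revoking the broad one so the principal never loses access it
    still uses part-way through."""
    if not only_reduces_access(change):
        raise ValueError(f"refusing to render access-widening change {change.recommendation}")
    cmds = []
    if change.add_role:
        cmds.append(f"gcloud projects add-iam-policy-binding {change.project} "
                    f"--member={change.member} --role={change.add_role}")
    cmds.append(f"gcloud projects remove-iam-policy-binding {change.project} "
                f"--member={change.member} --role={change.remove_role}")
    return cmds


if __name__ == "__main__":
    for c in parse_recommendations(SAMPLE_RECOMMENDATIONS):
        print(f"{c.subtype}: {c.member}")
        for cmd in gcloud_commands(c):
            print("   ", cmd)
```

Against real output, replace `SAMPLE_RECOMMENDATIONS` with the string returned by the `gcloud recommender recommendations list` call named in the docstring. Once a change has been applied, record that fact with `gcloud recommender recommendations mark-claimed` and then `mark-succeeded` (both take the same `--project`, `--location` and `--recommender` flags plus the record's `etag`), so the recommendation leaves the ACTIVE state and the next run of this script skips it, exactly as it skips the dismissed record in the sample.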
There’s way more to Google Cloud security than Identity & Access Management (IAM). From cloud storage security, to logging and monitoring, you have a whole host of controls you can tweak for optimal results.
But the best way to learn anything in cloud security is with hands-on exercises. AppSecEngineer’s courses feature labs in real-world GCP environments and security scenarios.
If you want to dive deeper into IAM in GCP, check out our Google Cloud IAM Essentials course. It’s packed with video lessons, hands-on labs, and more.
For even more courses on Google Cloud security, check out our full learning path.
Joshua Jebaraj is the creator of GCP-Goat. He works as a Security Researcher at we45, focusing on cloud and cloud-native security, and has 3+ years of experience working with containers and Kubernetes. He has also spoken at conferences including Defcon, Owasp-Seasides, Bsides-Delhi, and Eko-party. When AFK, he can be found watching movies and making memes.