GCP IAM
About
Monitoring your GCP IAM configuration and policies is vital to a secure setup. This recipe monitors for several rules and best practices recommended by GCP and industry leaders.
Security
Access via Official Email only
Users should have access via their official corporate email ID, not a personal one.
KMS User Separation
Ensuring that no user has both the KMS admin role and any of the CryptoKey roles follows separation of duties, where no user has access to resources outside the scope of their duties.
User managed service account with no admin privileges
Ensure that user managed service accounts do not have any admin, owner, or write privileges. Service accounts are primarily used for API access to Google. It is recommended not to grant admin access to service accounts.
Service Account Key Rotation
Service account keys should be rotated periodically.
Service Account Managed Keys
Service account keys should be managed by Google to ensure that they are as secure as possible, including key rotations and restrictions to the accessibility of the keys.
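The two key rules above (rotation and Google-managed keys) can be checked from the output of `gcloud iam service-accounts keys list --iam-account=SA --format=json`. The script below is an added example, not code from this page or from Cloudanix: the records mirror the ServiceAccountKey fields that command prints (name, keyType, validAfterTime, validBeforeTime), the sample keys and the reference date are constructed, and the 90-day rotation window is an assumed organisational policy.

```python
"""Service account key checks: Google-managed vs user-managed keys, and key age.

Each record mirrors the ServiceAccountKey resource printed by
`gcloud iam service-accounts keys list --iam-account=SA --format=json`.
SAMPLE_KEYS and REFERENCE_NOW are constructed; MAX_KEY_AGE is an assumption.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumption: organisational rotation policy
REFERENCE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed date for the sample

SAMPLE_KEYS = [  # constructed sample, not real keys
    {"name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/aaaa1111",
     "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-10T12:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/bbbb2222",
     "keyType": "USER_MANAGED",
     "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/cccc3333",
     "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-03-20T00:00:00Z", "validBeforeTime": "2024-04-05T00:00:00Z"},
]


def parse_rfc3339(ts):
    """Parse the Zulu timestamps the API returns into aware UTC datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id(key):
    """Last path segment of the resource name is the key id."""
    return key["name"].rsplit("/", 1)[-1]


def user_managed_keys(keys):
    """Service Account Managed Keys rule: every USER_MANAGED key is a finding,
    because only SYSTEM_MANAGED keys get Google's automatic rotation."""
    return [key_id(k) for k in keys if k["keyType"] == "USER_MANAGED"]


def key_age_days(key, now=None):
    now = now or datetime.now(timezone.utc)
    return (now - parse_rfc3339(key["validAfterTime"])).days


def is_stale(key, now=None, max_age=MAX_KEY_AGE):
    """A USER_MANAGED key older than max_age needs rotation; Google rotates SYSTEM_MANAGED keys."""
    now = now or datetime.now(timezone.utc)
    return key["keyType"] == "USER_MANAGED" and now - parse_rfc3339(key["validAfterTime"]) > max_age


def stale_keys(keys, now=None, max_age=MAX_KEY_AGE):
    """Service Account Key Rotation rule: ids of user-managed keys past the rotation window."""
    return [key_id(k) for k in keys if is_stale(k, now, max_age)]


def rotation_report(keys, now=None):
    """Per-key summary suitable for a compliance report."""
    return {
        key_id(k): {"keyType": k["keyType"],
                    "age_days": key_age_days(k, now),
                    "stale": is_stale(k, now)}
        for k in keys
    }


if __name__ == "__main__":
    import json
    print(json.dumps(rotation_report(SAMPLE_KEYS, REFERENCE_NOW), indent=2))
```

Run it against real output by loading the JSON from the gcloud command in place of SAMPLE_KEYS; keys with a far-future validBeforeTime (9999-12-31) are the user-managed ones that never expire on their own and therefore depend on this kind of check.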
Service Account Separation
Ensuring that no user has both roles follows separation of duties, where no user should have access to resources outside the scope of their duties.
Service Account User
Ensures that no users have the Service Account User role. The Service Account User role gives users access to all service accounts in a project, which can result in an elevation of privileges and is not recommended.
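The binding-based rules above (Access via Official Email only, KMS User Separation, User managed service account with no admin privileges, Service Account Separation, and Service Account User) all reduce to questions about who holds which roles in the project IAM policy, so one script can check them together. This is an added example, not code from this page or from Cloudanix: it reads the `bindings` list that `gcloud projects get-iam-policy PROJECT --format=json` returns, the sample policy is constructed, the corporate domain list is an assumption, and since the page does not name the two roles in the Service Account Separation rule, pairing Service Account Admin with Service Account User is my assumption.

```python
"""IAM-binding checks over a project IAM policy.

Policy shape: the `bindings` list ({role, members}) from
`gcloud projects get-iam-policy PROJECT --format=json`. SAMPLE_POLICY is
constructed; CORPORATE_DOMAINS and the SA Admin + SA User pairing are assumptions.
"""
from collections import defaultdict

CORPORATE_DOMAINS = {"example.com"}  # assumption: approved identity domains

KMS_ADMIN_ROLE = "roles/cloudkms.admin"
KMS_CRYPTOKEY_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}
SA_ADMIN_ROLE = "roles/iam.serviceAccountAdmin"
SA_USER_ROLE = "roles/iam.serviceAccountUser"
PRIMITIVE_WRITE_ROLES = {"roles/owner", "roles/editor"}

SAMPLE_POLICY = {  # constructed sample, not a real project
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [
            "user:bob@gmail.com",
            "serviceAccount:deployer@demo-project.iam.gserviceaccount.com",
            "serviceAccount:123456-compute@developer.gserviceaccount.com"]},
        {"role": "roles/cloudkms.admin", "members": ["user:carol@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [
            "user:carol@example.com",
            "serviceAccount:app@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountAdmin", "members": ["user:dave@example.com"]},
        {"role": "roles/iam.serviceAccountUser", "members": ["user:dave@example.com"]},
    ]
}


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    index = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            index[member].add(binding["role"])
    return index


def non_corporate_users(policy):
    """Access via official email only: user: members outside CORPORATE_DOMAINS."""
    return sorted(
        m for m in roles_by_member(policy)
        if m.startswith("user:") and m.split("@", 1)[-1].lower() not in CORPORATE_DOMAINS
    )


def kms_separation_violations(policy):
    """KMS user separation: members holding KMS admin plus any CryptoKey role."""
    return sorted(
        m for m, roles in roles_by_member(policy).items()
        if KMS_ADMIN_ROLE in roles and roles & KMS_CRYPTOKEY_ROLES
    )


def is_user_managed_service_account(member):
    """Project-created (PROJECT.iam.gserviceaccount.com) and default (developer/appspot)
    accounts are user-managed; Google-managed service agents are named service-*."""
    if not member.startswith("serviceAccount:"):
        return False
    email = member.split(":", 1)[1]
    if email.startswith("service-"):
        return False
    return email.endswith((".iam.gserviceaccount.com",
                           "@developer.gserviceaccount.com",
                           "@appspot.gserviceaccount.com"))


def privileged_service_accounts(policy):
    """User-managed service accounts holding owner/editor or any *admin role."""
    hits = []
    for member, roles in roles_by_member(policy).items():
        if not is_user_managed_service_account(member):
            continue
        bad = {r for r in roles if r in PRIMITIVE_WRITE_ROLES or r.lower().endswith("admin")}
        if bad:
            hits.append((member, sorted(bad)))
    return sorted(hits)


def service_account_separation_violations(policy):
    """Service account separation: members holding both SA Admin and SA User (assumed pairing)."""
    return sorted(
        m for m, roles in roles_by_member(policy).items()
        if SA_ADMIN_ROLE in roles and SA_USER_ROLE in roles
    )


def service_account_user_grants(policy):
    """Service Account User: any member granted roles/iam.serviceAccountUser project-wide."""
    return sorted(m for m, roles in roles_by_member(policy).items() if SA_USER_ROLE in roles)


def run_checks(policy):
    return {
        "non_corporate_users": non_corporate_users(policy),
        "kms_separation": kms_separation_violations(policy),
        "privileged_service_accounts": privileged_service_accounts(policy),
        "sa_separation": service_account_separation_violations(policy),
        "sa_user_grants": service_account_user_grants(policy),
    }


if __name__ == "__main__":
    for name, result in run_checks(SAMPLE_POLICY).items():
        print(f"{name}: {result}")
```

Note that these checks only see project-level bindings; roles granted on individual service accounts, folders or the organisation are not in this policy document and need the same logic run over those resources' policies.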
Project Ownership Logging
Ensures that logging and log alerts exist for project ownership assignments and changes. Project ownership is the highest level of privilege on a project, so any change in project ownership should be closely monitored to prevent unauthorized changes.
Audit Logging Enabled
Ensures that default audit logging is enabled on the project. The default audit logs should be configured to log all admin activities and all write and read access to data for all services. In addition, no exempted members should be added to the audit configuration, so that all audit logs are delivered.
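The Audit Logging Enabled rule is a check on the `auditConfigs` section of the project IAM policy. The script below is an added example, not code from this page or from Cloudanix: it reads the auditConfigs structure that `gcloud projects get-iam-policy PROJECT --format=json` returns, and both sample policies are constructed. Admin Activity logs are always written and cannot be turned off, so the configurable part of the rule is the three Data Access log types (ADMIN_READ, DATA_READ, DATA_WRITE) on `allServices`, plus the absence of exempted members anywhere.

```python
"""Audit-logging check over the auditConfigs section of a project IAM policy.

auditConfigs is a list of {service, auditLogConfigs: [{logType, exemptedMembers?}]}
as returned by `gcloud projects get-iam-policy PROJECT --format=json`.
Both sample policies are constructed.
"""
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

COMPLIANT_POLICY = {  # constructed: all three data access types on, no exemptions
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "ADMIN_READ"},
                             {"logType": "DATA_READ"},
                             {"logType": "DATA_WRITE"}]},
    ]
}

NONCOMPLIANT_POLICY = {  # constructed: DATA_READ missing by default, exemptions present
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [
             {"logType": "ADMIN_READ"},
             {"logType": "DATA_WRITE", "exemptedMembers": ["user:bob@example.com"]}]},
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [
             {"logType": "DATA_READ", "exemptedMembers": ["group:analysts@example.com"]}]},
    ]
}


def audit_logging_findings(policy):
    """Return findings for the Audit Logging Enabled rule; an empty list means compliant."""
    findings = []
    configs = policy.get("auditConfigs", [])
    default = next((c for c in configs if c.get("service") == "allServices"), None)
    if default is None:
        findings.append("no default (allServices) audit configuration")
        enabled = set()
    else:
        enabled = {c.get("logType") for c in default.get("auditLogConfigs", [])}
    for missing in sorted(REQUIRED_LOG_TYPES - enabled):
        findings.append(f"{missing} not enabled for allServices")
    # Exemptions on the default or on any per-service override remove principals
    # from the audit trail, so every exemptedMembers entry is a finding.
    for cfg in configs:
        for log_cfg in cfg.get("auditLogConfigs", []):
            for member in log_cfg.get("exemptedMembers", []):
                findings.append(f"{cfg.get('service')}/{log_cfg.get('logType')} exempts {member}")
    return findings


def is_compliant(policy):
    return not audit_logging_findings(policy)


if __name__ == "__main__":
    for label, policy in (("compliant", COMPLIANT_POLICY), ("noncompliant", NONCOMPLIANT_POLICY)):
        print(label, audit_logging_findings(policy) or "OK")
```

Remediation is a policy edit: add the three logType entries under an `allServices` auditConfig, drop any exemptedMembers, and apply the file with `gcloud projects set-iam-policy PROJECT policy.json`.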
Audit Configuration Logging
Ensures that logging and log alerts exist for audit configuration changes. Project ownership is the highest level of privilege on a project, and any change in audit configuration should be closely monitored to prevent unauthorized changes.
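The two logging rules (Project Ownership Logging and Audit Configuration Logging) are normally implemented as logs-based metrics with alerting policies on top; the same conditions can be expressed as detection logic over exported audit log entries, which is useful for testing a filter before deploying it. The script below is an added example, not code from this page or from Cloudanix: the entries mimic Cloud Audit Log records for `SetIamPolicy` calls on `cloudresourcemanager.googleapis.com`, where the change appears under `protoPayload.serviceData.policyDelta` (`bindingDeltas` for role grants, `auditConfigDeltas` for audit configuration), all sample entries are constructed, and the two filter strings are the logs-based-metric filters I would pair with this logic, not text from the page.

```python
"""Detection logic for project ownership and audit configuration changes.

Entries mimic Cloud Audit Log records for cloudresourcemanager SetIamPolicy calls.
SAMPLE_ENTRIES is constructed; the two filter strings are assumptions.
"""
OWNER_ROLE = "roles/owner"

# Logs-based metric filters (assumption) for the two alerting rules.
OWNER_CHANGE_FILTER = (
    'protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND '
    'protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner" AND '
    '(protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" OR '
    'protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE")'
)
AUDIT_CONFIG_CHANGE_FILTER = (
    'protoPayload.methodName="SetIamPolicy" AND '
    'protoPayload.serviceData.policyDelta.auditConfigDeltas:*'
)


def _set_iam_entry(actor, project, delta):
    """Build a constructed SetIamPolicy audit log entry."""
    return {
        "protoPayload": {
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": actor},
            "serviceData": {"policyDelta": delta},
        },
        "resource": {"type": "project", "labels": {"project_id": project}},
    }


SAMPLE_ENTRIES = [  # constructed
    _set_iam_entry("alice@example.com", "demo-project", {"bindingDeltas": [
        {"action": "ADD", "role": "roles/owner", "member": "user:mallory@gmail.com"}]}),
    _set_iam_entry("alice@example.com", "demo-project", {"bindingDeltas": [
        {"action": "ADD", "role": "roles/viewer", "member": "user:erin@example.com"}]}),
    _set_iam_entry("bob@example.com", "demo-project", {"auditConfigDeltas": [
        {"action": "REMOVE", "service": "allServices", "logType": "DATA_READ"}]}),
    {"protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "carol@example.com"}},
     "resource": {"type": "gce_instance", "labels": {"project_id": "demo-project"}}},
]


def policy_delta(entry):
    return entry.get("protoPayload", {}).get("serviceData", {}).get("policyDelta", {})


def owner_binding_changes(entry):
    """Project Ownership Logging: owner role added to or removed from any member."""
    return [
        (d["action"], d["member"])
        for d in policy_delta(entry).get("bindingDeltas", [])
        if d.get("role") == OWNER_ROLE and d.get("action") in ("ADD", "REMOVE")
    ]


def audit_config_changes(entry):
    """Audit Configuration Logging: any auditConfigDeltas carried by a SetIamPolicy call."""
    if entry.get("protoPayload", {}).get("methodName") != "SetIamPolicy":
        return []
    return policy_delta(entry).get("auditConfigDeltas", [])


def evaluate(entries):
    """One alert per matching entry, carrying actor, project and the deltas."""
    alerts = []
    for entry in entries:
        proto = entry.get("protoPayload", {})
        actor = proto.get("authenticationInfo", {}).get("principalEmail")
        project = entry.get("resource", {}).get("labels", {}).get("project_id")
        owner = owner_binding_changes(entry)
        if owner:
            alerts.append({"rule": "project_ownership_change", "actor": actor,
                           "project": project, "changes": owner})
        audit = audit_config_changes(entry)
        if audit:
            alerts.append({"rule": "audit_config_change", "actor": actor,
                           "project": project, "changes": audit})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_ENTRIES):
        print(alert)
```

In production the filter constants would be passed to `gcloud logging metrics create`, with an alerting policy on the resulting counter; the in-process functions let you replay exported log JSON to confirm the filter catches exactly the owner grants/removals and audit config edits it should.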
Operational Maturity
Service Limits
Determines if the number of resources is close to the per-account limit. Google limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching.
Sources
https://www.cloudanix.com/recipelist/gcp/gcpiamcompliance
https://cloud.google.com/logging/docs/logs-based-metrics
https://cloud.google.com/logging/docs/audit/