Google Cloud Platform Security Checklist : Part 1/7 — Identity and Access Management (IAM)

Hassene BELGACEM
Google Cloud - Community
5 min read · Apr 12, 2023
IAM Security

Welcome to the first installment of our GCP Security Best Practices series! In this article, we will focus on Identity and Access Management (IAM), a foundational aspect of securing your Google Cloud Platform (GCP) infrastructure.

By the end of this article, you will have a solid understanding of how to implement and maintain a secure IAM strategy in GCP, providing a strong foundation for the other security measures we will discuss in the subsequent articles of this series.

Definition

Identity and Access Management (IAM) in Google Cloud Platform (GCP) is a service that helps you manage access control by defining who (identity) has what access (role) to which resources within your GCP projects. With IAM, you can ensure that only authorized users, groups, and service accounts have access to specific resources and services, thus improving the security and governance of your cloud infrastructure.

Best Practices Checklist

1. Never use personal accounts

Personal accounts lack the robust security features offered by Google Identity, such as two-factor authentication, single sign-on, and security key enforcement. This makes personal accounts more susceptible to unauthorized access, phishing, and data breaches.

Detection Policy: Here is a Cloud Custodian rule for detecting the use of personal accounts:

policies:
  - name: detect-personal-emails-used
    resource: gcp.project
    mode:
      type: gcp-audit
      methods:
        - google.iam.admin.v1.SetIamPolicy
    filters:
      - type: iam-policy
        doc:
          # Count "user:" members whose domain is neither the corporate domain
          # (placeholder: organization.com) nor a Google service-account domain.
          # A value filter compares the whole member list at once, so the
          # per-member test is done inside the jmespath expression.
          key: "length(bindings[*].members[] | [?starts_with(@, 'user:') && !ends_with(@, '@organization.com') && !ends_with(@, 'gserviceaccount.com')])"
          op: gt
          value: 0

2. Enforce MFA for all users

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to provide additional proof of identity beyond just a password. This reduces the risk of unauthorized access due to compromised credentials or phishing attacks.

Detection Policy: Already supported in Security Command Center (SCC) Standard mode, so no need to use Cloud Custodian for this.

3. Ensure Security Key enforcement for admin accounts

Admin accounts are high-value targets for attackers as they typically have elevated privileges and can access sensitive information and critical systems. By enforcing Security Key usage for admin accounts, you can ensure that only authorized individuals can access the systems and data, even if their password is compromised.

Detection Policy: Cloud Custodian currently lacks support for Cloud Identity. However, we are actively developing an extension to address this limitation, which is expected to be available in the coming weeks.

4. Disable Unused Service Accounts

Unused service accounts with unnecessary permissions may provide an entry point for attackers if the associated credentials are compromised. Disabling these accounts reduces the potential attack surface and mitigates risks associated with unauthorized access.

Detection Policy: Here is a Cloud Custodian rule for detecting unused service accounts:

policies:
  - name: detect-unused-service-accounts
    resource: gcp.service-account
    mode:
      type: gcp-periodic
      schedule: "0 3 * * *"
    filters:
      # No authentication events in the last 30 days: the metric is absent,
      # so missing-value (-1) is compared against value (-1).
      - type: metrics
        name: iam.googleapis.com/service_account/authn_events_count
        value: -1
        days: 30
        missing-value: -1
        op: eq
        aligner: ALIGN_SUM

5. Delete Unused Service Accounts Keys

Service accounts can have access to critical resources and permissions to perform specific actions on them. Therefore, leaving unused or unnecessary service account keys active can pose a significant security risk.

An attacker who gains access to an unused service account key can potentially use it to access sensitive data or resources, leading to data breaches, loss of confidential information, and financial loss.

Detection Policy: Here is a Cloud Custodian rule for detecting unused service account keys:

policies:
  - name: detect-unused-service-account-keys
    resource: gcp.service-account-key
    mode:
      type: gcp-periodic
      schedule: "0 3 * * *"
    filters:
      # Only user-managed keys; Google-rotated SYSTEM_MANAGED keys are skipped.
      - type: value
        key: keyType
        value: SYSTEM_MANAGED
        op: ne
      # Key has produced no authentication events in the last 30 days.
      - type: metrics
        name: iam.googleapis.com/service_account/key/authn_events_count
        value: -1
        days: 30
        missing-value: -1
        op: eq
        aligner: ALIGN_SUM

6. Set session length for Cloud Console and CLI

When a user logs into the Cloud Console or CLI, a session is established, and the user is granted access to the cloud resources based on their role and permissions. If the session is left open indefinitely, it can increase the risk of unauthorized access, particularly if the user leaves their workstation unattended or if their device is lost or stolen.

By setting a session length, you can enforce an automatic logout after a certain period of inactivity, which reduces the risk of unauthorized access if the user forgets to log out or leaves their device unattended. This can help ensure that only authorized individuals can access the cloud resources and that any suspicious activities are detected and addressed promptly.

Detection Policy: Cloud Custodian currently lacks support for Cloud Identity. However, we are actively developing an extension to address this limitation, which is expected to be available in the coming weeks.

Work in progress

7. Limit the number of admin accounts (Organisation Admin, Network Admin…)

Admin accounts are typically granted elevated privileges and permissions that enable the account holder to perform critical actions, such as managing user accounts, accessing sensitive data, and configuring system settings. However, having too many admin accounts increases the risk of insider threats, such as malicious insiders abusing their privileges or unauthorized access by compromised accounts.

By limiting the number of admin accounts, you reduce the attack surface and minimize the risk of unauthorized access to critical systems and data. It is best practice to assign admin privileges to only the necessary individuals who require it for their job roles and to monitor their activities regularly.

policies:
  - name: detect-iam-admin-account-limit
    resource: gcp.project
    mode:
      type: gcp-audit
      methods:
        - google.iam.admin.v1.SetIamPolicy
    filters:
      - type: iam-policy
        doc:
          # Flag a policy change that binds any of the listed admin roles.
          key: bindings[*].role
          op: intersect
          value:
            - roles/owner
            - roles/editor
            - roles/resourcemanager.folderAdmin
            - roles/resourcemanager.organizationAdmin
            - roles/billing.admin
            # extend with the other admin roles you want to cap

8. Grant roles to a group instead of to individual users

By using group-based role assignments, you can ensure that all members of a group have the same level of access to resources. This consistency makes it easier to manage and audit access controls, reducing the chance of unauthorized access or privilege escalation.

policies:
  - name: detect-users-with-assigned-roles
    resource: gcp.project
    mode:
      type: gcp-audit
      methods:
        - google.iam.admin.v1.SetIamPolicy
    filters:
      - type: iam-policy
        doc:
          # Any binding member that is an individual "user:" rather than a "group:".
          key: "length(bindings[*].members[] | [?starts_with(@, 'user:')])"
          op: gt
          value: 0

9. Avoid the use of Basic IAM Roles

The principle of least privilege suggests that users should be granted only the permissions necessary to perform their tasks. Using basic IAM roles makes it challenging to adhere to this principle, as they provide wide-ranging access, which can lead to users having more permissions than they need.

policies:
  - name: detect-basic-iam-roles-assignment
    resource: gcp.project
    mode:
      type: gcp-audit
      methods:
        - google.iam.admin.v1.SetIamPolicy
    filters:
      - type: iam-policy
        doc:
          # Flag a policy change that binds any of the three basic roles.
          key: bindings[*].role
          op: intersect
          value:
            - roles/owner
            - roles/editor
            - roles/viewer
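The same binding-level checks from items 1, 7, 8 and 9, run offline in Python over a constructed policy in the JSON shape that `gcloud projects get-iam-policy` returns. This is an added example, not code from the article or from Cloud Custodian; the corporate domain example.com, the admin cap of 2 and the sample bindings are assumed placeholders.

```python
import json
import re

# Constructed sample in the JSON shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json` (not real data).
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob@gmail.com"]},
    {"role": "roles/editor", "members": ["group:devs@example.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:ci@proj.iam.gserviceaccount.com"]},
    {"role": "roles/compute.networkAdmin", "members": ["user:carol@example.com"]}
  ]
}""")

CORP_DOMAIN = "example.com"   # assumed corporate domain (placeholder)
MAX_ADMINS = 2                # assumed cap on distinct admin principals
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
ADMIN_ROLES = {"roles/owner", "roles/editor", "roles/billing.admin",
               "roles/resourcemanager.folderAdmin", "roles/compute.networkAdmin",
               "roles/resourcemanager.organizationAdmin"}


def is_personal_account(member, corp_domain=CORP_DOMAIN):
    """Check 1: a 'user:' member whose domain is neither the corporate one
    nor a Google service-account domain (same regex as the Custodian rule)."""
    pattern = (rf"^user:.+@(?!{re.escape(corp_domain)}|.+gserviceaccount\.com)"
               r"(.+\.[a-zA-Z]{2,}$)")
    return re.match(pattern, member) is not None


def audit_iam_policy(policy, corp_domain=CORP_DOMAIN, max_admins=MAX_ADMINS):
    """Run checks 1, 7, 8 and 9 over one project policy; returns findings by check."""
    findings = {"personal-account": [], "basic-role": [],
                "user-binding": [], "too-many-admins": []}
    admin_principals = set()
    for binding in policy.get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        if role in BASIC_ROLES:                               # check 9
            findings["basic-role"].append(role)
        for member in members:
            if member.startswith("user:"):                    # check 8
                findings["user-binding"].append(f"{role} -> {member}")
            if is_personal_account(member, corp_domain):      # check 1
                findings["personal-account"].append(member)
            if role in ADMIN_ROLES:                           # check 7
                admin_principals.add(member)
    if len(admin_principals) > max_admins:
        findings["too-many-admins"].append(f"{len(admin_principals)} admin principals exceed limit of {max_admins}")
    return findings
```

Each Custodian rule above fires on one condition; this script reports all four at once so the findings can be compared against what the rules would flag.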

Conclusion

As we conclude our first article in the GCP Security Best Practices series, it’s important to emphasize that a robust and well-implemented Identity and Access Management (IAM) strategy is the cornerstone of securing your Google Cloud Platform (GCP) infrastructure. By effectively managing users, groups, and service accounts, as well as assigning appropriate roles and permissions, you can ensure that your resources and services are accessible only by authorized individuals.

As you continue to secure your GCP infrastructure, remember that the journey doesn't end with IAM. In the next article of this series, we will look into the Key Management System (KMS), an essential component of data security in the cloud.

Originally published at https://hassene.belgacem.io .


Cloud Architect | Trainer. Here, I share my thoughts and experience on topics like cloud computing and cybersecurity. https://www.linkedin.com/in/hassene-belgacem