GCP IAM Compliance

Protect your GCP account and secure your cloud workloads with these recipes

The following GCP IAM checks are performed at a configurable frequency.

Access via Official Email only

Users should have access via their official corporate email ID, not a personal ID.

Addresses: Security

KMS User Separation

Ensures that no user holds both the KMS Admin role and any of the CryptoKey roles. This follows the separation-of-duties principle, under which no user should have access to resources outside the scope of their duty.

Addresses: Security

User managed service account with no admin privileges

Ensures that user managed service accounts do not have any admin, owner, or write privileges. Service accounts are primarily used for API access to Google; granting them admin access is not recommended.

Addresses: Security

Service Account Key Rotation

Service account keys should be rotated periodically.

Addresses: Security

Service Account Managed Keys

Service account keys should be managed by Google to ensure that they are as secure as possible, including key rotations and restrictions to the accessibility of the keys.

Addresses: Security
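The key rotation and managed-keys checks above, implemented as an added example (not the product's own code) over the JSON that `gcloud iam service-accounts keys list --iam-account=SA --format=json` returns. Each key carries `name`, `keyType` (`USER_MANAGED` or `SYSTEM_MANAGED`) and `validAfterTime` (RFC 3339). The key list, the clock value `NOW` and the 90-day maximum age are constructed assumptions; the page does not state a rotation interval.

```python
"""Service-account key checks (added example; not the product's own code).
Input: the list returned by
`gcloud iam service-accounts keys list --iam-account=SA --format=json`.
SAMPLE_KEYS, NOW and MAX_KEY_AGE_DAYS are constructed assumptions."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; the page gives no number

SAMPLE_KEYS = [
    {"name": "projects/p/serviceAccounts/app@p.iam.gserviceaccount.com/keys/aaa",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-05-01T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/app@p.iam.gserviceaccount.com/keys/bbb",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-01-10T12:00:00Z"},
    {"name": "projects/p/serviceAccounts/app@p.iam.gserviceaccount.com/keys/ccc",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-05-20T08:30:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


def parse_rfc3339(s):
    """Parse the Z-suffixed timestamps the API returns into aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def user_managed_keys(keys):
    """Managed-keys check: every USER_MANAGED key is a finding, because only
    Google-managed keys get automatic rotation and restricted accessibility."""
    return [k["name"] for k in keys if k.get("keyType") == "USER_MANAGED"]


def stale_keys(keys, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Rotation check: user-managed keys older than the allowed age.
    Returns (key name, age in days) pairs."""
    now = now or datetime.now(timezone.utc)
    limit = timedelta(days=max_age_days)
    stale = []
    for k in keys:
        if k.get("keyType") != "USER_MANAGED":
            continue  # Google rotates system-managed keys itself
        age = now - parse_rfc3339(k["validAfterTime"])
        if age > limit:
            stale.append((k["name"], age.days))
    return stale


if __name__ == "__main__":
    print("user-managed keys:", user_managed_keys(SAMPLE_KEYS))
    print("stale keys:", stale_keys(SAMPLE_KEYS, NOW))
```

Key age is measured from `validAfterTime` because the API exposes no separate creation timestamp; the timestamps are compared as timezone-aware values so the check behaves the same regardless of the host's local zone.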

Service Account Separation

Ensures that no user holds both roles, following the separation-of-duties principle, under which no user should have access to resources outside the scope of their duty.

Addresses: Security

Service Account User

Ensures that no user holds the Service Account User role. At the project level, the Service Account User role gives a user access to all service accounts of the project. This can result in an elevation of privileges and is not recommended.

Addresses: Security
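The four role-based checks above (KMS User Separation, user managed service accounts without admin privileges, Service Account Separation and Service Account User), implemented together as an added example over a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. This is not the product's own code. The concrete role IDs compared by each check are an assumption taken from GCP's predefined role names (the page does not list them, and for Service Account Separation does not say which two roles are meant); the policy is constructed sample data.

```python
"""Role-based IAM checks over a GCP project policy (added example; not the
product's own code). Input: the "bindings" list of
`gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY and the role sets below are constructed assumptions."""
from collections import defaultdict

KMS_ADMIN_ROLES = {"roles/cloudkms.admin"}
KMS_CRYPTOKEY_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}
# Assumed pairing for "Service Account Separation"
SA_ADMIN_ROLES = {"roles/iam.serviceAccountAdmin"}
SA_USER_ROLES = {"roles/iam.serviceAccountUser"}
# Basic roles granting owner/write access; "*Admin" roles are matched by suffix
BROAD_ROLES = {"roles/owner", "roles/editor"}

SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.admin",
         "members": ["user:alice@example.com", "group:kms-admins@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["user:alice@example.com",
                     "serviceAccount:app@example.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["user:bob@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:bob@example.com", "user:carol@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/compute.admin",
         "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
    ]
}


def roles_by_member(policy):
    """Invert the bindings list into member -> set of role names."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def members_with_both(policy, roles_a, roles_b):
    """Members holding at least one role from each set: a separation-of-duties
    violation for the KMS and service-account checks."""
    return sorted(m for m, roles in roles_by_member(policy).items()
                  if roles & roles_a and roles & roles_b)


def users_with_role(policy, roles):
    """Human users (member type `user:`) holding any of `roles`."""
    return sorted(m for m, r in roles_by_member(policy).items()
                  if m.startswith("user:") and r & roles)


def is_admin_like(role):
    """Owner/editor, or any predefined role whose name ends in Admin (heuristic)."""
    return role in BROAD_ROLES or role.lower().endswith("admin")


def service_accounts_with_admin(policy):
    """Service accounts holding owner/editor or an *Admin role, with the roles
    that triggered the finding."""
    findings = {}
    for member, roles in roles_by_member(policy).items():
        if member.startswith("serviceAccount:"):
            bad = sorted(r for r in roles if is_admin_like(r))
            if bad:
                findings[member] = bad
    return findings


def run_checks(policy):
    return {
        "kms_user_separation": members_with_both(policy, KMS_ADMIN_ROLES, KMS_CRYPTOKEY_ROLES),
        "service_account_separation": members_with_both(policy, SA_ADMIN_ROLES, SA_USER_ROLES),
        "service_account_user": users_with_role(policy, SA_USER_ROLES),
        "service_account_admin_privileges": service_accounts_with_admin(policy),
    }


if __name__ == "__main__":
    for check, offenders in run_checks(SAMPLE_POLICY).items():
        print("FAIL" if offenders else "PASS", check, offenders)
```

The checks inspect only the project-level policy, so a Service Account User grant made on an individual service account (which scopes impersonation to that one account) is not reported; group memberships are likewise not expanded, so a user who inherits a role through a group appears under the group's member string rather than their own.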

Service Limits

Determines if the number of resources is close to the per-account limit. Google limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching.

Addresses: Operational Maturity

Project Ownership Logging

Ensures that logging and log alerts exist for project ownership assignments and changes. Project Ownership is the highest level of privilege on a project; any change in project ownership should be closely monitored to prevent unauthorized changes.

Addresses: Security

Audit Logging Enabled

Ensures that default audit logging is enabled on the project. The default audit logs should be configured to record all admin activity and both write and read access to data for all services. In addition, no exempted members should be added to the audit configuration, so that all audit logs are delivered.

Addresses: Security
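The Audit Logging Enabled check above, implemented as an added example (not the product's own code) over the `auditConfigs` section of a project IAM policy as returned by `gcloud projects get-iam-policy PROJECT --format=json`. It requires the default `allServices` entry to enable `ADMIN_READ`, `DATA_READ` and `DATA_WRITE`, and flags any `exemptedMembers` on any service. Both policies below are constructed sample data.

```python
"""Audit-logging configuration check (added example; not the product's own
code). Input: the "auditConfigs" list of a project IAM policy.
GOOD_POLICY and BAD_POLICY are constructed sample data."""
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

GOOD_POLICY = {
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "ADMIN_READ"},
                             {"logType": "DATA_READ"},
                             {"logType": "DATA_WRITE"}]}
    ]
}

# Missing DATA_READ on the default config, one exempted member, and a
# per-service entry that does not substitute for the default.
BAD_POLICY = {
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "ADMIN_READ"},
                             {"logType": "DATA_WRITE",
                              "exemptedMembers": ["user:dev@example.com"]}]},
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}]},
    ]
}


def audit_logging_findings(policy):
    """Return a list of findings; an empty list means the project is compliant."""
    findings = []
    configs = policy.get("auditConfigs", [])
    default = next((c for c in configs if c.get("service") == "allServices"), None)
    if default is None:
        findings.append("no default (allServices) audit config")
    else:
        enabled = {c.get("logType") for c in default.get("auditLogConfigs", [])}
        for missing in sorted(REQUIRED_LOG_TYPES - enabled):
            findings.append(f"allServices: {missing} not enabled")
    # Exempted members on any service punch holes in audit-log delivery
    for cfg in configs:
        for log_cfg in cfg.get("auditLogConfigs", []):
            for member in log_cfg.get("exemptedMembers", []):
                findings.append(
                    f"{cfg['service']}: {member} exempted from {log_cfg['logType']}")
    return findings


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, audit_logging_findings(policy) or "compliant")
```

A per-service entry can enable additional log types, but only the `allServices` entry satisfies the "default audit logging" requirement, which is why the `storage.googleapis.com` entry in the bad policy does not clear the missing `DATA_READ` finding.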

Audit Configuration Logging

Ensures that logging and log alerts exist for audit configuration changes. Project Ownership is the highest level of privilege on a project; any change in audit configuration should be closely monitored to prevent unauthorized changes.

Addresses: Security
