Enterprises
Individuals
Enterprises
Individuals
Menu
Menu
Sign in
Product
Solutions
Pricing
Resources
Learn
Hands-on Labs
Courses
Learning Journeys
Challenges
Cloud Sandboxes
Playgrounds
Measure
Assessments
Tournaments
Certifications
Reports
Integrate
SCORM & LTI
SSO & SCIM
Our Learning Platform
Get Started Today
Book a demo
Get free trial
Contact us
Industries
Manufacturing
Government
Finance
Technology
Healthcare
Defense
Retail
Teams
C-suite
Security Teams
Engineering Teams
For L&D
We’ll help you
Achieve ROI
Achieve Compliance
Reduce Risk
Measurable Increase in Skills
Instructor Led Training
Success Stories
View all
View Enterprise Plans
Resources
E-books
Case studies
Webinars
Blog
Support
AppSecEngineer 101 Guide
Help Center
Discord
Teams
For C-suite
For Engineering Teams
For Product Teams
For L&D
What’s New
View all
How to Protect Your Organization from AI Threats Using Role-Based Security Training
Are Your Management Practices Pushing Your Security Team to the Brink?
X
X
X
Enterprises
Individuals
Enterprises
Individuals
Sign in
Menu
Menu
Training for
Library
Platform
Pricing
Resources
Step into the Spotlight with AppSec Expertise: Use coupon ‘SKILLUP30’ and get 30% Off on Individual Pro Annual Plans.
Popular with:
Cloud Engineer
Security Architect
Security Champion
Security Engineer

Google Cloud Security Tips #1: IAM Recommender

Updated:
January 18, 2023
Written by
Joshua Jebaraj

Table of Contents:

  1. Identification of Obsolete Permissions
  2. Prediction of Future Permissions
  3. What is Outside the Purview of IAM Recommender?
  4. Final Words

What is IAM Recommender?

Every time you grant permission to a user to perform a specific task on Google Cloud resources, that's one more loose end waiting to be exploited. You might not revoke access, expecting the user to need it for another task in the near future, but each new permission is a new threat vector for attackers to exploit. 

All it needs is one attack on the user's account, and there goes your Google Cloud resources like a house of cards! So, every outdated permission must be handled appropriately to safeguard cloud resources against potential vulnerabilities. 

This is where the Identity and Access Management (IAM) Recommender comes in like a knight in shining armor. A machine-learning policy tool created to help you stop permissions from becoming threats, IAM Recommender's function is two-pronged:

  1. Identification of obsolete permissions
  2. Prediction of future permissions

A French resource-management firm, Veolia Group, which manages over 87,000 projects on Google Cloud, has stated that IAM Recommender helped them reduce 1.2 million permissions across production in an initial cleanup exercise that secured over 1,000 user and service accounts. This has helped reduce the chance of a potential data breach. 

Identification of Obsolete Permissions

IAM Recommender looks at all your current access policies and permissions, and identifies the ones that are obsolete or haven’t been used in a long time. It studies your usage patterns over time and recommends which unused permissions are better revoked. 

At any given time, IAM Recommender uses the previous 90 days of permissions usage on your cloud to determine what policies are unnecessary.

Prediction of Future Permissions

With IAM Recommender reviewing your last 90 days' logs, every last permission that has not been used in a while will be brought to your attention, but that's not all. It uses machine-learning to predict which permissions may be required in the near future. This way, even if permission has not been acted upon in the past 90 days, a study of ongoing projects and resource usage will help the IAM Recommender predict that the user should retain access to the task.

Want to learn Google Cloud security? Try out our brand-new courses with hands-on labs now.

What is Outside the Purview of IAM Recommender?

There are a few things outside the scope of the Google Cloud IAM Recommender. It pays to learn about them so that you can be wary of what the recommendations are not considering in their study. Here's all that the IAM Recommender does not consider:

  • Role grants at the organization or folder level
  • Role grants that are conditional
  • Access controls separate from IAM
  • Role grants below the project level on intra-project service-specific resources 
  • Role grants applicable for service accounts managed by Google

Barring the exceptions above, the IAM Recommender can thoroughly study usage patterns and make well-informed recommendations on user permissions. IAM Recommender is founded on the principle of least privilege, meaning users will be approved on a need-only basis. It does not make recommendations that can increase a user's level of access. 

It’s important to note that this is only a recommendation tool. IAM Recommender can’t remove permissions of its own accord. You can practice removing unwanted, old permissions and reducing potential risks to your cloud resources. Alternatively, if you wish to dismiss a recommendation as irrelevant, you are free to do so.

Here’s how to learn Google Cloud security

There’s way more to Google Cloud security than Identity & Access Management (IAM). From cloud storage security, to logging and monitoring, you have a whole host of controls you can tweak for optimal results.

But the best way to learn anything in cloud security is with hands-on exercises. AppSecEngineer’s courses feature labs in real-world GCP environments and security scenarios.

If you want to dive deeper into IAM in GCP, check out our Google Cloud IAM Essentials course. It’s packed with video lessons, hands-on labs, and more.

For even more courses on Google Cloud security, check out our full learning path.

Source for article
Joshua Jebaraj

Joshua Jebaraj

Joshua Jebaraj is the Creator of GCP-Goat. He works as Security Researcher at we45 focusing on cloud and cloud-native security. He has 3+ years of experience working related to containers and Kubernetes. He has also spoken at conferences like Defcon, Owasp-Seasides, Bsides-Delhi, and Eko-party. When AFK, he can be found watching movies and making memes.

Categories

L&D
Product Teams
Engineering Teams
C-suite
Infographics
AI Security
Container Security
Threat Modeling
Cloud Security
DevSecOps
Kubernetes
Application Security

Latest

How to Protect Your Organization from AI Threats Using Role-Based Security Training
Are Your Management Practices Pushing Your Security Team to the Brink?
Protect Your Business By Strengthening API Security
How to Successfully Implement Shift-Left Security for Your Organization
Understanding SOC 2 Compliance: A Complete Guide
Ditch the Audit Panic! AppSecEngineer's Got Your Back.
The Complete Guide to ISO 27001 Compliance
A Guide to NIST SP 800-53: 20 Steps to Compliance
Thinking about a career in tech? DevOps vs DevSecOps
Deep-Dive into PCI-DSS: Achieve Compliance in 12 Steps
Why Less Is More for High-Impact Developer Education
Top 10 Cybersecurity Power Players
How to Build a Stronger, More Secure Software Supply Chain
Stop Security Team Burnout Before It Starts
BigQuery Vector Search for Log Analysis: A Security Researcher's Perspective
The AI Advantage in DevSecOps
One Week After the CrowdStrike Incident
An In-Depth Look at Secure-By-Design Strategies
The Only Guide You’ll Need to Build Your Own DevSecOps Trained Team
Is DevSecOps a Good Career Option?

Ready to Elevate Your Security Training?

Empower your teams with the skills they need to secure your applications and stay ahead of the curve.
Get Our Newsletter
Get Started
X
X
FOLLOW APPSECENGINEER
CONTACT

Contact Support

help@appsecengineer.com

1603 Capitol Avenue,
Suite 413A #2898,
Cheyenne, Wyoming 82001,
United States

Copyright AppSecEngineer © 2023
QUICK LINKS
Sign InSign UpPrivacy Policy
E-BOOKS
Beginner's Guide to
a Career in AppSecTrain your Teams to Fly
FOLLOW APPSECENGINEER
CONTACT

Contact Support

help@appsecengineer.com

68 Circular Road, #02-01, 049422, Singapore

Copyright AppSecEngineer © 2023