auditing-gcp-iam-permissions

Auditing GCP IAM Permissions
When to Use
- When performing security assessments of GCP organization or project IAM configurations
- When identifying service accounts with excessive permissions or unused access
- When compliance requirements mandate review of access controls and role assignments
- When investigating potential lateral movement through IAM misconfigurations
- When reducing the blast radius of compromised credentials by scoping down permissions
Do not use for VPC firewall rule auditing (use network security tools), for GKE RBAC auditing (use Kubernetes-specific RBAC tools), or for real-time threat detection on IAM actions (use SCC Event Threat Detection).
Prerequisites
- GCP organization or project with `roles/iam.securityReviewer` and `roles/cloudAsset.viewer`
- gcloud CLI authenticated with appropriate permissions
- Cloud Asset API enabled (`gcloud services enable cloudasset.googleapis.com`)
- IAM Recommender API enabled (`gcloud services enable recommender.googleapis.com`)
- Policy Analyzer API enabled (`gcloud services enable policyanalyzer.googleapis.com`)
Workflow
Step 1: Enumerate IAM Bindings Across the Organization
List all IAM bindings at organization, folder, and project levels to understand the full access landscape.
```bash
# Organization-level IAM bindings
gcloud organizations get-iam-policy ORG_ID \
  --format=json > org-iam-policy.json

# Search all IAM policies across the organization
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --format="table(resource, policy.bindings.role, policy.bindings.members)" \
  --limit=500

# Find all users and service accounts with Owner role
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --query="policy:roles/owner" \
  --format="table(resource, policy.bindings.members)"

# Find all bindings using primitive roles (Owner, Editor, Viewer)
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --query="policy:roles/owner OR policy:roles/editor OR policy:roles/viewer" \
  --format=json | python3 -c "
import json, sys
data = json.load(sys.stdin)
for result in data:
    resource = result.get('resource', '')
    for binding in result.get('policy', {}).get('bindings', []):
        role = binding.get('role', '')
        if role in ['roles/owner', 'roles/editor', 'roles/viewer']:
            for member in binding.get('members', []):
                print(f'{resource} | {role} | {member}')
"
```
Step 2: Audit Service Accounts and Their Keys
Identify service accounts with excessive permissions, user-managed keys, and unused accounts.
```bash
# List all service accounts in a project
gcloud iam service-accounts list \
  --project=PROJECT_ID \
  --format="table(email, displayName, disabled)"

# Check for user-managed keys (should be minimized)
for sa in $(gcloud iam service-accounts list --project=PROJECT_ID --format="value(email)"); do
  keys=$(gcloud iam service-accounts keys list \
    --iam-account="$sa" \
    --managed-by=user \
    --format="table(name.basename(),validAfterTime,validBeforeTime)")
  if [ -n "$keys" ]; then
    echo "=== $sa ==="
    echo "$keys"
  fi
done

# Find service accounts with admin roles across all projects
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --query="policy.bindings.members:serviceAccount AND (policy:roles/owner OR policy:roles/editor OR policy:admin)" \
  --format="table(resource, policy.bindings.role, policy.bindings.members)"

# Check service account IAM policies (who can impersonate)
for sa in $(gcloud iam service-accounts list --project=PROJECT_ID --format="value(email)"); do
  echo "=== $sa ==="
  gcloud iam service-accounts get-iam-policy "$sa" --format=json 2>/dev/null
done
```
Step 3: Use IAM Recommender to Identify Excess Permissions
Leverage GCP's IAM Recommender to find roles that grant more access than actually used.
```bash
# List IAM role recommendations for a project
gcloud recommender recommendations list \
  --project=PROJECT_ID \
  --recommender=google.iam.policy.Recommender \
  --location=global \
  --format="table(name, description, priority, stateInfo.state)"

# Get detailed recommendation
gcloud recommender recommendations describe RECOMMENDATION_ID \
  --project=PROJECT_ID \
  --recommender=google.iam.policy.Recommender \
  --location=global \
  --format=json

# List insights about IAM usage
gcloud recommender insights list \
  --project=PROJECT_ID \
  --insight-type=google.iam.policy.Insight \
  --location=global \
  --format="table(name, description, severity, category)"

# Mark a recommendation as claimed after review. This records that you are acting on it;
# the binding change itself is the remove/add in Step 6.
gcloud recommender recommendations mark-claimed RECOMMENDATION_ID \
  --project=PROJECT_ID \
  --recommender=google.iam.policy.Recommender \
  --location=global \
  --etag=ETAG
```
Step 4: Analyze Effective Permissions with Policy Analyzer
Use Policy Analyzer to determine effective access for specific principals or resources.
```bash
# Check who has access to a specific resource
gcloud asset analyze-iam-policy \
  --organization=ORG_ID \
  --full-resource-name="//storage.googleapis.com/projects/_/buckets/sensitive-data-bucket" \
  --format="table(identityList.identities, accessControlLists.accesses.role)"

# Check what resources a specific user can access
gcloud asset analyze-iam-policy \
  --organization=ORG_ID \
  --identity="user:developer@company.com" \
  --format="table(accessControlLists.resources.fullResourceName, accessControlLists.accesses.role)"

# Check who can perform a specific action
gcloud asset analyze-iam-policy \
  --organization=ORG_ID \
  --full-resource-name="//cloudresourcemanager.googleapis.com/projects/PROJECT_ID" \
  --permissions="iam.serviceAccounts.actAs,iam.serviceAccountKeys.create" \
  --format="table(identityList.identities, accessControlLists.accesses.permission)"

# Find all principals with allUsers or allAuthenticatedUsers access
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --query="policy:allUsers OR policy:allAuthenticatedUsers" \
  --format="table(resource, policy.bindings.role, policy.bindings.members)"
```
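The gcloud queries in Steps 1, 2 and this step each answer one question at a time. The following Python, an added example that is not part of the original page, runs the same three checks (primitive roles, service accounts holding owner/editor/admin roles, allUsers/allAuthenticatedUsers members) over a single `--format=json` dump of `gcloud asset search-all-iam-policies` and tallies bindings by role class the way the report format at the end of this page does. The result list is constructed to mimic gcloud's output shape; the finding labels are my own.

```python
"""Offline triage of `gcloud asset search-all-iam-policies --format=json` output.

Added example, not from the original page. SAMPLE_RESULTS is constructed to mimic
the IamPolicySearchResult shape (resource + policy.bindings) that gcloud prints.
"""
import json
from collections import Counter

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample output (three resources, mixed role types).
SAMPLE_RESULTS = json.loads("""[
 {"resource": "//cloudresourcemanager.googleapis.com/projects/prod-project",
  "policy": {"bindings": [
   {"role": "roles/owner", "members": [
     "serviceAccount:admin-sa@prod-project.iam.gserviceaccount.com", "user:alice@company.com"]},
   {"role": "roles/compute.viewer", "members": ["user:developer@company.com"]}]}},
 {"resource": "//storage.googleapis.com/projects/_/buckets/public-data-bucket",
  "policy": {"bindings": [
   {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]}]}},
 {"resource": "//cloudresourcemanager.googleapis.com/projects/dev-project",
  "policy": {"bindings": [
   {"role": "roles/editor", "members": ["user:developer@company.com"]},
   {"role": "projects/dev-project/roles/customDeployer",
    "members": ["serviceAccount:deploy@dev-project.iam.gserviceaccount.com"]},
   {"role": "roles/cloudsql.admin",
    "members": ["serviceAccount:deploy@dev-project.iam.gserviceaccount.com"]}]}}
]""")


def flatten(results):
    """Yield one (resource, role, member) triple per member of every binding."""
    for result in results:
        resource = result.get("resource", "")
        for binding in result.get("policy", {}).get("bindings", []):
            role = binding.get("role", "")
            for member in binding.get("members", []):
                yield resource, role, member


def role_class(role):
    """primitive (owner/editor/viewer), custom (org- or project-defined) or predefined."""
    if role in PRIMITIVE_ROLES:
        return "primitive"
    if "/roles/" in role:  # organizations/ORG_ID/roles/x or projects/PROJECT_ID/roles/x
        return "custom"
    return "predefined"


def audit(results):
    """Return (findings, summary). Findings are (finding_type, resource, role, member);
    summary maps role class -> (count, percent of all member-level bindings)."""
    findings, counts = [], Counter()
    for resource, role, member in flatten(results):
        counts[role_class(role)] += 1
        if member in PUBLIC_MEMBERS:  # Step 4's allUsers / allAuthenticatedUsers query
            findings.append(("PUBLIC_ACCESS", resource, role, member))
        if role in ("roles/owner", "roles/editor"):  # Step 1's primitive-role filter
            findings.append(("PRIMITIVE_ROLE", resource, role, member))
        # Step 2's query: a serviceAccount member holding owner, editor or any *admin* role
        if member.startswith("serviceAccount:") and (
                role in ("roles/owner", "roles/editor") or "admin" in role.lower()):
            findings.append(("SA_ADMIN_ROLE", resource, role, member))
    total = sum(counts.values())
    summary = {cls: (n, round(100 * n / total)) for cls, n in counts.items()}
    return findings, summary


if __name__ == "__main__":
    found, summ = audit(SAMPLE_RESULTS)
    for cls, (n, pct) in sorted(summ.items()):
        print(f"Using {cls} roles: {n} ({pct}%)")
    for item in found:
        print(" | ".join(item))
```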
Step 5: Check for Domain-Wide Delegation and Impersonation Risks
Identify service accounts with domain-wide delegation and impersonation capabilities.
```bash
# Check for service accounts with domain-wide delegation
# (Requires Admin SDK access to list delegated accounts)
gcloud iam service-accounts list --project=PROJECT_ID --format=json | python3 -c "
import json, sys
accounts = json.load(sys.stdin)
for sa in accounts:
    email = sa.get('email', '')
    # Check if the SA has domain-wide delegation enabled
    # This requires Admin SDK API access
    print(f'SA: {email} - Check admin.google.com for delegation status')
"

# Find service accounts that other identities can impersonate
for sa in $(gcloud iam service-accounts list --project=PROJECT_ID --format="value(email)"); do
  policy=$(gcloud iam service-accounts get-iam-policy "$sa" --format=json 2>/dev/null)
  # Keep only bindings that let another principal act as, or mint tokens for, this SA
  risky=$(echo "$policy" | python3 -c "
import json, sys
p = json.load(sys.stdin)
for b in p.get('bindings', []):
    role, members = b.get('role', ''), b.get('members', [])
    if role in ['roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser']:
        print(f'  {role}: {members}')
" 2>/dev/null)
  if [ -n "$risky" ]; then
    echo "=== Impersonation risk: $sa ==="
    echo "$risky"
  fi
done
```
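The loop above reports each service account in isolation. The following added example (not from the original page) joins those per-SA policies with the project-level bindings from Step 1 to surface chains such as user -> SA -> SA -> roles/owner, the kind of who-can-reach-what question Policy Analyzer answers in Step 4, reproduced offline on exported JSON. All data below is constructed.

```python
"""Impersonation-path analysis over service-account IAM policies.

Added example, not from the original page. SA_POLICIES mimics what
`gcloud iam service-accounts get-iam-policy SA --format=json` returns for each
service account (Steps 2 and 5); PROJECT_BINDINGS mimics the project-level
bindings from Step 1. Both are constructed sample data.
"""
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountUser"}
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}

# Constructed: service-account email -> its own IAM policy.
SA_POLICIES = {
    "deploy@dev-project.iam.gserviceaccount.com": {"bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:developer@company.com"]}]},
    "admin-sa@prod-project.iam.gserviceaccount.com": {"bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:deploy@dev-project.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["group:platform-admins@company.com"]}]},
    "reporting@prod-project.iam.gserviceaccount.com": {"bindings": []},
}
# Constructed: (resource, role, member) triples from the project-level policies.
PROJECT_BINDINGS = [
    ("projects/prod-project", "roles/owner",
     "serviceAccount:admin-sa@prod-project.iam.gserviceaccount.com"),
    ("projects/prod-project", "roles/viewer",
     "serviceAccount:reporting@prod-project.iam.gserviceaccount.com"),
    ("projects/dev-project", "roles/editor", "user:developer@company.com"),
]


def impersonation_edges(sa_policies):
    """Map each principal to the set of service accounts it can act as or mint tokens for."""
    edges = {}
    for sa, policy in sa_policies.items():
        for binding in policy.get("bindings", []):
            if binding.get("role") in IMPERSONATION_ROLES:
                for member in binding.get("members", []):
                    edges.setdefault(member, set()).add("serviceAccount:" + sa)
    return edges


def escalation_paths(sa_policies, project_bindings):
    """Enumerate impersonation chains that end at a service account holding a
    privileged role. Each path is (principal, [impersonated SAs...], resource, role).
    Direct grants (no impersonation involved) are not reported; Step 1 lists those."""
    edges = impersonation_edges(sa_policies)
    privileged = {}
    for resource, role, member in project_bindings:
        if role in PRIVILEGED_ROLES:
            privileged.setdefault(member, []).append((resource, role))

    paths = []

    def walk(origin, current, chain, seen):
        for target in sorted(edges.get(current, ())):
            if target in seen:  # mutual impersonation grants would otherwise loop forever
                continue
            for resource, role in privileged.get(target, []):
                paths.append((origin, chain + [target], resource, role))
            walk(origin, target, chain + [target], seen | {target})

    for principal in edges:
        walk(principal, principal, [], {principal})
    return paths


if __name__ == "__main__":
    for origin, chain, resource, role in escalation_paths(SA_POLICIES, PROJECT_BINDINGS):
        print(f"{origin} -> {' -> '.join(chain)} => {role} on {resource}")
```

A two-hop result such as developer -> deploy SA -> admin-sa -> roles/owner is the remediation target: removing either impersonation binding, or the owner grant on admin-sa, breaks the chain.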
Step 6: Generate Audit Report and Apply Remediation
Compile findings and implement recommended permission reductions.
```bash
# Remove primitive role and replace with predefined roles
# (the scenario below grants the predefined roles first and removes the primitive
# role only after the monitoring period, to avoid a window of lost access)
gcloud projects remove-iam-policy-binding PROJECT_ID \
  --member="user:developer@company.com" \
  --role="roles/editor"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:developer@company.com" \
  --role="roles/compute.viewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:developer@company.com" \
  --role="roles/storage.objectViewer"

# Delete unused service account keys
gcloud iam service-accounts keys delete KEY_ID \
  --iam-account=SA_EMAIL

# Disable unused service accounts
gcloud iam service-accounts disable SA_EMAIL --project=PROJECT_ID
```
Key Concepts
| Term | Definition |
|---|---|
| Primitive Role | Legacy GCP roles (Owner, Editor, Viewer) that grant broad permissions across all services, not recommended for production |
| Predefined Role | GCP-managed role scoped to specific services and actions, providing more granular access than primitive roles |
| IAM Recommender | GCP ML-based service that analyzes actual permission usage and suggests role reductions to achieve least privilege |
| Policy Analyzer | Tool for analyzing effective IAM access across the organization hierarchy, answering who-can-access-what queries |
| Service Account Key | User-managed credential for service account authentication, a security risk as keys can be exported and do not auto-expire |
| Domain-Wide Delegation | Grants a service account the ability to impersonate any user in the Google Workspace domain, a significant privilege escalation risk |
Tools & Systems
- gcloud CLI: Primary tool for querying and managing GCP IAM policies, service accounts, and role bindings
- IAM Recommender: ML-based recommendation engine for reducing excessive permissions based on actual usage
- Policy Analyzer: Organization-wide effective access analysis tool for understanding who can access what
- Cloud Asset Inventory: Cross-project search for IAM policies and resource metadata
- ScoutSuite: Multi-cloud auditing tool with GCP IAM-specific checks for role assignments and service accounts
Common Scenarios
Scenario: Reducing Primitive Role Usage Across a GCP Organization
Context: An audit reveals that 60% of IAM bindings across the organization use primitive roles (Owner/Editor). The security team needs to migrate to predefined roles without disrupting developer workflows.
Approach:
- Run `gcloud asset search-all-iam-policies` to inventory all primitive role bindings
- Use IAM Recommender to get ML-based suggestions for replacement predefined roles
- For each binding, use Policy Analyzer to understand what the principal actually accesses
- Create a mapping document: primitive role -> specific predefined roles needed
- Apply predefined roles alongside primitive roles for a testing period
- Monitor for access denied errors using Cloud Audit Logs
- Remove primitive roles after confirming no access issues over 2 weeks
Pitfalls: Primitive roles include permissions across all GCP services, so replacing them requires multiple predefined roles. The Recommender may suggest overly restrictive roles if the observation period does not capture all use cases. Custom roles can fill gaps where no predefined role matches the exact permission set needed.
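Added example, not from the original page: the mapping step of the approach above (primitive role -> predefined roles) as a greedy set cover over a principal's observed permission usage, reporting the excess each predefined role brings along and the leftover permissions that need a custom role, then emitting the Step 6 commands in the order the scenario prescribes. The role catalogue is a constructed abbreviation of real predefined roles, and the usage set stands in for Recommender or audit-log data.

```python
"""Pick predefined roles to replace a primitive role, based on observed usage.

Added example, not from the original page. USED_PERMISSIONS stands in for the
permissions a principal actually exercised (what IAM Recommender / Cloud Audit Logs
would show). PREDEFINED_ROLES is a constructed, abbreviated catalogue: the real
roles contain many more permissions, so fetch them with `gcloud iam roles describe ROLE`
before relying on this for a real migration.
"""
# Constructed, abbreviated permission sets (not Google's full role definitions).
PREDEFINED_ROLES = {
    "roles/compute.viewer": {
        "compute.instances.get", "compute.instances.list", "compute.disks.get", "compute.zones.list"},
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.list", "compute.instances.start",
        "compute.instances.stop", "compute.instances.delete", "compute.disks.get", "compute.zones.list"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create", "storage.objects.delete"},
    "roles/logging.viewer": {"logging.logEntries.list", "logging.logs.list"},
}

# Constructed: what developer@company.com actually used while holding roles/editor.
USED_PERMISSIONS = {
    "compute.instances.get", "compute.instances.list", "compute.instances.start",
    "storage.objects.get", "storage.objects.list", "logging.logEntries.list",
    "cloudsql.instances.get",
}


def plan_replacement(used, catalogue):
    """Greedy set cover: repeatedly pick the role covering the most still-uncovered used
    permissions, tie-breaking toward the role that grants the fewest permissions the
    principal never used. Returns the chosen roles, the excess they grant, and the used
    permissions no catalogue role covers (material for a custom role)."""
    remaining, chosen = set(used), []
    while remaining:
        best = max(catalogue, key=lambda r: (len(catalogue[r] & remaining), -len(catalogue[r] - used)))
        if not catalogue[best] & remaining:
            break  # nothing left in the catalogue covers the remainder
        chosen.append(best)
        remaining -= catalogue[best]
    granted = set().union(*(catalogue[r] for r in chosen)) if chosen else set()
    return {"roles": chosen, "excess": sorted(granted - used), "custom_role_needed": sorted(remaining)}


def remediation_commands(project, member, plan, primitive_role="roles/editor"):
    """gcloud commands for the migration in the scenario's order: grant the predefined
    roles first, remove the primitive role only after the monitoring period."""
    cmds = [f'gcloud projects add-iam-policy-binding {project} --member="{member}" --role="{r}"'
            for r in plan["roles"]]
    cmds.append("# after 2 weeks without access-denied errors in Cloud Audit Logs:")
    cmds.append(f'gcloud projects remove-iam-policy-binding {project} --member="{member}" '
                f'--role="{primitive_role}"')
    return cmds


if __name__ == "__main__":
    plan = plan_replacement(USED_PERMISSIONS, PREDEFINED_ROLES)
    print("roles:", plan["roles"])
    print("excess permissions granted:", plan["excess"])
    print("needs a custom role:", plan["custom_role_needed"])
    print("\n".join(remediation_commands("PROJECT_ID", "user:developer@company.com", plan)))
```

Note how a single used permission (compute.instances.start) pulls in instanceAdmin.v1 with its stop/delete excess; that is exactly the gap where a custom role, or a narrower predefined role if one exists, is the better fit.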
Output Format
```
GCP IAM Permissions Audit Report
===================================
Organization: acme-org (ORG_ID: 123456789)
Projects Audited: 25
Audit Date: 2026-02-23

IAM BINDING SUMMARY:
  Total bindings: 342
  Using primitive roles: 205 (60%)
  Using predefined roles: 112 (33%)
  Using custom roles: 25 (7%)

CRITICAL FINDINGS:
  [IAM-001] Service Account with Owner Role
    SA: admin-sa@prod-project.iam.gserviceaccount.com
    Role: roles/owner on project prod-project
    User-Managed Keys: 3 (oldest: 14 months)
    Remediation: Replace with specific predefined roles, delete old keys

  [IAM-002] allAuthenticatedUsers Binding
    Resource: gs://public-data-bucket
    Role: roles/storage.objectViewer
    Risk: Any Google account holder can read bucket contents
    Remediation: Restrict to specific user groups or service accounts

SERVICE ACCOUNT HEALTH:
  Total service accounts: 67
  With user-managed keys: 23
  Keys older than 90 days: 18
  Unused accounts (90+ days): 12
  With domain-wide delegation: 2

RECOMMENDER SUGGESTIONS:
  Total recommendations: 45
  Priority HIGH: 12
  Estimated permissions reduced: 2,847 individual permissions
```