GCP- IDENTITY AUDITING ,ROLE RECOMMENDER, SERVICE ACCOUNT.

 

CLOUD IAM is a service that you make use to authenticate and authorize users or applications. Should you want to integrate users from on-premises, AWS, AZURE, IBM etc, you need IAM to create access. In order to consistently manage the accesses of software engineers within the platform and maintaining best practise with high security posture within your environment. For example, a colleague might reach out to you because they do not have access and requested you to provide, you do not have to provide access because there's a possibility that the individual does not need that access probably because they are assigned to a specific role or service. As a cloud engineer you need to be aware of security. Google Cloud has provided services to monitor your platform and analyze the behaviour in your environment by implementing best practise; 

1.  CLOUD IAM POLICY ANALYZER : Allow you to identify that specific resources like restricted GCS bucket, and it will scan the environment to know who has access to the resources . This gives you the ability to check a detailed review in a closed-up environment in an automated fashion. Policy Analyzer uses the cloud  Asset API , which offers best-effort data freshness. while almost all policy updates appear in policy analyzer in minutes, its possible that policy analyzer won't include the most recent policy updates. 

There are two main implementation within policy analyzer for this analyses to perform: 

a. Query Scope: This has to do with the level at which you want to perform the analyses within your organization. When it comes to the identities, do you want to analyze from the root to projects. You have the ability to target the actual project or folder. 

b. Query Parameter: This has to do with the actual resource (GCS bucket) you want to audit or validate. By this, you can  provide the principal as the parameter to validation against if the user have been given that permission at the folder or organization level. 

2.  CLOUD POLICY TROUBLESHOOTER: Makes it easier to understand user accessibility to a resource or doesn't have permission to call an API . 

example: Perhaps a colleague is having troubles with communication protocol. You can further investigate by making use of policy troubleshooter and provider full details. 

For example: HR hires you as a developer and you're given organization admin access and Quality Assurance engineer is also given organization access or folder access. In this regards quality assurance team has been given escalated privilege which is bad.  To automatically check your environment regarding previous and current team, IAM role recommender will be the service. 

There are three component you inject with in policy;

a. The actual principle: At this level you provide the email. Meaning the identity you want to validate against. 

b. Resources: If you want to access a compute engine and you're getting error, probably you're trying to create a snapshot for a compute engine instance . At this level you provide the specific resources and the actual permission that is needed to be able to interact with the action which the individual is trying to initiate. 

c. Permission: You pass the actual permission from GCS bucket  within the column to validate the resources and principal. it will check the pool of roles if the individual has access. This will give you the final result in milliseconds to know who has access. 

3.  IAM ROLE RECOMMENDER: This suggests a group of permission regarding role. Does its role at the background and you find it within security insight dashboard. Is a google native artificial intelligence tool to automatically check historical data. Checks the access of the individual and recommend. like Uber highly uses role recommender.

 example: If you have 40 developers, 20 Cloud Architect , and you have been creating GCS, GCE  with this, its hard to track all the activities. Over time, role recommender will monitor and gather the data for the last 90 days and suggest the best purpose role to the engineers. The AI will estimate/ filters what policy the developer might need to use and policies unused. That is very specific. However, if you're doing this manually it will take you months to achieve. 

4.  IAM POLICY STIMULATOR: This allows you check the validation of a particular user policy before its implemented. And it only works for existing policy either for groups, service account etc.

5.  SERVICE ACCOUNT : Are used by particular type of entities like machines and applications. A developer can make an API REQUEST  CALL to initiate that via the application. One of the most risk in IAM is service account. 

example: You have an automation Pipeline and there's a service account in that process and its been used for authorization and you want to modify it, if you're careful your code could break, because you did not take precaution around your pipeline set-up. In this case policy stimulator will stimulate the behaviour based on the existing user access. 

example: You could have different service account idle probably because the team no longer works and this users still exist within IAM. This can host certain level of risk, in this case you can make use of activity analyzer to decommission those users immediately.

6.  ACTIVITY ANALYZER/EVENT MANAGER: It tracks and trace every activities within your GCP eco system.

Referencing : https://cloud.google.com/docs