How to create and safeguard your admin accounts
Max Saltonstall
Developer Advocate
Setting up your new cloud infrastructure is scary. Extra scary when you realize that someone (is it gonna be you?) gets to have phenomenal cosmic power over the whole thing.
Yes, I'm talking about the admin account, and today we'll dig into why admin accounts are important, dangerous and different.
When the team at pistach.io got their nuts-as-a-service business growing fruitfully, they knew they needed to think carefully about admin accounts. These people would have tremendous control over their use of Google Cloud, and they could potentially cause very big problems if any were compromised. Definitely resources that require a protective shell.
Early in pistach.io's development, an employee named Walter Nutt wanted to play a prank by changing his co-worker's profile photo from an almond to a peanut (pretty devious, since a peanut is actually a legume). He didn't have access to his friend's computer, but he did have access to the company's Cloud Storage bucket. While searching for the profile photo in question, Wally inadvertently deleted the entire contents of the bucket!
As he searched for ways to restore its contents, Wally modified access to two other pistach.io buckets. The company ground to a halt for a week while teams worked to crack through the permissions issues.
Time to rethink permissions a bit, so this couldn't spoil their buttery smooth operations in the future.
Following the resource manager guide, the team made a super admin email address that wasn't tied to a particular individual or Workspace account, and secured it with strong multi-factor authentication. This would be their backup in case an admin account were to be compromised, so they could recover and repair.
The team already uses Google Workspace, so they have an organization set up. That creation process established the initial super administrators, who can create and modify all other resources inside the organization. As they looked toward using Google Cloud, the super administrators could:
Give the admin role to people, for Cloud
Act as a point of contact for account recovery
Modify or delete the organization if needed
Making admin users for the organization lets other people flesh out the resources and policies for pistach.io, before anyone goes nuts and gives everyone all the permissions. While that would speed things up, it would make it easy for an attacker to crack through the security shell, because any account compromise could give outsize access. Yikes!
Instead, the IT leads specified certain people to act as organization admins, and then gave them permissions to:
Structure the Resource Hierarchy
Delegate control of specific Cloud elements to others on the team
Once those organization admins were set up, they could give management and oversight of Compute, Storage, Networking and other resource types to the relevant leads, making sure each person had just the right amount of permission for the role they needed to perform. The organization admins don't have permissions themselves to make these resources. They just delegate.
Now each person can accomplish the job they're responsible for, but doesn't have overly permissive access. Delegating like this keeps the entire organization safer, and limits the blast radius if someone does manage to break in.
You can go through these steps yourself with this tutorial.
By default, creating an organization resource for the domain gives everyone the ability to create projects and billing accounts. Once they had set up their Organization Admin at pistach.io, they decided to remove some of these wide permissions and, in a nutshell, bring everything down to much finer control. So people could get permissions for a folder or a project, but not the entire organization!
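Here is that tightening step as an added example (not code from this post or from Google), written for the usual get-iam-policy, edit, set-iam-policy workflow. The sample policy, the etag and the pistach.io e-mail addresses below are constructed placeholders; the two default domain-wide roles are the ones organization creation actually grants.

```python
import copy
import json
import sys

# Roles that organization creation grants to the whole domain by default.
DEFAULT_DOMAIN_WIDE_ROLES = frozenset({
    "roles/resourcemanager.projectCreator",
    "roles/billing.creator",
})
ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"


def domain_wide_roles(policy, domain):
    """Audit check: which roles does this policy still grant to every user in `domain`?"""
    member = f"domain:{domain}"
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def members_with_role(policy, role):
    """All members bound to `role`, across every (possibly conditional) binding."""
    return {m for b in policy.get("bindings", []) if b["role"] == role for m in b.get("members", [])}


def tighten_org_policy(policy, domain, org_admins):
    """Return a copy of `policy` with the default domain-wide creator roles removed and
    Organization Admin granted to the named people. Folder- and project-level grants
    live in other policies and are untouched here."""
    new_policy = copy.deepcopy(policy)
    member = f"domain:{domain}"
    bindings = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] in DEFAULT_DOMAIN_WIDE_ROLES:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding.get("members"):  # drop bindings that became empty
            bindings.append(binding)
    # Add the chosen admins to the unconditional Organization Admin binding, creating it if absent.
    admin_binding = next((b for b in bindings if b["role"] == ORG_ADMIN_ROLE and "condition" not in b), None)
    if admin_binding is None:
        admin_binding = {"role": ORG_ADMIN_ROLE, "members": []}
        bindings.append(admin_binding)
    admin_binding["members"] = sorted(set(admin_binding["members"]) | set(org_admins))
    new_policy["bindings"] = bindings
    return new_policy  # etag is kept, so set-iam-policy rejects a write based on a stale read


# Constructed sample in the shape `gcloud organizations get-iam-policy ORG_ID --format=json` returns.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwX-constructed=",
    "bindings": [
        {"role": "roles/resourcemanager.projectCreator", "members": ["domain:pistach.io"]},
        {"role": "roles/billing.creator", "members": ["domain:pistach.io"]},
        {"role": ORG_ADMIN_ROLE, "members": ["user:superadmin@pistach.io"]},
    ],
}

if __name__ == "__main__":
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    print(json.dumps(tighten_org_policy(src, "pistach.io", ["user:it-lead@pistach.io"]), indent=2))
```

Run `domain_wide_roles` against the live policy after applying it; an empty set is the state pistach.io wanted, and anything else is a role the whole domain can still exercise.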
Remember to take care of your admin roles, as they have the power, and responsibility, to cause serious harm if not used safely. Be safe with your Identity and Access Management. And keep your data yours!
Next time we join you we'll take a crack at creating and provisioning an app to run inside the policies and resource management frameworks created today.