IAM controls for generative AI use cases

This document describes best practices and guidelines for Identity and Access Management (IAM) when you run generative AI workloads on Google Cloud. Use IAM with Vertex AI to control who can perform specific actions, such as creating, editing, or deleting, on your generative AI workload resources.

Required IAM controls

The following controls are strongly recommended when using IAM.

Disable automatic Identity and Access Management (IAM) grants for default service accounts

Google control ID: IAM-CO-4.1
Category: Required
Description

Use the iam.automaticIamGrantsForDefaultServiceAccounts boolean constraint to stop Google Cloud services from automatically granting overly permissive roles to the default service accounts they create. For example, if you don't enforce this constraint, a newly created default service account is automatically granted the Editor role (roles/editor) on your project.

Applicable products
  • IAM
  • Organization Policy Service
Path: constraints/iam.automaticIamGrantsForDefaultServiceAccounts
Operator: Is
Value
  • False
Type: Boolean
Related NIST-800-53 controls
  • AC-3
  • AC-17
  • AC-20
Related CRI profile controls
  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1

Block the creation of external service account keys

Google control ID: IAM-CO-4.2
Category: Required
Description

Use the iam.disableServiceAccountKeyCreation boolean constraint to prevent external (user-managed) service account keys from being created. This constraint lets you control the use of unmanaged long-term credentials for service accounts. When the constraint is enforced, you can't create user-managed credentials for service accounts in the projects it applies to.

Applicable products
  • Organization Policy Service
  • IAM
Path: constraints/iam.disableServiceAccountKeyCreation
Operator: Is
Value
  • True
Type: Boolean
Related NIST-800-53 controls
  • AC-3
  • AC-17
  • AC-20
Related CRI profile controls
  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1

Block service account key uploads

Google control ID: IAM-CO-4.3
Category: Required
Description

Use the iam.disableServiceAccountKeyUpload boolean constraint to block the upload of external public keys to service accounts. When the constraint is enforced, users can't upload public keys to service accounts in the projects it applies to.

Applicable products
  • Organization Policy Service
  • IAM
Path: constraints/iam.disableServiceAccountKeyUpload
Operator: Is
Value
  • True
Type: Boolean
Related NIST-800-53 controls
  • AC-3
  • AC-17
  • AC-20
Related CRI profile controls
  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1

Depending on your use cases around generative AI, you might require additional IAM controls.

Implement tags to efficiently assign Identity and Access Management (IAM) policies and organization policies

Google control ID: IAM-CO-6.1
Category: Recommended
Description

Tags let you annotate resources and, for policies that support conditions, allow or deny a policy based on whether a resource carries a specific tag. Use tags together with conditional policy enforcement for fine-grained control across your resource hierarchy.

Applicable products
  • Resource Manager
Related NIST-800-53 controls
  • AC-2
  • AC-3
  • AC-5
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.DS-5.1
  • PR.PT-3.1
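The three required constraints above and the tag-based conditional enforcement described in this control come together in the following added example, which is not code from this page or from Google. It builds the Organization Policy v2 body that `gcloud org-policies set-policy` accepts for each constraint, optionally carving out a tag-based exemption with a `resource.matchTag` condition, and then checks effective policies (as returned by `gcloud org-policies describe CONSTRAINT --effective --format=json`) against the required state. In the policy file all three controls are written as an enforced boolean constraint; for the first one, enforcing the constraint is what switches the automatic grants off. The parent IDs, the tag key `env`, the value `sandbox` and the sample effective policies are constructed for the example.

```python
"""Added example: build and verify organization policies for the three required
IAM constraints on this page, with an optional tag-based exemption.

Not code from the Google Cloud page. Assumed gcloud command shapes:
  gcloud org-policies set-policy POLICY_FILE
  gcloud org-policies describe CONSTRAINT --project=ID --effective --format=json
"""
import json
from typing import Any, Dict, List, Optional

# Boolean constraints named on the page. Enforcing each one turns the
# restriction on: no automatic grants to default service accounts, no
# user-managed key creation, no public key upload.
REQUIRED_CONSTRAINTS: List[str] = [
    "iam.automaticIamGrantsForDefaultServiceAccounts",
    "iam.disableServiceAccountKeyCreation",
    "iam.disableServiceAccountKeyUpload",
]


def build_policy(parent: str, constraint: str,
                 exempt_tag: Optional[str] = None) -> Dict[str, Any]:
    """Return the Organization Policy v2 body for `gcloud org-policies set-policy`.

    parent is "organizations/ID", "folders/ID" or "projects/ID".
    exempt_tag is a constructed "ORG_ID/KEY/VALUE" string such as
    "123456789012/env/sandbox": resources carrying that tag match the
    conditional rule and are exempted; every other resource falls through to
    the unconditional rule and stays enforced.
    """
    rules: List[Dict[str, Any]] = []
    if exempt_tag:
        key, _, value = exempt_tag.rpartition("/")
        rules.append({
            "condition": {"expression": f"resource.matchTag('{key}', '{value}')"},
            "enforce": False,
        })
    rules.append({"enforce": True})
    return {"name": f"{parent}/policies/{constraint}", "spec": {"rules": rules}}


def policy_json(parent: str, constraint: str,
                exempt_tag: Optional[str] = None) -> str:
    """Serialised body, ready to be written to the file passed to set-policy."""
    return json.dumps(build_policy(parent, constraint, exempt_tag), indent=2)


def enforcement_status(policy: Dict[str, Any]) -> str:
    """Classify one effective policy as fetched with `describe --effective`.

    A missing policy or an empty rule list means the constraint's default
    applies, and for these three constraints the default is not enforced.
    """
    rules = policy.get("spec", {}).get("rules", [])
    unconditional = [r for r in rules if "condition" not in r]
    conditional = [r for r in rules if "condition" in r]
    if not any(r.get("enforce") is True for r in unconditional):
        return "not-enforced"
    if any(r.get("enforce") is False for r in conditional):
        return "enforced-with-exemptions"
    return "enforced"


def audit(effective: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Status of every required constraint, keyed by constraint name."""
    return {c: enforcement_status(effective.get(c, {})) for c in REQUIRED_CONSTRAINTS}


def findings(effective: Dict[str, Dict[str, Any]]) -> List[str]:
    """Required constraints that are not unconditionally enforced."""
    return [c for c, status in audit(effective).items() if status != "enforced"]


# Constructed sample of what `describe --effective` might return for one
# project: key creation is blocked, key upload only has a sandbox carve-out
# and no unconditional rule, and the automatic-grants policy is absent.
SAMPLE_EFFECTIVE: Dict[str, Dict[str, Any]] = {
    "iam.disableServiceAccountKeyCreation": {
        "name": "projects/123456/policies/iam.disableServiceAccountKeyCreation",
        "spec": {"rules": [{"enforce": True}]},
    },
    "iam.disableServiceAccountKeyUpload": {
        "name": "projects/123456/policies/iam.disableServiceAccountKeyUpload",
        "spec": {"rules": [{
            "condition": {"expression": "resource.matchTag('123456789012/env', 'sandbox')"},
            "enforce": False,
        }]},
    },
}

if __name__ == "__main__":
    for name in findings(SAMPLE_EFFECTIVE):
        print(f"FINDING: {name} is not enforced")
        print(policy_json("projects/123456", name))
```

The checker deliberately reports a policy that has only a conditional rule as not enforced: a tag-scoped exemption without an unconditional `enforce: true` rule leaves every untagged resource at the constraint's default. Feed it the effective policy rather than the policy set on a single resource node, so that inheritance from folders and the organization is taken into account.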

Audit high-risk changes to Identity and Access Management (IAM)

Google control ID: IAM-CO-7.1
Category: Recommended
Description

Use Cloud Audit Logs to monitor for high-risk activity, such as accounts being granted high-risk roles like Organization Admin and Super Admin. Set up alerts for this type of activity.

Applicable products
  • Cloud Audit Logs
Related NIST-800-53 controls
  • AU-2
  • AU-3
  • AU-8
  • AU-9
Related CRI profile controls
  • DM.ED-7.1
  • DM.ED-7.2
  • DM.ED-7.3
  • DM.ED-7.4
  • PR.IP-1.4
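As an added example of the monitoring this control asks for (not code from this page or from Google), the following script scans exported Cloud Audit Logs entries for `SetIamPolicy` calls that add a binding on a high-risk role, and produces the equivalent Logging query to use as the filter of a log-based metric that an alerting policy can watch. The entry shape follows the Admin Activity audit log for `SetIamPolicy`, where the binding changes sit under `protoPayload.serviceData.policyDelta.bindingDeltas`; the role list (Organization Admin from the page, plus Owner and Security Admin as an illustrative choice), the sample log lines, the principal and project names and the `gcloud logging metrics create` invocation are assumptions made for the example.

```python
"""Added example: flag high-risk IAM grants in Cloud Audit Logs entries and
emit the matching Logging query for a log-based metric.

Not code from the Google Cloud page. The entry shape follows the Admin
Activity audit log for SetIamPolicy (protoPayload.serviceData.policyDelta);
the role list and the sample entries are constructed for illustration.
"""
import json
from typing import Any, Dict, Iterable, List

# Roles whose grant should raise an alert. The page names Organization Admin;
# project Owner and Security Admin are added here as an illustrative choice.
# Super Admin is a Google Workspace / Cloud Identity role; its changes arrive
# in Workspace admin audit logs with a different shape and are not parsed here.
HIGH_RISK_ROLES = {
    "roles/resourcemanager.organizationAdmin",
    "roles/owner",
    "roles/iam.securityAdmin",
}


def high_risk_grants(entry: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per ADD binding delta on a high-risk role.

    Removals are ignored: a REMOVE of roles/owner is worth knowing about but
    is not a privilege grant.
    """
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    deltas = (payload.get("serviceData", {})
                     .get("policyDelta", {})
                     .get("bindingDeltas", []))
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    return [
        {
            "time": entry.get("timestamp"),
            "actor": actor,
            "member": d.get("member"),
            "role": d.get("role"),
            "resource": payload.get("resourceName"),
        }
        for d in deltas
        if d.get("action") == "ADD" and d.get("role") in HIGH_RISK_ROLES
    ]


def scan(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Scan newline-delimited JSON (the format a Logging sink writes to Cloud
    Storage), skipping blank and malformed lines rather than aborting."""
    found: List[Dict[str, Any]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        found.extend(high_risk_grants(entry))
    return found


def log_filter(roles: Iterable[str] = HIGH_RISK_ROLES) -> str:
    """Logging query matching the same events server-side; array fields such
    as bindingDeltas match when any element satisfies the comparison."""
    role_clauses = " OR ".join(
        f'protoPayload.serviceData.policyDelta.bindingDeltas.role="{r}"'
        for r in sorted(roles)
    )
    return (
        'protoPayload.methodName="SetIamPolicy" AND '
        'protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND '
        f"({role_clauses})"
    )


def metric_command(name: str = "high-risk-iam-grants") -> str:
    """gcloud invocation (assumed shape) creating the log-based metric that an
    alerting policy can then watch."""
    return (f"gcloud logging metrics create {name} "
            f"--description='High-risk IAM role grants' "
            f"--log-filter='{log_filter()}'")


# Constructed sample: one grant of roles/owner (should alert), one removal of
# Organization Admin (should not), one read-only call, and one junk line.
SAMPLE_AUDIT_LOG = """
{"timestamp": "2024-05-01T10:15:00Z", "protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/example-genai-project", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"}, {"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"}]}}}}
{"timestamp": "2024-05-01T10:20:00Z", "protoPayload": {"methodName": "SetIamPolicy", "resourceName": "organizations/123456789012", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "REMOVE", "role": "roles/resourcemanager.organizationAdmin", "member": "user:dave@example.com"}]}}}}
{"timestamp": "2024-05-01T10:25:00Z", "protoPayload": {"methodName": "GetIamPolicy", "resourceName": "projects/example-genai-project", "authenticationInfo": {"principalEmail": "erin@example.com"}}}
not-json-noise
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"ALERT {f['time']}: {f['actor']} granted {f['role']} to {f['member']} on {f['resource']}")
    print(metric_command())
```

Running the scanner over historical exports is useful for a one-off review; for continuous alerting, the `log_filter()` output is the piece to keep, since Admin Activity audit logs are always written and a log-based metric on that query fires within minutes of the grant.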

Optional common controls

You can optionally implement the following controls based on your organization's requirements.

Configure Context-Aware Access for Google consoles

Google control ID: IAM-CO-8.2
Category: Optional
Description

With Context-Aware Access, you can create granular access control security policies for applications based on attributes such as user identity, location, device security status, and IP address. We recommend that you use Context-Aware Access to restrict access to the Google Cloud console (https://console.cloud.google.com/) and the Google Admin console (https://admin.cloud.google.com).

Applicable products
  • Cloud Identity
  • Context-Aware Access
Related NIST-800-53 controls
  • AC-3
  • AC-12
  • AC-17
  • AC-20
  • SC-7
  • SC-8
Related CRI profile controls
  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-5.1
  • PR.AC-5.2
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2
  • PR.DS-2.1
  • PR.DS-2.2
  • PR.DS-5.1
  • PR.PT-4.1
  • DE.CM-1.1
  • DE.CM-1.2
  • DE.CM-1.3
  • DE.CM-1.4
