We recommend the following best practices for managing IAM recommender recommendations.
For more information about the IAM recommender, see the IAM recommender overview.
Getting started with recommendations
The following best practices can help you get started with the IAM recommender.
Begin with an initial cleanup of over-granted permissions. Initially, you might see a very large number of recommendations, especially if many members have highly permissive roles like Editor. Take the time to address all recommendations in your project or organization to ensure that all of your members have the appropriate roles.
When doing this initial cleanup, prioritize the following types of recommendations:
Recommendations that reduce permissions for service accounts. By default, all default service accounts are granted the highly permissive Editor role on projects. Other service accounts that you manage might also have been granted highly permissive roles. All over-granted permissions increase your security risk, and overly privileged service accounts are no exception, so we recommend prioritizing them during your initial cleanup.
Recommendations that help prevent privilege escalation. Roles that allow members to act as a service account (iam.serviceAccounts.actAs) or to get or set the IAM policy for a resource can potentially allow a member to escalate their own privilege. Prioritize recommendations relating to these roles.
When you find an over-privileged member in one project, check other projects for recommendations involving that member. If a member has been granted an overly permissive role in one project, it is possible that they have been granted overly permissive roles in other projects as well. Review recommendations for the member across multiple projects to globally reduce the member's access to the appropriate level.
After the initial cleanup, check your recommendations regularly. We recommend that you check your recommendations at least once a week. This check will usually take much less time than the initial cleanup, because you will only need to address recommendations for changes that have occurred since the last cleanup or check.
Regularly checking permissions reduces the work required for each check, and can help you proactively identify and remove inactive users, as well as continue to downscope permissions for active users.
Best practices for working with recommendations
If you use the Recommender API or the recommender commands for the gcloud tool to manage recommendations, make sure to update the state of recommendations that you apply. This allows you to keep track of your recommendations and ensures that the changes you make appear in your recommendations logs.
Best practices for applying recommendations automatically
To manage your recommendations more efficiently, you might want to automate the process of applying recommendations. If you decide to use automation, keep the following points in mind.
The IAM recommender tries to provide recommendations that will not cause breaking changes in access. For example, we will never recommend a role that excludes permissions that a member has used, passively or actively, in the last 90 days. We also use machine learning to identify other permissions that the user is likely to need.
However, we cannot guarantee that our recommendations will never cause breaking changes in access—it is possible that applying a recommendation will result in a member being unable to access a resource that they need. We recommend reviewing How the IAM recommender works and deciding how much automation you are comfortable with. For example, you might decide to apply most recommendations automatically, but require a manual review for recommendations that add or remove a certain number of permissions, or that involve granting or revoking a specific role.
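The following Python script is an added example, not Google's code, that ties together the two practices above: it splits a batch of IAM recommender recommendations into those that can be applied unattended and those that need a human reviewer (a reviewed-role list and a revoked-permission threshold are the example's own assumptions), and it builds the gcloud recommender mark-claimed and mark-succeeded/mark-failed commands that record the outcome so the recommendation log stays accurate. The two sample recommendations are constructed; their field layout follows what `gcloud recommender recommendations list --recommender=google.iam.policy.Recommender --location=global --format=json` returns as this example reads it, reduced to the fields used here, and is an assumption rather than a documented contract.

```python
"""Triage IAM recommender recommendations before applying them automatically.

Added example, not Google's code. Sample records and policy knobs are constructed.
"""

# Policy knobs (assumptions): roles whose grant or revocation always needs a
# person, and the largest permission reduction that may be applied unattended.
REVIEW_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                "roles/iam.serviceAccountUser"}
MAX_AUTO_REVOKED = 100

# Constructed sample: rec-1 downscopes a default-style Compute service account
# from Editor; rec-2 trims a user's Logging role. Field layout is this example's
# reading of the recommendations list output (assumption).
SAMPLE_RECOMMENDATIONS = [
    {
        "name": "projects/123/locations/global/recommenders/"
                "google.iam.policy.Recommender/recommendations/rec-1",
        "etag": '"abc123"',
        "recommenderSubtype": "REPLACE_ROLE",
        "primaryImpact": {"category": "SECURITY", "securityProjection":
                          {"details": {"revokedPermissionsCount": 2100}}},
        "content": {"operationGroups": [{"operations": [
            {"action": "add", "path": "/iamPolicy/bindings/*/members/-",
             "pathFilters": {"/iamPolicy/bindings/*/role": "roles/logging.viewer"},
             "value": "serviceAccount:123-compute@developer.gserviceaccount.com"},
            {"action": "remove", "path": "/iamPolicy/bindings/*/members/*",
             "pathFilters": {"/iamPolicy/bindings/*/role": "roles/editor",
                             "/iamPolicy/bindings/*/members/*":
                             "serviceAccount:123-compute@developer.gserviceaccount.com"}},
        ]}]},
    },
    {
        "name": "projects/123/locations/global/recommenders/"
                "google.iam.policy.Recommender/recommendations/rec-2",
        "etag": '"def456"',
        "recommenderSubtype": "REPLACE_ROLE",
        "primaryImpact": {"category": "SECURITY", "securityProjection":
                          {"details": {"revokedPermissionsCount": 12}}},
        "content": {"operationGroups": [{"operations": [
            {"action": "add", "path": "/iamPolicy/bindings/*/members/-",
             "pathFilters": {"/iamPolicy/bindings/*/role": "roles/logging.viewer"},
             "value": "user:alice@example.com"},
            {"action": "remove", "path": "/iamPolicy/bindings/*/members/*",
             "pathFilters": {"/iamPolicy/bindings/*/role": "roles/logging.admin",
                             "/iamPolicy/bindings/*/members/*": "user:alice@example.com"}},
        ]}]},
    },
]


def binding_changes(rec):
    """Return (action, member, role) for every binding edit in the recommendation."""
    changes = []
    for group in rec["content"]["operationGroups"]:
        for op in group["operations"]:
            role = op["pathFilters"]["/iamPolicy/bindings/*/role"]
            # "add" carries the member in value; "remove" names it in pathFilters.
            member = op.get("value") or op["pathFilters"]["/iamPolicy/bindings/*/members/*"]
            changes.append((op["action"], member, role))
    return changes


def revoked_permission_count(rec):
    """Number of permissions the recommendation would take away (0 if absent)."""
    details = rec.get("primaryImpact", {}).get("securityProjection", {}).get("details", {})
    return int(details.get("revokedPermissionsCount", 0))


def review_reasons(rec):
    """Why a person must review this recommendation; an empty list means automate."""
    reasons = []
    for action, member, role in binding_changes(rec):
        if role in REVIEW_ROLES:
            reasons.append(f"{action} of {role} for {member} touches a reviewed role")
    count = revoked_permission_count(rec)
    if count > MAX_AUTO_REVOKED:
        reasons.append(f"revokes {count} permissions (limit {MAX_AUTO_REVOKED})")
    return reasons


def triage(recs):
    """Split recommendations into (apply automatically, needs manual review)."""
    auto, manual = [], []
    for rec in recs:
        (manual if review_reasons(rec) else auto).append(rec)
    return auto, manual


def state_update_commands(rec, project, succeeded=True):
    """argv lists for the gcloud calls that record the outcome of applying rec.

    mark-claimed takes the etag returned by list. The etag changes on every
    state transition, so real automation must read the new etag from the
    mark-claimed response before the second call (placeholder shown here).
    """
    rec_id = rec["name"].rsplit("/", 1)[1]
    common = ["--location=global", "--recommender=google.iam.policy.Recommender",
              f"--project={project}"]
    final = "mark-succeeded" if succeeded else "mark-failed"
    return [
        ["gcloud", "recommender", "recommendations", "mark-claimed", rec_id, *common,
         f"--etag={rec['etag']}", "--state-metadata=applied-by=iam-automation"],
        ["gcloud", "recommender", "recommendations", final, rec_id, *common,
         "--etag=ETAG_FROM_MARK_CLAIMED_RESPONSE"],
    ]


if __name__ == "__main__":
    auto, manual = triage(SAMPLE_RECOMMENDATIONS)
    for rec in manual:
        print("REVIEW", rec["name"].rsplit("/", 1)[1], review_reasons(rec))
    for rec in auto:
        for argv in state_update_commands(rec, "example-project"):
            print("RUN", " ".join(argv))
```

Feed the script real output from `gcloud recommender recommendations list ... --format=json` instead of the constructed sample, and hand each argv list to `subprocess.run` once the policy change itself has been applied. Marking a recommendation CLAIMED before you change the policy and SUCCEEDED or FAILED afterwards is what keeps the recommendation history in step with what your automation actually did.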