Enforce least privilege with recommendations

This page provides an overview of the Cloud IAM recommender. The Cloud IAM recommender helps you enforce the principle of least privilege by ensuring that members have only the permissions that they actually need.

How the Cloud IAM recommender works

Cloud IAM uses Recommender to compare project-level role grants with the permissions that each member used during the past 90 days. If you grant a project-level role to a member, and the member does not use all of that role's permissions, then the Cloud IAM recommender is likely to recommend that you revoke the role. If necessary, the Cloud IAM recommender also recommends less permissive roles as a replacement.

The Cloud IAM recommender also uses machine learning to identify permissions that a member is likely to need in the future, even if the member did not use those permissions in the past 90 days.

The Cloud IAM recommender does not apply recommendations automatically. Instead, you must review each recommendation, then either apply or dismiss the recommendation.

The Cloud IAM recommender evaluates only role grants that were made at the project level, and that have existed for at least 90 days. It does not evaluate any of the following items:

Permissions used by each member

To create recommendations, the Cloud IAM recommender identifies the permissions that each member used in the past 90 days. There are a few ways in which a member can use a permission:

  • Directly, by calling an API that requires the permission

    For example, the roles.list method in the Cloud IAM REST API requires the iam.roles.list permission. When you call the roles.list method, you use the iam.roles.list permission.

  • Indirectly, by using the Google Cloud Console to work with Google Cloud resources

    For example, in the Cloud Console, you can edit a Compute Engine virtual machine (VM) instance, which requires different permissions based on which settings you change. However, the Cloud Console also displays the existing settings, which requires the compute.instances.get permission.

    As a result, when you edit a VM instance in the Cloud Console, you use the compute.instances.get permission.
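The recommender derives "permissions used" from the member's activity; the page does not say how it collects that data. One way a defender can approximate the same view on their own is to read Cloud Audit Logs, where each entry carries the calling principal, the API method, and an authorizationInfo list naming the permissions that were checked and whether they were granted. The block below is an added example, not Google's code and not the recommender's own implementation: it takes constructed audit log entries (trimmed to the fields used here) and returns, per member, the set of permissions actually used in the last 90 days, ignoring denied checks and entries older than the window.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit log entries. The field layout (timestamp,
# protoPayload.authenticationInfo.principalEmail, protoPayload.methodName,
# protoPayload.authorizationInfo[].permission/granted) follows Cloud Audit
# Logs; the values themselves are made up for this example.
SAMPLE_LOG = [
    {   # Direct use: calling roles.list exercises iam.roles.list.
        "timestamp": "2021-02-19T10:15:00Z",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "fuyo@example.com"},
            "methodName": "google.iam.admin.v1.ListRoles",
            "authorizationInfo": [{"permission": "iam.roles.list", "granted": True}],
        },
    },
    {   # Indirect use: the Console displays a VM, which needs compute.instances.get.
        "timestamp": "2021-01-30T08:00:00Z",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "methodName": "v1.compute.instances.get",
            "authorizationInfo": [{"permission": "compute.instances.get", "granted": True}],
        },
    },
    {   # Older than 90 days relative to NOW: must not count as recent usage.
        "timestamp": "2020-11-01T12:00:00Z",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "fuyo@example.com"},
            "methodName": "google.iam.credentials.v1.GenerateAccessToken",
            "authorizationInfo": [{"permission": "iam.serviceAccounts.actAs", "granted": True}],
        },
    },
    {   # Denied check: the permission was requested but not held, so it was not "used".
        "timestamp": "2021-02-25T09:30:00Z",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "methodName": "v1.compute.instances.delete",
            "authorizationInfo": [{"permission": "compute.instances.delete", "granted": False}],
        },
    },
]

# Fixed reference time so the example is reproducible offline (constructed).
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)


def permissions_used(entries, now=NOW, window_days=90):
    """Return {member: set(permissions)} for granted checks within the window."""
    cutoff = now - timedelta(days=window_days)
    usage = {}
    for entry in entries:
        # Audit log timestamps are RFC 3339 with a trailing Z; make it parseable.
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        if ts < cutoff:
            continue
        payload = entry["protoPayload"]
        member = payload["authenticationInfo"]["principalEmail"]
        for check in payload.get("authorizationInfo", []):
            # Only a granted check means the member actually exercised the permission.
            if check.get("granted"):
                usage.setdefault(member, set()).add(check["permission"])
    return usage


if __name__ == "__main__":
    for member, perms in permissions_used(SAMPLE_LOG).items():
        print(member, sorted(perms))
```

Entries read from a real export (for example, `gcloud logging read` output in JSON) have the same nested shape, so `json.loads` of each line can be fed straight into `permissions_used`; the function deliberately ignores `methodName`, because the permission names in `authorizationInfo` are what a role grant is compared against.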

Machine learning

Sometimes, a member might need permissions not used in the last 90 days in order to do their job. To identify the additional permissions a member is likely to need, the Cloud IAM recommender uses a machine learning (ML) model.

The Cloud IAM recommender's machine learning model is trained on multiple sets of signals:

  • Common co-occurrence patterns in the observed history: The fact that a user used permissions A, B, and C in the past provides a hint that A, B, and C might be related in some way and that they are needed together to carry out a task on Google Cloud. If the ML model observes this pattern frequently enough, the next time a different user uses permissions A and B, the model will suggest that the user might need permission C as well.

  • Domain knowledge as encoded in the role definitions: Cloud IAM provides hundreds of different predefined roles that are service-specific. If a predefined role contains a set of permissions, it is a strong signal that those permissions should be granted together.

In addition to these signals, the model also uses word embedding to calculate how semantically similar the permissions are. Semantically similar permissions will be "close" to each other after embedding, and more likely to be granted together. For example, bigquery.datasets.get and bigquery.tables.list will be very close to each other after embedding.

All data used in the Cloud IAM recommender machine learning pipeline has k-anonymity, meaning that individuals in the anonymized data set cannot be re-identified. To achieve this level of anonymity, we drop all personally identifiable information (PII) such as the user ID related to each permission usage pattern. Then we drop all usage patterns that do not show up frequently enough across Google Cloud. The global model is trained on this anonymized data.
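The two ideas above, co-occurrence learning and k-anonymity of the training data, are easy to see on a toy scale. The block below is an added example, not Google's code and not the recommender's actual model (which the page describes only in outline): it drops the user ID from each constructed usage pattern, discards patterns seen fewer than k times, counts how often pairs of permissions occur together in the surviving patterns, and suggests a permission when it co-occurred with every permission the member is already using at least `min_confidence` of the time. The permission names are real Cloud IAM permissions; the usage patterns, `k`, and `min_confidence` are constructed for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed usage history: one entry per task a member carried out.
RAW_USAGE = [
    {"user": "alice@example.com", "perms": {"bigquery.datasets.get", "bigquery.tables.list", "bigquery.tables.get"}},
    {"user": "bob@example.com",   "perms": {"bigquery.datasets.get", "bigquery.tables.list", "bigquery.tables.get"}},
    {"user": "carol@example.com", "perms": {"bigquery.datasets.get", "bigquery.tables.list", "bigquery.tables.get"}},
    {"user": "dan@example.com",   "perms": {"bigquery.datasets.get", "bigquery.tables.list", "bigquery.tables.get"}},
    {"user": "erin@example.com",  "perms": {"compute.instances.list", "compute.instances.get"}},
    {"user": "frank@example.com", "perms": {"compute.instances.list", "compute.instances.get"}},
    {"user": "grace@example.com", "perms": {"compute.instances.list", "compute.instances.get"}},
    # A pattern seen only once: k-anonymity filtering must drop it so that
    # the model cannot leak one identifiable member's behaviour.
    {"user": "heidi@example.com", "perms": {"iam.serviceAccounts.actAs", "compute.instances.get"}},
]


def anonymize(raw_usage, k):
    """Drop user IDs and keep only patterns that occur at least k times.

    Identical patterns collapse onto one frozenset key, so the result is a
    {pattern: count} map with no PII in it.
    """
    counts = Counter(frozenset(entry["perms"]) for entry in raw_usage)
    return {pattern: n for pattern, n in counts.items() if n >= k}


def train_cooccurrence(patterns):
    """Count single-permission and pair-of-permission occurrences, weighted by pattern frequency."""
    single = Counter()
    pairs = Counter()
    for pattern, n in patterns.items():
        for perm in pattern:
            single[perm] += n
        for a, b in combinations(sorted(pattern), 2):
            pairs[(a, b)] += n
            pairs[(b, a)] += n
    return single, pairs


def suggest(model, used, min_confidence=0.5):
    """Suggest permissions a member using `used` is likely to need next.

    A candidate is suggested only if, for every permission already used,
    P(candidate | used permission) >= min_confidence in the training data.
    """
    single, pairs = model
    scores = {}
    for candidate in single:
        if candidate in used:
            continue
        confidences = [pairs[(u, candidate)] / single[u] for u in used if single[u]]
        if confidences and min(confidences) >= min_confidence:
            scores[candidate] = min(confidences)
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    model = train_cooccurrence(anonymize(RAW_USAGE, k=2))
    print(suggest(model, {"bigquery.datasets.get", "bigquery.tables.list"}))
```

With `k=2` the single actAs pattern never reaches the model, so a member who uses only `compute.instances.get` is not nudged toward `iam.serviceAccounts.actAs`; raising `k` trades suggestion coverage for stronger anonymity.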

The global model can be further customized for each organization using federated learning, a machine learning process that trains machine learning models without exporting data.

Audit logging

When you apply or dismiss a recommendation, Cloud IAM recommender creates a log entry. You can view these entries in the Cloud IAM recommender, or you can view them in your Google Cloud audit logs.

Other types of access controls

Some Google Cloud services provide access controls that are separate from Cloud IAM. For example, Cloud Storage provides access control lists (ACLs), and Google Kubernetes Engine (GKE) supports Kubernetes role-based access control (RBAC).

The Cloud IAM recommender analyzes only Cloud IAM access controls. If you use other types of access controls, take extra care when you review your recommendations, and consider how those access controls relate to your Cloud IAM policies.

Examples of role recommendations

The following examples show the types of recommendations that you can receive.

Revoke an existing role

The user fuyo@example.com was granted a custom role on a project. The custom role includes one permission, iam.serviceAccounts.actAs, which gives fuyo@example.com the ability to act as a service account. However, during the past 90 days, fuyo@example.com hasn't acted as a service account in that project.

Therefore, the Cloud IAM recommender suggests that you revoke the custom role from fuyo@example.com:

Replace an existing role

A service account was granted the Owner role (roles/owner) on a project. This primitive role includes more than 2,500 permissions and grants almost unlimited access to a project. However, during the past 90 days, the service account has used only a few hundred permissions.

Therefore, the Cloud IAM recommender suggests that you revoke the Owner role and replace it with a combination of four other roles, which removes thousands of overgranted permissions:

Add permissions suggested by machine learning

A service account was granted the Editor role (roles/editor) on a project. This primitive role includes more than 2,000 permissions and grants extensive access to a project. However, during the past 90 days, the service account has used fewer than 10 permissions.

The Cloud IAM recommender suggests that you revoke the Editor role and replace it with the Storage Object Admin role (roles/storage.objectAdmin), which grants full control of objects in a Cloud Storage bucket. This change removes thousands of overgranted permissions.

This role includes several permissions that the service account did not use in the past 90 days. However, using machine learning, the Cloud IAM recommender predicts that the service account will need these permissions in the future.

The Cloud IAM recommender uses a Machine learning icon to identify these additional permissions. In this example, the resourcemanager.projects.get permission was recommended based on machine learning:
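The three recommendation types above (revoke, replace with a combination of smaller roles, replace with a role that also carries ML-predicted permissions) follow one decision rule: keep every permission the member used or is predicted to need, and choose less permissive roles that cover that set. The block below is an added example, not Google's code and not how the recommender actually selects roles: it uses a greedy set cover over a constructed, heavily abbreviated role table (real predefined roles contain far more permissions, and `roles/custom.actAs` is a made-up custom role) and only considers replacement roles whose permissions are a subset of the granted role, so a recommendation can never widen access.

```python
# Constructed, abbreviated role definitions. Role names are real Cloud IAM
# role IDs except roles/custom.actAs; the permission sets are trimmed for the
# example and are not the full real definitions.
ROLES = {
    "roles/editor": {
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update",
        "compute.instances.get", "compute.instances.list", "compute.instances.create",
        "resourcemanager.projects.get", "logging.logEntries.create",
    },
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update", "resourcemanager.projects.get",
    },
    "roles/storage.objectViewer": {
        "storage.objects.get", "storage.objects.list", "resourcemanager.projects.get",
    },
    "roles/compute.viewer": {
        "compute.instances.get", "compute.instances.list", "resourcemanager.projects.get",
    },
    "roles/custom.actAs": {"iam.serviceAccounts.actAs"},
}


def greedy_cover(needed, candidates):
    """Pick roles until every needed permission is covered.

    Each step takes the role covering the most still-uncovered permissions,
    preferring the smaller role on ties. Returns None if some needed
    permission is not in any candidate role.
    """
    uncovered = set(needed)
    chosen = []
    while uncovered:
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (len(candidates[r] & uncovered), -len(candidates[r])))
        gain = candidates[best] & uncovered
        if not gain:
            return None
        chosen.append(best)
        uncovered -= gain
    return chosen


def recommend(granted_role, used, predicted, roles=ROLES):
    """Return a recommendation for one project-level role grant.

    used:      permissions the member exercised in the last 90 days
    predicted: extra permissions an ML model expects the member to need
    """
    granted_perms = roles[granted_role]
    if not used:
        # Nothing used at all: the page's "revoke an existing role" case.
        return {"action": "REVOKE", "role": granted_role, "removed": len(granted_perms)}
    needed = set(used) | set(predicted)
    # Only strictly less permissive roles are eligible as replacements.
    candidates = {r: p for r, p in roles.items() if r != granted_role and p <= granted_perms}
    chosen = greedy_cover(needed, candidates)
    if chosen is None:
        return {"action": "KEEP", "role": granted_role, "removed": 0}
    covered = set().union(*(roles[r] for r in chosen))
    return {
        "action": "REPLACE",
        "role": granted_role,
        "with": chosen,
        "removed": len(granted_perms - covered),
        # Permissions kept only because the model predicted them (the icon case).
        "ml_added": sorted((covered & set(predicted)) - set(used)),
    }


if __name__ == "__main__":
    print(recommend("roles/custom.actAs", set(), set()))
    print(recommend("roles/editor",
                    {"storage.objects.create", "storage.objects.get", "storage.objects.list"},
                    {"resourcemanager.projects.get"}))
```

The `KEEP` branch is the edge case worth noticing: when a used permission such as `logging.logEntries.create` exists in no smaller role, the grant cannot be narrowed with these candidates, which is also why the page tells you to review rather than auto-apply.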

Required permissions

This section describes the Cloud IAM permissions that you need in order to work with the Cloud IAM recommender.

View recommendations

To view recommendations from the Cloud IAM recommender, you must have the following permissions for the project you are viewing:

  • iam.roles.get
  • iam.roles.list
  • recommender.iamPolicyRecommendations.get
  • recommender.iamPolicyRecommendations.list
  • resourcemanager.projects.getIamPolicy

To gain these permissions while following the principle of least privilege, ask your administrator to grant you the following predefined roles:

  • Role Viewer (roles/iam.roleViewer)
  • Either IAM Recommender Viewer (roles/recommender.iamViewer) or IAM Security Reviewer (roles/iam.securityReviewer)

Alternatively, your administrator can grant you a different role that includes the required permissions, such as a custom role or a more permissive predefined role.

Apply and dismiss recommendations

To apply and dismiss recommendations from the Cloud IAM recommender, you must have the following permissions for the project you are managing:

  • iam.roles.get
  • iam.roles.list
  • recommender.iamPolicyRecommendations.get
  • recommender.iamPolicyRecommendations.list
  • recommender.iamPolicyRecommendations.update
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy

To gain these permissions while following the principle of least privilege, ask your administrator to grant you the following predefined roles:

  • Role Viewer (roles/iam.roleViewer)
  • IAM Recommender Admin (roles/recommender.iamAdmin)
  • Project IAM Admin (roles/resourcemanager.projectIamAdmin)

Alternatively, your administrator can grant you a different role that includes the required permissions, such as a custom role or a more permissive predefined role.
