Review and manage identity risks

As an IAM administrator, you can review and manage identity risks across your organization, folder, or project from the Google Cloud console by using the Security Insights dashboard.

The Security Insights dashboard lets you do the following:

  • Review vulnerable human, non-human, and group identities.

  • View the type and severity of identity risks associated with an organization, folder, or project.

  • Prioritize and remediate issues with actionable insights for both Google Cloud and other third-party identity providers.

Before you begin

To get the permissions that you need to review and manage identity risks, ask your administrator to grant you the following IAM roles on the organization, folder, or project whose identity risks you want to review and manage:

Review identity risks

  1. In the Google Cloud console, go to the IAM & Admin > Security Insights page.

  2. Select the organization, folder, or project that you want to review the identity risks for.

    The Security Insights dashboard displays the following widgets for the selected resource:

    • Identity risk overview: Shows the total number of identities with one or more role bindings; the total number of risky identities across human, non-human, and group identities; and their respective severity levels.

      The total number of identities is the sum of unique identities in the allow policies that are attached to the selected resource. This number doesn't include the identities from the allow policies that are attached to the child resources of the selected resource. For example, if your selected resource is an organization, then the identities from the allow policies that are attached to its individual folders or projects are not included.

    • Risks by finding category: Shows risky identities listed by finding category, such as Unused IAM role or IAM role has excessive permissions.

      The total number of findings in the Risks by finding category widget might differ from the number of insights in other widgets. This difference occurs because multiple insights of the same severity for the same resource are grouped into a single finding in other widgets.

    • Top risky groups: Shows groups with the highest excessive permissions.

    • Top risky human identities: Shows human identities with the highest excessive permissions.

    • Top risky non-human identities: Shows non-human identities with the highest excessive permissions.

    • Active IAM recommendations trend: Shows active role recommendations for a specified time period.

Manage identity risks

You can view insights and recommendations to manage the risks that are associated with an identity.

To manage identity risks, do the following from any widget on the dashboard:

  1. For a risky identity, click the number of insights in the Insights column.

  2. In the Insights pane, to filter insights by type, select the required type from the list.

  3. Depending on whether a recommendation is available for an insight, you can either view its details or view its recommendation.

    • For an insight without a recommendation, click View details.

      The Permissions pane provides details on the insight.

    • For an insight with a recommendation, click View recommendation.

      The Recommendation pane provides details about the suggested role removal or replacement.

  4. To apply or dismiss the recommendation, click Apply or Dismiss.

    It takes time for access changes to propagate through the system. To learn how long it takes, on average, for access changes to propagate, see Access change propagation.
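The dashboard and the Recommendation pane show these role recommendations one identity at a time. As an added example that is not part of this page or the Google Cloud documentation, the Python below takes the JSON that `gcloud recommender recommendations list --recommender=google.iam.policy.Recommender --location=global --project=PROJECT_ID --format=json` prints and rebuilds the same per-identity view as the widgets: count of active recommendations, highest priority, and the roles flagged as excessive, skipping recommendations that were already dismissed. The records, identities and roles are constructed samples, and the remove/add operation layout is an assumption about the IAM recommender's output format.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the IAM policy recommender's JSON output
# (assumed layout). Identities, roles and names are placeholders, not real data.
SAMPLE_JSON = json.dumps([
    {"name": "…/recommendations/r1", "recommenderSubtype": "REMOVE_ROLE",
     "priority": "P1", "stateInfo": {"state": "ACTIVE"},
     "content": {"operationGroups": [{"operations": [
         {"action": "remove", "path": "/iamPolicy/binding/members/*",
          "pathFilters": {"/iamPolicy/binding/role": "roles/owner",
                          "/iamPolicy/binding/members/*": "user:alice@example.com"}}]}]}},
    {"name": "…/recommendations/r2", "recommenderSubtype": "REPLACE_ROLE",
     "priority": "P2", "stateInfo": {"state": "ACTIVE"},
     "content": {"operationGroups": [{"operations": [
         {"action": "remove", "path": "/iamPolicy/binding/members/*",
          "pathFilters": {"/iamPolicy/binding/role": "roles/editor",
                          "/iamPolicy/binding/members/*": "serviceAccount:ci@proj.iam.gserviceaccount.com"}},
         {"action": "add", "path": "/iamPolicy/binding/members/-",
          "value": "serviceAccount:ci@proj.iam.gserviceaccount.com",
          "pathFilters": {"/iamPolicy/binding/role": "roles/storage.objectViewer"}}]}]}},
    {"name": "…/recommendations/r3", "recommenderSubtype": "REMOVE_ROLE",
     "priority": "P4", "stateInfo": {"state": "DISMISSED"},  # already handled, must be skipped
     "content": {"operationGroups": [{"operations": [
         {"action": "remove", "path": "/iamPolicy/binding/members/*",
          "pathFilters": {"/iamPolicy/binding/role": "roles/viewer",
                          "/iamPolicy/binding/members/*": "user:alice@example.com"}}]}]}},
])

def parse_recommendations(raw):
    """Flatten each recommendation: which identity, which role is removed, which (if any) replaces it."""
    out = []
    for rec in json.loads(raw):
        ops = [op for g in rec["content"]["operationGroups"] for op in g["operations"]]
        removed = next(op for op in ops if op["action"] == "remove")
        added = [op["pathFilters"]["/iamPolicy/binding/role"] for op in ops if op["action"] == "add"]
        out.append({"identity": removed["pathFilters"]["/iamPolicy/binding/members/*"],
                    "subtype": rec["recommenderSubtype"], "priority": rec["priority"],
                    "state": rec["stateInfo"]["state"],
                    "removed_role": removed["pathFilters"]["/iamPolicy/binding/role"],
                    "added_roles": added})
    return out

def summarize_active(recs):
    """Per identity: number of ACTIVE recommendations, highest priority (P1 > P4), flagged roles."""
    summary = defaultdict(lambda: {"active": 0, "highest": None, "roles": []})
    for r in recs:
        if r["state"] != "ACTIVE":
            continue
        s = summary[r["identity"]]
        s["active"] += 1
        s["roles"].append(r["removed_role"])
        if s["highest"] is None or r["priority"] < s["highest"]:  # "P1" sorts before "P2"
            s["highest"] = r["priority"]
    return dict(summary)
```

Sort the summary by `highest` and `active` to get the same ordering as the Top risky identities widgets before deciding which recommendations to apply in the console.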