Large organizations often have an extensive set of Google Cloud policies to control resources and manage access. Policy Intelligence tools help you understand and manage your policies to proactively improve your security configuration.
The following sections explain what you can do with Policy Intelligence tools.
Understand policies and usage
There are several Policy Intelligence tools that help you understand what access your policies allow and how the policies are being used.
Analyze access
Cloud Asset Inventory provides Policy Analyzer for IAM allow policies, which lets you find out which principals have access to which Google Cloud resources, based on your IAM allow policies.
Policy Analyzer helps you answer questions like the following:
- "Who has any access to this IAM service account?"
- "What roles and permissions does this user have on this BigQuery dataset?"
- "Which BigQuery datasets does this user have permission to read?"
By helping you answer these questions, Policy Analyzer lets you effectively administer access. You can also use Policy Analyzer for audit-related and compliance-related tasks.
To learn more about Policy Analyzer for allow policies, see Policy Analyzer overview.
To learn how to use Policy Analyzer for allow policies, see Analyzing IAM policies.
Analyze organization policies
Policy Intelligence provides Policy Analyzer for Organization Policy, which you can use to create an analysis query to get information on both custom and predefined organization policies.
You can use Policy Analyzer to return a list of organization policies with a particular constraint and the resources to which those policies are attached.
To learn how to use Policy Analyzer for Organization Policy, see Analyze existing organization policies.
Troubleshoot access issues
To help you understand and remedy access issues, Policy Intelligence offers the following troubleshooters:
- Policy Troubleshooter for Identity and Access Management
- VPC Service Controls troubleshooter
- Policy Troubleshooter for Chrome Enterprise Premium
Access troubleshooters help answer "why" questions like the following:
- "Why does this user have the bigquery.datasets.create permission on this BigQuery dataset?"
- "Why isn't this user able to view the allow policy of this Cloud Storage bucket?"
To learn more about these troubleshooters, see Access-related troubleshooters.
Understand service account usage and permissions
Service accounts are a special type of principal that you can use to authenticate applications in Google Cloud.
To help you understand service account usage, Policy Intelligence offers the following features:
- Activity Analyzer: Activity Analyzer lets you see when your service accounts and keys were last used to call a Google API. To learn how to use Activity Analyzer, see View recent usage for service accounts and keys.
- Service account insights: Service account insights are a type of insight that identify which service accounts in your project have not been used in the past 90 days. To learn how to manage service account insights, see Find unused service accounts.
To help you understand service account permissions, Policy Intelligence offers lateral movement insights. Lateral movement insights are a type of insight that identify roles that allow a service account in one project to impersonate a service account in another project. For more information about lateral movement insights, see How lateral movement insights are generated. To learn how to manage lateral movement insights, see Identify service accounts with lateral movement permissions.
Lateral movement insights are sometimes linked to role recommendations. Role recommendations suggest actions that you can take to remediate the issues identified by lateral movement insights.
Improve your policies
You can improve your IAM allow policies by using role recommendations. Role recommendations help you enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need. Each role recommendation suggests that you remove or replace an IAM role that gives your principals excess permissions.
To learn more about role recommendations, including how they're generated, see Enforce least privilege with role recommendations.
To learn how to manage role recommendations, see one of the following guides:
- Review and apply role recommendations for projects, folders, and organizations
- Review and apply role recommendations for Cloud Storage buckets
- Review and apply role recommendations for BigQuery datasets
Prevent policy misconfigurations
There are several Policy Intelligence tools that you can use to see how changes to policies will impact your organization. After you see the effect of the changes, you can decide whether or not to make them.
Test changes to access-related policies
To let you see how a change to an access-related policy might affect your principals' access, Policy Intelligence provides the following policy simulators:
- Policy Simulator for allow policies
- Policy Simulator for deny policies
- Policy Simulator for principal access boundary policies
Each of these simulators lets you see how a change to a policy of that type would affect access for your principals before you commit to making the change. Each simulator evaluates only one policy type; it does not take into account whether policies of the other types would permit or block access. For example, a change that Policy Simulator for allow policies reports as granting access can still be blocked by an existing deny policy or principal access boundary policy, so check those policy types separately before you rely on the simulation result.
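The following is an added example, not code from Google Cloud or from this documentation set, that models the two ideas above in a few dozen lines of Python: the troubleshooter-style question "why does this principal have this permission on this resource?", answered by walking inherited allow bindings and group memberships, and the simulator caveat that evaluating an allow policy alone can give the wrong answer, because Google Cloud evaluates deny policies before allow policies. Every role, resource, group, principal and policy in it is constructed sample data; the role-to-permission table is a partial, hand-written subset, and the deny-policy identifiers follow the v2 principal:// and principalSet:// style and the service.googleapis.com/verb permission form that deny policies use.

```python
"""Toy model of IAM access evaluation (added example, not Google Cloud code).

explain_access() answers "why does this principal have this permission?" by
walking allow policies up the resource hierarchy; simulate_allow_only() shows
what an allow-policy-only simulation reports. Deny policies are checked first,
as Google Cloud does. All data below is constructed sample data.
"""

# Constructed subset of predefined roles: real role names, partial permission lists.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.admin": {"storage.objects.get", "storage.objects.list",
                            "storage.objects.delete", "storage.buckets.getIamPolicy"},
}

# Constructed hierarchy: bucket -> project -> organization (full resource names).
BUCKET = "//storage.googleapis.com/projects/_/buckets/payroll-exports"
PROJECT = "//cloudresourcemanager.googleapis.com/projects/hr-prod"
ORG = "//cloudresourcemanager.googleapis.com/organizations/123456789012"
PARENT = {BUCKET: PROJECT, PROJECT: ORG}

# Constructed allow policies, keyed by the resource they are attached to.
ALLOW_POLICIES = {
    PROJECT: [{"role": "roles/storage.admin",
               "members": ["group:hr-analysts@example.com"]}],
    BUCKET: [{"role": "roles/storage.objectViewer",
              "members": ["user:sam@example.com"]}],
}

# Constructed group membership (what Policy Analyzer's group expansion resolves).
GROUPS = {"group:hr-analysts@example.com": {"user:alex@example.com", "user:dana@example.com"}}

# Constructed deny policy rule in the v2 style used by IAM deny policies.
DENY_RULES = [{
    "deniedPrincipals": ["principalSet://goog/group/hr-analysts@example.com"],
    "exceptionPrincipals": ["principal://goog/subject/dana@example.com"],
    "deniedPermissions": ["storage.googleapis.com/objects.delete"],
}]


def ancestors(resource):
    """The resource followed by its parents, for allow-policy inheritance."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def member_includes(member, user):
    """True if an allow-policy member ("user:" or "group:") covers this user."""
    return member == user or user in GROUPS.get(member, set())


def v2_matches(principal, user):
    """Map a deny-policy principal identifier back onto a "user:" member."""
    if principal.startswith("principalSet://goog/group/"):
        return user in GROUPS.get("group:" + principal.rsplit("/", 1)[1], set())
    return principal == "principal://goog/subject/" + user.split(":", 1)[1]


def to_deny_permission(permission):
    """'storage.objects.delete' -> 'storage.googleapis.com/objects.delete'."""
    service, rest = permission.split(".", 1)
    return f"{service}.googleapis.com/{rest}"


def allow_bindings_granting(user, permission, resource):
    """Bindings on the resource or an ancestor whose role gives `user` the permission."""
    hits = []
    for res in ancestors(resource):
        for binding in ALLOW_POLICIES.get(res, []):
            if permission not in ROLE_PERMISSIONS.get(binding["role"], set()):
                continue
            for member in binding["members"]:
                if member_includes(member, user):
                    hits.append((res, binding["role"], member))
    return hits


def deny_rule_blocking(user, permission):
    """First deny rule naming this permission and this user without excepting them."""
    wanted = to_deny_permission(permission)
    for rule in DENY_RULES:
        if wanted not in rule["deniedPermissions"]:
            continue
        if any(v2_matches(p, user) for p in rule.get("exceptionPrincipals", [])):
            continue
        if any(v2_matches(p, user) for p in rule["deniedPrincipals"]):
            return rule
    return None


def simulate_allow_only(user, permission, resource):
    """What a simulation that looks only at allow policies would report."""
    return bool(allow_bindings_granting(user, permission, resource))


def explain_access(user, permission, resource):
    """(allowed, reason): deny rules first, then inherited allow bindings."""
    if deny_rule_blocking(user, permission):
        return False, f"blocked by a deny rule on {to_deny_permission(permission)}"
    hits = allow_bindings_granting(user, permission, resource)
    if not hits:
        return False, "no allow binding on the resource or its ancestors grants it"
    res, role, member = hits[0]
    return True, f"granted to {member} through {role} on {res}"


if __name__ == "__main__":
    for user, perm in [("user:alex@example.com", "storage.objects.get"),
                       ("user:alex@example.com", "storage.objects.delete"),
                       ("user:sam@example.com", "storage.buckets.getIamPolicy")]:
        print(user, perm, simulate_allow_only(user, perm, BUCKET), explain_access(user, perm, BUCKET))
```

In the sample data, alex gets storage.objects.delete on the bucket through the group's project-level roles/storage.admin binding, so an allow-only simulation reports access, while the full evaluation reports it blocked by the deny rule; dana, listed as an exception principal, keeps it. That gap between the two answers is the reason the section above tells you to check the other policy types separately.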
Test organization policy changes
Policy Simulator for Organization Policy lets you preview the impact of a new custom constraint or organization policy that enforces a custom constraint before it is enforced on your production environment.
Policy Simulator lists the resources that would violate the proposed policy before it is enforced, so you can reconfigure those resources, request exceptions, or change the scope of your organization policy without disrupting your developers or bringing down your environment.
To learn how to use Policy Simulator to test changes to organization policies, see Test organization policy changes with Policy Simulator.