Tools to understand service account usage

There are several different tools that you can use to understand authentication activities for service accounts and keys. This page describes the available tools and their intended uses.

If you want to see how service accounts are using their permissions and identify over-privileged service accounts, use role recommendations. For more information, see Overview of role recommendations.

Authentication activities

Whenever a service account or key is used to call a Google API, including an API that is not part of Google Cloud, it generates an authentication activity. To understand service account usage, you can track these authentication activities using the tools described on this page.

Authentication activities include both successful and failed API calls. For example, if an API call fails because the caller is not authorized to call that API, or because the request referred to a resource that does not exist, the action still counts as an authentication activity for the service account or key that was used for that API call.

Authentication activities for service account keys also include any time a system lists the keys while attempting to authenticate a request, even if the system doesn't use the key to authenticate the request. This behavior is most common when using signed URLs for Cloud Storage or when authenticating to third-party applications.

Cloud Storage HMAC authentication keys do not generate authentication activities for either service accounts or service account keys.

Activity Analyzer

Policy Intelligence's Activity Analyzer lets you view the most recent authentication activities for your service accounts and service account keys. The date of the most recent authentication activity is determined based on US and Canadian Pacific Standard Time (UTC-8), even when Pacific Daylight Time is in effect.

Use Activity Analyzer to identify unused service accounts and keys. With Activity Analyzer, you can use your own definition of what it means for a service account or key to be "unused." For example, some organizations might define "unused" as 90 days of inactivity, while others might define "unused" as 30 days of inactivity.

We recommend disabling or deleting these unused service accounts and keys because they create an unnecessary security risk: a credential nobody is using is a credential nobody is watching. Disable first and delete later, because disabling is reversible if a workload turns out to still depend on the account or key, whereas a deleted key cannot be recovered.

To learn how to view service account authentication activities, see View recent usage for service accounts and keys.
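As an added example (not code from the documentation), the following script applies an organisation's own "unused" threshold to Activity Analyzer results, as the paragraphs above describe. It reads JSON in the shape of `gcloud policy-intelligence query-activity --format=json` output; the field names it relies on (`activityType`, `fullResourceName`, `activity.lastAuthenticatedTime`) and all project, account and key identifiers are assumptions constructed for this example. It also handles the two points a practitioner tends to trip over: the last-authentication date is reported in Pacific Standard Time (UTC-8) year-round, and a resource with no recorded authentication at all is the strongest candidate for removal, not a gap to skip.

```python
"""Flag unused service accounts and keys from Activity Analyzer output,
using an organisation-chosen inactivity threshold (example code, not from
the documentation)."""
import json
from datetime import date, datetime, timedelta, timezone

# Activity Analyzer dates the most recent authentication in US/Canadian Pacific
# Standard Time (UTC-8) all year round, so timestamps are converted with a fixed
# -8h offset and deliberately no daylight-saving logic.
PST = timezone(timedelta(hours=-8))

# Constructed sample in the shape of `gcloud policy-intelligence query-activity
# --format=json` output. The field names (activityType, fullResourceName,
# activity.lastAuthenticatedTime) are assumptions for this example, and every
# project, account and key ID is invented.
SAMPLE_ACTIVITIES = json.dumps([
    {
        "activityType": "serviceAccountLastAuthentication",
        "fullResourceName": "//iam.googleapis.com/projects/example-proj/serviceAccounts/ci-deployer@example-proj.iam.gserviceaccount.com",
        "activity": {"lastAuthenticatedTime": "2024-06-01T08:00:00Z"},
    },
    {
        "activityType": "serviceAccountLastAuthentication",
        "fullResourceName": "//iam.googleapis.com/projects/example-proj/serviceAccounts/legacy-etl@example-proj.iam.gserviceaccount.com",
        "activity": {"lastAuthenticatedTime": "2024-01-15T08:00:00Z"},
    },
    {
        # Never observed authenticating: the analyzer reports no timestamp.
        "activityType": "serviceAccountLastAuthentication",
        "fullResourceName": "//iam.googleapis.com/projects/example-proj/serviceAccounts/orphan@example-proj.iam.gserviceaccount.com",
        "activity": {},
    },
    {
        "activityType": "serviceAccountKeyLastAuthentication",
        "fullResourceName": "//iam.googleapis.com/projects/example-proj/serviceAccounts/ci-deployer@example-proj.iam.gserviceaccount.com/keys/0123abcd",
        "activity": {"lastAuthenticatedTime": "2024-02-20T08:00:00Z"},
    },
])


def last_used_date(entry):
    """Return the PST calendar date of the last authentication, or None if never observed."""
    ts = entry.get("activity", {}).get("lastAuthenticatedTime")
    if not ts:
        return None
    # Normalise the trailing 'Z' so fromisoformat accepts it on older Pythons.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when.astimezone(PST).date()


def find_unused(activities_json, unused_after_days, today_iso):
    """Return [(resource, kind, days_idle)] for entries idle longer than the threshold.

    `unused_after_days` is the organisation's own definition of "unused" (the page
    gives 30 and 90 days as examples). `today_iso` is the evaluation date as
    YYYY-MM-DD. Entries with no recorded authentication are returned with
    days_idle=None and always count as unused.
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=unused_after_days)
    unused = []
    for entry in json.loads(activities_json):
        kind = "key" if "/keys/" in entry["fullResourceName"] else "service account"
        used = last_used_date(entry)
        if used is None:
            unused.append((entry["fullResourceName"], kind, None))
        elif used < cutoff:
            unused.append((entry["fullResourceName"], kind, (today - used).days))
    return unused


if __name__ == "__main__":
    for resource, kind, idle in find_unused(SAMPLE_ACTIVITIES, 90, "2024-06-10"):
        print(f"{kind:15} idle={idle!s:>5}  {resource}")
```

Running it with a 90-day threshold on 2024-06-10 reports the legacy-etl account (147 days idle), the ci-deployer key (111 days idle) and the never-used orphan account, while the ci-deployer service account itself, used nine days earlier, is left alone. Raising the threshold to 200 days leaves only the orphan account flagged, which is the behaviour you want: a never-used credential does not become acceptable because your window got longer.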

Service account insights

Recommender provides service account insights, which identify the service accounts in your project that have not been used for the past 90 days. Use service account insights to quickly identify unused service accounts. We recommend disabling or deleting these unused service accounts because they create an unnecessary security risk.

To learn how to use service account insights, see Find unused service accounts.

Service account usage metrics

Cloud Monitoring provides usage metrics for your service accounts and service account keys. Usage metrics report each authentication activity for your service accounts and service account keys.

Use service account usage metrics to track service account usage patterns over time. These patterns can help you identify anomalies, either automatically or manually.

To learn how to view service account usage metrics, see Monitor usage patterns for service accounts and keys in the IAM documentation.
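The paragraph above says usage metrics let you spot anomalies in usage patterns, automatically or manually. As an added example (not code from the documentation), here is the kind of automated check a practitioner would run over those metrics once they have been aggregated per service account and per day. The time series are constructed for this example, and the metric name mentioned in the comment, `iam.googleapis.com/service_account/authn_events_count`, is an assumption about where such counts would come from; the page itself only says usage metrics exist. The two patterns it looks for are a sudden spike against a recent baseline and an account that was silent for the whole baseline window and then authenticated, which is a shorter-window cousin of the dormant-account detection described further down the page.

```python
"""Baseline-and-spike detection over daily service account authentication
counts (example code, not from the documentation)."""
from statistics import mean, pstdev

# Constructed daily series, one list per service account, oldest day first.
# This is the shape you would get by summing the Cloud Monitoring metric
# iam.googleapis.com/service_account/authn_events_count per account per day
# (metric name assumed for this example). All accounts and values are invented.
SAMPLE_SERIES = {
    "ci-deployer@example-proj.iam.gserviceaccount.com":
        [40, 42, 39, 45, 41, 38, 44, 40, 43, 41, 39, 42, 40, 410],
    "nightly-backup@example-proj.iam.gserviceaccount.com":
        [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
    "legacy-etl@example-proj.iam.gserviceaccount.com":
        [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3],
}


def detect_anomalies(series, baseline_days=13, spike_sigma=4.0, sigma_floor=1.0):
    """Classify the newest day of each series against the preceding baseline.

    Returns {account: "dormant-then-active" | "spike"} and omits accounts that
    look normal. `baseline_days` is how many prior days form the baseline,
    `spike_sigma` how many standard deviations above the baseline mean counts as
    a spike, and `sigma_floor` stops a perfectly flat baseline (sigma = 0) from
    turning every one-event blip into a finding.
    """
    findings = {}
    for account, counts in series.items():
        if len(counts) < 2:
            continue  # nothing to compare against
        baseline, latest = counts[:-1][-baseline_days:], counts[-1]
        # Silent for the whole window, then active: worth a look regardless of volume.
        if all(c == 0 for c in baseline) and latest > 0:
            findings[account] = "dormant-then-active"
            continue
        threshold = mean(baseline) + spike_sigma * max(pstdev(baseline), sigma_floor)
        if latest > threshold:
            findings[account] = "spike"
    return findings


if __name__ == "__main__":
    for account, kind in detect_anomalies(SAMPLE_SERIES).items():
        print(f"{kind:20} {account}")
```

On the sample data the deployer account is reported as a spike (about 410 authentications against a baseline near 41) and legacy-etl as dormant-then-active, while the backup job's steady one event per day produces no finding. The sigma floor is the important design choice: without it, pstdev of a constant series is zero and any change at all would be flagged, which is how anomaly alerts become noise that nobody reads.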

Dormant service account detection

Event Threat Detection detects and reports when a dormant service account triggers an action. Dormant service accounts are service accounts that have been inactive for more than 180 days.

This feature is only available for Security Command Center Premium customers.

To learn how to view and remediate dormant service account action findings, see Investigating and responding to threats.