Policy Intelligence tools

Large organizations often have an extensive set of Google Cloud policies to control resources and manage access. Policy Intelligence tools help you understand and manage your policies to proactively improve your security configuration.

The following sections explain what you can do with Policy Intelligence tools.

Understand policies and usage

There are several Policy Intelligence tools that help you understand what access your policies allow and how the policies are being used.

Analyze access

Cloud Asset Inventory provides Policy Analyzer, which lets you find out what principals have access to which Google Cloud resources based on your IAM allow policies.

Policy Analyzer helps you answer questions like the following:

  • "Who has any access to this IAM service account?"
  • "What roles and permissions does this user have on this BigQuery dataset?"
  • "Which BigQuery datasets does this user have permission to read?"

By helping you answer these questions, Policy Analyzer lets you effectively administer access. You can also use Policy Analyzer for audit-related and compliance-related tasks.

To learn more about Policy Analyzer, see Policy Analyzer overview.

To learn how to use Policy Analyzer, see Analyzing IAM policies.

Troubleshoot access issues

To help you understand and remedy access issues, Policy Intelligence offers the following troubleshooters:

  • Policy Troubleshooter for Identity and Access Management allow policies
  • VPC Service Controls troubleshooter
  • Policy Troubleshooter for BeyondCorp Enterprise

Access troubleshooters help answer "why" questions like the following:

  • "Why does this user have the bigquery.datasets.create permission on this BigQuery dataset?"
  • "Why isn't this user able to view the allow policy of this Cloud Storage bucket?"

To learn more about these troubleshooters, see Access-related troubleshooters.

Understand service account usage and permissions

Service accounts are a special type of principal that you can use to authenticate applications in Google Cloud.

To help you understand service account usage, Policy Intelligence offers the following features:

  • Activity Analyzer: Activity Analyzer lets you see when your service accounts and keys were last used to call a Google API. To learn how to use Activity Analyzer, see View recent usage for service accounts and keys.

  • Service account insights: Service account insights are a type of insight that identifies which service accounts in your project have not been used in the past 90 days. To learn how to manage service account insights, see Find unused service accounts.

To help you understand service account permissions, Policy Intelligence offers lateral movement insights. Lateral movement insights are a type of insight that identifies roles that allow a service account in one project to impersonate a service account in another project. For more information about lateral movement insights, see How lateral movement insights are generated. To learn how to manage lateral movement insights, see Identify service accounts with lateral movement permissions.

Lateral movement insights are sometimes linked to role recommendations. Role recommendations suggest actions that you can take to remediate the issues identified by lateral movement insights.
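As an added example, not Google's code or the algorithm behind lateral movement insights, the following Python script applies the definition above to an exported set of allow-policy bindings: it flags every binding in which a service account from one project holds a role that can impersonate service accounts in a different project, whether the binding sits on a single service account or on the whole project. The bindings, project ids and the abbreviated role-to-permission table are constructed for the example; `find_lateral_movement`, `member_project` and `Finding` are names chosen here.

```python
"""Flag IAM bindings that let a service account in one project impersonate a
service account in another, modelled on lateral movement insights.
Constructed example, not Google's implementation; role definitions are an
abbreviated subset of the real roles."""
import re
from dataclasses import dataclass

# Permissions that let the holder act as, or mint credentials for, a service
# account (real IAM permission names; the list is not exhaustive).
IMPERSONATION_PERMISSIONS = {
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
    "iam.serviceAccounts.implicitDelegation",
}

# Constructed, abbreviated role definitions.
ROLE_PERMISSIONS = {
    "roles/iam.serviceAccountTokenCreator": {
        "iam.serviceAccounts.get", "iam.serviceAccounts.getAccessToken",
        "iam.serviceAccounts.signBlob", "iam.serviceAccounts.signJwt",
        "iam.serviceAccounts.implicitDelegation",
    },
    "roles/iam.serviceAccountUser": {
        "iam.serviceAccounts.get", "iam.serviceAccounts.list", "iam.serviceAccounts.actAs",
    },
    "roles/iam.serviceAccountViewer": {"iam.serviceAccounts.get", "iam.serviceAccounts.list"},
}

# User-managed service account e-mails look like NAME@PROJECT_ID.iam.gserviceaccount.com
SA_MEMBER = re.compile(r"^serviceAccount:[^@]+@([a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$")


def member_project(member: str):
    """Project that owns a service-account member, or None for users, groups and
    service accounts whose e-mail does not follow the user-managed form."""
    m = SA_MEMBER.match(member)
    return m.group(1) if m else None


def resource_project(resource: str) -> str:
    """Both 'projects/P' and 'projects/P/serviceAccounts/EMAIL' carry the project id second."""
    parts = resource.split("/")
    assert parts[0] == "projects", resource
    return parts[1]


@dataclass(frozen=True)
class Finding:
    member: str
    source_project: str
    resource: str
    target_project: str
    role: str


def find_lateral_movement(bindings):
    """Return a Finding for each binding where a service account from project A
    holds an impersonation-capable role on a service account (or, via a
    project-level binding, on every service account) in project B != A."""
    findings = []
    for b in bindings:
        src = member_project(b["member"])
        if src is None:
            continue  # only service-account-to-service-account grants are in scope
        if not ROLE_PERMISSIONS.get(b["role"], set()) & IMPERSONATION_PERMISSIONS:
            continue  # role cannot impersonate (e.g. a viewer role)
        dst = resource_project(b["resource"])
        if src != dst:
            findings.append(Finding(b["member"], src, b["resource"], dst, b["role"]))
    return findings


# Constructed bindings, shaped like an export of allow-policy bindings.
BINDINGS = [
    {"resource": "projects/prod-app/serviceAccounts/deployer@prod-app.iam.gserviceaccount.com",
     "role": "roles/iam.serviceAccountTokenCreator",
     "member": "serviceAccount:ci@build-tools.iam.gserviceaccount.com"},
    {"resource": "projects/prod-app/serviceAccounts/worker@prod-app.iam.gserviceaccount.com",
     "role": "roles/iam.serviceAccountUser",
     "member": "serviceAccount:app@prod-app.iam.gserviceaccount.com"},
    {"resource": "projects/prod-app/serviceAccounts/deployer@prod-app.iam.gserviceaccount.com",
     "role": "roles/iam.serviceAccountTokenCreator",
     "member": "user:alice@example.com"},
    {"resource": "projects/prod-app/serviceAccounts/deployer@prod-app.iam.gserviceaccount.com",
     "role": "roles/iam.serviceAccountViewer",
     "member": "serviceAccount:monitor@ops-tools.iam.gserviceaccount.com"},
    {"resource": "projects/prod-app",  # project-level grant covers every SA in prod-app
     "role": "roles/iam.serviceAccountUser",
     "member": "serviceAccount:etl@data-lake.iam.gserviceaccount.com"},
]

if __name__ == "__main__":
    for f in find_lateral_movement(BINDINGS):
        print(f"{f.member} ({f.source_project}) -> {f.resource} via {f.role}")
```

Of the five constructed bindings only two are reported: the same-project grant, the grant to a human user and the viewer role all fall outside the definition, while the project-level `serviceAccountUser` grant is caught because it applies to every service account in the target project.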

Improve your policies

You can improve your IAM allow policies by using role recommendations. Role recommendations help you enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need. Each role recommendation suggests that you remove or replace an IAM role that gives your principals excess permissions.

To learn more about role recommendations, including how they're generated, see Enforce least privilege with role recommendations.

To learn how to manage role recommendations, see Review and apply role recommendations for projects, folders, and organizations or Review and apply role recommendations for Cloud Storage buckets.
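An added example, not Google's recommendation algorithm, of the least-privilege reasoning this section describes: starting from a set of role bindings and the permissions each principal was observed using during an observation window, it recommends removing a role that was never exercised and replacing a role with a narrower predefined role that still covers everything the principal actually used. The role-to-permission table is an abbreviated, constructed subset of the real Cloud Storage roles, the bindings and usage events are constructed, and `recommend`, `Recommendation` and `narrowest_role_covering` are names chosen here.

```python
"""Derive least-privilege role recommendations from observed permission use,
in the spirit of IAM role recommendations. Constructed example, not Google's
recommendation algorithm; role definitions are an abbreviated subset of the
real Cloud Storage roles."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed, abbreviated role definitions.
ROLE_PERMISSIONS = {
    "roles/storage.admin": {
        "storage.buckets.create", "storage.buckets.delete", "storage.buckets.get",
        "storage.buckets.list", "storage.objects.create", "storage.objects.delete",
        "storage.objects.get", "storage.objects.list",
    },
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete",
        "storage.objects.get", "storage.objects.list",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
}


@dataclass(frozen=True)
class Recommendation:
    principal: str
    current_role: str
    action: str                  # "REMOVE" or "REPLACE"
    replacement: Optional[str]   # narrower role, for REPLACE
    unused_permissions: int      # permissions granted but never exercised


def used_permissions(usage_events):
    """Collapse (principal, permission) events into principal -> set of permissions."""
    used = defaultdict(set)
    for principal, permission in usage_events:
        used[principal].add(permission)
    return used


def narrowest_role_covering(needed, current_role):
    """Smallest predefined role whose permissions cover `needed` while granting
    strictly fewer permissions than `current_role`; None if there is none."""
    current_size = len(ROLE_PERMISSIONS[current_role])
    candidates = [
        role for role, perms in ROLE_PERMISSIONS.items()
        if needed <= perms and len(perms) < current_size
    ]
    # deterministic tie-break: fewest permissions first, then role name
    return min(candidates, key=lambda r: (len(ROLE_PERMISSIONS[r]), r)) if candidates else None


def recommend(bindings, usage_events):
    """For every (principal, role) binding, recommend removing a role whose
    permissions were never used, or replacing it with a narrower role that still
    covers every permission the principal actually used."""
    used = used_permissions(usage_events)
    recs = []
    for principal, role in bindings:
        granted = ROLE_PERMISSIONS[role]
        exercised = used.get(principal, set()) & granted
        unused = len(granted - exercised)
        if not exercised:
            recs.append(Recommendation(principal, role, "REMOVE", None, unused))
            continue
        narrower = narrowest_role_covering(exercised, role)
        if narrower is not None:
            recs.append(Recommendation(principal, role, "REPLACE", narrower, unused))
    return recs


# Constructed bindings and usage events for one observation window.
BINDINGS = [
    ("serviceAccount:backup@demo.iam.gserviceaccount.com", "roles/storage.admin"),
    ("user:bob@example.com", "roles/storage.admin"),
    ("user:carol@example.com", "roles/storage.objectViewer"),
    ("user:dave@example.com", "roles/storage.objectAdmin"),
]
USAGE = [
    ("serviceAccount:backup@demo.iam.gserviceaccount.com", "storage.objects.create"),
    ("serviceAccount:backup@demo.iam.gserviceaccount.com", "storage.objects.list"),
    ("serviceAccount:backup@demo.iam.gserviceaccount.com", "storage.objects.create"),
    ("user:carol@example.com", "storage.objects.get"),
    ("user:dave@example.com", "storage.objects.get"),
    ("user:dave@example.com", "storage.objects.list"),
    ("user:dave@example.com", "storage.objects.delete"),
]

if __name__ == "__main__":
    for r in recommend(BINDINGS, USAGE):
        print(r)
```

With the constructed data, `bob` never used any of the eight `storage.admin` permissions and gets a removal; the backup service account only ever created and listed objects, so its `storage.admin` binding is replaced by `storage.objectAdmin`; `carol` and `dave` already hold the narrowest predefined role that covers what they used, so no recommendation is produced for them.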

Prevent policy misconfigurations

Policy Simulator lets you see how a change to an IAM allow policy might impact a principal's access before you commit to making the change. You can use Policy Simulator to ensure that the changes you're making won't cause a principal to lose access that they need.

To find out how a change to an IAM allow policy might impact a principal's access, Policy Simulator determines which access attempts from the last 90 days have different results under the proposed allow policy and the current allow policy. Then, it reports these results as a list of access changes.
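The following added example, constructed here and not Google's Policy Analyzer or Policy Simulator code, models in one small Python module both the Analyze access section earlier on this page and the simulation step just described. It evaluates allow policies with resource inheritance and group expansion to answer the Policy Analyzer questions (who holds a permission on a resource, which datasets a user can read), then replays a constructed access log under the current and a proposed policy and reports only the attempts whose outcome differs, which is the list of access changes Policy Simulator produces. Resource names, principals, policies and the abbreviated role definitions are all constructed, and function names such as `simulate` and `who_has_permission` are chosen here.

```python
"""Simplified model of IAM allow-policy evaluation over a resource hierarchy:
answers Policy Analyzer style questions and replays logged access attempts
against a proposed policy the way Policy Simulator does. Constructed example,
not Google's implementation; role definitions are an abbreviated subset."""
from dataclasses import dataclass

# Constructed, abbreviated role definitions (real roles grant far more).
ROLE_PERMISSIONS = {
    "roles/bigquery.dataViewer": {
        "bigquery.datasets.get", "bigquery.tables.list", "bigquery.tables.getData",
    },
    "roles/bigquery.dataEditor": {
        "bigquery.datasets.get", "bigquery.datasets.create", "bigquery.tables.list",
        "bigquery.tables.getData", "bigquery.tables.update",
    },
}

# Constructed hierarchy, child -> parent; bindings on an ancestor are inherited.
PARENT = {
    "projects/demo": None,
    "projects/demo/datasets/sales": "projects/demo",
    "projects/demo/datasets/hr": "projects/demo",
}
DATASETS = [r for r in PARENT if "/datasets/" in r]

GROUPS = {"group:analysts@example.com": {"user:alice@example.com", "user:bob@example.com"}}

# Allow policies as resource -> {role: [members]} (constructed).
CURRENT = {
    "projects/demo": {"roles/bigquery.dataViewer": ["group:analysts@example.com"]},
    "projects/demo/datasets/hr": {"roles/bigquery.dataEditor": ["user:alice@example.com"]},
}
# Proposed change: downgrade alice on the hr dataset from dataEditor to dataViewer.
PROPOSED = {**CURRENT,
            "projects/demo/datasets/hr": {"roles/bigquery.dataViewer": ["user:alice@example.com"]}}


def effective_bindings(resource, policies):
    """Yield (role, member) for every binding on `resource` or one of its ancestors."""
    while resource is not None:
        for role, members in policies.get(resource, {}).items():
            for member in members:
                yield role, member
        resource = PARENT[resource]


def expand(member):
    return GROUPS.get(member, {member})  # a group stands for its members


def permissions_of(principal, resource, policies):
    """Union of the permissions every applicable binding grants to `principal`."""
    perms = set()
    for role, member in effective_bindings(resource, policies):
        if principal in expand(member):
            perms |= ROLE_PERMISSIONS[role]
    return perms


def who_has_permission(permission, resource, policies):
    """Analyzer question: which principals hold `permission` on `resource`?"""
    principals = set()
    for role, member in effective_bindings(resource, policies):
        if permission in ROLE_PERMISSIONS[role]:
            principals |= expand(member)
    return sorted(principals)


def datasets_with_permission(principal, permission, policies):
    """Analyzer question: on which datasets does `principal` hold `permission`?"""
    return sorted(d for d in DATASETS if permission in permissions_of(principal, d, policies))


@dataclass(frozen=True)
class AccessAttempt:  # one logged access attempt from the lookback window
    principal: str
    resource: str
    permission: str


def simulate(current, proposed, attempts):
    """Simulator step: evaluate every attempt under both policies and report only
    those whose outcome differs, as (attempt, outcome_before, outcome_after)."""
    changes = []
    for a in attempts:
        before = a.permission in permissions_of(a.principal, a.resource, current)
        after = a.permission in permissions_of(a.principal, a.resource, proposed)
        if before != after:
            changes.append((a, "GRANTED" if before else "DENIED", "GRANTED" if after else "DENIED"))
    return changes


# Constructed access log standing in for the last 90 days of attempts.
ATTEMPTS = [
    AccessAttempt("user:alice@example.com", "projects/demo/datasets/hr", "bigquery.datasets.create"),
    AccessAttempt("user:alice@example.com", "projects/demo/datasets/hr", "bigquery.tables.getData"),
    AccessAttempt("user:bob@example.com", "projects/demo/datasets/sales", "bigquery.datasets.create"),
]

if __name__ == "__main__":
    print(who_has_permission("bigquery.tables.getData", "projects/demo/datasets/hr", CURRENT))
    for attempt, before, after in simulate(CURRENT, PROPOSED, ATTEMPTS):
        print(f"{attempt.principal} {attempt.permission} on {attempt.resource}: {before} -> {after}")
```

The downgrade on the hr dataset changes only the `bigquery.datasets.create` attempt: alice keeps `bigquery.tables.getData` through the project-level group binding she inherits, which is exactly the kind of inherited access that makes reviewing a policy change by hand error-prone and is why replaying real attempts is more reliable than reading the bindings.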

To learn more about Policy Simulator, see IAM Policy Simulator overview.

To learn how to use Policy Simulator to test role changes, see Test role changes with IAM Policy Simulator.