Reduce risk with automated policy controls
Recommender: discover and remediate excessive permissions
Permissions management can be a time-consuming task without the right tools in place. IAM Recommender helps admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. For example, if a set of permissions hasn’t been used in 90 days, the tool will recommend that you revoke the role. And, if only a subset of a role's permissions hasn’t been used in 90 days, the feature will recommend that you grant a specific, less-permissive role that best fits the access pattern. This results in a smaller attack surface and reduces risk.
Policy Troubleshooter: quickly resolve access control issues
When a user is denied access to a resource, it can be time-consuming to diagnose the problem. Policy Troubleshooter enables security administrators to understand why requests were denied and helps them modify policies to grant the appropriate access. With Policy Troubleshooter, users can visualize all the policies that grant or deny access to API calls, see which specific policies blocked the call, and review an explanation of why the blocked call took place. The Policy Troubleshooter tool makes it easy and efficient for admins to understand why someone does not have access to a resource and identifies the best way to remediate.
Policy Analyzer: understand who has access to resources
When running compliance reports or doing security checks, it can be hard to quickly find answers to important questions around access. But with a few simple clicks in Policy Analyzer, you can answer access questions such as, “Who has access to this resource and what can they do?” Policy Analyzer automates challenging tasks like group expansion and role to permission expansion while accounting for the resource and policy hierarchy.
Policy Simulator: Safely roll out policy changes
Making changes to a user’s or service account’s access introduces risk, including the potential of breaking apps or disrupting developer productivity. Policy Simulator helps you understand the impact of IAM policy changes before they’re made. It examines a user's activity logs over the last 90 days to ensure you’re not revoking access that might be necessary, so you can roll out policy changes safely.