This document explains how to enable the IAM Recommender Response playbook in Security Command Center Enterprise to identify the over-permissioned identities and automatically and safely remove the excess permissions.
The IAM Recommender Response playbook functionality is powered by Google Security Operations.
Overview
The IAM recommender provides you with security insights that assess how your principals use resources and recommends you to take an action on the encountered insight. For example, when a permission was not used for the last 90 days, the IAM recommender highlights it as an excess permission and recommends you to remove it safely.
The IAM Recommender Response playbook uses the IAM recommender to scan your environment for the workload identities that possess excess permissions or service account impersonations. Instead of reviewing and applying recommendations manually in Identity and Access Management, enable the playbook to do it automatically in the Security Operations console.
Prerequisites
Before activating the IAM Recommender Response playbook, complete the following prerequisite steps:
- Create a custom IAM role and configure a specific permission for it.
- Define the Workload Identity Email value.
- Grant the custom role you've created to an existing principal.
Create a custom IAM role
In the Google Cloud console, go to the IAM Roles page.
Click Create role to create a custom role with permissions required for the integration.
For a new custom role, provide the Title, Description, and a unique ID.
Set the Role Launch Stage to General Availability.
Add the following permission to the created role:
resourcemanager.organizations.setIamPolicyClick Create.
Define the Workload Identity Email value
To define what identity to grant the custom role to, complete the following steps:
- In the Security Operations console, go to Response > Integrations Setup.
- In the integration Search field, type in
Google Cloud Recommender. - Click Configure Instance. The dialog window opens.
- Copy the value of the Workload Identity Email parameter to your
clipboard. The value must be in the following format:
username@example.com
Grant a custom role to an existing principal
After you grant your new custom role to a selected principal, they can change permissions for any user in your organization.
In the Google Cloud console, go to the IAM page.
In the Filter field, paste the Workload Identity Email value and search for the existing principal.
Click Edit principal. The dialog window opens.
In the Edit access pane under the Assign roles, click Add another role.
Select the custom role that you've created and click Save.
Enable playbook
By default, the IAM Recommender Response playbook is disabled. To use the playbook, enable it manually:
- In the Security Operations console, go to Response > Playbooks.
- In the playbook Search field, input
IAM Recommender. - In the search result, select the IAM Recommender Response playbook.
- In the playbook header, switch the toggle to enable the playbook.
- In the playbook header, click Save.
Configure the automatic approval flow
Changing the playbook settings is an advanced and optional configuration.
By default, every time the playbook identifies unused permissions, it awaits for you to approve or decline the remediation before completing the run.
To configure the playbook flow to automatically remove the unused permissions every time they are found without requesting your approval, complete the following steps:
- In the Security Operations console, go to Response > Playbooks.
- Select the IAM Recommender Response playbook.
- In the playbook building blocks, select the IAM Setup Block_1. The block
configuration window opens. By default, the remediation_mode parameter
is set to
Manual. - In the remediation_mode parameter field, enter
Automatic. - Click Save to confirm the new remediation mode settings.
- In the playbook header, click Save.
What's next?
- Learn more about playbooks in the Google SecOps documentation.