This lesson consolidates IAM best practices across all the topics covered in this course. Following these practices will help you build a secure, manageable, and auditable GCP environment.
The most important principle in IAM: grant only the minimum permissions needed for the task.
| Action | Detail |
|---|---|
| Use predefined roles | They are scoped to specific services and tasks |
| Create custom roles | When predefined roles grant too many permissions |
| Avoid basic roles | roles/editor and roles/owner grant thousands of unnecessary permissions |
| Use IAM Recommender | Identifies permissions that have not been used and suggests downgrades |
| Use IAM Conditions | Grant time-limited or context-aware access |
| Review regularly | Audit access quarterly and revoke unused permissions |
```bash
# List IAM Recommender findings for a project (unused-permission downgrades)
gcloud recommender recommendations list \
  --project=my-project \
  --location=global \
  --recommender=google.iam.policy.Recommender
```
Bind roles to groups, not to individual users, once you manage more than a handful of people. Per-user bindings turn every joiner and leaver into an IAM change on every project they touched; a group binding stays constant while membership changes in the directory.

```text
BAD:
roles/storage.admin → user:alice@co.com
roles/storage.admin → user:bob@co.com
roles/storage.admin → user:carol@co.com
(IAM policy must be edited for every joiner/leaver)

GOOD:
roles/storage.admin → group:storage-admins@co.com
(Add/remove members in the group; the IAM policy stays constant)
```
| Group | Purpose | Typical Role |
|---|---|---|
| gcp-org-admins@ | Organisation administrators | roles/resourcemanager.organizationAdmin |
| gcp-billing-admins@ | Billing management | roles/billing.admin |
| gcp-security-admins@ | Security operations | roles/iam.securityAdmin |
| gcp-network-admins@ | Network configuration | roles/compute.networkAdmin |
| gcp-developers@ | Development access | Service-specific predefined roles |
| gcp-data-analysts@ | Data access | roles/bigquery.dataViewer |
| gcp-sre@ | Production operations | roles/compute.instanceAdmin.v1 |
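The least-privilege and group-binding rules above are easy to state and tedious to check by hand. The following script is an added example (not part of the original lesson) that lints the JSON a `gcloud projects get-iam-policy PROJECT --format=json` call returns: it flags basic roles, roles bound to several individual users instead of a group, public members, and user/group members whose domain is not in an allowed list (the same check `iam.allowedPolicyMemberDomains` enforces). The policy it runs on, the domain `co.com`, and the group name `storage-admins@co.com` are constructed sample data.

```python
"""Lint a GCP IAM policy for the anti-patterns covered above.

Input is the JSON from `gcloud projects get-iam-policy PROJECT --format=json`
(or the parsed dict). The policy below is constructed sample data, not a real
project, and is shaped to trip every check once.
"""
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (assumed domain co.com, assumed project my-project).
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXsampleEtag=",
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@co.com"]},
        {"role": "roles/storage.admin",
         "members": ["user:alice@co.com", "user:bob@co.com", "user:carol@co.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["group:gcp-data-analysts@co.com", "user:contractor@gmail.com"]},
        {"role": "roles/viewer",
         "members": ["allUsers"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    ],
})


def member_domain(member):
    """Return the domain of a user:/group: member, or None for other member kinds."""
    kind, _, ident = member.partition(":")
    if kind in ("user", "group") and "@" in ident:
        return ident.rsplit("@", 1)[1].lower()
    return None


def lint_policy(policy, allowed_domains, max_direct_users=2):
    """Return findings as (check, role, members) tuples, in binding order."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = binding.get("members", [])
        if role in BASIC_ROLES:
            findings.append(("BASIC_ROLE", role, list(members)))
        # More than a handful of direct user bindings should be one group binding.
        direct_users = [m for m in members if m.startswith("user:")]
        if len(direct_users) > max_direct_users:
            findings.append(("USE_GROUP", role, direct_users))
        for m in members:
            if m in PUBLIC_MEMBERS:
                findings.append(("PUBLIC_MEMBER", role, [m]))
            domain = member_domain(m)
            if domain is not None and domain not in allowed:
                findings.append(("EXTERNAL_MEMBER", role, [m]))
    return findings


def replace_users_with_group(policy, role, group):
    """Produce the GOOD form: swap a role's per-user members for a single group.

    Conditional bindings are left alone; a condition may apply to specific users.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    for binding in policy.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            kept = [m for m in binding["members"] if not m.startswith("user:")]
            binding["members"] = kept + [f"group:{group}"]
    return policy


if __name__ == "__main__":
    for check, role, members in lint_policy(SAMPLE_POLICY, ["co.com"]):
        print(f"{check:16} {role:32} {', '.join(members)}")
    fixed = replace_users_with_group(SAMPLE_POLICY, "roles/storage.admin",
                                     "storage-admins@co.com")
    print(json.dumps(fixed["bindings"][1], indent=2))
```

Pipe a real policy in with `gcloud projects get-iam-policy my-project --format=json` and pass your own domains; the rewritten policy from `replace_users_with_group` is what you would hand to `gcloud projects set-iam-policy` after review.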
Service accounts need the same discipline as people: never grant a service account roles/editor, use roles/iam.serviceAccountUser to control who can attach a SA to a resource (and therefore act as it), and block user-managed keys organisation-wide with constraints/iam.disableServiceAccountKeyCreation.

```bash
# Block SA key creation organisation-wide
gcloud resource-manager org-policies enable-enforce \
  constraints/iam.disableServiceAccountKeyCreation \
  --organization=123456789

# Find all user-managed SA keys in a project (the ones the policy above stops)
gcloud iam service-accounts list --project=my-project \
  --format="value(email)" | while read -r sa; do
  echo "Keys for: $sa"
  gcloud iam service-accounts keys list --iam-account="$sa" \
    --managed-by=user
done
```
Set organisation policies early and enforce them consistently:
| Policy | Constraint | Why |
|---|---|---|
| No user-managed SA keys | iam.disableServiceAccountKeyCreation | Removes the long-lived credential that leaks into repos and laptops |
| Domain restriction | iam.allowedPolicyMemberDomains | Prevents granting access to accounts outside your Cloud Identity / Workspace domains |
| No public IPs | compute.vmExternalIpAccess | Forces use of Cloud NAT / bastion hosts instead of directly reachable VMs |
| Region restriction | gcp.resourceLocations | Enforces data residency |
| Uniform bucket access | storage.uniformBucketLevelAccess | Disables legacy object ACLs so IAM is the only access path |
| No public buckets | storage.publicAccessPrevention | Prevents accidental data exposure via allUsers / allAuthenticatedUsers |
1. Admin Activity logs → always on, free
2. Data Access logs → enable for sensitive services:
- Cloud Storage
- BigQuery
- Secret Manager
- Cloud SQL
- IAM
3. Export all audit logs to a centralised security project
4. Set up alerting for:
- IAM policy changes
- Service account key creation
- Resource deletion
- Access from unusual locations
```bash
# Create a log-based metric for IAM policy changes; attach an alerting policy
# to it in Cloud Monitoring to actually get notified.
# Substring match (":") rather than "=", because the method name is
# "SetIamPolicy" for Resource Manager but "google.iam.v1.SetIamPolicy" for
# other services such as BigQuery.
gcloud logging metrics create iam-policy-changes \
  --description="IAM policy changes" \
  --log-filter='protoPayload.methodName:"SetIamPolicy"'
```
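A log-based metric only counts matches; before committing to filters it helps to see the four alert conditions above evaluated against real-shaped audit log entries. The script below is an added example (not part of the original lesson) that applies those rules to entries in the shape `gcloud logging read --format=json` produces: IAM policy changes (with the binding deltas Resource Manager records), service account key creation, resource deletion, and calls from outside expected networks. The entries, the principals, and the corporate IP ranges are constructed sample data; treat the ranges as an assumption you replace with your own.

```python
"""Evaluate the alerting rules listed above against Cloud Audit Log entries.

Entries follow the Cloud Audit Log field layout (protoPayload.methodName,
authenticationInfo.principalEmail, requestMetadata.callerIp,
serviceData.policyDelta.bindingDeltas). Everything below is constructed
sample data; CORP_NETWORKS is an assumed list of corporate egress ranges.
"""
import ipaddress

# Assumed corporate egress ranges; a caller outside them is "unusual".
CORP_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# Constructed sample entries.
SAMPLE_ENTRIES = [
    {   # project-level IAM change that grants roles/owner
        "protoPayload": {
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "alice@co.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
            "resourceName": "projects/my-project",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner", "member": "user:bob@co.com"}]}},
        }
    },
    {   # user-managed SA key minted from outside the corporate ranges
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "ci-admin@co.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "resourceName": "projects/-/serviceAccounts/ci@my-project.iam.gserviceaccount.com",
        }
    },
    {   # VM deletion from a corporate address
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.delete",
            "authenticationInfo": {"principalEmail": "sre@co.com"},
            "requestMetadata": {"callerIp": "203.0.113.20"},
            "resourceName": "projects/my-project/zones/europe-west1-b/instances/web-1",
        }
    },
    {   # bucket IAM change: Cloud Storage uses its own method name and no bindingDeltas here
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.setIamPermissions",
            "authenticationInfo": {"principalEmail": "alice@co.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
            "resourceName": "projects/_/buckets/exports",
        }
    },
    {   # ordinary read from inside GCP; callerIp is a placeholder, not an IP literal
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "analyst@co.com"},
            "requestMetadata": {"callerIp": "gce-internal-ip"},
            "resourceName": "projects/_/buckets/exports/objects/report.csv",
        }
    },
]


def evaluate(entry, corp_networks=CORP_NETWORKS):
    """Return the alerts one entry triggers, each as (rule, principal, detail)."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    principal = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    resource = p.get("resourceName", "")
    alerts = []

    # Rule 1: IAM policy changes. Substring match because the method is
    # "SetIamPolicy" (Resource Manager), "google.iam.v1.SetIamPolicy" (BigQuery
    # and others) or "storage.setIamPermissions" (Cloud Storage).
    if "SetIamPolicy" in method or method == "storage.setIamPermissions":
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        detail = "; ".join(f"{d['action']} {d['role']} {d['member']}" for d in deltas) or resource
        alerts.append(("IAM_POLICY_CHANGE", principal, detail))

    # Rule 2: service account key creation.
    if method == "google.iam.admin.v1.CreateServiceAccountKey":
        alerts.append(("SA_KEY_CREATED", principal, resource))

    # Rule 3: resource deletion. The last method segment is "delete", "Delete",
    # "DeleteServiceAccount", ... depending on the API.
    if method.rsplit(".", 1)[-1].lower().startswith("delete"):
        alerts.append(("RESOURCE_DELETED", principal, resource))

    # Rule 4: caller outside expected networks. callerIp can be a placeholder
    # such as "gce-internal-ip" or "private"; those are not IP literals and are skipped.
    caller = p.get("requestMetadata", {}).get("callerIp", "")
    try:
        ip = ipaddress.ip_address(caller)
    except ValueError:
        ip = None
    if ip is not None and not any(ip in net for net in corp_networks):
        alerts.append(("UNUSUAL_LOCATION", principal, f"{method} from {caller}"))
    return alerts


def run_rules(entries, corp_networks=CORP_NETWORKS):
    """Evaluate every entry and return the flattened alert list."""
    return [alert for e in entries for alert in evaluate(e, corp_networks)]


if __name__ == "__main__":
    for rule, who, detail in run_rules(SAMPLE_ENTRIES):
        print(f"{rule:18} {who:20} {detail}")
```

Rule 4 is the one that needs tuning per organisation: calls made by workloads inside GCP carry placeholder caller addresses, so the rule deliberately ignores anything that is not an IP literal rather than alerting on it.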