GCP IAM
Analyzes GCP Identity and Access Management including IAM policy bindings, Identity Platform users, and service accounts. Identifies overprivileged roles, default service accounts, and unverified users.
Required Blueprints: GCP
Sightlines
| Sightline | Description |
|---|---|
| IAM Policy Bindings | Highlights IAM policy bindings with overprivileged roles (Owner or Editor) that should be replaced with granular pred... |
| Identity Platform Users | Surfaces Identity Platform users with unverified email addresses and shows email verification distribution. |
| Service Accounts | Identifies default service accounts (Compute Engine and App Engine defaults) automatically granted Editor permissions. |
Explorer Node Types
Use these node types in Explorer or KAI to query resources surfaced by this analyzer:
gcp.iam.IAMPolicyBinding, gcp.iam.ServiceAccount, gcp.identity.ActiveUser
Related Analyzers
- GCP Compute — Service accounts assigned to compute instances
- GCP Storage — Bucket access control via IAM policies
- GCP Database — Database authentication through IAM
- GCP Network — VPC access controlled by IAM bindings
- GCP DevOps — CI/CD service account permissions
Insight Feed Alerts
- Overprivileged IAM Bindings -- Bindings granting Owner or Editor roles at the project level (CIS GCP 1.1).
- Default Service Accounts In Use -- Default service accounts with overly broad Editor role (CIS GCP 2.1).
- Service Accounts With Admin Privileges -- Service accounts granted Editor or Owner roles (CIS GCP 1.5).
- Secrets Without Rotation Configured -- Secret Manager secrets without automatic rotation.
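An added Python example (not the analyzer's own code) of the checks behind the IAM Policy Bindings and Service Accounts sightlines and the first three alerts above, run over a constructed policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json`; the default service account email patterns and the sample project number/ID are assumptions for illustration.

```python
"""Flag Owner/Editor bindings and default service accounts in a GCP project IAM policy."""
import json
import re

BASIC_ROLES = {"roles/owner", "roles/editor"}

# Well-known naming patterns of the per-project default service accounts
# (assumed patterns for this example, not taken from the analyzer).
DEFAULT_SA_PATTERNS = [
    re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$"),    # Compute Engine default
    re.compile(r"^[a-z][a-z0-9-]+@appspot\.gserviceaccount\.com$"),  # App Engine default
]


def is_default_service_account(member: str) -> bool:
    """True for members of the form 'serviceAccount:<default SA email>'."""
    if not member.startswith("serviceAccount:"):
        return False
    return any(p.match(member.split(":", 1)[1]) for p in DEFAULT_SA_PATTERNS)


def analyze_policy(policy: dict) -> list:
    """Return one finding per (member, role) pair that matches a check."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if role in BASIC_ROLES:  # basic Owner/Editor role on any principal
                findings.append({"check": "overprivileged-binding", "member": member, "role": role})
                if member.startswith("serviceAccount:"):  # service account with admin-level role
                    findings.append({"check": "service-account-admin", "member": member, "role": role})
            if is_default_service_account(member):  # default SA in use, whatever the role
                findings.append({"check": "default-service-account", "member": member, "role": role})
    return findings


# Constructed sample policy; the project number and ID are placeholders.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ=", "version": 1
}""")

if __name__ == "__main__":
    for f in analyze_policy(SAMPLE_POLICY):
        print(f"{f['check']:24} {f['role']:30} {f['member']}")
```

Only the granular `roles/storage.objectViewer` binding on a user-managed service account produces no finding; the Compute default account with Editor triggers all three checks at once.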
Cross-Blueprint Correlations
When the Google Workspace blueprint (BP-028) is also connected:
- Google Workspace Users to IAM Bindings -- Links Workspace users to GCP IAM bindings by email.
- Google Workspace Groups to IAM Bindings -- Links Workspace groups to GCP IAM bindings by group email.
- Identity Platform Users to Google Workspace Users -- Links Identity Platform users to Workspace accounts by email.
- Service Accounts to IAM Bindings -- Links service accounts to IAM bindings by service account email.