Inquiry Regarding IAM Logging and Permission Analysis in GCP

Hello!

I am currently studying IAM (Identity and Access Management) and am in the process of developing code to analyze user logs for each cloud service provider (CSP) with the goal of assigning minimum necessary permissions.

For AWS, I was able to extract the list of permissions used by a user by leveraging CloudTrail, which records all events performed by users. Based on these logs, I could specify a desired time range and extract the list of permissions used by a user during that period.

However, in GCP, despite enabling data read access for all services in Cloud Audit Logs, I encountered a challenge. Events such as SetIamPolicy or CreateRole, which involve changes in data, are logged. However, actions related to reading, such as checking the list of roles, are not captured in the logs. Consequently, I faced difficulty in extracting the list of permissions used by a user based on logs.

As an alternative, I explored the usage of the Recommender API’s security statistics to extract the permissions used by a user. However, it appears that I cannot specify a time range for the data extraction, and it seems to retrieve all permissions used in the last 90 days. Is there a way to extract the list of permissions used during a specific period within the last 90 days?

Additionally, I would like to inquire about the timing when a new role assignment starts to be recorded in security statistics when assigning a user a new role. If a user is assigned a new role, from what point in time does this new role appear in the security statistics?

Moreover, I observed that there is no information in the security statistics for groups. Is it possible to extract the list of permissions used by users belonging to a specific group from the security statistics?

I am curious to know if reading actions are not logged by default in console logs or if there might have been an issue with my approach.

If it turns out that not all user events are logged, I would appreciate any guidance on alternative methods to extract the list of all permissions used by a user within a specified time range.

Thank you in advance for your assistance.

If the objective is to remove excess permissions, then IAM recommender is a great fit as it’s designed for that. It takes into account group memberships and custom roles; it recommends different actions like either removing or replacing a role (with another less permissive predefined or custom role) depending on the case in order to achieve least privilege. IAM recommender also leverages ML to help avoid removing a permission that’s not used but likely needed (See ML for policy insights). You can manually reduce the time range for scanning permissions usage from 90 days to 60 or 30 days (I haven’t tried it, but see instructions here).

If you want to observe actual permissions usage or do your own analysis, you can still explore the audit logs. Read Access audit logs should be explicitly enabled for the services you’re monitoring, including IAM. To use your example, listing roles (google.iam.admin.v1.ListRoles) is audited (whether accessed via console, api or gcloud) as long as Data Access logs (ADMIN_READ) is enabled. For a full list of audited IAM operations, refer to IAM audit logging docs. Note:

• There are multiple types of Data Access logs that you need to explicitly enable depending on what level of visibility you need: ADMIN_READ (read metadata), DATA_WRITE (write user data), DATA_READ (read user data)
• Data Access logs are enabled for specific services, and can be configured at the project, folder or organization level (see Enable Data Access audit logs)
• Actual audited operations depend on the actual service. Refer to service docs for their full list of audited operations per audit log type.

Data Access logs are high-volume and incur additional costs and therefore extra attention and tuning needed to manage the volume and associated cost. See Manage the volume of Data Access audit logs.

To analyze Data Access audit logs, you might find this blog post helpful along with these sample queries, as part of Community Security Analytics: https://github.com/GoogleCloudPlatform/security-analytics#data-usage - Feel free to suggest/implement your own security questions around permissions usage to the list and we can add it to the community!