
IAM best practices

1. IAM best practices

Let's talk about some IAM best practices to help you apply the concepts you just learned in your day-to-day work.

First, leverage and understand the resource hierarchy. Specifically, use projects to group resources that share the same trust boundary. Check the policy granted on each resource and make sure you recognize what it inherits from the folders and organization above it. Because of inheritance, use the principle of least privilege when granting roles. Finally, audit policies using Cloud Audit Logs and audit the membership of groups used in policies.

Next, I recommend granting roles to groups instead of individuals. This allows you to update group membership instead of changing an IAM policy. If you do this, make sure to audit the membership of groups used in policies and control the ownership of the Google Groups used in IAM policies. You can also use multiple groups to get finer control. In the example on this slide, there is a Network Admin group. Some of its members also need a read_write role on a Cloud Storage bucket, while others need the read_only role. Adding and removing individuals from all three groups controls their total access. Therefore, groups are not only associated with job roles but can exist purely for the purpose of role assignment.

Here are some best practices for using service accounts. As mentioned before, be very careful when granting the Service Account User role, because it provides access to all the resources that the service account has access to. Also, when you create a service account, give it a display name that clearly identifies its purpose, ideally using an established naming convention. For keys, establish key rotation policies and methods, and audit keys with the serviceAccount.keys.list method.

Finally, I recommend using Identity-Aware Proxy, or IAP. IAP lets you establish a central authorization layer for applications accessed over HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls. Applications and resources protected by IAP can only be accessed through the proxy by users and groups with the correct IAM role. When you grant a user access to an application or resource through IAP, they are subject to the fine-grained access controls implemented by the product in use, without requiring a VPN. IAP performs authentication and authorization checks when a user tries to access an IAP-secured resource, as shown on the right.
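The group, least-privilege and key-audit practices above can be checked offline against exported policy data. The following is an added example, not code from the course: it reads a policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json` and a key list in the shape returned by serviceAccount.keys.list, and flags direct user grants, basic roles, Service Account User grants and old user-managed keys. The sample policy, key entries, 90-day rotation window and example.com identities are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample policy: a group binding (fine), a direct user grant of a
# basic role (two findings) and a Service Account User grant (review it).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/compute.networkAdmin",
         "members": ["group:network-admins@example.com"]},
        {"role": "roles/editor",
         "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["group:deployers@example.com"]},
    ]
}

# Constructed sample from serviceAccount.keys.list for one service account.
SAMPLE_KEYS = [
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/k1",
     "keyType": "USER_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/k2",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"},
]

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def audit_policy(policy):
    """Return one finding string per binding/member that breaks a practice."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding["members"]:
            if member.startswith("user:"):
                findings.append(f"direct grant of {role} to {member}; grant to a group")
            if role in BASIC_ROLES:
                findings.append(f"basic role {role} for {member}; use a narrower role")
            if role == "roles/iam.serviceAccountUser":
                findings.append(f"{member} can use every service account in scope")
    return findings


def stale_keys(keys, now, max_age_days=90):
    """Return names of user-managed keys created more than max_age_days ago."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for key in keys:
        if key["keyType"] != "USER_MANAGED":
            continue  # Google rotates system-managed keys itself
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if created < cutoff:
            stale.append(key["name"])
    return stale
```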

2. Let's practice!
