Insights
IAM Policy Insights
This sheet lists the active IAM Policy Insights found by querying the organization and every folder and project in it. These insights are more detailed than the IAM role recommendations derived from them: each one records, for a single binding, which of the granted permissions the member actually exercised during the observation window, so a binding can be judged on evidence rather than on role name alone.
Below are the IAM Policy Insight gcloud commands used to generate output similar to this sheet at each level of the GCP resource hierarchy (organization, folders, projects). The --billing-project flag names the project whose Recommender API quota is consumed; the Recommender API must be enabled on that project, and the caller needs permission to list insights of the requested type under each parent (for IAM policy insights, roles/recommender.iamViewer is sufficient).
Organization:
gcloud recommender insights list --organization=$ORGANIZATION_ID --billing-project=$OPERATING_PROJECT \
--insight-type=google.iam.policy.Insight \
--filter="stateInfo.state=ACTIVE" --location=global
Folders:
gcloud beta asset list --organization=$ORGANIZATION_ID --content-type='resource' \
--asset-types='cloudresourcemanager.googleapis.com/Folder' \
--format="value(resource.data.name.segment(1))" | xargs -t -I {} \
gcloud recommender insights list --folder={} --billing-project=$OPERATING_PROJECT \
--insight-type=google.iam.policy.Insight \
--filter="stateInfo.state=ACTIVE" --location=global
Projects:
gcloud projects list --format="value(projectId)" | xargs -t -I {} \
gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
--insight-type=google.iam.policy.Insight \
--filter="stateInfo.state=ACTIVE" --location=global
Asset Insights
This sheet lists the active Asset Insights from all projects in the organization. This insight type has several subtypes; read their descriptions, because they identify IAM members external to your organization (eg. an @gmail.com user address, subtype EXTERNAL_MEMBER) with access to your resources, IAM policies that still reference deactivated users (ie. TERMINATED_MEMBER), and IAM policies granting access to the allUsers and allAuthenticatedUsers principals (ie. PUBLIC_IAM_POLICY).
The iam.allowedPolicyMemberDomains organization policy constraint reduces many of these subtypes by rejecting new IAM bindings for members outside the allowed customer IDs, including the allUsers and allAuthenticatedUsers principals (ie. PUBLIC_IAM_POLICY). Note that the constraint only blocks new bindings: bindings that already exist when it is enforced remain in place and still have to be removed, which is exactly what these insights help you find.
Alongside this organization policy, it is strongly recommended to restrict third-party OAuth app access to Google Cloud APIs from the Google Workspace Admin console (API controls) for your organization, so that a third-party app a user consents to cannot exercise that user's Google Cloud administrator privileges without restriction.
Below is the Asset Insight gcloud command used to generate output similar to this sheet.
gcloud projects list --format="value(projectId)" | xargs -t -I {} \
gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
--insight-type=google.cloudasset.asset.Insight \
--filter="stateInfo.state=ACTIVE" --location=global
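The following is an added example, not part of the original sheet or the script that generates it: a shell script that runs the per-level listing shown in the IAM Policy Insights section above for any insight type, across the organization, every folder and every project, then counts the active insights per subtype and tags the subtypes discussed in this section. It is called with google.cloudasset.asset.Insight for this sheet, and works unchanged with google.iam.policy.Insight or the other insight types listed on this page. It assumes ORGANIZATION_ID and OPERATING_PROJECT are exported as in the commands above, that the Recommender API is enabled on OPERATING_PROJECT, and that the caller can list insights under each parent; parents it cannot list are reported on stderr and skipped rather than aborting the run. The list_parents, insights_for_parent and summarize_subtypes function names are this example's own.

```shell
#!/bin/sh
# Added example: collect ACTIVE insights of one type across the whole GCP resource
# hierarchy and count them per insightSubtype. Not from the original sheet/generator.
# Assumes ORGANIZATION_ID and OPERATING_PROJECT are exported, the Recommender API is
# enabled on OPERATING_PROJECT, and gcloud is authenticated with an identity that can
# list insights under each parent (for example roles/recommender.iamViewer).
set -eu

# Emit one parent flag per line: the organization, every folder under it, every project.
list_parents() {
  echo "--organization=${ORGANIZATION_ID}"
  gcloud asset list --organization="${ORGANIZATION_ID}" --content-type=resource \
    --asset-types='cloudresourcemanager.googleapis.com/Folder' \
    --format="value(resource.data.name.segment(1))" | sed 's/^/--folder=/'
  gcloud projects list --format="value(projectId)" | sed 's/^/--project=/'
}

# Print "parent<TAB>subtype<TAB>severity" for every ACTIVE insight of type $2 under
# parent flag $1. value() output is already tab separated, so awk only prefixes the parent.
insights_for_parent() {
  parent="$1"; insight_type="$2"
  gcloud recommender insights list "${parent}" --billing-project="${OPERATING_PROJECT}" \
    --insight-type="${insight_type}" --filter="stateInfo.state=ACTIVE" --location=global \
    --format="value(insightSubtype,severity)" \
    | awk -v p="${parent}" 'BEGIN { OFS = "\t" } { print p, $0 }'
}

# Read "parent<TAB>subtype<TAB>severity" lines on stdin and print one line per subtype:
# subtype, number of insights, number of distinct parents, triage tag. Subtypes that mean
# access from outside the organization are tagged EXTERNAL and bindings for deactivated
# users STALE, so the most urgent rows of the sheet stand out. Sorted by count, descending.
summarize_subtypes() {
  awk -F '\t' '
    {
      n[$2]++
      if (!(($2, $1) in seen)) { seen[$2, $1] = 1; parents[$2]++ }
    }
    END {
      for (s in n) {
        tag = "-"
        if (s == "PUBLIC_IAM_POLICY" || s == "EXTERNAL_MEMBER") tag = "EXTERNAL"
        if (s == "TERMINATED_MEMBER") tag = "STALE"
        printf "%s\t%d\t%d\t%s\n", s, n[s], parents[s], tag
      }
    }' | sort -k2,2nr -k1,1
}

# Usage: ./collect_insights.sh google.cloudasset.asset.Insight
main() {
  insight_type="$1"
  list_parents | while IFS= read -r parent; do
    insights_for_parent "${parent}" "${insight_type}" \
      || printf 'warning: could not list %s for %s, skipping\n' "${insight_type}" "${parent}" >&2
  done | summarize_subtypes
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The summary deliberately keys on the parent flag rather than the insight name, so the "distinct parents" column tells you how widely a problem is spread (one project with many external members versus many projects each with one) before anyone opens the sheet.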
Lateral Movement Insights
This sheet lists the active Lateral Movement Insights from all projects in the organization. These insights are useful for finding chains of iam.serviceAccounts.actAs permissions that allow cross-project impersonation of service accounts. For more detail on exploiting lateral movement in GCP, see Allison Donovan (@matter_of_cat) and Dylan Ayrey (@InsecureNature)'s Black Hat talk "Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant".
The iam.disableCrossProjectServiceAccountUsage organization policy constraint can be used to restrict lateral movement by blocking cross-project service account IAM bindings.
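As an added example (not from the original sheet or its generator), the following shell script renders and applies the two organization policy constraints named on this page, iam.allowedPolicyMemberDomains from the Asset Insights section above and iam.disableCrossProjectServiceAccountUsage from this section, using the gcloud org-policies commands, and then reads back the effective policy. It assumes ORGANIZATION_ID is the numeric organization ID and CUSTOMER_ID is the Google Workspace / Cloud Identity customer ID (the C0... value that gcloud organizations describe reports as directoryCustomerId), and that the caller holds an Organization Policy administrator role. The function names and output file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original sheet): render and apply the two organization
# policy constraints discussed on this page, then read back the effective policy.
# Assumes ORGANIZATION_ID is the numeric organization ID and CUSTOMER_ID is the
# Workspace / Cloud Identity customer ID (the C0... value shown as directoryCustomerId
# by `gcloud organizations describe`), and that the caller is an Org Policy administrator.
# Function names are this example's own.
set -eu

# iam.allowedPolicyMemberDomains is a list constraint: allowedValues are customer IDs,
# not domain names. Only new IAM bindings are checked against it; bindings that already
# reference external members stay in place until someone removes them.
render_member_domains_policy() {
  cat <<EOF
name: organizations/$1/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
  - values:
      allowedValues:
      - $2
EOF
}

# iam.disableCrossProjectServiceAccountUsage is a boolean constraint, so the rule is
# simply enforce: true. It stops a service account from one project being used from
# another project, which removes the cross-project actAs hops that lateral movement
# insights report.
render_cross_project_sa_policy() {
  cat <<EOF
name: organizations/$1/policies/iam.disableCrossProjectServiceAccountUsage
spec:
  rules:
  - enforce: true
EOF
}

# Apply both policies at the organization and print what is in effect afterwards.
# --effective merges the policy with anything inherited, so it is what actually gets enforced.
apply_policies() {
  render_member_domains_policy "${ORGANIZATION_ID}" "${CUSTOMER_ID}" > member-domains.yaml
  render_cross_project_sa_policy "${ORGANIZATION_ID}" > cross-project-sa.yaml
  gcloud org-policies set-policy member-domains.yaml
  gcloud org-policies set-policy cross-project-sa.yaml
  for c in iam.allowedPolicyMemberDomains iam.disableCrossProjectServiceAccountUsage; do
    gcloud org-policies describe "${c}" --organization="${ORGANIZATION_ID}" --effective
  done
}

# Usage: ./apply-org-policies.sh apply
if [ "${1:-}" = "apply" ]; then apply_policies; fi
```

Apply the member-domain constraint only after the EXTERNAL_MEMBER and PUBLIC_IAM_POLICY rows of the Asset Insights sheet have been reviewed: the constraint will not clean those bindings up, and any legitimate external collaborator must be covered by an allowed customer ID (or a narrower policy on their folder or project) before the organization-level policy is enforced.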
Below is the Lateral Movement Insight gcloud command used to generate output similar to this sheet.
gcloud projects list --format="value(projectId)" | xargs -t -I {} \
gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
--insight-type=google.iam.policy.LateralMovementInsight \
--filter="stateInfo.state=ACTIVE" --location=global
Service Account Insights
This sheet lists the active Service Account Insights from all projects in the organization. These insights are useful for finding service accounts that can be safely disabled or deleted based on historical usage. Disable a candidate first and watch for breakage before deleting it: disabling is immediately reversible, while a deleted service account can only be undeleted for a limited time (30 days) and its role bindings are lost in the meantime.
Below is the Service Account Insight gcloud command used to generate output similar to this sheet.
gcloud projects list --format="value(projectId)" | xargs -t -I {} \
gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
--insight-type=google.iam.serviceAccount.Insight \
--filter="stateInfo.state=ACTIVE" --location=global
Firewall Insights
This sheet lists the active Firewall Insights from all projects in the organization where they are enabled. Firewall Insights are not enabled by default, because they are priced separately and are not free. Follow the prerequisites for enabling Firewall Insights: enable the Firewall Insights API, turn on Firewall Rules Logging on the individual firewall rules you want analysed (rules without logging produce no usage data), enable the chosen insight type, and configure an observation period. These insights are useful for removing redundant firewall rules (ie. shadowed rules), removing unused firewall rules (ie. allow rules with no hits during the observation period), and narrowing the protocols and ports of firewall rules based on historical usage (eg. rules with unused attributes and overly permissive IP address or port ranges).
Below is the Firewall Insight gcloud command used to generate output similar to this sheet.
gcloud projects list --format="value(projectId)" | xargs -t -I {} \
gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
--insight-type=google.compute.firewall.Insight \
--filter="stateInfo.state=ACTIVE" --location=global