
GCP Security – Finding Zero Trust Policy issues using the IAM policy Recommender

In our previous blog posts, we explored leveraging Google Recommender for cost optimization. Now, let’s dive into identifying security issues within your Google Cloud Platform (GCP) environment using Google Recommender. If you missed the previous post on redirecting recommendations to BigQuery, I highly recommend giving it a read, as it lays out the groundwork for our current discussion.

Adhering to the principles of a zero trust policy, it’s crucial to ensure that individuals or service accounts only possess the permissions they truly require. Google Recommender plays a pivotal role in this aspect. By examining policy insights, if it’s flagged that a principal holds unnecessary permissions within their role, the IAM Recommender steps in to evaluate whether these permissions can be revoked or if there’s a more suitable role available. If revocation is possible, the IAM Recommender generates a recommendation to revoke the role. Alternatively, if there’s a better-suited role, it suggests replacing the existing one with the suggested role. This replacement could entail a new custom role, an existing custom role, or predefined roles.

If you’ve already redirected all recommendations to BigQuery, you can run the following query to gain insights into any surplus permissions held by individuals or service accounts. Furthermore, it will provide recommendations regarding roles that may need to be removed or replaced with more stringent alternatives.

SQL to find GCP IAM recommendation

SELECT
  cloud_entity_type,
  cloud_entity_id,
  recommendation_details,
  recommender_subtype,
  JSON_VALUE(recommendation_details, "$.overview.member") AS user,
  JSON_VALUE(recommendation_details, "$.overview.removedRole") AS existing_role,
  JSON_QUERY_ARRAY(recommendation_details, "$.overview.addedRoles") AS new_role,
  priority,
  JSON_VALUE(recommendation_details, "$.overview.minimumObservationPeriodInDays") AS minimumObservationPeriodInDays
FROM
  `your_project.recommendations.recommendations_export`
WHERE
  recommender = "google.iam.policy.Recommender"
  AND state = "ACTIVE"
  -- only look at the most recent daily export partition
  AND TIMESTAMP_TRUNC(_PARTITIONTIME, DAY) = (
    SELECT
      TIMESTAMP_TRUNC(MAX(_PARTITIONTIME), DAY)
    FROM
      `your_project.recommendations.recommendations_export`
  )

The columns returned by the query:

  • cloud_entity_type: whether the recommendation applies at the organization, folder or project level.
  • cloud_entity_id: the ID of that organization, folder or project; you can use this ID in the GCP console to locate the entity.
  • recommender_subtype: whether the role should be removed, replaced with another role, or whether a service account is using a default role.
  • user: the principal (user or service account) for which the recommendation was generated.
  • existing_role: the role the principal currently holds.
  • new_role: the role(s) the existing role should be replaced with; when recommender_subtype is remove_role this is empty.
  • priority: the priority of the recommendation.
  • minimumObservationPeriodInDays: the IAM Recommender only begins generating role recommendations once it has gathered enough permission-usage data. By default the minimum observation period is 90 days; for project-level role recommendations you can manually reduce it to 30 or 60 days. To change this setting, see Configure Role Recommendations.
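As an added follow-up example (not part of the original post), the query below builds on the one above: it flattens the addedRoles array so each suggested role becomes its own row, keeps remove-role recommendations (whose array is empty) by using LEFT JOIN UNNEST, and summarises open recommendations per entity and priority so the highest-impact least-privilege fixes surface first. It assumes the same export table name as the post, your_project.recommendations.recommendations_export.

```sql
-- Added example: triage summary of active IAM Recommender findings.
-- Assumes the export table used in the post.
WITH latest AS (
  SELECT
    cloud_entity_type,
    cloud_entity_id,
    recommender_subtype,
    priority,
    recommendation_details
  FROM `your_project.recommendations.recommendations_export`
  WHERE recommender = "google.iam.policy.Recommender"
    AND state = "ACTIVE"
    AND TIMESTAMP_TRUNC(_PARTITIONTIME, DAY) = (
      SELECT TIMESTAMP_TRUNC(MAX(_PARTITIONTIME), DAY)
      FROM `your_project.recommendations.recommendations_export`)
),
flattened AS (
  SELECT
    cloud_entity_type,
    cloud_entity_id,
    recommender_subtype,
    priority,
    JSON_VALUE(recommendation_details, "$.overview.member") AS member,
    JSON_VALUE(recommendation_details, "$.overview.removedRole") AS existing_role,
    -- each element of addedRoles is a JSON string such as "roles/viewer";
    -- JSON_VALUE with path "$" strips the quotes
    JSON_VALUE(added_role, "$") AS new_role
  FROM latest
  -- LEFT JOIN keeps REMOVE_ROLE rows, whose addedRoles array is empty
  -- (a plain comma join with UNNEST would silently drop them)
  LEFT JOIN UNNEST(
    JSON_QUERY_ARRAY(recommendation_details, "$.overview.addedRoles")
  ) AS added_role
)
SELECT
  cloud_entity_type,
  cloud_entity_id,
  recommender_subtype,
  priority,
  COUNT(DISTINCT member) AS principals_affected,
  ARRAY_AGG(DISTINCT existing_role IGNORE NULLS) AS roles_to_revoke_or_replace,
  ARRAY_AGG(DISTINCT new_role IGNORE NULLS) AS suggested_roles
FROM flattened
GROUP BY 1, 2, 3, 4
ORDER BY priority, principals_affected DESC
```

Rows where suggested_roles is empty correspond to remove-role recommendations; a quick sanity check before acting on one is to confirm that minimumObservationPeriodInDays covers the principal's real usage cycle (for example quarterly jobs), since the recommender only sees the permissions exercised in that window.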