Auditing GCP IAM Permissions

When to Use

  • When performing security assessments of GCP organization or project IAM configurations
  • When identifying service accounts with excessive permissions or unused access
  • When compliance requirements mandate review of access controls and role assignments
  • When investigating potential lateral movement through IAM misconfigurations
  • When reducing the blast radius of compromised credentials by scoping down permissions

Do not use for VPC firewall rule auditing (use network security tools), for GKE RBAC auditing (use Kubernetes-specific RBAC tools), or for real-time threat detection on IAM actions (use SCC Event Threat Detection).

Prerequisites

  • Access to the target GCP organization or project, with the roles/iam.securityReviewer and roles/cloudAsset.viewer roles granted to the identity running the audit
  • gcloud CLI authenticated with appropriate permissions
  • Cloud Asset API enabled (gcloud services enable cloudasset.googleapis.com)
  • IAM Recommender API enabled (gcloud services enable recommender.googleapis.com)
  • Policy Analyzer API enabled (gcloud services enable policyanalyzer.googleapis.com)
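A preflight script that checks these prerequisites before an audit starts, added here as an example rather than taken from the skill itself. It assumes gcloud is on PATH with an active account and project, uses the three API names and two role names listed above, and only inspects roles bound directly to the caller's principal (roles inherited via groups or folder/organization policies are not enumerated, so a "missing" role may still be effective through those paths). The list-comparison helper is kept separate from the gcloud calls so it can be checked against constructed input.

```shell
#!/usr/bin/env sh
# Preflight check for the prerequisites listed above (added example, not the skill's own code).
# Assumes: gcloud CLI authenticated, an active project set, and the API/role names from the list above.

REQUIRED_APIS="cloudasset.googleapis.com recommender.googleapis.com policyanalyzer.googleapis.com"
REQUIRED_ROLES="roles/iam.securityReviewer roles/cloudAsset.viewer"

# missing_items NEEDED HAVE
#   NEEDED: space-separated list of required names
#   HAVE:   newline-separated list of names actually present
#   Prints each required name that is absent from HAVE, one per line.
missing_items() {
  needed="$1"
  have="$2"
  for item in $needed; do
    if ! printf '%s\n' "$have" | grep -qx -- "$item"; then
      printf '%s\n' "$item"
    fi
  done
}

# preflight: compare enabled APIs and directly bound roles against the required lists.
# Exits non-zero when anything is missing so it can gate an audit pipeline.
preflight() {
  project="$(gcloud config get-value project 2>/dev/null)"
  account="$(gcloud config get-value account 2>/dev/null)"
  if [ -z "$project" ] || [ -z "$account" ]; then
    echo "preflight: no active project or account; run 'gcloud auth login' and 'gcloud config set project'" >&2
    return 1
  fi

  # APIs currently enabled on the project (one service name per line).
  enabled="$(gcloud services list --enabled --format='value(config.name)' 2>/dev/null)"
  missing_apis="$(missing_items "$REQUIRED_APIS" "$enabled")"

  # Roles bound directly to the caller on the project. Group membership and
  # bindings inherited from folders or the organization are not reflected here.
  bound="$(gcloud projects get-iam-policy "$project" \
    --flatten='bindings[].members' \
    --filter="bindings.members:${account}" \
    --format='value(bindings.role)' 2>/dev/null)"
  missing_roles="$(missing_items "$REQUIRED_ROLES" "$bound")"

  status=0
  if [ -n "$missing_apis" ]; then
    echo "preflight: APIs not enabled on ${project}:" >&2
    printf '  %s\n' $missing_apis >&2
    echo "  enable with: gcloud services enable $missing_apis" >&2
    status=1
  fi
  if [ -n "$missing_roles" ]; then
    echo "preflight: roles not bound directly to ${account} on ${project} (may still be inherited):" >&2
    printf '  %s\n' $missing_roles >&2
    status=1
  fi
  [ "$status" -eq 0 ] && echo "preflight: all prerequisites satisfied for ${account} on ${project}"
  return "$status"
}

# Run the check only when gcloud is actually available, so the helper can be sourced elsewhere.
if command -v gcloud >/dev/null 2>&1; then
  preflight
fi
```

Run it once before each assessment; a non-zero exit means either an API still needs enabling (the script prints the exact `gcloud services enable` command) or a role is absent from the caller's direct bindings and should be confirmed through group or inherited bindings before proceeding.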
First seen: Mar 15, 2026