Google Cloud Platform Blog
Product updates, customer stories, and tips and tricks on Google Cloud Platform
IAM best practice guides available now
Tuesday, March 29, 2016
Google Cloud Identity & Access Managemen
t (IAM) service gives you additional capabilities to secure access to your
Google Cloud Platform
resources. To assist you when designing your IAM strategy, we've created a set of best practice guides.
The best practices guides include:
Using IAM Securely
Designing Resource Hierarchies
Understanding Service Accounts
The “
Using IAM Securely
” guide will help you to implement IAM controls securely by providing a checklist of best practices for the most common areas of concern when using IAM. It categorizes best practices into four sections:
Least privilege - A set of checks that assist you in restricting your users or applications to not do more than they're supposed to.
Managing Service Accounts and Service Account keys - Provides pointers to help you manage both securely.
Auditing - This covers practices that include reminding you to use
Audit logs
and
cloud logging roles
Policy Management - Some checks to ensure that you're implementing and managing your policies appropriately.
Cloud Platform resources are organized hierarchically and IAM policies can propagate down the structure. You're able to set IAM policies at the following levels of the resource hierarchy:
Organization level
. The Organization resource represents your company. IAM roles granted at this level are inherited by all resources under the organization.
Project level
. Projects represent a trust boundary within your company. Services within the same project have a default level of trust. For example, App Engine instances can access Cloud storage buckets within the same project. IAM roles granted at the project level are inherited by resources within that project.
Resource level
. In addition to the existing
Google Cloud Storage
and
Google BigQuery
ACL systems, additional resources such as
Google Genomics
Datasets and
Google Cloud Pub/Sub
topics support resource-level roles so that you can grant certain users permission to a single resource.
The diagram below illustrates an example of a Cloud Platform resource hierarchy:
The “
Designing Resource Hierarchies
” guide provides examples of what this means in practice and has a handy checklist to double-check that you're following best practice.
A Service Account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. The “
Understanding Service Accounts
” guide provides answers to the most common questions, like:
What resources can the service account access?
What permissions does it need?
Where will the code assuming the identity of the service account be running: on Google Cloud Platform or on-premises?
This guide discusses what the implications are of making certain decisions so that you have enough information to use Service Accounts safely and efficiently.
We’ll be producing more IAM best practice guides and are keen to hear from customers using IAM or wanting to use IAM on what additional content would be helpful. We’re also keen to hear if there are curated roles we haven’t thought of. We want Cloud Platform to be the most secure and the easiest cloud to use so your feedback is important to us and helps us shape our approach. Please share your feedback with us at:
GCP-iam-feedback@google.com
-
Posted by Grace Mollison, Solutions Architect
Free Trial
GCP Blogs
Big Data & Machine Learning
Kubernetes
GCP Japan Blog
Labels
Android
1
Announcement
15
Announcement Partners Technical Customers Compute Networking Storage Big Data & Analytics Developers Compute Engine Cloud Storage Cloud SQL Cloud BigTable
1
Announcements
1
api
2
app engine
50
Atmosphere Live
1
Big Data & Analytics
7
bigquery
15
BigTable
2
CDN
1
Cloud Console
2
Cloud Dataflow
5
Cloud Datastore
7
cloud endpoints
1
Cloud Pub/Sub
2
Cloud SDK
1
cloud sql
12
cloud storage
27
Cloudera
1
Compute
5
Compute Engine
56
container cluster
1
Container Engine
1
Container Registry
1
customer
59
Customers
4
Dataflow
4
DataLab
1
Dev Tools
1
developer tools
5
developer-insights
6
Developers
2
Developers Console
2
devfests
4
Disaster Recovery
1
Encryption Keys
1
ESG
1
Event
4
events
11
GA
1
Gaming
1
Go Client
1
Google App Engine
5
Google Apps
1
Google BigQuery
8
Google Cloud Deployment Manager
1
Google Cloud Networking
2
Google Cloud Platform
8
Google Cloud Storage
7
Google Compute Engine
9
Google Container Engine
1
gRPC
1
hadoop
3
Hardware
1
Helium
1
how to
2
IO2013
3
iOS
1
Kubernetes
15
Levyx
1
Local SSD
2
Logging
1
mapreduce
1
Media
3
Mobile
1
Nearline
1
networking
3
open source
98
PaaS Solution
1
Partner
12
Partners
2
Pricing
4
Products
15
Pub/Sub
2
Research
1
round-up
8
Security
12
Server
1
Siggraph
1
solutions
4
Startup
1
Storage
2
Tableau
1
TCO
1
Technical
23
weekly roundup
7
Windows
1
Wowza
1
Zync
3
Archive
2016
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2010
Dec
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2009
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2008
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Feed
Subscribe by email
Technical questions? Check us out on
Stack Overflow
.
Subscribe to
our monthly newsletter
.
Google
on
Follow @googlecloud
Follow
Follow
Follow