Question

Project Launch: Building a Least-Privilege Auditor (Feedback Appreciated!)

  • April 8, 2026
  • 0 replies
  • 4 views

Jillie

Hi everyone,

I’m currently in the process of setting up my Google Cloud environment and awaiting my monthly innovator credits. In the meantime, I’m not letting the grass grow under my feet! I’m kicking off my first security-focused project: The Automated IAM "Least Privilege" Auditor.

The Goal: I want to build a tool (using Python and Cloud Functions) that audits IAM policies across a project and flags any identities holding the primitive "Owner" or "Editor" roles where a more granular predefined role would suffice.

While I wait for my credits to clear, I’m focusing on:

  • Mapping out the service account hierarchy.

  • Writing the logic to parse IAM policy JSON objects.

  • Designing a dashboard layout for security alerts.

My Questions for the Experts:

  1. For a project like this, do you recommend pulling data via the Cloud Asset Inventory API or directly through IAM Policy calls?

  2. Are there specific "hidden" permissions you've seen cause the most trouble in production environments?

I’m excited to share my progress and GitHub repo once the foundation is laid. Looking forward to your insights!
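An added example, not code from the post's author or from any existing project, showing the core of the audit described above: the parsing step in pure Python, run over a Cloud Asset Inventory IAM-policy export rather than per-resource getIamPolicy calls. The reason to prefer the export for the first question in the post is that one export covers every resource type (projects, buckets, datasets and so on) that carries its own policy, whereas getIamPolicy must be called once per resource you already know exists. The export is newline-delimited JSON; the record shape used here (`name`, `asset_type`, `iam_policy` holding a standard policy with `bindings`) matches what `gcloud asset export --content-type iam-policy` writes, but the sample records, principal names, project number and bucket name are constructed for the example. Google now calls roles/owner, roles/editor and roles/viewer "basic" roles; the example flags all three, at a lower severity for viewer, treats a public principal holding any of them as critical, and records the CEL condition on a binding so conditional grants are visible rather than silently skipped.

```python
"""Flag identities holding basic (formerly primitive) roles in GCP IAM policies.

Added example. Input is a newline-delimited JSON export from Cloud Asset
Inventory (content type iam-policy); each line is one asset carrying an
``iam_policy`` field in the standard policy format returned by getIamPolicy.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Basic roles and the severity to attach when any identity holds them directly.
BASIC_ROLES = {
    "roles/owner": "HIGH",
    "roles/editor": "HIGH",
    "roles/viewer": "MEDIUM",
}

# Principals that are not a single identity; a basic role granted to these is
# a public exposure rather than a least-privilege gap, so it is escalated.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


@dataclass(frozen=True)
class Finding:
    resource: str          # full asset name, e.g. //cloudresourcemanager.googleapis.com/projects/123
    member: str            # IAM member string, e.g. user:alice@example.com
    role: str              # the basic role that was granted
    severity: str          # CRITICAL / HIGH / MEDIUM
    condition: str | None  # CEL expression if the binding is conditional, else None


def member_kind(member: str) -> str:
    """Return the principal type prefix: user, serviceAccount, group, domain, public or unknown."""
    if member in PUBLIC_PRINCIPALS:
        return "public"
    kind, sep, _ = member.partition(":")
    return kind if sep else "unknown"


def audit_policy(policy: dict, resource: str = "unknown") -> list[Finding]:
    """Walk policy['bindings'] and return one Finding per (member, basic role) pair."""
    findings: list[Finding] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue
        # A conditional binding is still a grant; keep the expression for the report.
        condition = (binding.get("condition") or {}).get("expression")
        for member in binding.get("members", []):
            severity = "CRITICAL" if member_kind(member) == "public" else BASIC_ROLES[role]
            findings.append(Finding(resource, member, role, severity, condition))
    return findings


def audit_asset_record(record: dict) -> list[Finding]:
    """Audit one Cloud Asset Inventory record; assets with no policy yield nothing."""
    return audit_policy(record.get("iam_policy") or {}, record.get("name", "unknown"))


def audit_ndjson(text: str) -> list[Finding]:
    """Audit a whole newline-delimited export (one asset per line, blank lines ignored)."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(audit_asset_record(json.loads(line)))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings for a dashboard tile."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample export (project number, principals and bucket are made up).
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"name": "//cloudresourcemanager.googleapis.com/projects/123456789012",
     "asset_type": "cloudresourcemanager.googleapis.com/Project",
     "iam_policy": {"version": 3, "bindings": [
         {"role": "roles/owner", "members": ["user:alice@example.com"]},
         {"role": "roles/editor",
          "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com",
                      "group:devs@example.com"],
          "condition": {"title": "expires",
                        "expression": "request.time < timestamp('2026-12-31T00:00:00Z')"}},
         {"role": "roles/viewer", "members": ["allUsers"]},
         {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
     ]}},
    {"name": "//storage.googleapis.com/example-bucket",
     "asset_type": "storage.googleapis.com/Bucket",
     "iam_policy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["user:carol@example.com"]}]}},
])

if __name__ == "__main__":
    for f in audit_ndjson(SAMPLE_EXPORT):
        cond = f" (conditional: {f.condition})" if f.condition else ""
        print(f"{f.severity:8} {f.member} has {f.role} on {f.resource}{cond}")
    print(count_by_severity(audit_ndjson(SAMPLE_EXPORT)))
```

Running it against the constructed export reports four findings: alice's owner grant, the two conditional editor grants (the build service account and the devs group), and a critical finding for the viewer role handed to allUsers; the predefined storage.objectViewer grants are ignored. Deciding whether "a more granular predefined role would suffice" is the hard part the post leaves open; that needs the identity's actually used permissions, which is where recommender data or audit logs come in, and this parser is only the first stage feeding that decision.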