Question

Project Launch: Building a Least-Privilege Auditor (Feedback Appreciated!)

  • April 8, 2026
  • 1 reply
  • 27 views

Jillie

 Hi everyone,

I’m currently in the process of setting up my Google Cloud environment and awaiting my monthly innovator credits. In the meantime, I’m not letting the grass grow under my feet! I’m kicking off my first security-focused project: The Automated IAM "Least Privilege" Auditor.

The Goal: I want to build a tool (using Python and Cloud Functions) that audits IAM policies across a project and flags any identities holding the primitive "Owner" or "Editor" roles where a more granular predefined role would suffice.

While I wait for my credits to clear, I’m focusing on:

  • Mapping out the service account hierarchy.

  • Writing the logic to parse IAM policy JSON objects.

  • Designing a dashboard layout for security alerts.

My Questions for the Experts:

  1. For a project like this, do you recommend pulling data via the Cloud Asset Inventory API or directly through IAM Policy calls?

  2. Are there specific "hidden" permissions you've seen cause the most trouble in production environments?

I’m excited to share my progress and GitHub repo once the foundation is laid. Looking forward to your insights!
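As an added illustration of the parsing logic described in the post above (this is example code written here, not Jillie's project code), the block below audits a Google Cloud IAM policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json` and by the IAM and Cloud Asset Inventory APIs: a `bindings` list of `{role, members, optional condition}`. It flags every member bound to `roles/owner` or `roles/editor`, records the member type (user, group, serviceAccount, or a public principal) and whether the binding is narrowed by an IAM condition. The sample policy, the member names and the severity labels are constructed for the demonstration.

```python
"""Flag identities bound to the broad basic roles in a GCP IAM policy."""
import json

# Basic (formerly "primitive") roles that grant broad, project-wide access.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy for offline demonstration (not a real project's policy).
SAMPLE_POLICY_JSON = """
{
  "version": 3,
  "etag": "BwExampleEtag",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:admins@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2026-12-31T00:00:00Z')"}},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/logging.viewer", "members": ["user:bob@example.com"]}
  ]
}
"""


def audit_policy(policy, broad_roles=BROAD_ROLES):
    """Return one finding per (member, broad role) pair found in the policy.

    A binding carrying an IAM condition is reported at lower severity than an
    unconditional one, because the grant is already time- or resource-limited.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in broad_roles:
            continue
        conditional = "condition" in binding
        for member in binding.get("members", []):
            # Members look like "user:alice@example.com"; the public principals
            # "allUsers" and "allAuthenticatedUsers" carry no type prefix.
            member_type = member.split(":", 1)[0] if ":" in member else "public"
            findings.append({"member": member, "member_type": member_type,
                             "role": role, "conditional": conditional,
                             "severity": "medium" if conditional else "high"})
    return findings


def audit_policy_json(policy_json, broad_roles=BROAD_ROLES):
    """Convenience wrapper: audit a policy supplied as a JSON string."""
    return audit_policy(json.loads(policy_json), broad_roles)


if __name__ == "__main__":
    for f in audit_policy_json(SAMPLE_POLICY_JSON):
        print(f"{f['severity'].upper():6} {f['role']:<12} {f['member']} "
              f"(conditional={f['conditional']})")
```

Passing a different `broad_roles` set (for example adding `roles/viewer`) widens the audit to other roles without changing the parser.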


1 reply

ErikaB
Community Manager
  • April 16, 2026

Hi @Jillie

Thank you for reaching out and apologies for the delayed response.

Looks like your questions are related to IAM (Identity and Access Management), which handles permissions for Google Cloud resources. This topic is better supported in the Google Developer Program forum than in our security product communities. To get the best help from experts in this domain, we recommend posting your question in the Google Developer Program forum. The experts there will be able to provide more targeted assistance.

Hope this helps!