Question

Understanding GCP IAM Permissions for SOAR Integrations

  • April 29, 2026
  • 0 replies
  • 10 views


I’m working on setting up the Response Integrations for GCP (i.e. Google Cloud Compute, Google Cloud API, etc).

I’m missing a piece of knowledge on how GCP role permissions work across the organization.

SecOps setup is in a GCP project, we’ll call it “SecureLand”. SIEM/SOAR migrations have occurred to move to IAM. I created a service account in there, did the work of setting it up for workload federation, did the iam.serviceAccountTokenCreator steps. Created the custom roles in “SecureLand” and assigned them to the SA, and set up the integrations via Workload Identity Email.

The question » Do these custom roles need to be assigned at the Org level, or is there some inherited “hand waving” that happens because it’s done in the “SecureLand” project where SecOps is set up? Under normal situations I would say a role granted in the “SecureLand” project doesn’t allow acting in other projects.

Example: There is an alert that flags “dev_vm” as having malware in GCP project “DevLand”, which is another project in the same Org as “SecureLand”. Would a playbook/action be able to take action in the “DevLand” project?
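As an added illustration (not part of the original post, and not the Cloud IAM API itself), the block below is a small Python model of how GCP evaluates role bindings down the resource hierarchy. Every name in it (the organization ID, the project IDs, the service account, the role IDs, the VM) is constructed for the example. It encodes two rules that decide the question above: IAM bindings inherit downward (organization → folder → project → resource), never sideways between sibling projects; and a custom role defined inside a project can only be granted on that project and the resources beneath it, whereas an organization-level custom role can be granted anywhere in the organization.

```python
"""Toy model of GCP IAM policy inheritance (constructed illustration).

Resources form a tree (organization -> project -> instance). Each resource
carries its own IAM bindings; the effective policy on a resource is the union
of its bindings and those of every ancestor. Custom roles are scoped to the
organization or to one project, and a project-scoped custom role cannot be
bound outside that project.
"""
from dataclasses import dataclass, field


@dataclass
class CustomRole:
    role_id: str
    scope: str               # org or project that defines the role
    permissions: frozenset


@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    bindings: dict = field(default_factory=dict)   # role_id -> set of members


def ancestors(res):
    """Yield the resource itself, then each parent up to the organization."""
    while res is not None:
        yield res
        res = res.parent


def bind(res, role, member):
    """Attach a binding, rejecting a custom role used outside its scope."""
    if not any(r.name == role.scope for r in ancestors(res)):
        raise ValueError(f"{role.role_id} is defined in {role.scope}; "
                         f"it cannot be granted on {res.name}")
    res.bindings.setdefault(role.role_id, set()).add(member)


def has_permission(member, permission, res, roles):
    """True if a binding on the resource or any ancestor grants the permission."""
    for r in ancestors(res):
        for role_id, members in r.bindings.items():
            if member in members and permission in roles[role_id].permissions:
                return True
    return False


def build():
    """Constructed hierarchy: one org, two sibling projects, one VM in DevLand."""
    org = Resource("organizations/123456789")
    secureland = Resource("projects/secureland", parent=org)
    devland = Resource("projects/devland", parent=org)
    dev_vm = Resource("projects/devland/zones/us-central1-a/instances/dev_vm",
                      parent=devland)
    sa = "serviceAccount:soar-responder@secureland.iam.gserviceaccount.com"
    perm = "compute.instances.stop"
    project_role = CustomRole("projects/secureland/roles/soarResponder",
                              "projects/secureland", frozenset({perm}))
    org_role = CustomRole("organizations/123456789/roles/soarResponder",
                          "organizations/123456789", frozenset({perm}))
    roles = {project_role.role_id: project_role, org_role.role_id: org_role}
    return org, secureland, devland, dev_vm, sa, perm, project_role, org_role, roles


def project_level_binding_reaches_sibling():
    """Custom role created in SecureLand, bound on SecureLand: no reach into DevLand."""
    org, secureland, devland, dev_vm, sa, perm, project_role, org_role, roles = build()
    bind(secureland, project_role, sa)
    return has_permission(sa, perm, dev_vm, roles)


def project_role_bindable_on_sibling():
    """A SecureLand-scoped custom role cannot even be granted on DevLand."""
    org, secureland, devland, dev_vm, sa, perm, project_role, org_role, roles = build()
    try:
        bind(devland, project_role, sa)
    except ValueError:
        return False
    return True


def org_level_binding_reaches_sibling():
    """Org-scoped custom role bound at the org is inherited by every project."""
    org, secureland, devland, dev_vm, sa, perm, project_role, org_role, roles = build()
    bind(org, org_role, sa)
    return has_permission(sa, perm, dev_vm, roles)


def org_role_bound_on_devland_only():
    """Least-privilege variant: org-scoped role, but bound only on DevLand's policy."""
    org, secureland, devland, dev_vm, sa, perm, project_role, org_role, roles = build()
    bind(devland, org_role, sa)
    return (has_permission(sa, perm, dev_vm, roles),
            has_permission(sa, perm, secureland, roles))
```

The last variant is the one to notice: reaching DevLand does not require an organization-level binding, only an organization-level role definition. In gcloud terms that is `gcloud iam roles create ROLE_ID --organization=ORG_ID --file=role.yaml` (rather than `--project=PROJECT_ID`), followed by `gcloud projects add-iam-policy-binding devland --member=serviceAccount:... --role=organizations/ORG_ID/roles/ROLE_ID` on each project the SOAR is allowed to act in; a binding via `gcloud organizations add-iam-policy-binding` grants the same permissions on every project in the organization, including ones the playbooks were never meant to touch.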