explainx.ainewsletter3.4k
auditing-gcp-iam-permissions

auditing-gcp-iam-permissions

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/auditing-gcp-iam-permissions
0 commentsdiscussion
summary

Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.

skill.md
name
auditing-gcp-iam-permissions
description
'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender. '
domain
cybersecurity
subdomain
cloud-security
tags
- cloud-security - gcp - iam - permissions-audit - service-accounts - policy-analyzer
version
'1.0'
author
mahipal
license
Apache-2.0
nist_csf
- PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01

Auditing GCP IAM Permissions

When to Use

  • When performing security assessments of GCP organization or project IAM configurations
  • When identifying service accounts with excessive permissions or unused access
  • When compliance requirements mandate review of access controls and role assignments
  • When investigating potential lateral movement through IAM misconfigurations
  • When reducing the blast radius of compromised credentials by scoping down permissions

Do not use for VPC firewall rule auditing (use network security tools), for GKE RBAC auditing (use Kubernetes-specific RBAC tools), or for real-time threat detection on IAM actions (use SCC Event Threat Detection).

Prerequisites

  • GCP organization or project with roles/iam.securityReviewer and roles/cloudAsset.viewer
  • gcloud CLI authenticated with appropriate permissions
  • Cloud Asset API enabled (gcloud services enable cloudasset.googleapis.com)
  • IAM Recommender API enabled (gcloud services enable recommender.googleapis.com)
  • Policy Analyzer API enabled (gcloud services enable policyanalyzer.googleapis.com)

Workflow

Step 1: Enumerate IAM Bindings Across the Organization

List all IAM bindings at organization, folder, and project levels to understand the full access landscape.

# Organization-level IAM bindings
gcloud organizations get-iam-policy ORG_ID \
  --format=json > org-iam-policy.json

# Search all IAM policies across the organization
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --format="table(resource, policy.bindings.role, policy.bindings.members)" \
  --limit=500

# Find all users and service accounts with Owner role
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --query="policy:roles/owner" \
  --format="table(resource, policy.bindings.members)"

# Find all bindings using primitive roles (Owner, Editor, Viewer)
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --query="policy:roles/owner OR policy:roles/editor" \
  --format=json | python3 -c "
import json, sys
data = json.load(sys.stdin)
for result in data:
    resource = result.get('resource', '')
    for binding in result.get('policy', {}).get('bindings', []):
        role = binding.get('role', '')
        if role in ['roles/owner', 'roles/editor']:
            for member in binding.get('members', []):
                print(f'{resource} | {role} | {member}')
"

Step 2: Audit Service Accounts and Their Keys

Identify service accounts with excessive permissions, user-managed keys, and unused accounts.

# List all service accounts in a project
gcloud iam service-accounts list \
  --project=PROJECT_ID \
  --format="table(email, displayName, disabled)"

# Check for user-managed keys (should be minimized)
for sa in $(gcloud iam service-accounts list --project=PROJECT_ID --format="value(email)"); do
  keys=$(gcloud iam service-accounts keys list \
    --iam-account="$sa" \
    --managed-by=user \
    --format="table(name.basename(),validAfterTime,validBeforeTime)")
  if [ -n "$keys" ]; then
    echo "=== $sa ==="
    echo "$keys"
  fi
done

# Find service accounts with admin roles across all projects
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --query="policy.bindings.members:serviceAccount AND (policy:roles/owner OR policy:roles/editor OR policy:admin)" \
  --format="table(resource, policy.bindings.role, policy.bindings.members)"

# Check service account IAM policies (who can impersonate)
for sa in $(gcloud iam service-accounts list --project=PROJECT_ID --format="value(email)"); do
  echo "=== $sa ==="
  gcloud iam service-accounts get-iam-policy "$sa" --format=json 2>/dev/null
done

Step 3: Use IAM Recommender to Identify Excess Permissions

Leverage GCP's IAM Recommender to find roles that grant more access than actually used.

# List IAM role recommendations for a project
gcloud recommender recommendations list \
  --project=PROJECT_ID \
  --recommender=google.iam.policy.Recommender \
  --location=global \
  --format="table(name, description, priority, stateInfo.state)"

# Get detailed recommendation
gcloud recommender recommendations describe RECOMMENDATION_ID \
  --project=PROJECT_ID \
  --recommender=google.iam.policy.Recommender \
  --location=global \
  --format=json

# List insights about IAM usage
gcloud recommender insights list \
  --project=PROJECT_ID \
  --insight-type=google.iam.policy.Insight \
  --location=global \
  --format="table(name, description, severity, category)"

# Apply a recommendation (after review)
gcloud recommender recommendations mark-claimed RECOMMENDATION_ID \
  --project=PROJECT_ID \
  --recommender=google.iam.policy.Recommender \
  --location=global \
  --etag=ETAG

Step 4: Analyze Effective Permissions with Policy Analyzer

Use Policy Analyzer to determine effective access for specific principals or resources.

# Check who has access to a specific resource
gcloud asset analyze-iam-policy \
  --organization=ORG_ID \
  --full-resource-name="//storage.googleapis.com/projects/_/buckets/sensitive-data-bucket" \
  --format="table(identityList.identities, accessControlLists.accesses.role)"

# Check what resources a specific user can access
gcloud asset analyze-iam-policy \
  --organization=ORG_ID \
  --identity="user:[email protected]" \
  --format="table(accessControlLists.resources.fullResourceName, accessControlLists.accesses.role)"

# Check who can perform a specific action
gcloud asset analyze-iam-policy \
  --organization=ORG_ID \
  --full-resource-name="//cloudresourcemanager.googleapis.com/projects/PROJECT_ID" \
  --permissions="iam.serviceAccounts.actAs,iam.serviceAccountKeys.create" \
  --format="table(identityList.identities, accessControlLists.accesses.permission)"

# Find all principals with allUsers or allAuthenticatedUsers access
gcloud asset search-all-iam-policies \
  --scope=organizations/ORG_ID \
  --query="policy:allUsers OR policy:allAuthenticatedUsers" \
  --format="table(resource, policy.bindings.role, policy.bindings.members)"

Step 5: Check for Domain-Wide Delegation and Impersonation Risks

Identify service accounts with domain-wide delegation and impersonation capabilities.

# Check for service accounts with domain-wide delegation
# (Requires Admin SDK access to list delegated accounts)
gcloud iam service-accounts list --project=PROJECT_ID --format=json | python3 -c "
import json, sys
accounts = json.load(sys.stdin)
for sa in accounts:
    email = sa.get('email', '')
    # Check if the SA has domain-wide delegation enabled
    # This requires Admin SDK API access
    print(f'SA: {email} - Check admin.google.com for delegation status')
"

# Find service accounts that other identities can impersonate
for sa in $(gcloud iam service-accounts list --project=PROJECT_ID --format="value(email)"); do
  policy=$(gcloud iam service-accounts get-iam-policy "$sa" --format=json 2>/dev/null)
  if echo "$policy" | python3 -c "
import json, sys
p = json.load(sys.stdin)
for b in p.get('bindings', []):
    if b['role'] in ['roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser']:
        print(f'  {b[\"role\"]}: {b[\"members\"]}')
" 2>/dev/null; then
    echo "=== Impersonation risk: $sa ==="
  fi
done

Step 6: Generate Audit Report and Apply Remediation

Compile findings and implement recommended permission reductions.

# Remove primitive role and replace with predefined role
gcloud projects remove-iam-policy-binding PROJECT_ID \
  --member="user:[email protected]" \
  --role="roles/editor"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:[email protected]" \
  --role="roles/compute.viewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:[email protected]" \
  --role="roles/storage.objectViewer"

# Delete unused service account keys
gcloud iam service-accounts keys delete KEY_ID \
  --iam-account=SA_EMAIL

# Disable unused service accounts
gcloud iam service-accounts disable SA_EMAIL --project=PROJECT_ID

Key Concepts

TermDefinition
Primitive RoleLegacy GCP roles (Owner, Editor, Viewer) that grant broad permissions across all services, not recommended for production
Predefined RoleGCP-managed role scoped to specific services and actions, providing more granular access than primitive roles
IAM RecommenderGCP ML-based service that analyzes actual permission usage and suggests role reductions to achieve least privilege
Policy AnalyzerTool for analyzing effective IAM access across the organization hierarchy, answering who-can-access-what queries
Service Account KeyUser-managed credential for service account authentication, a security risk as keys can be exported and do not auto-expire
Domain-Wide DelegationGrants a service account the ability to impersonate any user in the Google Workspace domain, a significant privilege escalation risk

Tools & Systems

  • gcloud CLI: Primary tool for querying and managing GCP IAM policies, service accounts, and role bindings
  • IAM Recommender: ML-based recommendation engine for reducing excessive permissions based on actual usage
  • Policy Analyzer: Organization-wide effective access analysis tool for understanding who can access what
  • Cloud Asset Inventory: Cross-project search for IAM policies and resource metadata
  • ScoutSuite: Multi-cloud auditing tool with GCP IAM-specific checks for role assignments and service accounts

Common Scenarios

Scenario: Reducing Primitive Role Usage Across a GCP Organization

Context: An audit reveals that 60% of IAM bindings across the organization use primitive roles (Owner/Editor). The security team needs to migrate to predefined roles without disrupting developer workflows.

Approach:

  1. Run gcloud asset search-all-iam-policies to inventory all primitive role bindings
  2. Use IAM Recommender to get ML-based suggestions for replacement predefined roles
  3. For each binding, use Policy Analyzer to understand what the principal actually accesses
  4. Create a mapping document: primitive role -> specific predefined roles needed
  5. Apply predefined roles alongside primitive roles for a testing period
  6. Monitor for access denied errors using Cloud Audit Logs
  7. Remove primitive roles after confirming no access issues over 2 weeks

Pitfalls: Primitive roles include permissions across all GCP services, so replacing them requires multiple predefined roles. The Recommender may suggest overly restrictive roles if the observation period does not capture all use cases. Custom roles can fill gaps where no predefined role matches the exact permission set needed.

Output Format

GCP IAM Permissions Audit Report
===================================
Organization: acme-org (ORG_ID: 123456789)
Projects Audited: 25
Audit Date: 2026-02-23

IAM BINDING SUMMARY:
  Total bindings:                    342
  Using primitive roles:             205 (60%)
  Using predefined roles:            112 (33%)
  Using custom roles:                 25 (7%)

CRITICAL FINDINGS:
[IAM-001] Service Account with Owner Role
  SA: [email protected]
  Role: roles/owner on project prod-project
  User-Managed Keys: 3 (oldest: 14 months)
  Remediation: Replace with specific predefined roles, delete old keys

[IAM-002] allAuthenticatedUsers Binding
  Resource: gs://public-data-bucket
  Role: roles/storage.objectViewer
  Risk: Any Google account holder can read bucket contents
  Remediation: Restrict to specific user groups or service accounts

SERVICE ACCOUNT HEALTH:
  Total service accounts:            67
  With user-managed keys:            23
  Keys older than 90 days:           18
  Unused accounts (90+ days):        12
  With domain-wide delegation:        2

RECOMMENDER SUGGESTIONS:
  Total recommendations:             45
  Priority HIGH:                     12
  Estimated permissions reduced:     2,847 individual permissions
how to use auditing-gcp-iam-permissions

How to use auditing-gcp-iam-permissions on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add auditing-gcp-iam-permissions
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/auditing-gcp-iam-permissions

The skills CLI fetches auditing-gcp-iam-permissions from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/auditing-gcp-iam-permissions

Reload or restart Cursor to activate auditing-gcp-iam-permissions. Access the skill through slash commands (e.g., /auditing-gcp-iam-permissions) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.639 reviews
  • Kwame Johnson· Dec 28, 2024

    We added auditing-gcp-iam-permissions from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Kaira Flores· Dec 24, 2024

    Keeps context tight: auditing-gcp-iam-permissions is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Dhruvi Jain· Dec 12, 2024

    auditing-gcp-iam-permissions fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Li Reddy· Dec 12, 2024

    Registry listing for auditing-gcp-iam-permissions matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Kwame Garcia· Nov 19, 2024

    auditing-gcp-iam-permissions reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Kaira Lopez· Nov 15, 2024

    I recommend auditing-gcp-iam-permissions for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Oshnikdeep· Nov 3, 2024

    Registry listing for auditing-gcp-iam-permissions matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Kaira Haddad· Nov 3, 2024

    auditing-gcp-iam-permissions fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Ganesh Mohane· Oct 22, 2024

    auditing-gcp-iam-permissions reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Alexander Li· Oct 22, 2024

    We added auditing-gcp-iam-permissions from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

showing 1-10 of 39

1 / 4