Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionauditing-gcp-iam-permissionsExecute the skills CLI command in your project's root directory to begin installation:
Fetches auditing-gcp-iam-permissions from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate auditing-gcp-iam-permissions. Access via /auditing-gcp-iam-permissions in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | auditing-gcp-iam-permissions |
| description | 'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - cloud-security - gcp - iam - permissions-audit - service-accounts - policy-analyzer |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for VPC firewall rule auditing (use network security tools), for GKE RBAC auditing (use Kubernetes-specific RBAC tools), or for real-time threat detection on IAM actions (use SCC Event Threat Detection).
roles/iam.securityReviewer and roles/cloudAsset.viewergcloud services enable cloudasset.googleapis.com)gcloud services enable recommender.googleapis.com)gcloud services enable policyanalyzer.googleapis.com)List all IAM bindings at organization, folder, and project levels to understand the full access landscape.
# Organization-level IAM bindings
gcloud organizations get-iam-policy ORG_ID \
--format=json > org-iam-policy.json
# Search all IAM policies across the organization
gcloud asset search-all-iam-policies \
--scope=organizations/ORG_ID \
--format="table(resource, policy.bindings.role, policy.bindings.members)" \
--limit=500
# Find all users and service accounts with Owner role
gcloud asset search-all-iam-policies \
--scope=organizations/ORG_ID \
--query="policy:roles/owner" \
--format="table(resource, policy.bindings.members)"
# Find all bindings using primitive roles (Owner, Editor, Viewer)
gcloud asset search-all-iam-policies \
--scope=organizations/ORG_ID \
--query="policy:roles/owner OR policy:roles/editor" \
--format=json | python3 -c "
import json, sys
data = json.load(sys.stdin)
for result in data:
resource = result.get('resource', '')
for binding in result.get('policy', {}).get('bindings', []):
role = binding.get('role', '')
if role in ['roles/owner', 'roles/editor']:
for member in binding.get('members', []):
print(f'{resource} | {role} | {member}')
"
Identify service accounts with excessive permissions, user-managed keys, and unused accounts.
# List all service accounts in a project
gcloud iam service-accounts list \
--project=PROJECT_ID \
--format="table(email, displayName, disabled)"
# Check for user-managed keys (should be minimized)
for sa in $(gcloud iam service-accounts list --project=PROJECT_ID --format="value(email)"); do
keys=$(gcloud iam service-accounts keys list \
--iam-account="$sa" \
--managed-by=user \
--format="table(name.basename(),validAfterTime,validBeforeTime)")
if [ -n "$keys" ]; then
echo "=== $sa ==="
echo "$keys"
fi
done
# Find service accounts with admin roles across all projects
gcloud asset search-all-iam-policies \
--scope=organizations/ORG_ID \
--query="policy.bindings.members:serviceAccount AND (policy:roles/owner OR policy:roles/editor OR policy:admin)" \
--format="table(resource, policy.bindings.role, policy.bindings.members)"
# Check service account IAM policies (who can impersonate)
for sa in $(gcloud iam service-accounts list --project=PROJECT_ID --format="value(email)"); do
echo "=== $sa ==="
gcloud iam service-accounts get-iam-policy "$sa" --format=json 2>/dev/null
done
Leverage GCP's IAM Recommender to find roles that grant more access than actually used.
# List IAM role recommendations for a project
gcloud recommender recommendations list \
--project=PROJECT_ID \
--recommender=google.iam.policy.Recommender \
--location=global \
--format="table(name, description, priority, stateInfo.state)"
# Get detailed recommendation
gcloud recommender recommendations describe RECOMMENDATION_ID \
--project=PROJECT_ID \
--recommender=google.iam.policy.Recommender \
--location=global \
--format=json
# List insights about IAM usage
gcloud recommender insights list \
--project=PROJECT_ID \
--insight-type=google.iam.policy.Insight \
--location=global \
--format="table(name, description, severity, category)"
# Apply a recommendation (after review)
gcloud recommender recommendations mark-claimed RECOMMENDATION_ID \
--project=PROJECT_ID \
--recommender=google.iam.policy.Recommender \
--location=global \
--etag=ETAG
Use Policy Analyzer to determine effective access for specific principals or resources.
# Check who has access to a specific resource
gcloud asset analyze-iam-policy \
--organization=ORG_ID \
--full-resource-name="//storage.googleapis.com/projects/_/buckets/sensitive-data-bucket" \
--format="table(identityList.identities, accessControlLists.accesses.role)"
# Check what resources a specific user can access
gcloud asset analyze-iam-policy \
--organization=ORG_ID \
--identity="user:[email protected]" \
--format="table(accessControlLists.resources.fullResourceName, accessControlLists.accesses.role)"
# Check who can perform a specific action
gcloud asset analyze-iam-policy \
--organization=ORG_ID \
--full-resource-name="//cloudresourcemanager.googleapis.com/projects/PROJECT_ID" \
--permissions="iam.serviceAccounts.actAs,iam.serviceAccountKeys.create" \
--format="table(identityList.identities, accessControlLists.accesses.permission)"
# Find all principals with allUsers or allAuthenticatedUsers access
gcloud asset search-all-iam-policies \
--scope=organizations/ORG_ID \
--query="policy:allUsers OR policy:allAuthenticatedUsers" \
--format="table(resource, policy.bindings.role, policy.bindings.members)"
Identify service accounts with domain-wide delegation and impersonation capabilities.
# Check for service accounts with domain-wide delegation
# (Requires Admin SDK access to list delegated accounts)
gcloud iam service-accounts list --project=PROJECT_ID --format=json | python3 -c "
import json, sys
accounts = json.load(sys.stdin)
for sa in accounts:
email = sa.get('email', '')
# Check if the SA has domain-wide delegation enabled
# This requires Admin SDK API access
print(f'SA: {email} - Check admin.google.com for delegation status')
"
# Find service accounts that other identities can impersonate
for sa in $(gcloud iam service-accounts list --project=PROJECT_ID --format="value(email)"); do
policy=$(gcloud iam service-accounts get-iam-policy "$sa" --format=json 2>/dev/null)
if echo "$policy" | python3 -c "
import json, sys
p = json.load(sys.stdin)
for b in p.get('bindings', []):
if b['role'] in ['roles/iam.serviceAccountTokenCreator', 'roles/iam.serviceAccountUser']:
print(f' {b[\"role\"]}: {b[\"members\"]}')
" 2>/dev/null; then
echo "=== Impersonation risk: $sa ==="
fi
done
Compile findings and implement recommended permission reductions.
# Remove primitive role and replace with predefined role
gcloud projects remove-iam-policy-binding PROJECT_ID \
--member="user:[email protected]" \
--role="roles/editor"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="user:[email protected]" \
--role="roles/compute.viewer"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="user:[email protected]" \
--role="roles/storage.objectViewer"
# Delete unused service account keys
gcloud iam service-accounts keys delete KEY_ID \
--iam-account=SA_EMAIL
# Disable unused service accounts
gcloud iam service-accounts disable SA_EMAIL --project=PROJECT_ID
| Term | Definition |
|---|---|
| Primitive Role | Legacy GCP roles (Owner, Editor, Viewer) that grant broad permissions across all services, not recommended for production |
| Predefined Role | GCP-managed role scoped to specific services and actions, providing more granular access than primitive roles |
| IAM Recommender | GCP ML-based service that analyzes actual permission usage and suggests role reductions to achieve least privilege |
| Policy Analyzer | Tool for analyzing effective IAM access across the organization hierarchy, answering who-can-access-what queries |
| Service Account Key | User-managed credential for service account authentication, a security risk as keys can be exported and do not auto-expire |
| Domain-Wide Delegation | Grants a service account the ability to impersonate any user in the Google Workspace domain, a significant privilege escalation risk |
Context: An audit reveals that 60% of IAM bindings across the organization use primitive roles (Owner/Editor). The security team needs to migrate to predefined roles without disrupting developer workflows.
Approach:
gcloud asset search-all-iam-policies to inventory all primitive role bindingsPitfalls: Primitive roles include permissions across all GCP services, so replacing them requires multiple predefined roles. The Recommender may suggest overly restrictive roles if the observation period does not capture all use cases. Custom roles can fill gaps where no predefined role matches the exact permission set needed.
GCP IAM Permissions Audit Report
===================================
Organization: acme-org (ORG_ID: 123456789)
Projects Audited: 25
Audit Date: 2026-02-23
IAM BINDING SUMMARY:
Total bindings: 342
Using primitive roles: 205 (60%)
Using predefined roles: 112 (33%)
Using custom roles: 25 (7%)
CRITICAL FINDINGS:
[IAM-001] Service Account with Owner Role
SA: [email protected]
Role: roles/owner on project prod-project
User-Managed Keys: 3 (oldest: 14 months)
Remediation: Replace with specific predefined roles, delete old keys
[IAM-002] allAuthenticatedUsers Binding
Resource: gs://public-data-bucket
Role: roles/storage.objectViewer
Risk: Any Google account holder can read bucket contents
Remediation: Restrict to specific user groups or service accounts
SERVICE ACCOUNT HEALTH:
Total service accounts: 67
With user-managed keys: 23
Keys older than 90 days: 18
Unused accounts (90+ days): 12
With domain-wide delegation: 2
RECOMMENDER SUGGESTIONS:
Total recommendations: 45
Priority HIGH: 12
Estimated permissions reduced: 2,847 individual permissions
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
We added auditing-gcp-iam-permissions from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Keeps context tight: auditing-gcp-iam-permissions is the kind of skill you can hand to a new teammate without a long onboarding doc.
auditing-gcp-iam-permissions fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Registry listing for auditing-gcp-iam-permissions matched our evaluation — installs cleanly and behaves as described in the markdown.
auditing-gcp-iam-permissions reduced setup friction for our internal harness; good balance of opinion and flexibility.
I recommend auditing-gcp-iam-permissions for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Registry listing for auditing-gcp-iam-permissions matched our evaluation — installs cleanly and behaves as described in the markdown.
auditing-gcp-iam-permissions fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
auditing-gcp-iam-permissions reduced setup friction for our internal harness; good balance of opinion and flexibility.
We added auditing-gcp-iam-permissions from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
showing 1-10 of 39