Secure IAM

Are you following the golden rules of cloud IAM security? Here are some guidelines to consider (the terminology below is Google Cloud's):

  1. Adhere to the principle of least privilege.
  2. Avoid managing permissions for individual users; assign roles to groups instead.
  3. Start by limiting the default organization-level permissions, such as Project Creator and Billing Account Creator, which every user in the organization otherwise holds.
  4. Use one identity provider and integrate other solutions with it through SSO.
  5. Use folders to organize work by department, for example similar projects or teams, so that policies can be inherited rather than repeated per project.
  6. Avoid basic roles (Owner, Editor, Viewer) unless absolutely necessary; they are coarse-grained. Prefer predefined roles, which are scoped to a single service and carry less administrative overhead than maintaining custom roles.
  7. Monitor and audit IAM policy changes and project-level permission changes.

Service accounts should be used for server-to-server (workload) interactions, not for people. If you create user-managed keys for a service account, only the public portion is stored in the cloud; you hold the private key and are responsible for protecting and rotating it. Prefer short-lived credentials for service accounts, such as access tokens minted for the account, over downloaded long-lived keys.

For authentication, SAML is an open standard that lets an identity provider pass a signed authentication assertion (who the user is, plus attributes) to a service provider, which then makes its own authorization decision.

Creating custom roles? Always grant permissions that belong together as a pair, such as resourcemanager.projects.get and resourcemanager.projects.list, and treat the setIamPolicy permission on organization, folder and project resources as equivalent to full control: whoever holds it can grant themselves every other permission on that resource.
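The guideline list and the custom-role paragraph above can be turned into a mechanical check. The following script is an added example, not part of the original article: it audits a project IAM policy and a custom role definition for basic roles, roles granted directly to users, setIamPolicy on resource-manager resources, and unpaired resourcemanager.projects.get/list. The policy and role documents are constructed samples in the shape that `gcloud projects get-iam-policy --format=json` and `gcloud iam roles describe --format=json` emit; the project, principals and role names are made up.

```python
"""Audit a GCP IAM policy and a custom role against the IAM guidelines above.

Added example (not from the original article). Inputs are constructed samples
shaped like gcloud's JSON output; no real project is queried.
"""
import json
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (rule violated, human-readable detail)

# Constructed sample: shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY: Dict = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci-build@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["group:data-readers@example.com"]},
    {"role": "roles/logging.viewer",
     "members": ["group:auditors@example.com", "user:bob@example.com"]}
  ],
  "etag": "BwXexample",
  "version": 1
}
""")

# Constructed sample: shape of `gcloud iam roles describe ROLE --project PROJECT --format=json`.
SAMPLE_CUSTOM_ROLE: Dict = {
    "name": "projects/example-proj/roles/deployer",
    "stage": "GA",
    "includedPermissions": [
        "resourcemanager.projects.get",
        "compute.instances.create",
        "resourcemanager.projects.setIamPolicy",
    ],
}

# Basic roles are coarse-grained; the article says to prefer predefined roles.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# setIamPolicy on these resource types lets the holder grant itself any other role there.
ESCALATION_PERMISSIONS = {
    "resourcemanager.organizations.setIamPolicy",
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.projects.setIamPolicy",
}

# Permissions that should be granted together.
PAIRED_PERMISSIONS = [
    ("resourcemanager.projects.get", "resourcemanager.projects.list"),
]


def audit_policy(policy: Dict) -> List[Finding]:
    """Flag basic roles and roles bound directly to user: principals."""
    findings: List[Finding] = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in BASIC_ROLES:
            findings.append(("basic-role", f"{role} is bound; replace it with a predefined role"))
        for member in binding.get("members", []):
            if member.startswith("user:"):
                findings.append(("direct-user-grant",
                                 f"{member} holds {role} directly; grant it via a group instead"))
    return findings


def audit_custom_role(role: Dict) -> List[Finding]:
    """Flag setIamPolicy on resource-manager resources and unpaired get/list permissions."""
    findings: List[Finding] = []
    perms = set(role.get("includedPermissions", []))
    name = role.get("name", "<unnamed>")
    for perm in sorted(perms & ESCALATION_PERMISSIONS):
        findings.append(("setiampolicy",
                         f"{name} includes {perm}, which lets holders grant themselves any other permission"))
    for first, second in PAIRED_PERMISSIONS:
        if (first in perms) != (second in perms):
            present, missing = (first, second) if first in perms else (second, first)
            findings.append(("unpaired-permission", f"{name} has {present} without {missing}"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_policy(SAMPLE_POLICY) + audit_custom_role(SAMPLE_CUSTOM_ROLE):
        print(f"[{rule}] {detail}")
```

Run against the sample it reports the two basic-role bindings, the two direct user grants, the setIamPolicy permission in the custom role and the projects.get granted without projects.list. To use it on a real project, replace the two constructed documents with the JSON that the gcloud commands named in the comments produce.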

Lastly, consider using organization policies and their constraints to define and apply restrictions to your cloud services from the organization or folder level down. For example, you can disable VM serial port access (constraints/compute.disableSerialPortAccess), disable service account creation (constraints/iam.disableServiceAccountCreation), or define trusted image projects (constraints/compute.trustedImageProjects). Stay safe and secure in the cloud!

Maciej Poborca

Cloud Enthusiast | Book Lover | Stock Investor

1y

For cloud, instead of using service accounts, you can use managed identities, and then rotating keys/secrets is out of the admin's scope. For rules, I would also recommend using just-in-time access whenever possible and using tools like Azure PIM :)
