Remediate excessive permissions with Privileged Access Manager

If the IAM recommender identifies that a principal has excessive permissions, you can remediate the finding by transitioning the principal's permanent role binding to a temporary, on-demand entitlement in Privileged Access Manager (PAM).

This approach lets you achieve a least privilege posture without the risk of permanently revoking access that might be needed for infrequent but critical tasks.

Before you begin

  1. Ensure that Privileged Access Manager is onboarded and enabled for the resource (project, folder, or organization) where the role is granted.
  2. Verify that you have the permissions required to complete this guide.

Required roles and permissions

To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you the following IAM roles on your Google Cloud project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to complete the tasks in this guide. The exact permissions that are required are listed in the following Required permissions section:

Required permissions

The following permissions are required to complete the tasks in this guide:

  • To view role recommendations:
    • recommender.iamPolicyInsights.list
    • recommender.iamPolicyRecommendations.list
    • resourcemanager.projects.get
  • To create PAM entitlements:
    • privilegedaccessmanager.entitlements.create
    • privilegedaccessmanager.entitlements.list
    • privilegedaccessmanager.locations.list
    • privilegedaccessmanager.locations.get
    • resourcemanager.projects.get
    • resourcemanager.projects.setIamPolicy

You might also be able to get these permissions with custom roles or other predefined roles.

Transition a role to a Privileged Access Manager entitlement

When you transition a role to a Privileged Access Manager entitlement, the IAM recommender coordinates with Privileged Access Manager to create an entitlement and then remove the original permanent role binding. You can do this from either the Security Insights page or the IAM page in the Google Cloud console.

Security Insights

To transition a role from the Security Insights page, do the following:

  1. In the Google Cloud console, go to the IAM & Admin > Security Insights page.
  2. Locate the Top groups with excess permissions widget.

  3. For the group that you want to remediate permissions for, click the corresponding link in the Insights column.

  4. For the insight type that you want to address, click View recommendation.

  5. On the Overview page, select Remove role and grant on-demand access to the role.

  6. To create an entitlement with the required role, enter the required details, and click Apply. The Role and Resource fields in the form are pre-populated based on the recommendation. The Duration defaults to 8 hours. For detailed instructions, see Create entitlements.

    Privileged Access Manager creates a new entitlement based on your configuration and removes the permanent role binding from the resource's allow policy.

    Access changes take 1–2 minutes to take effect.

IAM

To transition a role from the IAM page, do the following:

  1. In the Google Cloud console, go to the IAM page.
  2. In the list of principals, locate the group that you want to remediate permissions for.

  3. To view recommendations for that group principal, click the insight in the Security insights column.

  4. On the Overview page, select Remove role and grant on-demand access to the role.

  5. To create an entitlement with the required role, enter the required details, and click Apply. The Role and Resource fields in the form are pre-populated based on the recommendation. The Duration defaults to 8 hours. For detailed instructions, see Create entitlements.

    Privileged Access Manager creates a new entitlement based on your configuration and removes the permanent role binding from the resource's allow policy.

    Access changes take 1–2 minutes to take effect.
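The same transition as a scripted, auditable change from the command line, added here as an example that is not part of this page or of Google's own tooling. It assumes the `gcloud pam entitlements create --entitlement-file` flags and the entitlement YAML field names as documented for Privileged Access Manager, and the project, group and role values are constructed. The order is deliberate: the entitlement is created first and the permanent binding is removed only if creation succeeded, so the group never loses access without an on-demand path to regain it.

```shell
#!/usr/bin/env bash
# Added example: replace a permanent role binding with a PAM entitlement.
set -eu

# Emit the entitlement file for `gcloud pam entitlements create` (assumed schema).
# Arguments: project_id group_email role [max_duration_seconds]
# The default of 28800s matches the console's 8-hour default duration.
pam_entitlement_yaml() {
  project="$1"; group="$2"; role="$3"; duration="${4:-28800}"
  cat <<EOF
privilegedAccess:
  gcpIamAccess:
    resourceType: cloudresourcemanager.googleapis.com/Project
    resource: //cloudresourcemanager.googleapis.com/projects/${project}
    roleBindings:
    - role: ${role}
maxRequestDuration: ${duration}s
eligibleUsers:
- principals:
  - group:${group}
requesterJustificationConfig:
  unstructured: {}
EOF
}

# Derive an entitlement ID from the role: lowercase, [a-z0-9-], at most 63 chars.
entitlement_id() {
  name="${1#roles/}"
  printf '%s' "$name" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9' '-' | cut -c1-63
}

# Create the entitlement, then remove the permanent binding. Set GCLOUD=echo to
# preview the commands without touching IAM. Prints the entitlement ID created.
transition_role() {
  project="$1"; group="$2"; role="$3"; duration="${4:-28800}"
  gcloud_bin="${GCLOUD:-gcloud}"
  id="pam-$(entitlement_id "$role")"
  file="$(mktemp)"
  pam_entitlement_yaml "$project" "$group" "$role" "$duration" > "$file"
  # Step 1: create the on-demand entitlement (aborts the script on failure).
  "$gcloud_bin" pam entitlements create "$id" --entitlement-file="$file" \
      --location=global --project="$project"
  # Step 2: only now revoke the permanent binding the recommender flagged.
  "$gcloud_bin" projects remove-iam-policy-binding "$project" \
      --member="group:${group}" --role="$role"
  rm -f "$file"
  printf '%s\n' "$id"
}
```

Run as `transition_role my-project sre-oncall@example.com roles/storage.admin` with an authenticated gcloud; the 1–2 minute propagation delay for access changes still applies.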

Revert a recommendation

To revert a recommendation, see Revert recommendations.

After you revert the recommendation, the system restores the original IAM binding and deletes the created Privileged Access Manager entitlement.