
# IAM Risk Analysis - Google Cloud Platform (GCP)

### Overview

This section outlines how Segregation of Duties (SoD) policies across Google Cloud Platform (GCP) are implemented, configured, validated, and operationalized within BalkanID IAM Risk Analyzer.

The objective is to transition organizations from periodic cloud access reviews and static IAM role audits to a continuous governance program where identity risks are automatically detected, analyzed, and remediated throughout the identity lifecycle.

Google Cloud IAM functions as the primary authorization control layer across the organization, folder, and project hierarchy. Access to resources is governed through:

* IAM roles (primitive, predefined, and custom)
* Organization, folder, and project hierarchy
* Identity federation through workforce and workload identities
* Service accounts and service account keys
* Cloud logging and monitoring controls
* External principals and third-party integrations

While this hierarchical model provides powerful and flexible access management, it can introduce privilege escalation paths, segregation conflicts, and identity lifecycle risks when roles are assigned without centralized governance.

BalkanID IAM Risk Analyzer continuously evaluates GCP identity relationships to detect:

* Segregation of Duties conflicts
* Privileged access governance violations
* Excessive IAM roles and primitive role assignments
* Identity lifecycle failures
* Service account governance risks

The result is a centralized risk view that allows organizations to enforce least privilege, secure role governance, and strong cloud identity controls.

### Implementation

**Phase 1:** Policy Definition & Baseline Establishment

Objective: Define and validate SoD policy scope across GCP IAM roles, hierarchical access inheritance, and identity lifecycle processes.

Activities include:

Identify identity governance areas in scope:

* Organization, folder, and project IAM bindings
* IAM roles (primitive, predefined, custom)
* Identity federation (Workforce Identity / Workload Identity)
* Service accounts and service account keys
* Logging and monitoring configurations
* External principals and third-party access

Define baseline toxic privilege combinations aligned to cloud governance best practices.

Categorize SoD rules by risk severity.

Validate rule logic against:

* IAM role assignments
* Organization, folder, and project inheritance
* Custom roles and permissions
* Service account privileges
* Logging and monitoring configurations

Outcome

A formally approved GCP SoD policy library ready for configuration within BalkanID IAM Risk Analyzer.

**Phase 2:** Rule Configuration in BalkanID IAM Risk Analyzer - Finding Rule for SoD detection

User-Generated Insights can be used for writing SoD Rules and can be aggregated into a finding for actionable risk alerts. Findings provide a broader risk context and are used to trigger automated workflows.

Example:

***Use Case 1***: IAM Role Administration vs Security Logging Controls

Cloud administrators often require permissions to deploy compute and storage resources.

If a single identity can both **provision infrastructure** and **modify billing configurations**, the identity may manipulate resource consumption or conceal cost anomalies.

Risk Impact

* Unauthorized resource provisioning
* Increased financial governance risk
* Potential cost manipulation or abuse


***Use Case 2***: KMS Key Management vs Encrypted Data Access

Cloud KMS protects sensitive data through encryption keys.

When an identity can both manage KMS keys and access encrypted data, the separation between cryptographic control and data access is weakened.

Risk Impact

* Unauthorized decryption of sensitive data
* Reduced separation of cryptographic duties
* Increased confidentiality risk


### Baseline SoD Rule Library

| **Rules**                                                   | **Category**                                      |
| ----------------------------------------------------------- | ------------------------------------------------- |
| SoD - IAM Administration vs Security Logging Controls       | Segregation of Duties; Cloud Security Governance  |
| SoD - Infrastructure Provisioning vs Billing Administration | Segregation of Duties; Financial Governance       |
| SoD - KMS Key Administration vs Encrypted Data Access       | Segregation of Duties; Cryptographic Controls     |
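The three baseline rules only produce correct findings when roles inherited through the organization, folder, and project hierarchy (the inheritance Phase 1 validates against) are resolved before a toxic combination is checked. The following is an added illustration, not BalkanID's rule engine: the hierarchy, bindings and principals are constructed, and the predefined roles standing in for each duty are an assumption, not the product's rule definitions.

```python
from collections import defaultdict
# Constructed resource hierarchy: child -> parent (None marks the organization root).
PARENT = {
    "organizations/111": None,
    "folders/222": "organizations/111",
    "projects/prod-app": "folders/222",
    "projects/analytics": "organizations/111",
}
# Constructed bindings, one list per resource, shaped like a getIamPolicy() response.
BINDINGS = {
    "organizations/111": [{"role": "roles/logging.admin", "members": ["user:sec-ops@example.com"]}],
    "folders/222": [
        {"role": "roles/resourcemanager.projectIamAdmin", "members": ["user:sec-ops@example.com"]},
        {"role": "roles/cloudkms.admin", "members": ["serviceAccount:ci@prod-app.iam.gserviceaccount.com"]}],
    "projects/prod-app": [
        {"role": "roles/cloudkms.cryptoKeyDecrypter", "members": ["serviceAccount:ci@prod-app.iam.gserviceaccount.com"]},
        {"role": "roles/compute.admin", "members": ["user:dev@example.com"]}],
    "projects/analytics": [{"role": "roles/billing.admin", "members": ["user:dev@example.com"]}],
}
# Assumed role sets standing in for each rule's two duties; the primitive roles/owner counts as both.
SOD_RULES = {
    "SoD - IAM Administration vs Security Logging Controls":
        ({"roles/resourcemanager.projectIamAdmin"}, {"roles/logging.admin"}),
    "SoD - Infrastructure Provisioning vs Billing Administration":
        ({"roles/compute.admin"}, {"roles/billing.admin"}),
    "SoD - KMS Key Administration vs Encrypted Data Access":
        ({"roles/cloudkms.admin"}, {"roles/cloudkms.cryptoKeyDecrypter"}),
}

def effective_roles(resource):
    """Map member -> roles held on `resource`; a binding on any ancestor is inherited by it."""
    roles = defaultdict(set)
    while resource is not None:
        for binding in BINDINGS.get(resource, []):
            for member in binding["members"]:
                roles[member].add(binding["role"])
        resource = PARENT[resource]
    return roles

def sod_conflicts():
    """(member, rule, resource) triples where one identity holds both duties on the same resource.
    Scope is per resource: dev@ holds its two duties on different projects, so it is not flagged."""
    hits = []
    for resource in PARENT:
        for member, held in effective_roles(resource).items():
            for rule, (duty_a, duty_b) in SOD_RULES.items():
                if "roles/owner" in held or (held & duty_a and held & duty_b):
                    hits.append((member, rule, resource))
    return sorted(hits)
```

Because sec-ops@ gets Logging Admin at the organization and Project IAM Admin at the folder, the conflict surfaces on the folder and on every project beneath it, even though no single binding on those resources grants both roles.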

### Control Mapping

| Framework      | Control ID | Control Title           |
| -------------- | ---------- | ----------------------- |
| SOC 2          | CC6        | Logical Access Controls |
| SOC 2          | CC6.3      | Authorization Changes   |
| ISO 27001      | A.9        | Access Control          |
| ISO 27001      | A.6        | Segregation of Duties   |
| NIST SP 800-53 | AC-5       | Separation of Duties    |
| NIST SP 800-53 | AC-2       | Account Management      |
| NIST SP 800-53 | AC-6       | Least Privilege         |

## Conclusion

Google Cloud Platform provides flexible and scalable access control capabilities through its hierarchical IAM model. However, effective governance is required to prevent privilege sprawl, segregation conflicts, and persistent access risks.

The findings identified highlight areas where cloud access controls may not be sufficiently designed or operating effectively, particularly in areas related to privileged role governance, service account management, and identity lifecycle processes.

Implementing continuous identity risk monitoring through BalkanID IAM Risk Analyzer enables organizations to detect and remediate these risks, strengthening cloud governance and reducing audit and security exposure.
