Security Readers and Security Admins in GCP

Also read - Built in Security related Managed Policies in AWS and GCP

GCP has over a few thousand built in (predefined) roles for a variety of activities.

Level 1 Access - Security Auditor Only (Read Only Roles)

Don't need to be an Org Owner or an Org Admin, but we would need:

roles/resourcemanager.organizationViewer
roles/iam.securityReviewer

The latter of these is an all inclusive, global security reader that is similar to AWS' SecurityAudit Managed Policy. It is a read-only predefined role.

Level 2 Access - Actual Remediation Tasks based on Security Command Center Findings

In order to perform remediation tasks, as well as spin up test resources (including new VPCs and resources within), these are some predefined GCP roles that would be needed:

Shared VPC Admin ( at the Org level)
Network Admin (at the Org level)
Security Admin (at the Org level)

Summary

GCP Roles can be a little intimidating (there's thousands to choose from). For Security related tasks, the roles described above are the most important ones in Google Cloud.

Also see Shared VPC Admin in GCP and Service Project Admins in GCP

Need Assistance with your AWS or GCP cloud strategy?

GCP OrgViewer, GCP Security Admin, GCP Security Reader, GCP Security Reviewer, Security Admin GCP, Security Command Center Remediation

1 Comment Already

Leave a Reply Cancel reply