Best Practice for GCP and GSuite Authentication and Authorization?


ask dev

Dec 25, 2016, 10:31:20 PM
to gce-discussion
With regard to Google Cloud Platform (GCP) and G Suite.

What are the current best practices when setting up service Authentication and Authorization for: owners, administrators, developers, end-users, etc.?


For example, in AWS I would never use the Root account, instead having a separate ("bastion") IAM account that other service accounts/groups could query to retrieve transient tokens to authorize actions. Besides restricting the various accounts/groups to least privilege, I would further ensure CloudWatch is logging all access and is configured to both alert and possibly execute a Lambda script on suspicious activities.


I would appreciate as specific advice as possible[1], since I'm not aware of all the features and configurations available to GCP/G Suite.


[1] admittedly my example isn't representative of this, but that is because I don't have much experience in AWS either.

George (Google Cloud Support)

Dec 26, 2016, 7:48:27 PM
to gce-discussion
Hello,

Projects provide an isolation boundary, except where interconnects are explicitly granted, between the Cloud Platform resources used by your organization. Users and groups can be granted different roles, such as viewer, editor, and owner, for different projects. To assign roles, you can use the IAM & Admin page in the Cloud Platform Console or the Cloud IAM API. This API currently doesn't allow you to create custom roles and assign permissions to those roles.

Further, you can delegate control over who has access to a particular project. Users granted the owner role can grant and revoke access for users, groups, and service accounts.


You can find more information about the best practices for enterprise organizations in this help center article.

I hope this helps.

Sincerely,
George

ask dev

Dec 26, 2016, 10:33:07 PM
to gce-discussion
Thanks for the response and the references.

What recommendations would you have for managing and securing the organizational root account?

Can I just use it the first time to define a group of owners able to create/manage projects and billing administrators, and thereafter never need to explicitly access root again?

George (Google Cloud Support)

Dec 27, 2016, 4:36:38 PM
to gce-discussion
Hello,

I will answer your questions inline:

On Monday, December 26, 2016 at 10:33:07 PM UTC-5, ask dev wrote:
> Thanks for the response and the references.
>
> What recommendations would you have for managing and securing the organizational root account?

I would suggest adding two-step verification for that specific account.

> Can I just use it the first time to define a group of owners able to create/manage projects and billing administrators, and thereafter never need to explicitly access root again?

Yes, and you can limit the access to each user in the project by using the Cloud Identity and Access Management (IAM).

ask dev

Dec 27, 2016, 7:56:44 PM
to gce-discussion
Thanks again George, I really appreciate the confirmation.

ask dev

Dec 30, 2016, 9:11:56 PM
to gce-discussion

I was looking for a way to delegate project creation to another user, but didn't see any option to do so. Would this be crossing the project "isolation boundary" as stated earlier?

If so, to clarify, does that mean only the primary "root" account can create projects, but the administration of each can be delegated to other users who are only able to access that project?

Faizan (Google Cloud Support)

Jan 3, 2017, 7:31:55 PM
to gce-discussion
Hello,

In order to have access to create and delete projects, the user needs to have the IAM role/owner. This role will provide the user with permission to all the resources in the organization. Detailed information on Cloud Resource Manager IAM roles can be found at this link[1].

I hope that helps.

Faizan
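The two support answers above come down to one control: who holds the owner role (and the other primitive roles) on a project decides who can grant everything else. A practical way to keep that under review is to pull the project's IAM policy and audit the bindings. The script below is an added example, not code from the thread or from Google; it reads a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` produces (bindings of role to members) and flags individual users holding owner, service accounts holding primitive roles, and public members. The policy it parses is constructed sample data, and the severity labels and the grouping recommendation are this example's own conventions.

```python
"""Audit a GCP project IAM policy for least-privilege findings.

Input shape is the IAM policy JSON returned by
`gcloud projects get-iam-policy PROJECT --format=json`:
{"bindings": [{"role": "...", "members": ["user:...", ...]}], "etag": ...}

The policy below is CONSTRUCTED sample data, not from any real project.
"""
import json

# Constructed sample policy: realistic structure, made-up members.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:gcp-owners@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com",
                 "user:bob@example.com"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "group:gcp-readers@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
"""

# The primitive (basic) roles span every service in the project, so each
# grant of one is worth a second look in a least-privilege review.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy):
    """Return a list of (severity, role, member, reason) findings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            # Member strings look like "user:...", "group:...", "serviceAccount:..."
            kind = member.split(":", 1)[0]
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member,
                                 "binding grants access to everyone or to any Google account"))
            if role == "roles/owner" and kind == "user":
                findings.append(("HIGH", role, member,
                                 "individual user holds owner; grant owner to a managed group instead"))
            elif role in PRIMITIVE_ROLES and kind == "serviceAccount":
                findings.append(("MEDIUM", role, member,
                                 "service account holds a primitive role; prefer a per-service predefined role"))
            elif role in PRIMITIVE_ROLES and kind == "user":
                findings.append(("LOW", role, member,
                                 "individual user holds a primitive role; manage membership through a group"))
    return findings


def audit_policy_json(policy_json):
    """Parse the gcloud JSON output and audit it."""
    return audit_policy(json.loads(policy_json))


def summarize(findings):
    """Count findings per severity level."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for severity, *_ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_policy_json(SAMPLE_POLICY_JSON)
    for severity, role, member, reason in results:
        print(f"[{severity}] {role:<28} {member:<58} {reason}")
    print("summary:", summarize(results))
```

Run against the sample policy it reports three HIGH findings (a user holding owner directly, and the two public members), one MEDIUM (the build service account holding editor) and one LOW (a user holding editor directly); a policy whose only owner binding is a group produces no findings, which is the shape the thread's "define a group of owners once, then stop using root" approach is aiming for.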
