For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-as7.md. A documentation index is available at /llms.txt.

GCP principal has a large permissions gap

Description

To mitigate the impact of credential exposure or compromise, IAM bindings should be scoped down to the least level of privilege needed to perform their responsibilities. This rule identifies when a principal’s granted permissions are significantly broader than what it has used previously. Datadog considers a permissions gap to be large when the number of unused permissions is greater than 40% of the total permissions count.

Rationale

By comparing the GCP audit log activity for a principal with the permissions its IAM bindings grant, Datadog can identify a permissions gap. Unused permissions represent unnecessary risk: if credentials are compromised, an attacker can use any permission the principal holds — not just the ones it normally uses. Reducing permissions to those actually needed limits the blast radius of a potential compromise.
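The comparison described in the Description and Rationale above, worked through as an added example (this is illustrative code written for this page, not Datadog's detection logic or any GCP library): it expands a principal's IAM role bindings into permissions, collects the permissions the same principal actually exercised according to Cloud Audit Log entries, and flags the gap as large when unused permissions exceed 40% of those granted. The role-to-permission map, the principal, the bindings and the audit entries are all constructed for the example; real GCP roles carry far more permissions than shown, and the audit entries mimic only the `protoPayload.authenticationInfo.principalEmail` and `protoPayload.authorizationInfo[]` fields.

```python
"""Permissions-gap check: granted IAM permissions vs. permissions seen in audit logs."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed role -> permission map (hypothetical subset; real roles are much larger).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
    },
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.list", "compute.instances.create",
        "compute.instances.delete", "compute.instances.start", "compute.instances.stop",
    },
}

GAP_THRESHOLD = 0.40  # the page's threshold: a gap is large when unused > 40% of granted


def _member_email(member: str) -> str:
    # IAM members look like "serviceAccount:<email>" or "user:<email>"; strip the prefix.
    return member.split(":", 1)[-1]


def granted_permissions(principal: str, bindings: list[dict]) -> frozenset[str]:
    """Expand every binding that names the principal into its role's permissions."""
    perms: set[str] = set()
    for binding in bindings:
        if any(_member_email(m) == principal for m in binding.get("members", [])):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return frozenset(perms)


def used_permissions(principal: str, audit_entries: list[dict]) -> frozenset[str]:
    """Collect permissions the principal actually exercised (granted=True only)."""
    used: set[str] = set()
    for entry in audit_entries:
        payload = entry.get("protoPayload", {})
        if payload.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue
        for auth in payload.get("authorizationInfo", []):
            if auth.get("granted"):          # denied attempts are not "usage"
                used.add(auth["permission"])
    return frozenset(used)


@dataclass(frozen=True)
class GapReport:
    principal: str
    granted: frozenset[str]
    used: frozenset[str]

    @property
    def unused(self) -> frozenset[str]:
        return self.granted - self.used

    @property
    def gap_ratio(self) -> float:
        return len(self.unused) / len(self.granted) if self.granted else 0.0

    @property
    def is_large(self) -> bool:
        return self.gap_ratio > GAP_THRESHOLD


def build_report(principal: str, bindings: list[dict], audit_entries: list[dict]) -> GapReport:
    return GapReport(principal, granted_permissions(principal, bindings),
                     used_permissions(principal, audit_entries))


def contributing_roles(report: GapReport, bindings: list[dict]) -> dict[str, int]:
    """Per role bound to the principal, how many of its permissions went unused
    (the bindings the Remediation section says to remove or replace)."""
    out: dict[str, int] = {}
    for binding in bindings:
        if any(_member_email(m) == report.principal for m in binding.get("members", [])):
            n = len(ROLE_PERMISSIONS.get(binding["role"], set()) & report.unused)
            if n:
                out[binding["role"]] = n
    return out


# --- constructed sample input -------------------------------------------------
PRINCIPAL = "svc-backup@example-project.iam.gserviceaccount.com"  # hypothetical
SAMPLE_BINDINGS = [
    {"role": "roles/storage.objectAdmin", "members": [f"serviceAccount:{PRINCIPAL}"]},
    {"role": "roles/compute.instanceAdmin.v1", "members": [f"serviceAccount:{PRINCIPAL}"]},
    {"role": "roles/storage.objectViewer", "members": ["user:analyst@example.com"]},
]


def _entry(email: str, permission: str, granted: bool) -> dict:
    return {"protoPayload": {"authenticationInfo": {"principalEmail": email},
                             "authorizationInfo": [{"permission": permission, "granted": granted}]}}


SAMPLE_AUDIT_ENTRIES = [
    _entry(PRINCIPAL, "storage.objects.list", True),
    _entry(PRINCIPAL, "storage.objects.get", True),
    _entry(PRINCIPAL, "storage.objects.create", True),
    _entry(PRINCIPAL, "storage.objects.delete", False),       # denied: not counted as used
    _entry("analyst@example.com", "storage.objects.get", True),  # other principal: ignored
]

if __name__ == "__main__":
    r = build_report(PRINCIPAL, SAMPLE_BINDINGS, SAMPLE_AUDIT_ENTRIES)
    print(f"{r.principal}: {len(r.unused)}/{len(r.granted)} unused "
          f"({r.gap_ratio:.0%}), large={r.is_large}")
    print("roles contributing unused permissions:", contributing_roles(r, SAMPLE_BINDINGS))
```

Running it reports 8 of 11 granted permissions unused (about 73%), so the gap is large; the breakdown shows `roles/compute.instanceAdmin.v1` contributing six unused permissions and `roles/storage.objectAdmin` two, which is the information needed to decide which bindings to remove or narrow.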

Remediation

Datadog recommends reducing the IAM permissions attached to the principal to the minimum necessary for it to fulfill its function. Use GCP IAM Recommender to generate least-privilege role suggestions based on past Cloud Audit Log activity. Remove or replace role bindings that contribute the unused permissions identified in this finding.