---
title: GCP IAM policy has over-provisioned principals
description: Datadog, the leading service for cloud-scale monitoring.
---

# GCP IAM policy has over-provisioned principals
 
## Description{% #description %}

To limit the impact of credential exposure or compromise, each principal's IAM bindings should grant only the permissions it needs to perform its responsibilities. This rule flags principals whose granted permissions are significantly broader than the permissions they have actually used. Datadog considers the permissions gap large when the number of unused permissions exceeds 40% of the total number of permissions granted to the principal.

## Rationale{% #rationale %}

By comparing the Cloud Audit Log activity of a principal with the permissions its IAM bindings grant, Datadog identifies a permissions gap. Unused permissions represent unnecessary risk: if the principal's credentials are compromised, an attacker can exercise any permission the principal holds, not just the ones it normally uses. Reducing permissions to what is actually needed limits the blast radius of a compromise.

## Remediation{% #remediation %}

Datadog recommends reducing the IAM permissions attached to the principal to the minimum necessary for it to fulfill its function. Use the GCP IAM Recommender to generate least-privilege role suggestions based on past Cloud Audit Log activity. Remove or replace the role bindings that contribute the unused permissions identified in this finding. Before removing a binding, confirm that the unused permissions are not required for infrequent tasks (for example, disaster-recovery or end-of-quarter jobs) that may fall outside the observed activity window.
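The comparison behind this rule, written out as an added example (it is not Datadog's detection code or GCP's tooling): the script expands each principal's role bindings into a granted permission set, collects the permissions the principal actually exercised from Cloud Audit Log `authorizationInfo` entries, and flags the principal when the unused share exceeds the 40% threshold. It also lists the bindings that contributed no used permission and the narrowest known role that still covers what was used. The role expansions, the IAM policy, and the audit log entries are constructed sample data; in practice the expansions come from `gcloud iam roles describe`, the policy from `gcloud projects get-iam-policy`, and the log entries from a Logging export. Treating a denied request (`granted: false`) as "not used" is this example's choice, not something the rule text states.

```python
"""Added example: compute a GCP IAM permissions gap from constructed sample data."""
from collections import defaultdict

GAP_THRESHOLD = 0.40  # rule description: unused permissions > 40% of granted

# Constructed role expansions (a subset of the real permissions, for illustration only).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.admin": {
        "storage.buckets.create", "storage.buckets.delete", "storage.buckets.get",
        "storage.buckets.list", "storage.buckets.update",
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update",
    },
    "roles/logging.viewer": {"logging.logEntries.list", "logging.logs.list"},
}

# Constructed IAM policy in the shape of `gcloud projects get-iam-policy --format=json`.
BACKUP_SA = "backup@example-project.iam.gserviceaccount.com"  # hypothetical principal
IAM_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin", "members": [f"serviceAccount:{BACKUP_SA}"]},
        {"role": "roles/logging.viewer", "members": [f"serviceAccount:{BACKUP_SA}"]},
        {"role": "roles/storage.objectViewer", "members": ["user:analyst@example.com"]},
    ]
}

# Constructed Cloud Audit Log entries, reduced to the fields the comparison needs.
def _entry(email, *auth):
    return {"protoPayload": {"authenticationInfo": {"principalEmail": email},
                             "authorizationInfo": [{"permission": p, "granted": g} for p, g in auth]}}

AUDIT_LOGS = [
    _entry(BACKUP_SA, ("storage.objects.get", True)),
    _entry(BACKUP_SA, ("storage.objects.list", True)),
    _entry(BACKUP_SA, ("storage.buckets.delete", False)),  # denied attempt: not counted as use
    _entry("analyst@example.com", ("storage.objects.get", True), ("storage.objects.list", True)),
]


def granted_permissions(policy, role_permissions):
    """Map member email -> granted permission set, and member email -> bound roles."""
    granted, roles = defaultdict(set), defaultdict(set)
    for binding in policy["bindings"]:
        for member in binding["members"]:
            email = member.split(":", 1)[1]  # drop the "user:" / "serviceAccount:" prefix
            granted[email] |= role_permissions.get(binding["role"], set())
            roles[email].add(binding["role"])
    return granted, roles


def used_permissions(logs):
    """Map principal email -> permissions it successfully exercised in the logs."""
    used = defaultdict(set)
    for entry in logs:
        payload = entry["protoPayload"]
        email = payload["authenticationInfo"]["principalEmail"]
        for auth in payload.get("authorizationInfo", []):
            if auth.get("granted"):
                used[email].add(auth["permission"])
    return used


def narrowest_role(used, role_permissions):
    """Smallest known role whose permissions cover everything the principal used."""
    if not used:
        return None
    covering = [r for r, perms in role_permissions.items() if used <= perms]
    return min(covering, key=lambda r: len(role_permissions[r]), default=None)


def permission_gaps(policy, logs, role_permissions, threshold=GAP_THRESHOLD):
    """Per principal: gap ratio, over-provisioned flag, and remediation hints."""
    granted, roles = granted_permissions(policy, role_permissions)
    used = used_permissions(logs)
    findings = {}
    for email, perms in granted.items():
        unused = perms - used[email]
        ratio = len(unused) / len(perms) if perms else 0.0
        # Bindings whose permissions were never used are candidates for outright removal.
        removable = sorted(r for r in roles[email] if not role_permissions[r] & used[email])
        findings[email] = {
            "granted": len(perms), "unused": len(unused), "gap": round(ratio, 2),
            "over_provisioned": ratio > threshold,
            "removable_roles": removable,
            "narrowest_role": narrowest_role(used[email], role_permissions),
        }
    return findings


if __name__ == "__main__":
    for email, f in permission_gaps(IAM_POLICY, AUDIT_LOGS, ROLE_PERMISSIONS).items():
        print(email, f)
```

Against the sample data the service account holds 12 permissions and used 2, a gap of 83%, so it is flagged; `roles/logging.viewer` contributed nothing that was used and `roles/storage.objectViewer` would cover the observed activity, which is the kind of replacement the IAM Recommender proposes (`gcloud recommender recommendations list --recommender=google.iam.policy.Recommender --location=global --project=PROJECT_ID`). The analyst, whose two granted permissions were both used, is not flagged.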
