GCP IAM Watcher: Lightweight Monitoring for Google Cloud IAM Changes


Identity and Access Management (IAM) sits at the core of every cloud security program. The roles and permissions granted to users, service accounts, and groups directly define what they can access - and therefore how much damage can be done if credentials are misused.
That’s why monitoring IAM changes is a critical part of a defense-in-depth strategy. A single misconfigured role binding can expose sensitive data, weaken compliance posture, or enable lateral movement in the event of compromise.
To help address this, I built gcp-iam-watcher - a lightweight serverless control that detects IAM policy changes in Google Cloud and sends alerts to Slack (and email). It’s not a full SIEM replacement, but it’s a perfect day-to-day security monitoring control: fast to deploy, easy to extend, and gives teams immediate visibility into what’s changing. For broad coverage and advanced detection engineering, you’ll still want to integrate with a SIEM or a cloud-native analytics platform, but this tool fills an important operational gap.
The Problem
IAM is the backbone of cloud security. Unfortunately, it’s also one of the easiest areas to misconfigure:
Overly permissive roles may lead to data exposure.
Privilege escalation risks grow as more service accounts are added.
Multiple teams working on the same project may not fully understand IAM nuances.
Each IAM change is effectively a change in attack surface. For example, granting roles/editor to a service account might open the door to privilege escalation or unintended lateral movement. Without monitoring, these risks remain invisible until it’s too late.
Architecture
The solution uses native Google Cloud components to stay lightweight and cost-effective:
Asset Feed vs Log Sink: Feeds are the preferred method, but they fall short with Bucket resources (the prior policy state is missing from the feed message). For those resources, I use Audit Log sinks for more reliable detection.
Pub/Sub: Provides scalable, asynchronous event delivery.
Cloud Function: Executes the watcher code, which parses IAM diffs, deduces the newly added IAM grants, and formats the notifications.
Slack / Email: Delivers real-time alerts where teams actually collaborate. Custom destinations can be built (see README).
This architecture ensures that every IAM policy binding change is captured, processed, and surfaced to security teams in minutes.
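As an added illustration of the "deduce new grants" step (example code written for this post's topic, not the gcp-iam-watcher source), here is a Python diff of the prior and current IAM policies carried in an Asset Feed message, including the missing-prior-state case mentioned for buckets, and the Slack payload with a pre-filtered Cloud Logging link. The feed message below is constructed, and the project id, the exact message shape and the console query URL format are assumptions.

```python
from urllib.parse import quote

# Constructed sample Asset Feed message (contentType IAM_POLICY): roles/editor
# is newly granted to a CI service account; the viewer binding is unchanged.
SAMPLE_MESSAGE = {
    "asset": {
        "name": "//cloudresourcemanager.googleapis.com/projects/example-project",
        "iamPolicy": {"bindings": [
            {"role": "roles/viewer", "members": ["group:devs@example.com"]},
            {"role": "roles/editor",
             "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}]}},
    "priorAsset": {
        "iamPolicy": {"bindings": [
            {"role": "roles/viewer", "members": ["group:devs@example.com"]}]}},
}

def grants(policy):
    """Flatten a policy into (role, member, condition) tuples; the condition is
    part of a grant's identity, so a re-conditioned binding counts as new."""
    out = set()
    for binding in (policy or {}).get("bindings", []):
        cond = (binding.get("condition") or {}).get("expression", "")
        for member in binding.get("members", []):
            out.add((binding["role"], member, cond))
    return out

def added_grants(prior_policy, new_policy):
    """Grants present in the new policy but absent from the prior one."""
    return sorted(grants(new_policy) - grants(prior_policy))

def logs_link(project_id):
    """Cloud Logging console link pre-filtered to SetIamPolicy audit logs (assumed URL format)."""
    query = 'protoPayload.methodName:"SetIamPolicy"'
    return (f"https://console.cloud.google.com/logs/query;query={quote(query, safe='')}"
            f"?project={project_id}")

def build_alert(feed_msg, project_id):
    """Slack payload for one feed message, or None when nothing was added. Bucket feeds
    may lack priorAsset: then every binding is reported and the alert says so."""
    asset = feed_msg["asset"]
    prior = feed_msg.get("priorAsset", {}).get("iamPolicy")
    added = added_grants(prior, asset.get("iamPolicy"))
    if not added:
        return None
    lines = [f"*{role}* -> `{member}`" + (f" (if {cond})" if cond else "")
             for role, member, cond in added]
    caveat = "" if prior is not None else "\n_Prior policy unavailable; listing all bindings._"
    text = (f"IAM grant added on `{asset['name']}`:\n" + "\n".join(lines) + caveat
            + f"\n<{logs_link(project_id)}|Browse Audit Logs>")
    return {"text": text}
```

In a real Cloud Function the feed message would be decoded from the Pub/Sub event's base64 data field before being passed to build_alert.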
Usage Demo
Here’s what the tool looks like in action:
A developer adds a new IAM role binding in Google Cloud. Within seconds, a Slack notification appears.
The notification includes:
Resource affected (e.g., project, bucket, service account)
Role added
Principals gaining access
Link back to GCP logs for investigation
Selecting “Browse Audit Logs” opens Cloud Logging pre-filtered to the relevant permission grant audit logs:
Use Cases
Better awareness of IAM changes: Deliver real-time notifications to security teams, enabling rapid response to potential misconfigurations or unauthorized access grants.
Improved security posture: Reduce the risk of privilege escalation and unintended access by continuously monitoring IAM policy changes across projects.
Proactive guidance for teams: Help developers and operations teams adopt IAM best practices by surfacing timely alerts and contextual recommendations during their day-to-day work.
Takeaways
Managing IAM in GCP can be daunting, especially when multiple teams contribute without deep IAM expertise. Tools like gcp-iam-watcher provide lightweight, real-time visibility that helps organizations spot dangerous role grants early, reducing the risk of misconfigurations going unnoticed and complementing larger security monitoring systems with a targeted control.
If you’d like to try it out, the code is available here: https://github.com/ttauveron/gcp-iam-watcher
Written by

Thibaut Tauveron
👋 Hi, I’m a cloud engineer and cybersecurity enthusiast based in Zürich. I’ve worn many hats over the years—developer, DevOps consultant, SRE, cloud architect—and what ties it all together is a passion for building secure, scalable systems that just work. I write about cloud infrastructure, DevSecOps, and anything that helps teams move faster without breaking things. I believe in automation, simplicity, and sharing knowledge—whether through blog posts, open source, or mentoring.