You can use Privileged Access Manager (PAM) to control just-in-time temporary privilege elevation for select principals, and to view audit logs afterwards to find out who had access to what and when.
To allow temporary elevation, you create an entitlement in Privileged Access Manager, and add the following attributes to it:
A set of principals who are allowed to request a grant against the entitlement.
Whether a justification is required for that grant.
A set of roles to temporarily grant. IAM conditions can be set on the roles.
The maximum duration a grant can last.
Optional: Whether requests need approval from a select set of principals, and whether those principals need to justify their approval.
Optional: Additional stakeholders to be notified about important events, such as grants and pending approvals.
A principal that's been added as a requester to an entitlement can request a grant against that entitlement. If successful, they are granted the roles listed in the entitlement until the end of the grant duration, after which the roles are revoked by Privileged Access Manager.
Use cases
To effectively use Privileged Access Manager, start by identifying specific use cases and scenarios where it can address your organization's needs. Tailor your Privileged Access Manager entitlements based on these use cases and necessary requirements and controls. This involves mapping out the users, roles, resources, and durations involved, along with any necessary justifications and approvals.
While Privileged Access Manager can be used as a general best practice to grant temporary rather than permanent privileges, here are some scenarios where it may be commonly used:
Grant emergency access: Allow select emergency responders to perform critical tasks without having to wait for approval. You can mandate justifications for additional context on why the emergency access is needed.
Control access to sensitive resources: Tightly control access to sensitive resources, requiring approvals and business justifications. Privileged Access Manager can also be used to audit how this access was used—for example, when granted roles were active for a user, which resources were accessible during that time, the justification for access, and who approved it.
For example, you can use Privileged Access Manager to do the following:
Give developers temporary access to production environments for troubleshooting or deployments.
Give support engineers access to sensitive customer data for specific tasks.
Give database administrators elevated privileges for maintenance or configuration changes.
Help secure service accounts: Instead of permanently granting roles to service accounts, allow service accounts to self-elevate and assume roles only when needed for automated tasks.
Manage access for contractors and extended workforce: Grant contractors or members of the extended workforce temporary, time-bound access to resources, with approvals and justifications required.
Capabilities and limitations
The following sections describe the different capabilities and limitations of Privileged Access Manager.
Supported resources
Privileged Access Manager supports creating entitlements and requesting grants for projects, folders, and organizations. If you want to limit access to a subset of resources within a project, folder, or organization, you can add IAM Conditions to the entitlement. Privileged Access Manager supports all condition attributes except resource tags.
Supported roles
Privileged Access Manager supports predefined roles and custom roles. Basic roles are not supported.
Supported identities
Privileged Access Manager supports all types of identities, including Cloud Identity, Workforce Identity Federation, and Workload Identity Federation.
Audit logging
Privileged Access Manager events, such as the creation of entitlements and the request or review of grants, are logged to Cloud Audit Logs. For a complete list of events that Privileged Access Manager generates logs for, see the Privileged Access Manager audit logging documentation. To learn how to view these logs, see Audit entitlement and grant events in Privileged Access Manager.
Grant retention
Grants are automatically deleted from Privileged Access Manager 30 days after they are denied, revoked, or have expired or ended. Logs for grants are kept in Cloud Audit Logs for the log retention duration of the _Required bucket. To learn how to view these logs, see Audit entitlement and grant events in Privileged Access Manager.
Privileged Access Manager and IAM policy modifications
Privileged Access Manager manages temporary access by adding and removing role bindings from resources' IAM policies. If these role bindings are modified by something other than Privileged Access Manager, then Privileged Access Manager might not work as expected.
To avoid this issue, we recommend doing the following:
- Don't manually modify role bindings that are managed by Privileged Access Manager.
- If you use Terraform to manage your IAM policies, ensure that you're using non-authoritative resources instead of authoritative resources. This ensures that Terraform won't override Privileged Access Manager role bindings, even if they aren't in the declarative IAM policy configuration.
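The following Terraform snippet, added here as an illustration and not taken from the Privileged Access Manager documentation, shows the two IAM resource styles side by side (use one or the other, not both); the project ID, role and group are placeholders:

```hcl
# Added example, not from the Privileged Access Manager documentation.
# Project ID, role and principals are placeholders.

# AUTHORITATIVE (avoid alongside Privileged Access Manager):
# google_project_iam_policy replaces the project's entire IAM policy with
# policy_data. Role bindings that Privileged Access Manager added for an
# active grant are not in this declaration, so the next `terraform apply`
# removes them and the grant silently stops working.
data "google_iam_policy" "full_policy" {
  binding {
    role    = "roles/viewer"
    members = ["group:developers@example.com"] # placeholder
  }
}

resource "google_project_iam_policy" "authoritative" {
  project     = "example-project-id" # placeholder
  policy_data = data.google_iam_policy.full_policy.policy_data
}

# NON-AUTHORITATIVE (recommended): google_project_iam_member manages only
# this single role/member pair and leaves every other binding on the
# project untouched, including the ones Privileged Access Manager adds
# and removes over a grant's lifetime.
resource "google_project_iam_member" "developers_viewer" {
  project = "example-project-id" # placeholder
  role    = "roles/viewer"
  member  = "group:developers@example.com" # placeholder
}
```

The same distinction applies at folder and organization level (google_folder_iam_policy and google_organization_iam_policy are authoritative; the corresponding *_iam_member resources are not).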
Notifications
Privileged Access Manager can notify you about various events happening in Privileged Access Manager as described in the following sections.
Email notifications
Privileged Access Manager sends email notifications to the relevant stakeholders for entitlement and grant changes. The sets of recipients are as follows:
Eligible requesters of an entitlement:
- Email addresses of Cloud Identity users and groups specified as requesters in the entitlement
- Manually configured email addresses in the entitlement: When using the Google Cloud console, these email addresses are listed in the Notify about an eligible entitlement field in the Additional notifications section of the entitlement. When using the gcloud CLI or the REST API, these email addresses are listed in the requesterEmailRecipients field.
Grant approvers for an entitlement:
- Email addresses of Cloud Identity users and groups specified as approvers in the entitlement.
- Manually configured email addresses in the entitlement: When using the Google Cloud console, these email addresses are listed in the Notify when a grant is pending approval field in the Additional notifications section of the entitlement. When using the gcloud CLI or the REST API, these email addresses are listed in the approverEmailRecipients field of the approval workflow steps.
Administrator of the entitlement:
- Manually configured email addresses in the entitlement: When using the Google Cloud console, these email addresses are listed in the Notify when access is granted field in the Additional notifications section of the entitlement. When using the gcloud CLI or the REST API, these email addresses are listed in the adminEmailRecipients field.
Requester of a grant:
- Email address of the grant requester if they are a Cloud Identity user.
- Additional email addresses added by the requester while requesting the grant: When using the Google Cloud console, these email addresses are listed in the Email addresses to receive updates about this grant field. When using the gcloud CLI or the REST API, these email addresses are listed in the additionalEmailRecipients field.
Privileged Access Manager sends emails to these email addresses for the following events:
Recipients | Event
---|---
Eligible requesters of an entitlement | When the entitlement is created and becomes available for use
Grant approvers for an entitlement | When a grant is requested and it requires approval
Requester of a grant |
Administrator of the entitlement |
Pub/Sub notifications
Privileged Access Manager is integrated with Cloud Asset Inventory. You can use the Cloud Asset Inventory feeds feature to receive notifications about all grant changes through Pub/Sub. The asset type to use for grants is privilegedaccessmanager.googleapis.com/Grant.
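A Terraform definition of such a feed, added here as an illustration and not part of the Privileged Access Manager documentation; the project ID, topic name and feed ID are placeholders, and the feed is scoped to a single project (the organization- and folder-level feed resources take the same asset type):

```hcl
# Added example, not from the Privileged Access Manager documentation.
# Project ID, topic name and feed ID are placeholders.

resource "google_pubsub_topic" "pam_grant_events" {
  project = "example-project-id" # placeholder
  name    = "pam-grant-events"   # placeholder
}

# Cloud Asset Inventory feed that publishes a message to the topic every
# time a Privileged Access Manager Grant resource in this project changes.
resource "google_cloud_asset_project_feed" "pam_grants" {
  project      = "example-project-id" # placeholder
  feed_id      = "pam-grant-changes"  # placeholder
  content_type = "RESOURCE"

  # The asset type for grants, as given on this page.
  asset_types = ["privilegedaccessmanager.googleapis.com/Grant"]

  feed_output_config {
    pubsub_destination {
      topic = google_pubsub_topic.pam_grant_events.id
    }
  }
}
```

Each feed message carries the grant's current resource data together with its prior state, which is what a subscriber (for example, a SIEM forwarder) needs to see a grant move through request, approval, activation and expiry or revocation.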