GCP: Just-in-time Privileges elevation via PAM

The importance of Just In Time Privileges in Production Environment

Access to resources in a production environment is a double-edged sword. On one hand, it’s necessary for maintaining and operating critical infrastructure; on the other hand, unrestricted access can lead to catastrophic consequences if not properly managed.

Without effective Just In Time Privileges:

• Data Breaches: Unmonitored and excessive access can lead to sensitive data being exposed or stolen, either by insiders or external attackers who gain control of privileged accounts. For example, a user with IAM admin access can give access to resources on your cloud provider (for example GCP) to other people (inside or outside your organization)
• Service Disruption: Unauthorized changes to critical systems can result in downtime, loss of data, or degraded service performance, impacting customers and damaging the company's reputation. A mistake can be done manually if devops have editor or admin rights given all the time (database destruction…)
• Compliance Risks: Many industries are subject to strict regulations around data protection and access control. Failure to properly manage privileged access can lead to non-compliance, resulting in heavy fines and legal liabilities.

What were the options before PAM on GCP

Before PAM, GCP provided several options that was in the best case, not as secured, and in the worst case, very difficult to make it work in a real world scenario:

• Create specific group and bind specific roles to it. Then you can add and remove users to this group when needed. This solution is cumbersome if people do not have any interface or automation to manage groups and users.
• Create conditionals role bindings. This allows to enforce time-based controls. The drawbacks of this solution are:
  • No real audit and justification when the user have higher privileged
  • It is only time based
• Service Account impersonation. This solution allows a user to impersonate a service account with higher rights. The impersonation is similar to AWS assume role.
  • It is not usable in the Google Console (only CLI or Apps)
  • You need to add conditionals in order to enforce time base access
  • You cannot control the duration of the access.
• Just In Time Access application. This solution is the solution that looks like the most to GCP PAM. It is an open source project that ca be deployed as a Cloud Run. It allows user to request access to specific roles to a project. The application uses conditionals role binding behind the scene. The drawbacks of the solution is:
  • You need to run it and manage it (As it is a solution that controls the access to your projects, you need to be cautious on the security of this solution
  • Audit logs of the application are not by default gathered with GCP audit logs
  • You cannot make approval based grants

And here comes PAM

Overview

PAM is here to provide a solution to all drawbacks presented in the previous chapter. This GCP product was publish as preview in April 2024 and was released in GA in September 2024.

PAM allows to manage just in time access defined by an Google Cloud administrator directly through the GCP console.

PAM provides the following configurations:

• Manage who can ask for privileged escalation, who can approve or not a request
• Select what role is available for each grant.
• Allows auto-validation access for emergency teams, in case of critical incident.
• Audit actions done during the privileged escalation.
• Allow time based access (Business hours for specific team…)

In more details

The object to manage just in time elevation are called entitlements . They are composed of multiple attributes:

• Set of principals that can requests grants (can be a user, a group, service accounts…)
• Enable or not justifications
• List of roles linked to the Grant (they cannot be based roles, i.e. neither Editor nor Owner, but custom roles can be used)
• Maximum duration of the grant
• Enable approval or not.
• List of Approvers
• List of notifications emails

The entitlements are linked to an Organization, a Folder or a Project.

What about the other Cloud Providers

Azure was the first

PAM solution looks very similar with Azure Privileged Identity Management. This service, available through Azure Entra ID since 2016, provides oversight and control over privileged accounts. It allows administrators to enforce just-in-time access, requiring users to request elevated privileges for specific tasks. These elevated roles are temporary and subject to approval workflows, reducing the risk of long-term, excessive access.

AWS is lacking behind

AWS does not provide any managed solution to tackle this problematic but points to external solutions to manage just in time access:

• Through AWS partners and Vendors that integrates with AWS Identity Center. This can be costly if you do not have already an account to those vendors, especially for small businesses
• They provided a non managed, opensource solution (like JIT Access from GCP). The solution is called TEAM. This means that you will need to pay the cost of the infrastructure of the solution behind (and it is based on DynamoDB, AWS Step Functions, Cognito, AWS Lambda…). But, TEAM allows to manage approvers and approvals through a specific workflows.

How to implement it

Setup with Terraform

Even if the service is only available as Pre GA, the google provider in terraform propose a resource to create a PAM Entitlement.

resource "google_privileged_access_manager_entitlement" "this" {

    entitlement_id = "my-entitlement"

    location = "global"

    max_request_duration = "14400s"

    parent = "projects/my-project-name

    requester_justification_config {

        unstructured{} // force to have a justification

    }

    eligible_users {

        principals = [ // list of principals that can ask for a privileged escalation

          "<group:run@theodo.com>"

        ]

    }

    privileged_access{

        gcp_iam_access{

            role_bindings{

                role = ""

            }

            resource = "//cloudresourcemanager.googleapis.com/projects/my-project-name"

            resource_type = "cloudresourcemanager.googleapis.com/Project"

        }

    }

    additional_notification_targets {

      admin_email_recipients     = [

        "admin@theodo.com",

      ]

      requester_email_recipients = [

        "all@theodo.com"

      ]

    }

/*    approval_workflow { // This section is needed if you want to have an approver.

	    manual_approvals {

	      require_approver_justification = true

	      steps {

	        approvals_needed          = 1

	        approver_email_recipients = [

	          "admin@theodo.com"

	        ]

	        approvers {

	          principals = [

	            "<group:admin@theodo.com>"

	          ]

	        }

	      }

	    }

	  }

*/

}

The precedent example is suitable for run team that need to intervene during non-working hours (in case of an production incident.

If you want to set approvers for each privileged access request, you need to comment the approval_workflow block. This pattern is suitable for development team that need to access or debug on production, to access specific data.

This resource need to add some rights to the PAM Service Agent if you want to deploy it fully without any human intervention.

resource "google_project_iam_member" "pam" {

  project = my_project_id

  role    = "roles/privilegedaccessmanager.serviceAgent"

  member  = "serviceAccount:service-org-${var.org_id}@gcp-sa-pam.iam.gserviceaccount.com"

}

How to request a privileged escalation

Once the entitlement is set, an eligible Principal can log to the Google Console. Go to the IAM & Admin > PAM

Create a request

Once activated, you can now access to the project with higher privileged rights

As an administrator, you can check the entitlements, the reason of each entitlements and check what was done during the session.

Conclusion

PAM offers a way to manage JIT access and allows balance between security and needs to have specific rights for incident intervention or production maintenance. We are implementing and testing this solution with one of our client and we will see how the development teams and interventions are reacting to this new feature.