Hi Everyone,
I'm working on a use case and would love to gather insights from the forum. I’d like to explore different perspectives on this scenario and understand the role of IAM Deny in comparison to Just-In-Time (JIT) access.
I'll try to provide as much detail as possible. This scenario may apply to some organizations but not necessarily all.
In Google Cloud Platform (GCP), roles are defined at the organization level and assigned to identities within a hierarchy. To minimize risk, I have transitioned high-privilege access bindings from being assigned directly to users/principals to a JIT model, since long-term access poses security vulnerabilities.
Instead of simply moving to JIT (which is a fair alternative to long-term access), could we build IAM Deny policies to explicitly restrict actions that should not be performed and then use JIT for permitted tasks? (Considering that IAM Deny is already available).
If access bindings are already transitioned to JIT, where and why does IAM Deny become relevant?
What role does IAM Deny play in enhancing IAM security, and does this specific use case fit into it?
User 1 (myself) previously held the BigQuery Data Admin Role and had access to PII data via a Highly Privileged (HP) Role.
To enhance security, the organization decided to restrict continuous access to PII data.
As a result, my IAM permissions were moved to a JIT model, allowing access only when explicitly needed, instead of persistent access.
Instead of transitioning to JIT access, could IAM Deny be used to enforce these restrictions?
Would this be a better alternative, or is JIT the more appropriate solution in this case?
Looking forward to your thoughts and discussions!
- Swapnil
Hi @swapnil978,
Thanks for sharing your thoughts about IAM Deny and opening this discussion space.
Just a heads up, project deployments on Google Cloud can depend on multiple factors such as architecture, scale, availability requirements, compliance requirements, cloud spend budget and more. This means that there could be many different approaches to cloud solutions that are ultimately based on your business needs.
If you’re interested in learning more about using JIT for your organization on GCP, you might want to take a look at JIT Groups. I would also recommend sharing your post and ideas on the following Google Cloud channels:
Instead of simply moving to JIT (which is a fair alternative to long-term access), could we build IAM Deny policies to explicitly restrict actions that should not be performed and then use JIT for permitted tasks? (Considering that IAM Deny is already available).
For your suggestion, I would recommend creating a Feature Request ticket on our issue tracker with the details of your use case. Do note that there isn’t a timeframe specifically given for feature implementation. Instead, we wait for a feature to have a handful of stars and, hopefully, comments from several users about how the feature would be useful.
If access bindings are already transitioned to JIT, where and why does IAM Deny become relevant?
What role does IAM Deny play in enhancing IAM security, and does this specific use case fit into it?
JIT addresses the "when" of access, while IAM Deny addresses the "what" (specifically, "what not"). They are complementary tools, and using IAM Deny even when JIT is implemented provides robust, layered security by enforcing non-negotiable boundaries.
Instead of transitioning to JIT access, could IAM Deny be used to enforce these restrictions?
Would this be a better alternative, or is JIT the more appropriate solution in this case?
For the goal of replacing persistent access with temporary access for the BigQuery Data Admin role (which includes PII access), I would recommend using JIT as it can mitigate the risk of persistent, high-privilege access. IAM Deny is better suited for enforcing absolute, non-negotiable restrictions on specific permissions, acting as a safety net alongside other access controls like JIT.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
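To make the "JIT handles when, Deny handles what not" point concrete, here is an IAM deny policy written as an added example; it is not from the original post or from Google's documentation. It assumes an organization ID of 123456789012 with a tag key data-classification (value pii) already bound to the PII datasets or tables, and that the JIT mechanism elevates a user by adding them to the group jit-bq-pii-admins@example.com for a bounded time. Everyone is denied reading or exporting PII-tagged tables, including anyone who still holds BigQuery Data Admin through a lingering binding; the only carve-out is current membership in the JIT group, so the deny acts as the safety net and JIT still governs the time window.

```json
{
  "displayName": "Deny PII table reads outside JIT elevation (example, assumed IDs)",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principalSet://goog/public:all"
        ],
        "exceptionPrincipals": [
          "principalSet://goog/group/jit-bq-pii-admins@example.com"
        ],
        "deniedPermissions": [
          "bigquery.googleapis.com/tables.getData",
          "bigquery.googleapis.com/tables.export"
        ],
        "denialCondition": {
          "title": "Only resources tagged data-classification=pii",
          "expression": "resource.matchTag('123456789012/data-classification', 'pii')"
        }
      }
    }
  ]
}
```

Attach it at a folder or project above the PII projects, for example `gcloud iam policies create deny-pii-outside-jit --attachment-point=cloudresourcemanager.googleapis.com/folders/FOLDER_ID --kind=denypolicies --policy-file=deny-pii.json` (FOLDER_ID is a placeholder). Deny policies are evaluated before allow policies, so a JIT-granted BigQuery Data Admin binding cannot override this rule; conversely, a user whose JIT elevation has expired drops out of the exception group and is denied even if an allow binding was left behind. Two caveats: only permissions on Google's supported-for-deny list can appear in deniedPermissions, and the condition only fires on resources that actually carry the tag, so untagged PII tables are not covered.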