Enterprise service tier
This document explains how to enable the IAM Recommender Response playbook
in Security Command Center Enterprise to identify over-permissioned identities and
automatically and safely remove the excess permissions.
Overview
The IAM recommender provides security insights that assess how your principals
use resources, and it recommends an action for each insight it finds. For example,
when a permission has not been used for the last 90 days, the IAM recommender
flags it as an excess permission and recommends that you remove it safely.
The IAM Recommender Response playbook uses the IAM recommender to scan your
environment for workload identities that hold excess permissions or service
account impersonations. Instead of reviewing and applying recommendations
manually in Identity and Access Management, enable the playbook to do it
automatically in Security Command Center.
Prerequisites
Before activating the IAM Recommender Response playbook, complete the following
prerequisite steps:
1. Create a custom IAM role and configure a specific permission for it.
2. Define the Workload Identity Email value.
3. Grant the custom role you've created to an existing principal.
Create a custom IAM role
1. In the Google Cloud console, go to the IAM Roles page:
   https://console.cloud.google.com/iam-admin/roles
2. Click Create role to create a custom role with the required permissions for
   the integration.
3. For a new custom role, provide the Title, Description, and a unique ID.
4. Set the Role Launch Stage to General Availability.
5. Add the following permission to the created role:
   resourcemanager.organizations.setIamPolicy
6. Click Create.
Define the Workload Identity Email value
To define which identity to grant the custom role to, complete the following steps:
1. In the Google Cloud console, go to Response > Playbooks to open the Security
   Operations console navigation.
2. In the Security Operations console navigation, go to Response > Integrations Setup.
3. In the integration Search field, type in Google Cloud Recommender.
4. Click Configure Instance. The dialog window opens.
5. Copy the value of the Workload Identity Email parameter to your clipboard.
   The value must be in the following format: username@example.com
Grant a custom role to an existing principal
After you grant your new custom role to a selected principal, that principal can
change permissions for any user in your organization.
1. In the Google Cloud console, go to the IAM page:
   https://console.cloud.google.com/iam-admin/iam
2. In the Filter field, paste the Workload Identity Email value and
   search for the existing principal.
3. Click Edit principal. The dialog window opens.
4. In the Edit access pane under Assign roles, click Add another role.
5. Select the custom role that you've created and click Save.
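The same three prerequisites scripted with gcloud, as an added example that is not part of the original page. It assumes the custom role is created at the organization level, that the Workload Identity Email (copied from the integration settings as described above and passed in as an argument) belongs to a service account, and that the role ID iamRecommenderResponse is a placeholder chosen here; the role carries only the single permission the page lists.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation page: performs the
# prerequisite steps with gcloud instead of the console.
# Assumptions: the role is created at the organization level, the Workload
# Identity Email is a service account, and ROLE_ID is a placeholder name.
set -eu

GCLOUD="${GCLOUD:-gcloud}"            # set GCLOUD=echo for a dry run
ROLE_ID="iamRecommenderResponse"      # assumed role ID, choose your own
REQUIRED_PERM="resourcemanager.organizations.setIamPolicy"  # the one permission the page lists

# Step 1: custom role holding exactly the one permission, launch stage GA.
create_custom_role() {
  org_id="$1"
  "$GCLOUD" iam roles create "$ROLE_ID" --organization="$org_id" \
    --title="IAM Recommender Response" \
    --description="Used by the IAM Recommender Response playbook" \
    --permissions="$REQUIRED_PERM" --stage=GA --quiet
}

# Step 3: bind the role to the Workload Identity Email at the organization.
# This principal can then change IAM bindings for anyone in the organization,
# which is why the role carries nothing beyond REQUIRED_PERM.
grant_role_to_principal() {
  org_id="$1"
  workload_identity_email="$2"
  "$GCLOUD" organizations add-iam-policy-binding "$org_id" \
    --member="serviceAccount:$workload_identity_email" \
    --role="organizations/$org_id/roles/$ROLE_ID" \
    --condition=None
}

# Drift check: given the role's permission list (one per line, e.g. from
# `gcloud iam roles describe`), succeed only when it holds REQUIRED_PERM
# and nothing else.
role_is_least_privilege() {
  perms="$1"
  [ "$(printf '%s\n' "$perms" | sed '/^[[:space:]]*$/d' | sort -u)" = "$REQUIRED_PERM" ]
}

# Usage: sh this_script.sh ORG_ID WORKLOAD_IDENTITY_EMAIL
if [ "$#" -eq 2 ]; then
  create_custom_role "$1"
  grant_role_to_principal "$1" "$2"
fi
```

Run the drift check periodically against `gcloud iam roles describe` output so that extra permissions added to the role later are noticed.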
Enable playbook
By default, the IAM Recommender Response playbook is disabled. To use the
playbook, enable it manually:
1. In the Security Operations console, go to Response > Playbooks.
2. In the playbook Search field, input IAM Recommender.
3. In the search result, select the IAM Recommender Response playbook.
4. In the playbook header, switch the toggle to enable the playbook.
5. In the playbook header, click Save.
Configure the automatic approval flow
Changing the playbook settings is an advanced and optional configuration.
By default, every time the playbook identifies unused permissions, it waits for
you to approve or decline the remediation before completing the run.
To configure the playbook to remove unused permissions automatically whenever
they are found, without requesting your approval, complete the following steps:
1. In the Google Cloud console, go to Response > Playbooks.
2. Select the IAM Recommender Response playbook.
3. In the playbook building blocks, select IAM Setup Block_1. The block
   configuration window opens. By default, the remediation_mode parameter
   is set to Manual.
4. In the remediation_mode parameter field, enter Automatic.
5. Click Save to confirm the new remediation mode settings.
6. In the playbook header, click Save.
What's next?
Learn more about playbooks in the Google SecOps documentation.
Last updated 2025-09-04 UTC.