# IAM & Access Control

## Overview

HIPAA's Access Control standard (45 CFR § 164.312(a)) requires that only authorized users can access PHI. On GCP, this is enforced through IAM, MFA, and service account controls.
## 1. Principle of Least Privilege

Every user, service account, and application must have only the permissions required to perform its specific function, nothing more.

### Do Not Use Primitive Roles

Primitive roles (Owner, Editor, Viewer) are overly broad and grant access to all GCP APIs. They must not be assigned in a PHI project.

```bash
# Audit current bindings: look for roles/owner, roles/editor, roles/viewer
gcloud projects get-iam-policy YOUR_PHI_PROJECT_ID \
  --flatten="bindings[].members" \
  --format="table(bindings.role,bindings.members)"
```
Remove any primitive role bindings found:

```bash
gcloud projects remove-iam-policy-binding YOUR_PHI_PROJECT_ID \
  --member="user:[email protected]" \
  --role="roles/editor"
```
## 2. Recommended IAM Role Assignments

| Persona | Recommended Role(s) |
|---|---|
| Cloud SQL DBA | roles/cloudsql.admin (restricted to DBA only) |
| Cloud Run Deployer | roles/run.developer |
| Cloud Run Viewer | roles/run.viewer |
| Log Viewer | roles/logging.viewer |
| Security Auditor | roles/iam.securityReviewer + roles/viewer (read-only) |
| KMS Key Admin | roles/cloudkms.admin (separate from data access) |
| Secret Manager Reader | roles/secretmanager.secretAccessor |
| Monitoring Viewer | roles/monitoring.viewer |

### Separation of Duties

- The person who manages encryption keys (KMS Admin) must not be the same person who accesses the data.
- The person who configures audit logs must not be able to delete them.
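The primitive-role audit in section 1 and the separation-of-duties rules above can be checked mechanically against the JSON form of a project policy. The following is an added example, not code from the original page: it reads a constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json` output, flags every primitive role binding, and flags any principal that holds a KMS admin role together with one of the data-access roles from the table in section 2.

```python
"""Audit a GCP IAM policy for primitive roles and KMS/data separation of duties.
Added example; SAMPLE_POLICY is a constructed stand-in for real gcloud output."""
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Role sets taken from the recommendation table: key custody vs. PHI data access.
KEY_ADMIN_ROLES = {"roles/cloudkms.admin"}
DATA_ACCESS_ROLES = {"roles/cloudsql.admin", "roles/cloudsql.client",
                     "roles/secretmanager.secretAccessor"}

SAMPLE_POLICY = json.dumps({  # constructed sample, not a real project policy
    "bindings": [
        {"role": "roles/editor", "members": ["user:dev@example.com"]},
        {"role": "roles/run.developer", "members": ["user:dev@example.com"]},
        {"role": "roles/cloudkms.admin", "members": ["user:kms@example.com"]},
        {"role": "roles/cloudsql.client",
         "members": ["user:kms@example.com",
                     "serviceAccount:phi-app-sa@p.iam.gserviceaccount.com"]},
    ]
})


def roles_by_member(policy_json):
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def find_violations(policy_json):
    """Return a sorted list of (member, finding) pairs; empty means compliant."""
    findings = []
    for member, roles in roles_by_member(policy_json).items():
        for role in sorted(roles & PRIMITIVE_ROLES):
            findings.append((member, f"primitive role {role}"))
        if roles & KEY_ADMIN_ROLES and roles & DATA_ACCESS_ROLES:
            findings.append((member, "holds both KMS admin and data access roles"))
    return sorted(findings)


if __name__ == "__main__":
    for member, finding in find_violations(SAMPLE_POLICY):
        print(f"{member}: {finding}")
```

Pipe `gcloud projects get-iam-policy YOUR_PHI_PROJECT_ID --format=json` into `find_violations` to run it against a live project.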
## 3. Multi-Factor Authentication (MFA)

MFA is required for all accounts that can access PHI or PHI infrastructure.

### Enforce MFA via Google Workspace / Cloud Identity

- Go to Google Admin Console > Security > 2-Step Verification.
- Set enforcement to "On for everyone" with no exceptions for the PHI domain.
- Allow only hardware security keys (YubiKey) or authenticator apps; disable SMS-based 2FA.

```bash
# Verify 2FA enforcement policy via Cloud Identity API (requires Admin SDK)
# Use Google Admin Console as the authoritative UI
```
### Document MFA Policy

Record in your security policy:

- MFA is mandatory for all human accounts
- SMS/phone-based 2FA is prohibited for PHI access
- Lost device procedure and recovery codes must follow the Incident Response plan
## 4. Service Accounts

Service accounts are used by Cloud Run services, Cloud SQL proxy clients, and other automated processes.

### 4.1 Use Workload Identity (Preferred)

Workload Identity eliminates the need for downloadable service account keys. Cloud Run uses a dedicated per-service service account, which is bound to specific IAM roles.

```bash
# Create a dedicated service account for the Cloud Run service
gcloud iam service-accounts create phi-app-sa \
  --display-name="PHI App Cloud Run SA" \
  --project=YOUR_PHI_PROJECT_ID

# Grant only what the service needs
gcloud projects add-iam-policy-binding YOUR_PHI_PROJECT_ID \
  --member="serviceAccount:phi-app-sa@YOUR_PHI_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/cloudsql.client"

gcloud projects add-iam-policy-binding YOUR_PHI_PROJECT_ID \
  --member="serviceAccount:phi-app-sa@YOUR_PHI_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"
```
### 4.2 Service Account Key Management (If Keys Are Required)

If service account keys cannot be avoided:

```bash
# Create a key (last resort; prefer Workload Identity)
gcloud iam service-accounts keys create key.json \
  --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

# List existing keys to audit age
gcloud iam service-accounts keys list \
  --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com
```

- Rotate keys every 90 days maximum
- Store keys in Secret Manager, never in code repositories or environment variables
- Delete keys that are no longer in use
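The 90-day rotation rule above, and the monthly key-age audit scheduled in section 6, need the key creation time from `gcloud iam service-accounts keys list --format=json`. The following is an added example, not code from the original page: it parses a constructed sample of that output, skips the Google-rotated `SYSTEM_MANAGED` keys that operators cannot rotate, and reports each `USER_MANAGED` key whose age exceeds the limit.

```python
"""Report user-managed service account keys older than 90 days.
Added example; SAMPLE_KEYS is a constructed stand-in for real gcloud output."""
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)

SAMPLE_KEYS = json.dumps([  # constructed sample, not real key metadata
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/aaa111",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/bbb222",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-05-15T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/ccc333",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z"},
])


def parse_time(ts):
    """gcloud emits RFC 3339 timestamps with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_keys(keys_json, now, max_age=MAX_KEY_AGE):
    """Return [(key_id, age_in_days)] for USER_MANAGED keys older than max_age.
    SYSTEM_MANAGED keys are rotated by Google and are skipped."""
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_time(key["validAfterTime"])
        if age > max_age:
            key_id = key["name"].rsplit("/", 1)[-1]
            stale.append((key_id, age.days))
    return stale


if __name__ == "__main__":
    for key_id, days in stale_keys(SAMPLE_KEYS, datetime.now(timezone.utc)):
        print(f"ROTATE {key_id}: {days} days old")
```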
### 4.3 Disable Default Service Account

The Compute Engine default service account is created automatically and has broad permissions. Disable it in your PHI project:

```bash
# Disable the default compute service account
gcloud iam service-accounts disable \
  [email protected] \
  --project=YOUR_PHI_PROJECT_ID
```
### 4.4 Service Account Audit

```bash
# List all service accounts in the project
gcloud iam service-accounts list --project=YOUR_PHI_PROJECT_ID

# For each SA, list its keys and IAM bindings
gcloud iam service-accounts keys list \
  --iam-account=SA_EMAIL \
  --project=YOUR_PHI_PROJECT_ID
```
## 5. Access Context Manager

Access Context Manager lets you define access levels based on context (IP address, device compliance, user identity) and enforce them on GCP resources.

```bash
# Create an access level requiring corporate network + MFA
gcloud access-context-manager levels create corporate-access \
  --policy=YOUR_POLICY_ID \
  --title="Corporate Access Level" \
  --basic-level-spec=access_level.yaml
```

`access_level.yaml` example (the basic level spec file is a YAML list of conditions; the device requirements sit under `devicePolicy`, and every field inside one condition must hold for it to match):

```yaml
- ipSubnetworks:
    - 203.0.113.0/24   # Your corporate IP range
  devicePolicy:
    requireScreenlock: true
    requireCorpOwned: true
```
## 6. IAM Audit and Review Schedule

| Activity | Frequency |
|---|---|
| Review IAM policy bindings | Quarterly |
| Audit service account keys age | Monthly |
| Verify MFA compliance | Monthly |
| Review access logs for anomalies | Weekly |
| Full access review by Compliance Officer | Annually |

### Automated IAM Audit Script

```bash
#!/bin/bash
# audit_iam.sh: run monthly to check for compliance drift
set -euo pipefail
PROJECT_ID="YOUR_PHI_PROJECT_ID"

echo "=== Checking for primitive role assignments ==="
# grep exits non-zero when nothing matches, which is the compliant case;
# "|| true" keeps set -e from aborting the rest of the audit.
gcloud projects get-iam-policy "$PROJECT_ID" \
  --flatten="bindings[].members" \
  --format="table(bindings.role,bindings.members)" | \
  grep -E "roles/owner|roles/editor|roles/viewer" || true

echo "=== Listing all service accounts ==="
gcloud iam service-accounts list --project="$PROJECT_ID"

echo "=== Checking for user-managed service account keys older than 90 days ==="
gcloud iam service-accounts list --project="$PROJECT_ID" --format="value(email)" | \
  while read -r SA; do
    echo "Stale keys for: $SA"
    # Only user-managed keys can be rotated by us; the relative-duration filter
    # (-P90D) selects keys created more than 90 days before now.
    gcloud iam service-accounts keys list --iam-account="$SA" --project="$PROJECT_ID" \
      --managed-by=user --filter="validAfterTime<-P90D" \
      --format="table(name.basename(),validAfterTime)"
  done
```
## 7. Access Control Documentation Requirements

Maintain records of:

- All users and their roles (access matrix)
- Date of last access review
- Any access exceptions granted (with business justification and expiry date)
- Termination/offboarding procedures ensuring immediate access revocation