Stay organized with collections
Save and categorize content based on your preferences.
This document explains how to enable the IAM Recommender Response playbook
in Security Command Center Enterprise to identify the over-permissioned identities and
automatically and safely remove the excess permissions.
Overview
The IAM recommender provides you with security insights that
assess how your principals use resources and recommends you to take an action on
the encountered insight. For example, when a permission was not used for
the last 90 days, the IAM recommender highlights it as an excess
permission and recommends you to remove it safely.
The IAM Recommender Response playbook uses the IAM recommender
to scan your environment for the workload identities that possess excess
permissions or service account impersonations. Instead of reviewing and applying
recommendations
manually in Identity and Access Management, enable the playbook to do it automatically in
Security Command Center.
Prerequisites
Before activating the IAM Recommender Response playbook, complete the following
prerequisite steps:
Create a custom IAM role and configure a specific permission
for it.
Define the Workload Identity Email value.
Grant the custom role you've created to an existing principal.
Create a custom IAM role
In the Google Cloud console, go to the IAM Roles page.
In the Filter field, paste the Workload Identity Email value and
search for the existing principal.
Click editEdit principal. The
dialog window opens.
In the Edit access pane under the Assign roles, click
addAdd another role.
Select the custom role that you've created and click Save.
Enable playbook
By default, the IAM Recommender Response playbook is disabled. To use the
playbook, enable it manually:
In the Security Operations console, go to Response > Playbooks.
In the playbook Search field, input IAM Recommender.
In the search result, select the IAM Recommender Response playbook.
In the playbook header, switch the toggle to enable the playbook.
In the playbook header, click Save.
Configure the automatic approval flow
Changing the playbook settings is an advanced and optional configuration.
By default, every time the playbook identifies unused permissions, it awaits for
you to approve or decline the remediation before completing the run.
To configure the playbook flow to automatically remove the unused
permissions every time they are found without requesting your approval, complete
the following steps:
In the Google Cloud console, go to Response > Playbooks.
Select the IAM Recommender Response playbook.
In the playbook building blocks, select the IAM Setup Block_1. The block
configuration window opens. By default, the remediation_mode parameter
is set to Manual.
In the remediation_mode parameter field, enter Automatic.
Click Save to confirm the new remediation mode settings.
In the playbook header, click Save.
What's next?
Learn more about playbooks in the Google SecOps
documentation.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Automate IAM recommendations using playbooks\n\n| Enterprise [service tier](/security-command-center/docs/service-tiers)\n\nThis document explains how to enable the **IAM Recommender Response** playbook\nin Security Command Center Enterprise to identify the over-permissioned identities and\nautomatically and safely remove the excess permissions.\n\nOverview\n--------\n\nThe IAM recommender provides you with security insights that\nassess how your principals use resources and recommends you to take an action on\nthe encountered insight. For example, when a permission was not used for\nthe last 90 days, the IAM recommender highlights it as an excess\npermission and recommends you to remove it safely.\n\nThe **IAM Recommender Response** playbook uses the IAM recommender\nto scan your environment for the workload identities that possess excess\npermissions or service account impersonations. Instead of [reviewing and applying\nrecommendations](/policy-intelligence/docs/review-apply-role-recommendations#review-apply)\nmanually in Identity and Access Management, enable the playbook to do it automatically in\nSecurity Command Center.\n\nPrerequisites\n-------------\n\nBefore activating the **IAM Recommender Response** playbook, complete the following\nprerequisite steps:\n\n1. Create a custom IAM role and configure a specific permission for it.\n2. Define the **Workload Identity Email** value.\n3. Grant the custom role you've created to an existing principal.\n\n### Create a custom IAM role\n\n1. In the Google Cloud console, go to the **IAM Roles** page.\n\n [Go to IAM Roles](https://console.cloud.google.com/iam-admin/roles)\n2. Click **Create role** to create a custom role with the required permissions for\n the integration.\n\n3. For a new custom role, provide the **Title** , **Description** , and a unique\n **ID**.\n\n4. Set the **Role Launch Stage** to **General Availability**.\n\n5. Add the following permission to the created role:\n\n resourcemanager.organizations.setIamPolicy\n\n6. Click **Create**.\n\n### Define the Workload Identity Email value\n\nTo define what [identity](/iam/docs/workload-identities) to grant the custom\nrole to, complete the following steps:\n\n1. In the Google Cloud console, go to **Response \\\u003e Playbooks** to open the Security Operations console navigation.\n2. In the Security Operations console navigation, go to **Response \\\u003e\n Integrations Setup**.\n3. In the integration **Search** field, type in `Google Cloud Recommender`.\n4. Click settings **Configure Instance**. The dialog window opens.\n5. Copy the value of the **Workload Identity Email** parameter to your clipboard. The value must be in the following format: `username@example.com`\n\n### Grant a custom role to an existing principal\n\nAfter you grant your new custom role to a selected principal, they can change\npermissions for any user in your organization.\n\n1. In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n2. In the **Filter** field, paste the **Workload Identity Email** value and\n search for the existing principal.\n\n3. Click edit **Edit principal**. The\n dialog window opens.\n\n4. In the **Edit access** pane under the **Assign roles** , click\n add **Add another role**.\n\n5. Select the custom role that you've created and click **Save**.\n\nEnable playbook\n---------------\n\nBy default, the **IAM Recommender Response** playbook is disabled. To use the\nplaybook, enable it manually:\n\n1. In the Security Operations console, go to **Response \\\u003e Playbooks**.\n2. In the playbook **Search** field, input `IAM Recommender`.\n3. In the search result, select the **IAM Recommender Response** playbook.\n4. In the playbook header, switch the toggle to **enable the playbook**.\n5. In the playbook header, click **Save**.\n\n### Configure the automatic approval flow\n\nChanging the playbook settings is an advanced and optional configuration.\n\nBy default, every time the playbook identifies unused permissions, it awaits for\nyou to approve or decline the remediation before completing the run.\n\nTo configure the playbook flow to automatically remove the unused\npermissions every time they are found without requesting your approval, complete\nthe following steps:\n\n1. In the Google Cloud console, go to **Response \\\u003e Playbooks**.\n2. Select the **IAM Recommender Response** playbook.\n3. In the playbook building blocks, select the **IAM Setup Block_1** . The block configuration window opens. By default, the **remediation_mode** parameter is set to `Manual`.\n4. In the **remediation_mode** parameter field, enter `Automatic`.\n5. Click **Save** to confirm the new remediation mode settings.\n6. In the playbook header, click **Save**.\n\nWhat's next?\n------------\n\n- Learn more about [playbooks](/chronicle/docs/soar/respond/working-with-playbooks/whats-on-the-playbooks-screen) in the Google SecOps documentation."]]
