Restrict our G-Suite email / service account of our project so that the user cannot add them to his personal GCP project

Question

We basically have a use case where user should not be able to take data out of our GCP project. So, we want that the user should not be able to add his GCP credentials provided by us to his personal GCP project. Then, upload the data to his personal project.

So, is there anyway we can restrict our G-Suite email and/or service account of our project so that the user cannot add them to his personal GCP project.

Thanks!!

Answer 1

So, is there anyway we can restrict our G-Suite email and/or service account of our project so that the user cannot add them to his personal GCP project.

The answer is not possible and also does not apply to data theft .

If one of your users has credentials with IAM roles to access your data, you cannot prevent him from accessing that data short of removing those privileges. He can download data to his workstation and then upload it someplace else.

I think you are misunderstanding IAM users. If a user adds his "work" user email address to his personal Google Cloud Account, that does not grant him additional access to your account. It just means that he can use one credential to access more than one account. That person would not benefit or bypass your security. He could speed things up by doing cloud->cloud data copies instead of download/upload. Then end result is still data loss/theft.

Given that this is a concern, turn on Google Cloud Audit Logging and monitor what your users do. Use Cloud Functions to analyze the logs and alert on activity that concerns you.

Separate you data via separate projects. Only allow users to access data related to their job scope. There are many techniques that you can implement. However, if you do not trust an employee you have a different problem to manage.