GCP · cloud · ~10 mins

IAM deny policies in GCP - Step-by-Step Execution

Process Flow - IAM deny policies

User Request -> Check IAM Allow Policies -> Check IAM Deny Policies -> Allow Access / Deny Access -> End

When a user makes a request, GCP first checks allow policies, then deny policies. If any deny policy matches, access is denied immediately.
Execution Sample
```yaml
# Deny policy for the attachment point cloudresourcemanager.googleapis.com/projects/my-project
rules:
  - denyRule:
      # deny policies name permissions as SERVICE_FQDN/RESOURCE.ACTION
      deniedPermissions:
        - storage.googleapis.com/buckets.delete
      # "all principals"; deny policies do not accept a bare "*"
      deniedPrincipals:
        - principalSet://goog/public:all
```
This deny policy blocks deletion of storage buckets in the project.
Process Table

| Step | Action | Permission Checked | Deny Policy Match | Access Decision |
|------|--------|--------------------|-------------------|-----------------|
| 1 | User requests to delete a storage bucket | storage.buckets.delete | Yes | Denied |
| 2 | User requests to read a storage bucket | storage.buckets.get | No | Allowed |
| 3 | User requests to create a storage bucket | storage.buckets.create | No | Allowed |
| 4 | User requests to delete a VM instance | compute.instances.delete | No | Allowed |
| 5 | User requests to delete a storage bucket again | storage.buckets.delete | Yes | Denied |

💡 Access is denied immediately when a deny policy matches; otherwise it is allowed, provided an allow policy permits it.
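The allow-then-deny evaluation above, worked as an added Python simulation that walks the five process-table steps (this is not GCP code and not from the original page). The principal, the allow bindings and the permission-name mapping helper are constructed assumptions, and the exception_principals field goes beyond the page's sample to show how a deny rule can exempt a principal.

```python
from dataclasses import dataclass, field

ALL_PRINCIPALS = "principalSet://goog/public:all"  # deny-policy "everyone" principal

def iam_permission(name):
    """Map deny-policy permission syntax (storage.googleapis.com/buckets.delete)
    to the IAM permission name allow policies use (storage.buckets.delete)."""
    if "/" not in name:
        return name
    service, rest = name.split("/", 1)
    return service.removesuffix(".googleapis.com") + "." + rest

@dataclass
class DenyRule:
    denied_permissions: set
    denied_principals: set
    exception_principals: set = field(default_factory=set)  # exempt from this rule

    def matches(self, principal, permission):
        if permission not in {iam_permission(p) for p in self.denied_permissions}:
            return False
        if principal in self.exception_principals:
            return False
        return ALL_PRINCIPALS in self.denied_principals or principal in self.denied_principals

# Constructed sample policies for projects/my-project; the principal is hypothetical.
ALLOW_POLICY = {"user:alice@example.com": {"storage.buckets.delete", "storage.buckets.get",
                                           "storage.buckets.create", "compute.instances.delete"}}
DENY_POLICY = [DenyRule({"storage.googleapis.com/buckets.delete"}, {ALL_PRINCIPALS})]

def evaluate(principal, permission, allow=ALLOW_POLICY, deny=DENY_POLICY):
    """Return (access decision, deny matched). As in the flow above, the allow policy is
    consulted first, then the deny rules; a deny match wins regardless of the allow result."""
    allow_permits = permission in allow.get(principal, set())
    deny_match = any(rule.matches(principal, permission) for rule in deny)
    if deny_match:
        return "Denied", True
    return ("Allowed" if allow_permits else "Denied"), False

# The five requests from the process table, in order.
STEPS = ["storage.buckets.delete", "storage.buckets.get", "storage.buckets.create",
         "compute.instances.delete", "storage.buckets.delete"]

def run_steps(principal="user:alice@example.com", deny=DENY_POLICY):
    return [evaluate(principal, perm, deny=deny) for perm in STEPS]

if __name__ == "__main__":
    for step, (perm, (decision, matched)) in enumerate(zip(STEPS, run_steps()), 1):
        print(f"{step}: {perm:25} deny match={('Yes' if matched else 'No'):<3} -> {decision}")
```

Passing deny=[] to run_steps reproduces the "deny policy removed" case from the quiz: step 1 then comes back Allowed.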
Status Tracker

| Variable | Start | After 1 | After 2 | After 3 | After 4 | After 5 |
|----------|-------|---------|---------|---------|---------|---------|
| Permission Requested | - | storage.buckets.delete | storage.buckets.get | storage.buckets.create | compute.instances.delete | storage.buckets.delete |
| Deny Policy Match | - | Yes | No | No | No | Yes |
| Access Decision | - | Denied | Allowed | Allowed | Allowed | Denied |
Key Moments - 2 Insights
Why is access denied even if the allow policy permits the action?
Because deny policies take priority. As shown in step 1 of the execution_table, even when an allow policy grants the permission, a matching deny rule causes immediate denial.
What happens if no deny policy matches the requested permission?
Access is allowed if the allow policies permit it, as seen in steps 2, 3 and 4 of the execution_table.
Visual Quiz - 3 Questions
Test your understanding
1. Look at the execution_table at step 3. What is the access decision for creating a storage bucket?
A. Denied
B. Pending
C. Allowed
D. Unknown
💡 Hint: Check the 'Access Decision' column for step 3 in the execution_table.

2. At which step does the deny policy cause access to be denied?
A. Step 4
B. Step 1
C. Step 2
D. Step 3
💡 Hint: Look for 'Yes' in the 'Deny Policy Match' column of the execution_table.

3. If the deny policy is removed, what would happen at step 1?
A. Access would be allowed
B. Access would still be denied
C. Access decision would be unknown
D. Access would be delayed
💡 Hint: Refer to the variable_tracker and execution_table to see the deny policy's effect on access.
Concept Snapshot
IAM Deny Policies in GCP:
- Deny policies explicitly block permissions.
- Evaluated after allow policies.
- If deny matches, access is denied immediately.
- Useful for enforcing strict security rules.
- Deny policies override allow policies.
Full Transcript
When a user requests access to a resource, GCP first checks whether the allow policies permit the action. Then it checks deny policies. If any deny policy matches the requested permission, access is denied immediately, regardless of allow policies. For example, a deny policy blocking 'storage.buckets.delete' will prevent users from deleting storage buckets even if they have allow permissions. If no deny policy matches, access is granted only if an allow policy permits it. This ensures strict control over sensitive actions.