GCP_PARENT_ORGANIZATION

Summary

FSProtect ACL Alias: GCP_PARENT_ORGANIZATION
GCP Alias: Entity Relation (Structural)
Affected Object Types: Organizations, Folders, Projects
Exploitation Certainty: Certain

Description

GCP_PARENT_ORGANIZATION is a structural edge representing that a folder or project sits directly under a GCP Organization as its parent in the resource hierarchy. Inside an organization, every resource traces its lineage back to the organization node; this edge identifies the immediate parent-organization relationship for top-level folders and projects. Projects created outside any organization (for example under a consumer Google account) have no parent at all and therefore carry no GCP_PARENT_ORGANIZATION edge.

The GCP resource hierarchy roots at the organization node:

Organization  ←── GCP_PARENT_ORGANIZATION ─── Folder (top-level)
Organization  ←── GCP_PARENT_ORGANIZATION ─── Project (top-level, no folder)

This edge is distinct from GCP_IN_FOLDER (folder containment) because it specifically represents the organization as the direct parent, not a folder. Top-level folders and projects that sit directly under the org — without an intermediate folder — have a GCP_PARENT_ORGANIZATION edge rather than GCP_IN_FOLDER.

IAM bindings at the organization level are the most powerful in GCP — they cascade down through all folders and projects. GCP_PARENT_ORGANIZATION enables the graph to trace the full scope of org-level role bindings.

Identification

gcloud CLI

# Resolve the (first) organization the caller can see and keep only the numeric ID:
# `organizations list` returns "organizations/<id>", but --organization below
# expects the bare ID.
ORG_ID=$(gcloud organizations list --format="value(name)" | head -1 | cut -d/ -f2)

# List all top-level folders (direct children of the org; nested folders are not returned)
gcloud resource-manager folders list --organization=$ORG_ID \
  --format="table(name, displayName, createTime)"

# List all top-level projects (directly under the org, not in any folder).
# Only projects the caller has resourcemanager.projects.get on are returned.
gcloud projects list --filter="parent.type=organization AND parent.id=$ORG_ID" \
  --format="table(projectId, name, projectNumber)"

# Get organization-level IAM bindings (highest blast radius)
gcloud organizations get-iam-policy $ORG_ID --format=json | \
  jq '.bindings[] | {role: .role, members: .members}'

GCP Console

  1. Open GCP Console → IAM & Admin → Manage Resources.

  2. The root of the tree is the Organization node — all items directly beneath it (folders and projects without a containing folder) have a GCP_PARENT_ORGANIZATION edge.

  3. Org-level IAM bindings are set under IAM & Admin → IAM with the organization selected in the scope picker.

Exploitation

The organization is the root of the resource hierarchy and the top of IAM policy inheritance: allow policies are additive, so no folder- or project-level policy can revoke a grant made at org scope. GCP_PARENT_ORGANIZATION exposes how close top-level resources are to the org root, which determines their exposure to org-level IAM bindings:

  • Org-level role blast radius: Any role binding at org scope (via GCP_ROLE_SCOPED_TO → org) affects every resource connected through GCP_PARENT_ORGANIZATION and the full GCP_IN_FOLDER hierarchy beneath it.

  • Org admin paths: Roles like roles/resourcemanager.organizationAdmin and roles/iam.securityAdmin at org scope create GCP_CAN_SET_ORG_IAMPOLICY edges targeting the org node. Compromising any identity with these edges gives full control of the entire GCP organization.

  • Org policy scope: Org-level organization policy constraints (controlled via GCP_CAN_DISABLE_ORG_POLICY) apply to all resources connected through this hierarchy.

  • Hierarchy sprawl: Many top-level projects with GCP_PARENT_ORGANIZATION (rather than being organized in folders) indicate poor resource governance, making it harder to apply consistent folder-level controls and access policies.
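The following is an added example, not code from the original page or from FSProtect, illustrating both the Identification step above (deriving the edges from `gcloud` listings) and the blast-radius point in this section. It builds GCP_PARENT_ORGANIZATION and GCP_IN_FOLDER edges from constructed JSON shaped like `gcloud resource-manager folders list --format=json` and `gcloud projects list --format=json`, then shows how bindings at the organization (a hypothetical `organizations/123456789012`) cascade to every descendant while a folder-level binding stays scoped. The organization ID, folder and project names, policies and members are all invented.

```python
"""Derive GCP_PARENT_ORGANIZATION / GCP_IN_FOLDER edges from Resource Manager
listings and show how org-level IAM bindings cascade through them."""
import json
from collections import defaultdict

ORG = "organizations/123456789012"   # hypothetical organization ID

# Constructed sample shaped like `gcloud resource-manager folders list --format=json`
# (folder `parent` is a string) and `gcloud projects list --format=json`
# (project `parent` is {"type", "id"}); not real output.
FOLDERS = json.loads("""[
  {"name": "folders/111", "displayName": "prod",          "parent": "organizations/123456789012"},
  {"name": "folders/222", "displayName": "prod-payments", "parent": "folders/111"}
]""")
PROJECTS = json.loads("""[
  {"projectId": "legacy-sandbox", "parent": {"type": "organization", "id": "123456789012"}},
  {"projectId": "payments-api",   "parent": {"type": "folder", "id": "222"}},
  {"projectId": "personal-test"}
]""")
# Constructed IAM allow policies, keyed by the scope they are attached to.
POLICIES = {
    ORG: {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:breakglass@example.com"]},
        {"role": "roles/viewer", "members": ["group:all-staff@example.com"]},
    ]},
    "folders/111": {"bindings": [
        {"role": "roles/editor", "members": ["group:payments-devs@example.com"]},
    ]},
}


def build_edges(folders, projects):
    """Return (edges, orphans). Each edge is (child, edge_type, parent): a child
    whose parent is the organization gets GCP_PARENT_ORGANIZATION, a child inside
    a folder gets GCP_IN_FOLDER. Projects with no parent at all (standalone
    projects outside any org) are returned as orphans rather than edged."""
    edges, orphans = [], []
    for f in folders:
        kind = "GCP_PARENT_ORGANIZATION" if f["parent"].startswith("organizations/") else "GCP_IN_FOLDER"
        edges.append((f["name"], kind, f["parent"]))
    for p in projects:
        child, parent = "projects/" + p["projectId"], p.get("parent")
        if not parent:
            orphans.append(child)
        elif parent["type"] == "organization":
            edges.append((child, "GCP_PARENT_ORGANIZATION", "organizations/" + parent["id"]))
        else:
            edges.append((child, "GCP_IN_FOLDER", "folders/" + parent["id"]))
    return edges, orphans


def descendants(edges, root):
    """All resources below `root`, found by walking the parent edges downward."""
    children = defaultdict(list)
    for child, _, parent in edges:
        children[parent].append(child)
    seen, stack = set(), [root]
    while stack:
        for c in children[stack.pop()]:
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


def ancestry(edges, node):
    """The chain from `node` up to the organization, inclusive."""
    parent_of = {child: parent for child, _, parent in edges}
    chain = [node]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain


def effective_bindings(policies, edges, resource):
    """Roles each member holds on `resource` after inheritance: allow policies
    are additive, so the result is the union of the bindings on the resource
    and on every ancestor up to the organization."""
    grants = defaultdict(set)
    for scope in ancestry(edges, resource):
        for b in policies.get(scope, {}).get("bindings", []):
            for m in b["members"]:
                grants[m].add(b["role"])
    return {m: sorted(r) for m, r in sorted(grants.items())}


EDGES, ORPHANS = build_edges(FOLDERS, PROJECTS)

if __name__ == "__main__":
    for child, kind, parent in EDGES:
        print(f"{child:24} -{kind}-> {parent}")
    print("outside the org (no edge):", ORPHANS)
    print("org-level bindings reach:", sorted(descendants(EDGES, ORG)))
    for proj in ("projects/legacy-sandbox", "projects/payments-api"):
        print(proj, effective_bindings(POLICIES, EDGES, proj))
```

Running it shows `folders/111` and `projects/legacy-sandbox` getting GCP_PARENT_ORGANIZATION edges while `folders/222` and `projects/payments-api` get GCP_IN_FOLDER, that the org-level `organizationAdmin` and `viewer` grants reach all four resources, and that the folder-level `editor` grant reaches `payments-api` but not `legacy-sandbox`. The parentless `personal-test` project is reported separately because it is outside the organization entirely.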

Mitigation

  1. Minimize org-level IAM bindings — use folder- and project-level bindings wherever possible. Org-level bindings cascade to every resource in the organization.

  2. Organize projects into folders — projects sitting directly under the org without a containing folder are harder to govern with folder-level controls. Move top-level projects into appropriately scoped folders.

  3. Restrict org-level admin roles (roles/resourcemanager.organizationAdmin, roles/iam.securityAdmin, roles/owner) to break-glass accounts with just-in-time activation workflows.

  4. Review top-level resource sprawl — a large number of projects or folders directly under the org indicates poor governance and makes it harder to apply consistent security controls.

Detection

Log Type         Method                       Key Fields
Admin Activity   CreateProject, MoveProject   Project created, or moved, so that its parent is the organization
Admin Activity   CreateFolder, MoveFolder     Folder created, or moved, so that its parent is the organization
Admin Activity   SetIamPolicy                 Org-level IAM binding changes (resource.type = "organization", protoPayload.resourceName = "organizations/<id>")

Alert on:

  • New privileged role bindings added at org scope (SetIamPolicy on the organization resource whose binding delta adds roles such as roles/resourcemanager.organizationAdmin, roles/iam.securityAdmin or roles/owner).

  • Projects or folders created or moved to be direct children of the organization, i.e. a new GCP_PARENT_ORGANIZATION edge appearing outside a planned landing-zone change.
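As an added example (not part of the original page or of FSProtect), the two alert conditions above implemented over constructed Admin Activity log lines. The entries are shaped like Cloud Audit Log records (`protoPayload.methodName`, `protoPayload.serviceData.policyDelta.bindingDeltas`, `protoPayload.request`, `resource.type`), but the organization ID, principals, project and folder names are invented; the request field names checked in `requested_parent` are assumptions covering the v1 and v3 request shapes and should be verified against your own logs.

```python
"""Flag Admin Activity audit-log entries that change the org-level boundary this
edge describes: privileged org-scope IAM grants and resources placed directly
under the organization."""
import json

# Roles whose org-scope grant amounts to control of the whole organization.
PRIVILEGED_ORG_ROLES = {
    "roles/owner",
    "roles/resourcemanager.organizationAdmin",
    "roles/iam.securityAdmin",
}
TOP_LEVEL_METHODS = ("CreateProject", "MoveProject", "CreateFolder", "MoveFolder")

# Constructed sample log lines (not real records), one JSON document per line.
SAMPLE_LOG_LINES = [
    # 1. organizationAdmin granted at org scope -> alert
    '{"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "organizations/123456789012", '
    '"authenticationInfo": {"principalEmail": "alice@example.com"}, '
    '"serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", '
    '"role": "roles/resourcemanager.organizationAdmin", "member": "user:mallory@example.com"}]}}}, '
    '"resource": {"type": "organization", "labels": {"organization_id": "123456789012"}}}',
    # 2. owner granted on a single project -> not org scope, no alert
    '{"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/payments-api", '
    '"authenticationInfo": {"principalEmail": "alice@example.com"}, '
    '"serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", '
    '"role": "roles/owner", "member": "user:bob@example.com"}]}}}, '
    '"resource": {"type": "project", "labels": {"project_id": "payments-api"}}}',
    # 3. project created directly under the org (v1 request shape) -> alert
    '{"protoPayload": {"methodName": "CreateProject", '
    '"authenticationInfo": {"principalEmail": "bob@example.com"}, '
    '"request": {"project": {"projectId": "new-sandbox", "parent": {"type": "organization", "id": "123456789012"}}}}, '
    '"resource": {"type": "project", "labels": {"project_id": "new-sandbox"}}}',
    # 4. project moved into a folder (v3 request shape) -> no alert
    '{"protoPayload": {"methodName": "google.cloudresourcemanager.v3.Projects.MoveProject", '
    '"authenticationInfo": {"principalEmail": "bob@example.com"}, '
    '"request": {"name": "projects/legacy-sandbox", "destinationParent": "folders/111"}}, '
    '"resource": {"type": "project", "labels": {"project_id": "legacy-sandbox"}}}',
    # 5. folder created at the top level -> alert
    '{"protoPayload": {"methodName": "google.cloudresourcemanager.v3.Folders.CreateFolder", '
    '"authenticationInfo": {"principalEmail": "carol@example.com"}, '
    '"request": {"folder": {"displayName": "shadow-it", "parent": "organizations/123456789012"}}}, '
    '"resource": {"type": "folder", "labels": {"folder_id": "333"}}}',
]


def requested_parent(request):
    """Normalise the parent named in a Resource Manager request to an
    'organizations/<id>' or 'folders/<id>' string. The candidate fields are
    assumptions covering the v1 ({"type","id"} object) and v3 (string) shapes."""
    parent = (request.get("destinationParent")
              or request.get("project", {}).get("parent")
              or request.get("folder", {}).get("parent")
              or request.get("parent"))
    if isinstance(parent, dict):          # v1: {"type": "organization", "id": "123"}
        return f"{parent['type']}s/{parent['id']}"
    return parent or ""


def detect(entries):
    """Return one finding per matching condition across the given log entries."""
    findings = []
    for e in entries:
        pp = e.get("protoPayload", {})
        method = pp.get("methodName", "")
        actor = pp.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        at_org = (e.get("resource", {}).get("type") == "organization"
                  or pp.get("resourceName", "").startswith("organizations/"))

        if method.endswith("SetIamPolicy") and at_org:
            deltas = pp.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for d in deltas:
                if d.get("action") == "ADD" and d.get("role") in PRIVILEGED_ORG_ROLES:
                    findings.append({"rule": "org_privileged_binding_added", "actor": actor,
                                     "detail": f"{d['member']} granted {d['role']} on {pp.get('resourceName')}"})
        elif method.endswith(TOP_LEVEL_METHODS):
            parent = requested_parent(pp.get("request", {}))
            if parent.startswith("organizations/"):
                findings.append({"rule": "top_level_resource_placed", "actor": actor,
                                 "detail": f"{method} with parent {parent}"})
    return findings


ENTRIES = [json.loads(line) for line in SAMPLE_LOG_LINES]
FINDINGS = detect(ENTRIES)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"[{f['rule']}] by {f['actor']}: {f['detail']}")
```

Against the five constructed entries this yields three findings: the org-scope `organizationAdmin` grant, the project created with the organization as parent, and the top-level folder creation. The project-level owner grant and the move into `folders/111` are correctly ignored, since neither touches the organization boundary.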

References

  • https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#organizations

  • https://cloud.google.com/iam/docs/overview#cloud-iam-policy

  • https://cloud.google.com/resource-manager/docs/organization-policy/overview
