
# GWS\_IN\_GROUP

## Summary

|                            |                                 |
| -------------------------- | ------------------------------- |
| **FSProtect ACL Alias**    | GWS\_IN\_GROUP                  |
| **GCP Alias**              | Entity Relation (Structural)    |
| **Affected Object Types**  | Users, Service Accounts, Groups |
| **Exploitation Certainty** | Certain                         |

## Description

`GWS_IN_GROUP` is a structural edge recording that a principal (a user, a service account, or another group) is a **member of a Google Group**. In GCP IAM, groups are the usual way to grant a role to many identities at once: instead of binding the role to each user, the role is bound to the group, and every member, including members of nested groups, inherits the permissions that binding confers.

**Key properties:**

* A single identity can be a member of multiple groups.
* Group membership is managed in **Google Workspace** (or Cloud Identity), not in GCP IAM. The IAM console shows a group as a principal but does not expand its members, so the identities that actually hold a group-bound role are not visible there.
* Groups can be nested: a group can be a member of another group, creating transitive membership chains.
* External identities (consumer Gmail accounts, users from other domains, federated identities) can be added to a group when its settings allow external members; once added they inherit the group's IAM roles like any internal member.

## Identification

### GCP Console

1. In **GCP Console** → **IAM & Admin** → **IAM**, note every principal shown as `Group` in the `Type` column; these are the groups that carry IAM bindings.
2. Open **Google Admin Console** (`admin.google.com`) → **Directory** → **Groups**.
3. Search for each group identified in step 1.
4. Review its members, including nested groups: every direct or transitive member inherits all GCP IAM roles bound to the group.

### gcloud CLI

```bash
# List the direct members of one group and each member's role within the
# group (OWNER, MANAGER or MEMBER). A nested group appears as a single
# member entry; repeat the command for it to see its own members.
GROUP_EMAIL="engineering-team@example.com"
gcloud identity groups memberships list \
  --group-email="$GROUP_EMAIL" \
  --format="table(preferredMemberKey.id, roles[0].name)"
```
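
Listing members one group at a time does not show who ultimately holds a role once groups are nested, which is the transitive chain described under key properties. The script below is an added example for this page, not FSProtect or Google tooling: it post-processes two constructed inputs shaped like the JSON output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud identity groups memberships list --group-email=GROUP --format=json`, resolves nested membership, reports which concrete identities end up with which roles, flags external members, and lists who can add members to a bound group. The group names, users and the `example.com` domain are invented.

```python
"""Resolve transitive Google Group membership into effective GCP IAM roles.

Added example for this page; it is not FSProtect or Google tooling. It
post-processes two constructed inputs shaped like the JSON output of
  gcloud projects get-iam-policy PROJECT_ID --format=json
  gcloud identity groups memberships list --group-email=GROUP --format=json
Group names, users and the example.com domain are invented for illustration.
"""
from collections import defaultdict

WORKSPACE_DOMAIN = "example.com"  # assumed primary domain of the tenant

# Constructed IAM policy: most roles are bound to groups rather than users.
IAM_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["group:gcp-admins@example.com"]},
        {"role": "roles/viewer", "members": ["group:engineering-team@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
    ]
}

# Constructed membership listings keyed by group address. sre@ is itself a
# member of two groups, so its members inherit roles through a nested chain.
MEMBERSHIPS = {
    "gcp-admins@example.com": [
        {"preferredMemberKey": {"id": "alice@example.com"}, "roles": [{"name": "OWNER"}]},
        {"preferredMemberKey": {"id": "sre@example.com"}, "roles": [{"name": "MEMBER"}]},
    ],
    "sre@example.com": [
        {"preferredMemberKey": {"id": "bob@example.com"}, "roles": [{"name": "MANAGER"}]},
        {"preferredMemberKey": {"id": "deploy@proj.iam.gserviceaccount.com"}, "roles": [{"name": "MEMBER"}]},
    ],
    "engineering-team@example.com": [
        {"preferredMemberKey": {"id": "sre@example.com"}, "roles": [{"name": "MEMBER"}]},
        {"preferredMemberKey": {"id": "contractor@gmail.com"}, "roles": [{"name": "MEMBER"}]},
    ],
}


def nested_groups(group, memberships, seen=None):
    """Return `group` plus every group nested under it, guarding against cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return seen
    seen.add(group)
    for m in memberships.get(group, []):
        member = m["preferredMemberKey"]["id"]
        if member in memberships:  # a member that has its own listing is a group
            nested_groups(member, memberships, seen)
    return seen


def expand_group(group, memberships):
    """Return every non-group identity that is a direct or transitive member."""
    identities = set()
    for g in nested_groups(group, memberships):
        for m in memberships.get(g, []):
            member = m["preferredMemberKey"]["id"]
            if member not in memberships:
                identities.add(member)
    return identities


def effective_roles(policy, memberships):
    """Map each concrete identity to the IAM roles it holds directly or via groups."""
    roles = defaultdict(set)
    for binding in policy["bindings"]:
        for principal in binding["members"]:
            kind, _, email = principal.partition(":")
            if kind == "group":
                targets = expand_group(email, memberships)
            elif kind in ("user", "serviceAccount"):
                targets = {email}
            else:
                continue  # allUsers, domain:, deleted: principals are out of scope here
            for identity in targets:
                roles[identity].add(binding["role"])
    return {k: sorted(v) for k, v in roles.items()}


def is_external(identity, domain):
    """True for identities outside the tenant that are not GCP service accounts."""
    idomain = identity.rsplit("@", 1)[-1]
    return idomain != domain and not idomain.endswith("gserviceaccount.com")


def external_with_roles(policy, memberships, domain):
    """External identities that hold IAM roles, directly or through a group."""
    return {i: r for i, r in effective_roles(policy, memberships).items() if is_external(i, domain)}


def membership_managers(policy, memberships):
    """Identities that are OWNER or MANAGER of a bound group or a group nested in one.

    They can add arbitrary members, so they control who receives the group's roles.
    """
    bound = {p.split(":", 1)[1] for b in policy["bindings"] for p in b["members"] if p.startswith("group:")}
    managers = defaultdict(set)
    for g in set().union(*(nested_groups(b, memberships) for b in bound)):
        for m in memberships.get(g, []):
            if {r["name"] for r in m["roles"]} & {"OWNER", "MANAGER"}:
                managers[m["preferredMemberKey"]["id"]].add(g)
    return {k: sorted(v) for k, v in managers.items()}


if __name__ == "__main__":
    for identity, roles in sorted(effective_roles(IAM_POLICY, MEMBERSHIPS).items()):
        print(f"{identity:45} {', '.join(roles)}")
    print("external:", external_with_roles(IAM_POLICY, MEMBERSHIPS, WORKSPACE_DOMAIN))
    print("can add members:", membership_managers(IAM_POLICY, MEMBERSHIPS))
```

In the constructed data `bob@example.com` and the deploy service account are never named in the IAM policy, yet they hold `roles/owner` because `sre@` is nested in `gcp-admins@`; `bob@` is also a MANAGER of `sre@`, so he can hand that owner role to anyone by adding them to his group. To run this against a real project, replace the two constants with the parsed output of the `gcloud` commands named in the docstring, fetching a listing for every group that appears as a member.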

## Exploitation

There is no direct exploit path for this edge. `GWS_IN_GROUP` records that an identity is a member of a group; it is a relationship, not a permission. What the member can actually do depends on which IAM roles are bound to that group and to any group it is nested in, and those bindings are where the privilege (and the exploit path, if any) lives.

## Mitigation

No mitigation applies to the edge itself, since it only records a membership relationship. Organizations should, however, regularly audit the membership of groups that carry GCP IAM roles so that only authorized identities (including members of nested groups) belong to them, limit who holds the OWNER and MANAGER roles on such groups because those roles can add new members, and disallow external members on groups bound to sensitive roles.

## Detection

Detect group membership changes in the Workspace audit logs. Adding a user to a group does not change the IAM policy and therefore produces no `SetIamPolicy` entry in Cloud Audit Logs, so detection has to run on the Workspace side.

1. Open **Google Admin Console** (`admin.google.com`) → **Reporting** → **Audit and investigation** → **Groups Enterprise log events**.
2. Filter for membership events (member added, member removed, member role changed) on the groups that carry GCP IAM bindings.

Alert on:

* Addition of an external member to a group that holds GCP IAM roles.
* Any membership change on a group with IAM bindings, including changes to a group nested inside one.
* Promotion of a member to OWNER or MANAGER of such a group, since those roles can add further members.
* Membership additions outside business hours or by an actor other than the expected administrator accounts.
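
The alert conditions above as runnable detection logic over constructed events. This is an added example, not FSProtect code or a Google-provided rule. The records are built to resemble Admin SDK Reports API activities for the `groups_enterprise` application, which is the data behind the Admin Console's Groups Enterprise log events; the field names used (`id.time`, `actor.email`, `events[].name`, and the `group_id`, `member_id`, `member_role` parameters) are an assumption about that shape and should be checked against a real export before the rule is deployed. The set of IAM-bound groups, the administrator allowlist, the domain and the business-hours window are invented.

```python
"""Alert on risky Google Group membership changes.

Added example for this page, not FSProtect or Google code. The records are
constructed to resemble Admin SDK Reports API `groups_enterprise` activities;
the field names are assumed from that shape and must be verified against a
real export. Groups, actors, domain and business hours are invented.
"""
from datetime import datetime

WORKSPACE_DOMAIN = "example.com"
# Groups that carry GCP IAM bindings (in practice taken from get-iam-policy).
IAM_BOUND_GROUPS = {"gcp-admins@example.com", "engineering-team@example.com"}
# Administrator accounts expected to manage membership of those groups.
EXPECTED_ADMINS = {"gws-admin@example.com"}
BUSINESS_HOURS_UTC = range(8, 18)  # 08:00 to 17:59 UTC
MEMBERSHIP_EVENTS = {"add_member", "remove_member", "update_member_role"}


def activity(time, actor, name, **params):
    """Build one constructed activity record in the assumed Reports API shape."""
    return {
        "id": {"time": time, "applicationName": "groups_enterprise"},
        "actor": {"email": actor},
        "events": [{"type": "moderator_action", "name": name,
                    "parameters": [{"name": k, "value": v} for k, v in params.items()]}],
    }


# Constructed sample: one routine change, one hostile-looking change, one change
# on an unbound group, one role promotion, and one non-membership event.
EVENTS = [
    activity("2024-05-06T10:15:00.000Z", "gws-admin@example.com", "add_member",
             group_id="engineering-team@example.com", member_id="carol@example.com", member_role="MEMBER"),
    activity("2024-05-06T02:40:00.000Z", "alice@example.com", "add_member",
             group_id="gcp-admins@example.com", member_id="contractor@gmail.com", member_role="MEMBER"),
    activity("2024-05-06T11:00:00.000Z", "gws-admin@example.com", "add_member",
             group_id="marketing@example.com", member_id="dave@gmail.com", member_role="MEMBER"),
    activity("2024-05-06T14:00:00.000Z", "gws-admin@example.com", "update_member_role",
             group_id="engineering-team@example.com", member_id="bob@example.com", member_role="MANAGER"),
    activity("2024-05-06T15:00:00.000Z", "gws-admin@example.com", "create_group",
             group_id="new-project@example.com"),
]


def is_external(email, domain):
    """True for addresses outside the tenant that are not GCP service accounts."""
    d = email.rsplit("@", 1)[-1]
    return d != domain and not d.endswith("gserviceaccount.com")


def evaluate(record, bound_groups=IAM_BOUND_GROUPS, admins=EXPECTED_ADMINS, domain=WORKSPACE_DOMAIN):
    """Return alert codes for one activity record; an empty list means no alert."""
    when = datetime.fromisoformat(record["id"]["time"].replace("Z", "+00:00"))
    actor = record["actor"].get("email", "")
    codes = []
    for ev in record["events"]:
        if ev["name"] not in MEMBERSHIP_EVENTS:
            continue
        p = {x["name"]: x.get("value") for x in ev.get("parameters", [])}
        if p.get("group_id") not in bound_groups:
            continue  # membership change on a group without IAM roles: out of scope here
        codes.append("iam_group_change")
        if ev["name"] == "add_member" and is_external(p.get("member_id", ""), domain):
            codes.append("external_member")
        if ev["name"] in ("add_member", "update_member_role") and p.get("member_role") in ("OWNER", "MANAGER"):
            codes.append("role_promotion")
        if ev["name"] == "add_member" and when.hour not in BUSINESS_HOURS_UTC:
            codes.append("off_hours")
        if actor not in admins:
            codes.append("unexpected_actor")
    return codes


def scan(records):
    """Return (time, actor, codes) for every record that raises at least one alert."""
    alerts = []
    for r in records:
        codes = evaluate(r)
        if codes:
            alerts.append((r["id"]["time"], r["actor"]["email"], codes))
    return alerts


if __name__ == "__main__":
    for when, actor, codes in scan(EVENTS):
        print(when, actor, ", ".join(codes))
```

The second constructed record trips every condition at once: a group OWNER rather than the Workspace administrator adds a Gmail address to the owner-bound group at 02:40 UTC. The fourth record shows why role changes belong in the rule as well: promoting `bob@` to MANAGER lets him add members to a group that carries IAM roles, which is the same effect as granting him those roles plus the ability to delegate them.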

## References

* <https://cloud.google.com/iam/docs/groups-in-cloud-console>

