Your GCP identity perimeter, snapshotted.

Enterprise-grade, automated backup & recovery for Google Cloud IAM — IAM policies, service accounts, custom roles and organization policies. Protect against misconfiguration and accidental deletion at the project level.

IAM policiesService accountsCustom rolesOrg policiesEU-hosted

Why CYBBACK

One setIamPolicy away from disaster

Project-level snapshots

Capture the full identity surface of a GCP project in seconds. Multi-project support included.

Drift & integrity checks

Automatic comparison between consecutive backups. Get alerted on suspicious permission changes or role drift.

Granular restore

Restore a single role binding, a deleted service account, or roll back the entire project IAM state.

AES-256-GCM encryption

Service account credentials and backup files encrypted at rest. Master key in Google Secret Manager (EU).

Bring Your Own Bucket

Store backups on your S3-compatible storage. Your data, your provider, your region.

Native exports

Download backups as ZIP archives — JSON-formatted IAM bindings, role definitions and service account metadata.

What gets backed up

Your project IAM in 4 layers

IAM policiesAll bindings: principal → role on the project

Service accountsEmail, displayName, description, disabled state

Custom rolesRole definitions with included permissions

Org policiesConstraints applied at the project level

Conditions & expressionsCEL conditions on bindings

Project metadataName, ID, billing account, labels

Workload IdentityFederation pools and providers metadata

Audit configsPer-service Cloud Audit Logs settings

Technical specifications

Built on Cloud IAM API

Authentication	Google service account JSON key with project-level read/write IAM permissions — encrypted in CYBBACK vault
APIs used	Cloud IAM API · Cloud Resource Manager API · Service Usage API · Org Policy API
Required IAM roles	Backup: roles/iam.securityReviewer. Restore: roles/iam.securityAdmin + roles/serviceusage.serviceUsageAdmin
Backup mode	Full snapshot per run. IAM state is small — full backups are fast and trivially comparable
Frequency	Manual, daily, weekly, or custom cron expression
Storage backend	Default: CYBBACK secure storage (EU). Optional: BYOB — any S3-compatible provider
Encryption at rest	AES-256-GCM, optional per-user toggle. Manifest excluded from encryption
Restore granularity	Resource type · individual binding · individual service account · individual role
Restore options	Dry-run · merge · overwrite · per-resource selection
Native exports	JSON archives in ZIP — IAM bindings, role definitions, SA metadata
Drift detection	3 severity levels (info / warning / critical). Custom thresholds for binding count, SA count, role permission changes
Notifications	In-app · email · Slack · webhooks
Hosting region	Google Cloud — europe-west1 (Belgium)

Trust & compliance

Security you can prove

GDPR-alignedEU residency, DPA on request

AES-256-GCMIndustry-standard encryption

Audit logsEvery action is traceable

EU hostingBelgium (europe-west1)

Start your free trial

Connect a GCP project in under 5 minutes and snapshot its full IAM state today.

Start free trial