Tags: google-cloud-platform, audit, google-iam

GCP IAM - Discover what Resources users are accessing


My current situation is that users have been given default roles with excessive permissions. I would like to reduce the roles to allow access to only those Resources that the user has actually accessed in the past 3 months. At this time it's enough for me to know what Resource they accessed and not necessarily what they did when using the Resource.

How can this be done? (preferably via the gcloud CLI)

In AWS I was able to do this with CloudTrail -> Event History.


Solution

  • You can get a log of resources accessed by users using Data Access audit logs. Data Access audit logs (except for BigQuery Data Access audit logs) are disabled by default because audit logs can be quite large; you must explicitly enable them.

    Policy Analyzer lets you find out which principals (for example, users, service accounts, groups, and domains) have what access to which Google Cloud resources based on your IAM allow policies. To use Policy Analyzer, you create an analysis query, specify a scope for the analysis, and then run the query.

    You can use a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain. This constraint allows you to restrict the set of identities that are allowed to be used in Identity and Access Management policies.

    Do note that the domain restriction constraint is not retroactive. Once a domain restriction is set, this limitation will apply to IAM policy changes made from that point forward, and not to any previous changes.
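An added example (not part of the answer above) of the Data Access audit log approach done from the gcloud CLI: build the log filter, read principal and resource from each entry, and collapse the result into one line per principal. The project id, the 90-day window and the sample log lines are assumptions; the only call that touches GCP is the one in `read_access_pairs`.

```bash
#!/usr/bin/env bash
# Added example, not the original answer's code: which resources did each
# principal touch, according to Data Access audit logs read via gcloud.
# Assumes Data Access audit logs are enabled on the project and the caller
# holds roles/logging.privateLogViewer (Data Access logs are private logs).
set -eu

# Cloud Logging filter for Data Access audit entries at or after $1 (RFC 3339).
# "%2F" is the URL-encoded "/" inside the data_access log id.
data_access_filter() {
  printf 'logName:"cloudaudit.googleapis.com%%2Fdata_access" AND timestamp>="%s"' "$1"
}

# Emit "principal<TAB>resourceName" per audit entry for project $1 since $2.
# gcloud defaults to a 1-day window, so widen it to ~3 months explicitly.
read_access_pairs() {
  project="$1"; since="$2"
  gcloud logging read "$(data_access_filter "$since")" --project="$project" \
    --freshness=90d --limit=100000 \
    --format='value(protoPayload.authenticationInfo.principalEmail,protoPayload.resourceName)'
}

# Collapse "principal<TAB>resource" lines on stdin into one line per principal
# carrying the sorted, de-duplicated list of resources it accessed.
summarize_access() {
  sort -u | awk 'BEGIN { FS = OFS = "\t" }
    $1 != "" && $2 != "" {
      acc[$1] = (seen[$1]++ ? acc[$1] "," : "") $2
    }
    END { for (p in acc) print p, acc[p] }' | sort
}

# Constructed sample shaped like read_access_pairs output: one line per API
# call, so repeats are normal, and an entry with no resourceName is dropped.
sample_pairs() {
  printf 'alice@example.com\tprojects/demo/buckets/b1\n'
  printf 'bob@example.com\tprojects/demo/instances/vm1\n'
  printf 'alice@example.com\tprojects/demo/buckets/b1\n'
  printf 'alice@example.com\tprojects/demo/buckets/a0\n'
  printf 'svc@demo.iam.gserviceaccount.com\t\n'
}

# Against a real project (assumed id "my-project"):
#   read_access_pairs my-project 2024-01-01T00:00:00Z | summarize_access
# Offline demo on the constructed sample:
sample_pairs | summarize_access
```

The per-principal resource list is the input for trimming roles; note that some Data Access entries carry a redacted `principalEmail`, which this script silently drops.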