- remove admin access from the IAM and place only required permissions. - restrict public access from the API
