Ensure that Corporate Login Credentials are Used

Organizations do not have any control over personal Gmail accounts. It is therefore recommended that you use fully managed corporate Google accounts, which give increased visibility, auditing, and control over access to Cloud Platform resources.

Risk Level: High
Cloud Entity: GCP IAM Policy
CloudGuard Rule ID: D9.GCP.IAM.02
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamPolicy should not have bindings contain-any [ members contain-any ['%@gmail.com']]

REMEDIATION

From Portal

  1. Go to IAM & admin/IAM using https://console.cloud.google.com/iam-admin/iam
  2. Go to the Principals tab.
  3. Identify the personal account, select it and click Remove.

From Command Line

  1. Get the policy that you want to modify, and write it to a file:
     gcloud projects get-iam-policy PROJECT_ID > PATH_TO_NEWLY_CREATED_FILE
  2. In the created file, detect the personal (gmail) account and delete it.
  3. Set the new IAM policy of the project:
     gcloud projects set-iam-policy PROJECT_ID PATH_TO_EDITED_FILE
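The manual edit in step 2 is error-prone on a large policy. The following added example (not CloudGuard's own code) performs the same detection as the GSL logic above on a policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`, and writes back an edited copy for `set-iam-policy`; the script name and sample policy are constructed.

```python
"""Detect and strip personal Gmail principals from a GCP project IAM policy."""
import copy
import json
import sys

PERSONAL_SUFFIX = "@gmail.com"  # mirrors the GSL pattern '%@gmail.com'

def is_personal(member: str) -> bool:
    """True for principals such as 'user:alice@gmail.com' (case-insensitive)."""
    return member.lower().endswith(PERSONAL_SUFFIX)

def find_personal_members(policy: dict) -> list:
    """Return (role, member) pairs that violate the rule; empty means compliant."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if is_personal(m)]

def strip_personal_members(policy: dict) -> dict:
    """Copy of the policy without Gmail principals. Bindings left with no
    members are dropped rather than written back empty; the etag is kept so
    set-iam-policy fails safely if the policy changed since it was read."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if not is_personal(m)]
        if binding["members"]:
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned

# Constructed sample policy, in the shape `gcloud ... --format=json` prints.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com", "user:Alice.Personal@gmail.com"]},
        {"role": "roles/viewer", "members": ["user:bob@gmail.com"]},
        {"role": "roles/editor", "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXYZ-constructed=",
    "version": 1,
}

if __name__ == "__main__":  # python strip_gmail.py policy.json policy.edited.json
    policy = json.load(open(sys.argv[1]))
    for role, member in find_personal_members(policy):
        print(f"removing {member} from {role}")
    json.dump(strip_personal_members(policy), open(sys.argv[2], "w"), indent=2)
```

Review the printed removals before running `set-iam-policy`, since a binding whose only member was a Gmail account (roles/viewer in the sample) disappears entirely.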

References

  1. https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
  2. https://cloud.google.com/sdk/gcloud/reference/projects/set-iam-policy
  3. https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#manage-identities

GCP IAM Policy

You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CSA CCM v.3.0.1
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP CloudGuard SOC2 based on AICPA TSC 2017
  • GCP GDPR Readiness
  • GCP HIPAA
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0