Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts

Set up multi-factor authentication for every Google Cloud Platform user account. Multi-factor authentication requires more than one mechanism to authenticate a user, so a password alone is not enough to sign in. This protects logins against attackers who have obtained stolen, reused, or weak credentials. Service accounts are out of scope: they authenticate with keys or attached identities rather than passwords, so the check applies to user (human) principals only.

Risk Level: High
Cloud Entity: GCP IAM User
CloudGuard Rule ID: D9.GCP.IAM.03
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamUser should have userData.isEnforcedIn2Sv=true

REMEDIATION

From Portal

  1. Go to the Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.
  2. Choose the PERMISSIONS tab, then select View by PRINCIPALS.
  3. Copy the email address of the user account that you want to examine.
  4. Go to the Google Account console at https://myaccount.google.com and sign in as the user whose email address you copied in the previous step, so that you are viewing that user's own account settings.
  5. In the navigation bar, select Security.
  6. On the Security page, in the Signing in to Google section, check the status of 2-Step Verification. If it is Off, turn it On.
  7. Repeat steps 3 - 6 for each user account created for the selected GCP project.

Turning 2-Step Verification on from the Google Account page only enrolls that one user, and the user can turn it off again later. The check looks at isEnforcedIn2Sv, which reflects enforcement by the organization: to make the setting mandatory, enforce 2-Step Verification for the relevant organizational unit from the Google Workspace or Cloud Identity Admin console (see references 2 and 3).

Note: if the rule fails because the IAMUser userData is null, one of the following applies:

  1. Your Google Workspace (G Suite) account is not connected to CloudGuard, so no directory data is available for the user.
    Connect it through the CloudGuard console -> Assets -> Environments -> <Your GCP Project> -> Add GSuite.
  2. The IAMUser is not part of your organization. Granting project roles to accounts outside the organization is not recommended, and such principals should normally be removed from your GCP project.
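The following script reproduces the GSL check offline, including the null userData case described in the note above. It is an added example and not CloudGuard's own implementation. It assumes two inputs: a project IAM policy in the JSON shape printed by gcloud projects get-iam-policy --format=json, and Workspace directory data in the shape returned by the Admin SDK Directory API users.list call, whose User resource carries the read-only booleans isEnforcedIn2Sv and isEnrolledIn2Sv. Both documents embedded here are constructed samples; the email addresses and project name are placeholders.

```python
"""Offline version of 'GcpIamUser should have userData.isEnforcedIn2Sv=true'.

Added example, not CloudGuard code. Collect the user principals from a project
IAM policy, look each one up in Workspace directory data, and require
isEnforcedIn2Sv to be true. Service accounts are skipped, and a user with no
directory record is reported as the 'userData is null' case from the rule note.
"""
import json

# Constructed sample in the shape of:
#   gcloud projects get-iam-policy my-project --format=json
# (placeholder project and addresses, not real principals)
SAMPLE_IAM_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:contractor@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com",
                 "serviceAccount:deploy@my-project.iam.gserviceaccount.com",
                 "group:auditors@example.com"]}
  ]
}
""")

# Constructed sample in the shape of an Admin SDK Directory API users.list
# response, trimmed to the fields this check needs. isEnforcedIn2Sv and
# isEnrolledIn2Sv are real read-only fields of the Directory API User resource.
SAMPLE_DIRECTORY = json.loads("""
{
  "users": [
    {"primaryEmail": "alice@example.com",
     "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true},
    {"primaryEmail": "bob@example.com",
     "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false}
  ]
}
""")


def user_principals(policy):
    """Return the distinct 'user:' members of an IAM policy, lower-cased.

    serviceAccount: members are out of scope for this rule (no password, no
    2SV), and group: members would need separate expansion, so both are
    skipped. Any other prefix (for example deleted:) is skipped as well.
    """
    found = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, identity = member.partition(":")
            if kind == "user" and identity:
                found.add(identity.lower())
    return sorted(found)


def evaluate(policy, directory):
    """Map each user principal to 'pass' or a failure reason.

    A principal with no directory record is the 'userData is null' case:
    either Workspace is not connected, or the account is outside the
    organization. Both are reported as failures rather than silently passed.
    """
    by_email = {u["primaryEmail"].lower(): u for u in directory.get("users", [])}
    results = {}
    for email in user_principals(policy):
        record = by_email.get(email)
        if record is None:
            results[email] = "fail: no directory record (external or unmanaged account)"
        elif record.get("isEnforcedIn2Sv") is True:
            results[email] = "pass"
        elif record.get("isEnrolledIn2Sv") is True:
            # The user turned 2SV on themselves but could turn it off again;
            # the rule requires enforcement, which only an admin can set.
            results[email] = "fail: enrolled in 2SV but not enforced"
        else:
            results[email] = "fail: 2SV not enforced"
    return results


if __name__ == "__main__":
    for email, verdict in evaluate(SAMPLE_IAM_POLICY, SAMPLE_DIRECTORY).items():
        print(f"{email:28} {verdict}")
```

Run against real data, user_principals would take the output of gcloud projects get-iam-policy and evaluate would take the users.list response fetched with a Workspace admin credential; the distinction between enrolled and enforced is deliberate, because a self-enrolled user does not satisfy isEnforcedIn2Sv.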

References

  1. Guide for users to enable MFA: https://support.google.com/accounts/answer/185839
  2. https://cloud.google.com/identity/solutions/enforce-mfa
  3. https://support.google.com/a/answer/9176657

GCP IAM User

In this rule, a GCP IAM User is a user principal, that is, a Google Account (typically a Google Workspace or Cloud Identity user) that has been granted an IAM role on the project and uses it to interact with GCP. Service accounts, which represent workloads rather than people, are out of scope for this rule.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP Dashboard System Ruleset
  • GCP HIPAA
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0