Risk Level: High
Cloud Entity: GCP IAM User
CloudGuard Rule ID: D9.GCP.IAM.20
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

GcpIamUser where userData.suspended=true should have userData.lastLoginTime after(-6,'months')

REMEDIATION

From Portal

Go to Admin console : https://admin.google.com
From the Admin console Home page, go to Users.
In the Users list, find the user.
Point to the user you want to delete and click Moreand thenDelete user
Depending on your privileges as an admin, choose an option:

Delegated admins : To confirm that you understand the impact of deleting the account, check the boxes.
or
Super admins: To transfer ownership of user content:
If you don't want to transfer the user's data, next to Data in other apps, select Don't transfer data.
If you do want to transfer the user's data:
a. Next to Data in other apps, select Transfer.
b. In the Search for a user field, enter the name or email address of the user to whom you want to transfer the files deleted users files.
c. Under Select data to transfer, check the boxes next to each option you want.

Click Delete User.

References

https://support.google.com/a/answer/33314

GCP IAM User

An IAM user is an entity that you create in GCP to represent the person or service that uses it to interact with GCP.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CloudGuard Best Practices
GCP GDPR Readiness
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5
GCP PCI-DSS 4.0