Suspended user account unused for more than 6 months
Delete suspended user accounts that have not signed in for 6 months or more. A suspended account still exists: it can be restored, and its credentials, group memberships and IAM role bindings stay in place until it is deleted. Removing accounts that are no longer needed shortens the window in which the credentials of a compromised or abandoned account can be used.
Risk Level: High
Cloud Entity: GCP IAM User
CloudGuard Rule ID: D9.GCP.IAM.20
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
GcpIamUser where userData.suspended=true should have userData.lastLoginTime after(-6,'months')
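The GSL line above flags every suspended user whose last sign-in is not within the last 6 months. The following Python script is an added example (not CloudGuard's code) that applies the same logic to user records in the shape returned by the Google Admin SDK Directory API `users.list` method (`primaryEmail`, `suspended`, `lastLoginTime`). It assumes the Directory API convention that an account which has never signed in carries the sentinel `lastLoginTime` of `1970-01-01T00:00:00.000Z`, and it treats a missing `lastLoginTime` the same way. "6 months" is implemented as calendar-month arithmetic, which is an assumption about how GSL's `after(-6,'months')` is evaluated. The sample records and the fixed "now" are constructed for this example.

```python
"""Added example: replay CloudGuard rule D9.GCP.IAM.20 over Directory API user records.

Not CloudGuard's own code. Assumes Directory API field names (primaryEmail,
suspended, lastLoginTime) and the 1970-01-01 "never signed in" sentinel.
"""
import calendar
from datetime import datetime, timezone

NEVER_LOGGED_IN = "1970-01-01T00:00:00.000Z"  # Directory API sentinel for "never signed in"


def parse_rfc3339(ts):
    # Directory API timestamps look like 2023-01-15T09:30:00.000Z (UTC, millisecond precision)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def shift_months(dt, months):
    # Calendar-month arithmetic without dateutil; the day is clamped to the target month's length
    total = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def stale_suspended_users(users, now=None, months=6):
    """Return (email, reason) for every suspended user that fails the rule.

    Mirrors: GcpIamUser where userData.suspended=true
             should have userData.lastLoginTime after(-months,'months')
    """
    now = now or datetime.now(timezone.utc)
    cutoff = shift_months(now, -months)
    findings = []
    for user in users:
        if not user.get("suspended"):
            continue  # the rule scopes to suspended accounts only; active users are out of scope
        ts = user.get("lastLoginTime")
        if ts is None or ts == NEVER_LOGGED_IN:
            # No sign-in on record at all: cannot be "after" the cutoff, so it fails
            findings.append((user["primaryEmail"], "never signed in"))
            continue
        last_login = parse_rfc3339(ts)
        if last_login <= cutoff:
            findings.append((
                user["primaryEmail"],
                f"last sign-in {last_login.date()} is not after cutoff {cutoff.date()}",
            ))
    return findings


# Constructed sample data; not real accounts
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": True, "lastLoginTime": "2023-01-15T09:30:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": True, "lastLoginTime": "2023-11-20T14:05:00.000Z"},
    {"primaryEmail": "carol@example.com", "suspended": False, "lastLoginTime": "2022-06-01T08:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "suspended": True, "lastLoginTime": NEVER_LOGGED_IN},
    {"primaryEmail": "erin@example.com", "suspended": True, "lastLoginTime": "2023-06-01T00:00:00.000Z"},
]
FIXED_NOW = datetime(2023, 12, 1, tzinfo=timezone.utc)  # pinned so the example is reproducible


def main():
    for email, reason in stale_suspended_users(SAMPLE_USERS, now=FIXED_NOW):
        print(f"FAIL {email}: {reason}")


if __name__ == "__main__":
    main()
```

With the pinned date the script reports alice (stale), dave (never signed in) and erin (exactly on the cutoff boundary, which the rule counts as a failure); bob signed in recently and carol is not suspended, so neither is reported. In production the input would come from a paginated `users.list` call with `customer='my_customer'`, and the flagged addresses are the accounts to delete in the Admin console as described below.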
REMEDIATION
From Portal
- Go to Admin console : https://admin.google.com
- From the Admin console Home page, go to Users.
- In the Users list, find the user.
- Point to the user you want to delete and click More, then Delete user.
- Depending on your privileges as an admin, choose an option:
- Delegated admins: to confirm that you understand the impact of deleting the account, check the boxes.
- Super admins: to transfer ownership of the user's content:
If you don't want to transfer the user's data, next to Data in other apps, select Don't transfer data.
If you do want to transfer the user's data:
a. Next to Data in other apps, select Transfer.
b. In the Search for a user field, enter the name or email address of the user to whom you want to transfer the deleted user's files.
c. Under Select data to transfer, check the boxes next to each option you want.
- Click Delete User.
References
GCP IAM User
An IAM user is an entity that you create in GCP to represent the person or service that uses it to interact with GCP. For this rule the entity is a Google Workspace or Cloud Identity user account (the accounts managed in the Admin console); the attributes the rule evaluates, `suspended` and `lastLoginTime`, are fields of the Admin SDK Directory API user resource.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CloudGuard Best Practices
- GCP GDPR Readiness
- GCP LGPD regulation
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
- GCP PCI-DSS 4.0