Ensure Essential Contacts are defined for your Google Cloud organization

Many Google Cloud services, such as Cloud Billing, send out notifications to share important information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.

Risk Level: High
Cloud Entity: GCP EssentialContact
CloudGuard Rule ID: D9.GCP.IAM.30
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

EssentialContact should not have notificationCategorySubscriptions isEmpty()

REMEDIATION

From Portal

  1. Sign in to the Google Cloud Management Console and click on the deployment selector from the top navigation bar.
  2. Select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.
  3. Navigate to the Cloud Identity and Access Management (IAM) console.
  4. In the main navigation panel, choose Essential Contacts. Choose ADD CONTACT from the console top menu to configure essential contacts for your GCP organization.
  5. In the Add a contact configuration box, perform the following actions:
    a. For Email and Confirm Email, provide the email address of the contact that will receive critical notifications for the selected GCP organization.
    b. Select the following categories from the Notification Categories section to send corresponding notifications to the email address configured at the previous step: Suspension, Security, Technical, and Legal. Alternatively, you can just select the All category to receive all possible messages and notifications.
    c. Choose SAVE to apply the configuration changes.

From Command Line
Run the following command to define essential contacts for the following notification categories: suspension, security, technical, and legal.
Note: You can also set the --notification-categories parameter to all to receive all possible messages and notifications.

gcloud beta essential-contacts create --email=EMAIL --language=LANGUAGE --notification-categories=[NOTIFICATION_CATEGORIES] [--folder=FOLDER | --organization=ORGANIZATION | --project=PROJECT] [GCLOUD_WIDE_FLAG]
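
To verify the result, the following added example (not CloudGuard's or Google's own code) checks a contact listing for contacts with no subscriptions, which is what the GSL rule flags, and for any of the four categories above that no contact covers. It assumes the listing comes from gcloud beta essential-contacts list with a value() format on notificationCategorySubscriptions, one contact per line; the function names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit Essential Contacts coverage (not CloudGuard's code).
# stdin: one line per contact with its notificationCategorySubscriptions,
# separated by ';', ',' or whitespace. Assumed to come from:
#   gcloud beta essential-contacts list --organization=ORGANIZATION \
#     --format="value(notificationCategorySubscriptions)"
# An empty line is a contact with no subscriptions, which the rule flags.

REQUIRED="SUSPENSION SECURITY TECHNICAL LEGAL"  # categories from the remediation

# Print how many contacts have an empty subscription list.
count_empty_contacts() {
  local n=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -z "$(printf '%s' "$line" | tr -d ';, \t')" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Print the required categories that no contact subscribes to.
# A contact subscribed to ALL covers every category.
missing_categories() {
  local seen c missing=""
  seen=" $(tr ';,\t\n' '    ' | tr '[:lower:]' '[:upper:]') "
  case "$seen" in
    *" ALL "*) echo ""; return 0 ;;
  esac
  for c in $REQUIRED; do
    case "$seen" in
      *" $c "*) ;;
      *) missing="$missing $c" ;;
    esac
  done
  echo "${missing# }"
}

# Constructed sample: three contacts, the second with no subscriptions.
SAMPLE='SECURITY;TECHNICAL

BILLING'

echo "contacts with no subscriptions: $(printf '%s\n' "$SAMPLE" | count_empty_contacts)"
echo "uncovered categories: $(printf '%s\n' "$SAMPLE" | missing_categories)"
```

A non-zero count or a non-empty category list means the organization still needs the remediation above.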


Compliance Frameworks

  • GCP CloudGuard Best Practices
  • GCP NIST 800-53 Rev 5