Ensure 'Access Approval' is 'Enabled'

GCP Access Approval enables you to require your organizations' explicit approval whenever Google support try to access your projects. You can then select users within your organization who can approve these requests through giving them a security role in IAM. All access requests display which Google Employee requested them in an email or Pub/Sub message that you can choose to Approve. This adds an additional control and logging of who in your organization approved/denied these requests.Controlling access to your information is one of the foundations of information security. Google Employees do have access to your organizations' projects for support reasons. With Access Approval, organizations can then be certain that their information is accessed by only approved Google Personnel.

Risk Level: Low
Cloud Entity: GCP Project
CloudGuard Rule ID: D9.GCP.LOG.30
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

Project should have (not accessApprovalSettings.notificationEmails isEmpty()) and (accessApprovalSettings.enrolledServices with [cloudProduct='all' ])

REMEDIATION

From Portal

  1. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the Security Menu. Select Access Approval in the middle of the column that opens.
  2. The status will be displayed here. On this screen, there is an option to click Enroll. If it is greyed out and you see an error bar at the top of the screen that says Access Transparency is not enabled please view the corresponding reference within this section to enable it.
  3. In the second screen click Enroll.

A) Grant an IAM Group or User the role with permissions to Add Users to be Access Approval message Recipients

  1. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the IAM and Admin. Select IAM in the middle of the column that opens.
  2. Click the blue button the says +add at the top of the screen.
  3. In the principals field, select a user or group by typing in their associated email address.
  4. Click on the role field to expand it. In the filter field enter Access Approval Approver and select it.
  5. Click save.

B) Add a Group or User as an Approver for Access Approval Requests

  1. As a user with the Access Approval Approver permission, within the project where you wish to add an email address to which request will be sent, click on the Navigation hamburger menu in the top left. Hover over the Security Menu. Select Access Approval in the middle of the column that opens.
  2. Click Manage Settings
  3. Under Set up approval notifications, enter the email address associated with a Google Cloud User or Group you wish to send Access Approval requests to. All future access approvals will be sent as emails to this address.

From Command Line

  1. To update all services in an entire project, run the following command from an account that has permissions as an 'Approver for Access Approval Requests'
gcloud access-approval settings update --project=PROJECT_NAME --enrolled_services=all --notification_emails='[email protected]'
  1. Determine if Access Approval is Enabled.From within the project you wish to audit, run the following command.
gcloud access-approval settings get

FROM TF
Use resource google_project_access_approval_settings. Make sure you set the values for arguments as below;
notification_emails = ["[email protected]"]
cloud_product = "all"

resource "google_project_access_approval_settings" "project_access_approval" {
	project_id          = "my-project-name"
	notification_emails = ["[email protected]"]
	
	enrolled_services {
		cloud_product = "all"
		enrollment_level = "BLOCK_ALL"
	}
}

References

  1. https://workbench.cisecurity.org/sections/811636/recommendations/1547149
  2. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/overview
  3. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/review-approve-access-requests-custom-keys
  4. https://cloud.google.com/sdk/gcloud/reference/access-approval/settings/update
  5. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_access_approval_settings

GCP Project

A project organizes all your Google Cloud Platform resources. A project consists of a set of users; a set of APIs; and billing, authentication, and monitoring settings for those APIs. So, for example, all of your Cloud Storage buckets and objects, along with user permissions for accessing them, reside in a project. You can have one project, or you can create multiple projects and use them to organize your Google Cloud Platform resources, including your Cloud Storage data, into logical groups

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5