Ensure Essential Contacts is Configured for Organization

It is recommended that Essential Contacts be configured to designate the email addresses that Google Cloud services notify of important technical or security information. Many Google Cloud services, such as Cloud Billing, send out notifications to share important information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.

Risk Level: Low
Cloud Entity: GCP EssentialContact
CloudGuard Rule ID: D9.GCP.OPE.05
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

EssentialContact should not have notificationCategorySubscriptions isEmpty()
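
The same check can be run outside CloudGuard over the JSON that `gcloud essential-contacts list --organization=ORGANIZATION_ID --format=json` returns. The following is an added example, not CloudGuard's or Google's code; the sample contacts are constructed, and the `required` category set is an assumption that goes beyond the rule's non-empty test.

```python
import json

# Constructed sample in the shape of the Essential Contacts list output.
# The organization ID and email addresses are made up for illustration.
SAMPLE_CONTACTS = json.loads("""
[
  {"name": "organizations/123456789012/contacts/1",
   "email": "secops@example.com",
   "notificationCategorySubscriptions": ["SECURITY", "TECHNICAL"]},
  {"name": "organizations/123456789012/contacts/2",
   "email": "billing@example.com",
   "notificationCategorySubscriptions": []},
  {"name": "organizations/123456789012/contacts/3",
   "email": "legacy@example.com"}
]
""")


def evaluate_contacts(contacts, required=("SECURITY", "TECHNICAL")):
    """Return (violations, missing) for a list of contact records.

    violations: names of contacts whose notificationCategorySubscriptions
                is empty or absent (the condition the GSL rule flags).
    missing:    categories from `required` that no contact subscribes to.
                A subscription to "ALL" covers every category.
    `required` is an assumed policy choice, not part of the rule.
    """
    violations = []
    covered = set()
    for contact in contacts:
        subs = contact.get("notificationCategorySubscriptions") or []
        if not subs:
            violations.append(contact.get("name", "<unnamed>"))
        covered.update(subs)
    # With no contacts at all, nothing is covered and every required
    # category is reported as missing.
    missing = [] if "ALL" in covered else sorted(set(required) - covered)
    return violations, missing


if __name__ == "__main__":
    bad, missing = evaluate_contacts(SAMPLE_CONTACTS)
    for name in bad:
        print(f"FAIL {name}: no notification categories subscribed")
    print("Uncovered required categories:", missing or "none")
```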

REMEDIATION

From Portal

  1. Go to Essential Contacts by visiting https://console.cloud.google.com/iam-admin/essential-contacts
  2. Make sure the organization appears in the resource selector at the top of the page. The resource selector tells you what project, folder, or organization you are currently managing contacts for.
  3. Click +Add contact
  4. In the Email and Confirm Email fields, enter the email address of the contact.
  5. From the Notification categories drop-down menu, select the notification categories that you want the contact to receive communications for.
  6. Click Save

From Command Line

  1. To add an Essential Contact for the organization, run the following command:
gcloud essential-contacts create --email="EMAIL" --notification-categories="NOTIFICATION_CATEGORIES" --organization="ORGANIZATION_ID"

From TF

  1. In your template, use the resource google_essential_contacts_contact. Set the arguments email (your email ID) and notification_category_subscriptions (the list of notification categories that you want the contact to receive communications for).
    See the example template below:
resource "google_essential_contacts_contact" "contact" {
  parent                              = "projects/project_id" # for an organization-level contact: "organizations/ORGANIZATION_ID"
  email                               = "[email protected]" # the contact's email address
  language_tag                        = "en-GB"
  notification_category_subscriptions = ["ALL"] # must not be empty
}

References

  1. https://workbench.cisecurity.org/sections/811635/recommendations/1926676
  2. https://cloud.google.com/resource-manager/docs/managing-notification-contacts

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP NIST 800-53 Rev 5