Skip to main content

lacework-global-232

1.1 Use Corporate Login Credentials (Manual)

Profile Applicability

• Level 1

Description

Use corporate login credentials instead of personal accounts, such as Gmail accounts.

Rationale

It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources. Email accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.

Impact

There will be increased overhead as maintaining accounts will now be required. For smaller organizations, this will not be an issue, but will balloon with size.

Audit

For each Google Cloud Platform project, list the accounts that have been granted access to that project:

gcloud projects get-iam-policy PROJECT_ID

Also list the accounts added on each folder: 

gcloud resource-manager folders get-iam-policy FOLDER_ID

And list your organization's IAM policy: 

gcloud organizations get-iam-policy ORGANIZATION_ID

No email accounts outside the organization domain should be granted permissions in the IAM policies. This excludes Google-owned service accounts.

Remediation

Follow the documentation and setup corporate login accounts.

Prevention: To ensure that Identity and Access Management (IAM) permissions to its Google Cloud projects, folders or organization are not granted to email addresses outside the organization, turn on the Organization Policy for Domain Restricted Sharing. Learn more at: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains

References

https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#manage-identities
https://support.google.com/work/android/answer/6371476
https://cloud.google.com/sdk/gcloud/reference/organizations/get-iam-policy
https://cloud.google.com/sdk/gcloud/reference/beta/resource-manager/folders/get-iam-policy
https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains

Last updated on