Skip to main content


1.1 Use Corporate Login Credentials (Manual)

Profile Applicability

• Level 1


Use corporate login credentials instead of personal accounts, such as Gmail accounts.


It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources. Email accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.


There will be increased overhead as maintaining accounts will now be required. For smaller organizations, this will not be an issue, but will balloon with size.


For each Google Cloud Platform project, list the accounts that have been granted access to that project:

gcloud projects get-iam-policy PROJECT_ID

Also list the accounts added on each folder:

gcloud resource-manager folders get-iam-policy FOLDER_ID 

And list your organization's IAM policy:

gcloud organizations get-iam-policy ORGANIZATION_ID

No email accounts outside the organization domain should be granted permissions in the IAM policies. This excludes Google-owned service accounts.


Follow the documentation and setup corporate login accounts.

Prevention: To ensure that Identity and Access Management (IAM) permissions to its Google Cloud projects, folders or organization are not granted to email addresses outside the organization, turn on the Organization Policy for Domain Restricted Sharing. Learn more at: