Profile Applicability:
Level 1
Description:
It is recommended to use corporate login credentials instead of personal or consumer accounts (e.g., Gmail accounts) for accessing Google Cloud resources. Corporate accounts enhance visibility, enable better auditing, and provide centralized control over access to Cloud Platform resources.
Rationale:
Using corporate-managed accounts ensures that access to resources is aligned with the organization's policies. Personal accounts outside the organization's domain can pose risks, including unauthorized access, lack of audit trails, and challenges in enforcing security controls. By mandating corporate credentials, organizations can ensure consistency in access management, improve compliance, and reduce potential security vulnerabilities.
Impact:
Managing corporate accounts may require additional administrative overhead. While this may not significantly affect smaller organizations, it can become more complex as the organization grows in size.
Default Value:
By default, no external email addresses are granted access to the organization’s Google Cloud resources. However, consumer accounts can still be added to IAM policies unless restricted by an organization policy.
Audit Steps:
Using Google Cloud Console
Log in to the Google Cloud Console.
In the left-hand menu, go to IAM & Admin > IAM.
Check the Members column in the IAM page for email addresses.
Identify any external accounts (e.g., @gmail.com or @yahoo.com) that do not belong to your corporate domain (e.g., @yourcompany.com).
Switch to other projects by selecting the project dropdown at the top and repeat the process for all projects.
Using Google Cloud CLI
1. Run the following command to list IAM policies for a specific project: (Replace PROJECT_ID with your project ID)
gcloud projects get-iam-policy PROJECT_ID
2. To list IAM policies for a folder, run: (Replace FOLDER_ID with your folder ID)
gcloud resource-manager folders get-iam-policy FOLDER_ID
3. Run this command to retrieve the organization’s IAM policies: (Replace ORGANIZATION_ID with your organization ID)
gcloud organizations get-iam-policy ORGANIZATION_ID
4. In the output, check for any accounts outside your corporate domain (e.g., @gmail.com or @yahoo.com).
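The check in step 4 can be automated by feeding the JSON form of the policy (add --format=json to the get-iam-policy commands above) to a small script. The example below is added here and is not part of the benchmark; the policy it parses is a constructed sample and the corporate domain yourcompany.com is an assumption. It inspects only user: and group: principals, skips service accounts, and still reports a principal that gcloud marks as deleted:, since that binding is stale and should be cleaned up too.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@yourcompany.com", "user:bob.personal@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["group:devs@yourcompany.com",
                 "serviceAccount:ci@my-proj.iam.gserviceaccount.com",
                 "deleted:user:carol@yahoo.com?uid=123456789"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}
""")

def member_domain(member):
    """Return (kind, domain) for a user:/group: principal, else (kind, None).
    Handles the 'deleted:' prefix and '?uid=' suffix gcloud emits for removed identities."""
    m = member[len("deleted:"):] if member.startswith("deleted:") else member
    kind, _, ident = m.partition(":")
    if kind not in ("user", "group"):
        return kind, None          # service accounts, domain:, allUsers, ... are out of scope here
    ident = ident.split("?", 1)[0]  # strip "?uid=..." from deleted principals
    _, _, domain = ident.rpartition("@")
    return kind, domain.lower()

def find_external_members(policy, corporate_domains):
    """List (role, member) pairs for human or group principals outside the corporate domains."""
    allowed = {d.lower().lstrip("@") for d in corporate_domains}
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            _, domain = member_domain(member)
            if domain is not None and domain not in allowed:
                findings.append((binding["role"], member))
    return findings

if __name__ == "__main__":
    for role, member in find_external_members(SAMPLE_POLICY, ["yourcompany.com"]):
        print(f"EXTERNAL  {role:<14} {member}")
```

Run the same function over the folder and organization policies as well, since a consumer account granted at a parent level is inherited by every project beneath it.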
Remediation Steps:
Using Google Cloud Console
Remove Unauthorized Accounts:
Navigate to IAM & Admin > IAM.
Click the edit icon (pencil) next to the role of an unauthorized account.
Click Remove to delete the external account.
Confirm the changes.
Add Corporate Accounts:
Click the Add button.
Enter the email address of the corporate account (e.g., user@yourcompany.com, where @yourcompany.com is your corporate domain).
Assign the appropriate role.
Click Save.
Repeat for All Projects:
Switch to other projects in the dropdown and repeat the steps above.
Using Google Cloud CLI
Remove Unauthorized Accounts: Run the following command to remove an unauthorized account:
gcloud projects remove-iam-policy-binding PROJECT_ID \
    --member="user:UNAUTHORIZED_EMAIL" \
    --role="ROLE"
Replace:
PROJECT_ID with the project ID.
UNAUTHORIZED_EMAIL with the email of the external user.
ROLE with the role assigned to that user.
Add Authorized Corporate Accounts: To add a corporate account, run:
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:CORPORATE_EMAIL" \
    --role="ROLE"
Replace:
PROJECT_ID with the project ID.
CORPORATE_EMAIL with the corporate email address.
ROLE with the appropriate role for the user.
Repeat for Folders and Organization: Use similar commands for folders and organizations:
Folders:
gcloud resource-manager folders remove-iam-policy-binding FOLDER_ID \
    --member="user:UNAUTHORIZED_EMAIL" \
    --role="ROLE"
Organizations:
gcloud organizations remove-iam-policy-binding ORGANIZATION_ID \
    --member="user:UNAUTHORIZED_EMAIL" \
    --role="ROLE"