Profile Applicability:
Level 1
Description:
Enable multi-factor authentication (MFA) for all non-service accounts in Google Cloud Platform (GCP) to enhance login security.
Rationale:
Requiring MFA adds a layer of security by making users verify their identity through more than one method, so a stolen or weak password alone is not enough to sign in. This protects accounts against attackers who exploit compromised or guessable credentials.
Remediation:
Test Plan:
Using Google Cloud Console:
Log in to the Google Cloud Console.
Navigate to the Google Workspace Admin Console (admin.google.com). Use an administrator account with permissions to manage users.
In the Admin Console, go to Security > Authentication > 2-Step Verification.
Review the enforcement status of MFA for all users.
Verify that 2-Step Verification is turned on and enforced for all non-service accounts.
Using Google Cloud CLI
List IAM Policies: Retrieve the IAM policies for your organization (replace ORGANIZATION_ID with your organization ID):
gcloud organizations get-iam-policy ORGANIZATION_ID
Review the members field in the output to identify user accounts, which appear with the user: prefix (e.g., user:user@example.com), as opposed to serviceAccount: entries.
Check 2-Step Verification Status: Use the Google Workspace Admin SDK (Directory API) to check whether 2-Step Verification is enabled for each account:
- Install the Google Admin SDK client library.
- Run a script that checks the 2-Step Verification status of each user.
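The script step above is left unspecified by the benchmark, so this is an added example (not part of the page or of Google's tooling) of what such a check looks like: it evaluates the Directory API's isEnforcedIn2Sv and isEnrolledIn2Sv user fields and reports every active account that fails either test. The fetch function assumes google-api-python-client and a credential holding the admin.directory.user.readonly scope; the sample records are constructed.

```python
# Added example (not from the benchmark): audit Directory API user records for 2SV.
# isEnrolledIn2Sv / isEnforcedIn2Sv are real admin/directory_v1 User fields; sample data is constructed.

# Constructed sample of what users.list returns, trimmed to the fields we need.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example.com", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "gone@example.com", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]


def mfa_findings(users, include_suspended=False):
    """Return {email: reason} for every account that fails the control.
    Passing needs BOTH isEnforcedIn2Sv (policy applies) and isEnrolledIn2Sv (user
    finished setup). Suspended accounts cannot sign in; skipped unless include_suspended.
    """
    findings = {}
    for u in users:
        if u.get("suspended") and not include_suspended:
            continue
        enforced, enrolled = u.get("isEnforcedIn2Sv", False), u.get("isEnrolledIn2Sv", False)
        if not enforced and not enrolled:
            findings[u["primaryEmail"]] = "2SV neither enforced nor enrolled"
        elif not enforced:
            findings[u["primaryEmail"]] = "2SV enrolled but not enforced by policy"
        elif not enrolled:
            findings[u["primaryEmail"]] = "2SV enforced but user has not enrolled"
    return findings


def fetch_all_users(credentials):
    """Live path: page through users.list for the whole customer. Assumes
    google-api-python-client and the admin.directory.user.readonly scope."""
    from googleapiclient.discovery import build  # lazy import; the offline run never needs it
    service = build("admin", "directory_v1", credentials=credentials)
    users, token = [], None
    while True:
        page = service.users().list(customer="my_customer", maxResults=500,
                                    pageToken=token).execute()
        users.extend(page.get("users", []))
        token = page.get("nextPageToken")
        if not token:
            return users


if __name__ == "__main__":  # offline run over the constructed sample
    for email, reason in mfa_findings(SAMPLE_USERS).items():
        print(f"FAIL {email}: {reason}")
```

Swap SAMPLE_USERS for fetch_all_users(creds) to audit a real tenant; an empty findings dict means every active account both has 2SV enforced and has completed enrollment.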
Implementation:
Using Google Cloud Console
Enable MFA:
In the Google Workspace Admin Console, go to Security > Authentication > 2-Step Verification.
Turn on 2-Step Verification if it is not already enabled.
Enforce MFA:
Under 2-Step Verification, select Enforcement.
Choose On for everyone or specify organizational units if applicable.
Save the settings.
Communicate with Users:
Notify users to complete their MFA setup. Provide a deadline for compliance.
Using Google Cloud CLI
Enable MFA: Use the Admin SDK Directory API to enforce MFA for all users in your organization. For example:
gcloud identity accounts update-mfa-policy \
  --enforce \
  --organization-id ORGANIZATION_ID
Replace ORGANIZATION_ID with your organization’s ID.
Verify Enforcement: Check the status of MFA enforcement by running:
gcloud identity accounts list-mfa-policies --organization-id ORGANIZATION_ID
Communicate Requirements: Inform users of the MFA policy enforcement and provide guidance on completing the setup.
Backout Plan:
Step 1: Disable MFA Enforcement (Temporarily)
If necessary, temporarily disable MFA enforcement:
gcloud identity accounts update-mfa-policy \
  --disable-enforce \
  --organization-id ORGANIZATION_ID
Step 2: Restore User Access (If Impacted)
Re-add affected users if access was revoked:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:RESTORED_EMAIL" \
  --role="ROLE"
Step 3: Notify Users & Adjust Policies
Communicate access restoration to impacted users.
Adjust IAM policies to ensure that only necessary accounts have permissions.