Profile Applicability:
Level 2
Description:
Enable Security Key Enforcement for all Google Cloud Platform (GCP) admin accounts to enhance account security.
Rationale:
Admin accounts with the Organization Administrator role hold the highest privileges in GCP and should be protected with the strongest form of multi-factor authentication (MFA): Security Keys. Unlike weaker second factors such as SMS or OTP codes, which are shared secrets that a phishing site can capture and replay, Security Keys authenticate with a cryptographic signature produced by the key itself, so the credential cannot be phished.
Impact:
Losing access to a security key may result in account lockout.
It is crucial to configure backup security keys to mitigate this risk.
Default Value:
By default, Security Key Enforcement is not enabled for Organization Administrator accounts.
Audit Steps:
1. Identify Organization Administrators. Run the following command to retrieve the IAM policy for your organization:
gcloud organizations get-iam-policy <ORGANIZATION_ID>
2. In the output, look for members assigned the role roles/resourcemanager.organizationAdmin.
3. Manually confirm that Security Key Enforcement is enabled for each of those admin accounts.
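The second audit step is easy to get wrong by eye when the policy has many bindings, conditional bindings, or groups. The script below is an added example (not part of the benchmark text or any Google tooling) that parses the JSON form of the policy and produces the list of principals to review. It assumes the policy was saved with `gcloud organizations get-iam-policy <ORGANIZATION_ID> --format=json`; the embedded policy is a constructed sample with made-up members, and the helper names (`parse_policy`, `organization_admins`, `classify_for_review`) are this example's own.

```python
"""List Organization Administrators from a GCP organization IAM policy.

Added example for the audit step above. Input is the JSON produced by
`gcloud organizations get-iam-policy <ORGANIZATION_ID> --format=json`.
"""
import json
import sys
from typing import Dict, List, Tuple

ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"

# Constructed sample policy (members and etag are made up for this example).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:alice@example.com",
                 "group:gcp-org-admins@example.com",
                 "serviceAccount:breakglass@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:contractor@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXyConstructed=",
  "version": 3
}
"""


def parse_policy(text: str) -> Dict:
    """Decode the JSON policy document into a dict."""
    return json.loads(text)


def organization_admins(policy: Dict) -> Dict[str, bool]:
    """Map each member bound to the Org Admin role to True if the grant is conditional.

    A member that appears in both an unconditional and a conditional binding
    is reported as conditional only if every grant carries a condition.
    """
    admins: Dict[str, bool] = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") != ORG_ADMIN_ROLE:
            continue
        conditional = "condition" in binding
        for member in binding.get("members", []):
            # Keep False (unconditional) once seen; otherwise record the flag.
            admins[member] = admins.get(member, True) and conditional
    return admins


def classify_for_review(admins: Dict[str, bool]) -> Tuple[List[str], List[str], List[str]]:
    """Split Org Admin members into three review buckets.

    users  - individual accounts whose Security Key Enforcement must be confirmed
    groups - groups that must be expanded to their human members before checking
    other  - non-user principals (service accounts, domains, allUsers) that need
             a separate decision, since they cannot hold a security key
    """
    users, groups, other = [], [], []
    for member in sorted(admins):
        kind, _, ident = member.partition(":")
        if kind == "user":
            users.append(ident)
        elif kind == "group":
            groups.append(ident)
        else:
            other.append(member)
    return users, groups, other


if __name__ == "__main__":
    # Pass a saved policy file as the first argument, or fall back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY_JSON
    admins = organization_admins(parse_policy(text))
    users, groups, other = classify_for_review(admins)
    print("Users to confirm Security Key Enforcement for:")
    for u in users:
        note = " (conditional grant)" if admins["user:" + u] else ""
        print(f"  {u}{note}")
    print("Groups to expand before checking:", groups)
    print("Other principals holding Org Admin:", other)
```

Two points the classification makes visible that a quick scan of the raw policy tends to miss: groups granted the role must be expanded to their human members, and each of those members is an admin account for the purposes of this control; and a conditional (time-bound) grant still makes the account an Organization Administrator while the condition holds. The enforcement setting itself is not visible in the IAM policy, which is why the final audit step remains a manual check in the Google Admin console's 2-Step Verification settings for each listed user.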
Remediation Steps:
1. Identify all users with the Organization Administrator role.
2. Configure Security Key Enforcement for each admin account, following the Google Cloud Security Key Setup Guide.