Profile Applicability:

Level 2

Description:

Enable Security Key Enforcement for all Google Cloud Platform (GCP) admin accounts to enhance account security.

Rationale:

Admin accounts with the Organization Administrator role have the highest privileges in GCP and should be safeguarded with the strongest form of multi-factor authentication (MFA): Security Keys. Unlike weaker second factors such as SMS or OTP codes, Security Keys authenticate with cryptographic signatures rather than a shared secret the user types in, so the login credential cannot be captured and reused by a phishing site.

Impact:

  • Losing access to a security key may result in account lockout.

  • It is crucial to configure backup security keys to mitigate this risk.

Default Value:

By default, Security Key Enforcement is not enabled for Organization Administrator accounts.

Audit Steps:

  1. Identify Organization Administrators: run the following command to retrieve the IAM policy for your organization:

     gcloud organizations get-iam-policy <ORGANIZATION_ID>

  2. Look for users assigned the role roles/resourcemanager.organizationAdmin.

  3. Manually confirm that Security Key Enforcement is enabled for each admin account.
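As an added example, not part of this benchmark text: a small Python script that parses the JSON output of the audit command (run it with the `--format=json` flag to get this shape; the policy below is a constructed sample with hypothetical principals) and groups every principal bound to roles/resourcemanager.organizationAdmin by member type, because groups must be expanded to their human members before each one is checked, and service accounts never sign in interactively and so cannot enrol a security key at all.

```python
import json
from collections import defaultdict

# Constructed sample of:
#   gcloud organizations get-iam-policy <ORGANIZATION_ID> --format=json
# All principals are hypothetical; the viewer binding is there to show
# that unrelated roles are ignored.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:alice@example.com",
                     "group:gcp-org-admins@example.com",
                     "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:bob@example.com"],
         "condition": {"title": "break-glass",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["user:carol@example.com"]},
    ],
    "etag": "BwXyz123=",
    "version": 3,
})

ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"


def org_admin_members(policy_json: str) -> dict:
    """Return {member_type: sorted principals} for every principal bound to the
    Organization Administrator role.  'user' entries are the accounts to check
    for Security Key Enforcement; 'group' entries must be expanded to their
    human members; 'serviceAccount' entries cannot use security keys and should
    be reviewed as an exception."""
    policy = json.loads(policy_json)
    found = defaultdict(set)
    for binding in policy.get("bindings", []):
        if binding.get("role") != ORG_ADMIN_ROLE:
            continue
        # A conditional binding still grants the role whenever its condition
        # holds, so the principal stays in scope; the title is kept for the report.
        cond = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            kind, _, principal = member.partition(":")
            label = principal if cond is None else f"{principal} (conditional: {cond})"
            found[kind].add(label)
    return {kind: sorted(names) for kind, names in found.items()}


if __name__ == "__main__":
    for kind, principals in org_admin_members(SAMPLE_POLICY).items():
        print(f"{kind}: {', '.join(principals)}")
```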

Remediation Steps:

  1. Identify all users with the Organization Administrator role.

  2. Configure Security Key Enforcement for each admin account using the Google Cloud Security Key Setup Guide.

References:

  1. Google Cloud Security Key Setup Guide

  2. Benefits of Security Keys for Enhanced Account Security

CIS Controls:

  Control | Description | IG 1 | IG 2 | IG 3
  6.3 Require MFA for Externally-Exposed Applications | Enforce MFA for all externally accessible enterprise or third-party applications. MFA through directory services or SSO is sufficient. | | |
  16.3 Require Multi-Factor Authentication | Enforce MFA for all user accounts, whether managed on-premises or by a third-party provider, to enhance security. | | |