Profile Applicability:
Level 2
Description:
Enable Security Key Enforcement for all Google Cloud Platform (GCP) admin accounts to enhance account security.
Rationale:
Admin accounts with the Organization Administrator role have the highest privileges in GCP and should be safeguarded with the strongest form of multi-factor authentication (MFA): Security Keys. Unlike weaker second factors such as SMS or OTP codes, Security Keys authenticate with public-key signatures that are bound to the legitimate login origin, so the credential cannot be captured and replayed by a phishing site.
Impact:
- Losing access to a security key may result in account lockout.
- It is crucial to configure backup security keys to mitigate this risk.
Default Value:
By default, Security Key Enforcement is not enabled for Organization Administrator accounts.
Remediation:
- Identify all users with the Organization Administrator role.
- Configure Security Key Enforcement for each admin account using the Google Cloud Security Key Setup Guide.
Test Plan:
Identify Organization Administrators: run the following command to retrieve the IAM policy for your organization:
gcloud organizations get-iam-policy <ORGANIZATION_ID>
- Look for users assigned the role roles/resourcemanager.organizationAdmin.
- Manually confirm that Security Key Enforcement is enabled for each admin account.
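The audit step above is easy to get wrong by hand on a large policy: the role may appear in several bindings (some conditional), and members that are groups or service accounts are not user accounts and cannot have Security Key Enforcement checked directly. The script below is an added example, not part of this benchmark or of Google's tooling. It assumes the policy has been exported with `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` and piped in on stdin; when run with no `--stdin` flag it uses a constructed sample policy so it can be tried offline. It lists the human `user:` principals that must be checked and reports every other principal type separately rather than dropping it.

```python
"""List principals holding Organization Administrator from a gcloud IAM policy export.

Intended use (assumes gcloud is installed and authenticated):
    gcloud organizations get-iam-policy ORGANIZATION_ID --format=json | python org_admins.py --stdin
Without --stdin the constructed SAMPLE_POLICY below is used, so the script runs offline.
"""
import json
import sys

ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"

# Constructed sample in the shape gcloud emits (bindings/etag/version); not a real policy.
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": ORG_ADMIN_ROLE,
            "members": [
                "user:alice@example.com",
                "group:org-admins@example.com",
                "serviceAccount:ci@example-proj.iam.gserviceaccount.com",
            ],
        },
        {
            # A conditional (here time-limited) grant still counts: bob is an admin while it holds.
            "role": ORG_ADMIN_ROLE,
            "members": ["user:bob@example.com"],
            "condition": {
                "title": "temporary-elevation",
                "expression": "request.time < timestamp('2030-01-01T00:00:00Z')",
            },
        },
        {"role": "roles/viewer", "members": ["user:carol@example.com"]},
    ],
    "etag": "BwXyZ123",
    "version": 3,
}


def role_members(policy, role=ORG_ADMIN_ROLE):
    """Every member bound to `role`, paired with the binding's condition (None if unconditional)."""
    out = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        for member in binding.get("members", []):
            out.append((member, binding.get("condition")))
    return out


def split_principals(policy, role=ORG_ADMIN_ROLE):
    """Separate human user accounts from other principal types.

    Security Key Enforcement is configured per user account, so only `user:` members can be
    checked directly. Groups must be expanded and service accounts reviewed separately, so
    they are returned as a second list instead of being silently dropped.
    """
    users, others = set(), set()
    for member, _condition in role_members(policy, role):
        if member.startswith("user:"):
            users.add(member.split(":", 1)[1])
        else:
            others.add(member)
    return sorted(users), sorted(others)


def audit_report(policy, role=ORG_ADMIN_ROLE):
    """One checklist line per user for the manual security-key check, plus one per non-user principal."""
    users, others = split_principals(policy, role)
    lines = ["Verify Security Key Enforcement is ON for: %s" % u for u in users]
    lines += ["Expand or review non-user principal: %s" % o for o in others]
    return lines


if __name__ == "__main__":
    policy = json.load(sys.stdin) if "--stdin" in sys.argv[1:] else SAMPLE_POLICY
    for line in audit_report(policy):
        print(line)
```

The same member extraction can be done without a script using gcloud's own output flags, e.g. `gcloud organizations get-iam-policy ORGANIZATION_ID --flatten="bindings[].members" --filter="bindings.role:roles/resourcemanager.organizationAdmin" --format="value(bindings.members)"`, but that output does not distinguish conditional bindings or non-user principals, which is why the script keeps them visible.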
Backout Plan:
Step 1: Disable Security Key Enforcement (Temporarily)
If necessary, temporarily disable enforcement:
gcloud identity accounts update-mfa-policy \
  --disable-enforce \
  --organization-id ORGANIZATION_ID
Step 2: Restore User Access (If Impacted)
Re-add affected users if access was removed:
# Organization Administrator is an organization-level role, so the binding is restored
# on the organization resource rather than on an individual project.
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:RESTORED_EMAIL" \
  --role="roles/resourcemanager.organizationAdmin"
Step 3: Notify Users & Adjust Policies
- Inform affected admins about the change.
- Review IAM policies to ensure that only necessary accounts retain admin privileges.
