Profile Applicability:

Level 1

Description:

Essential Contacts allow organizations to designate specific email addresses to receive important notifications from Google Cloud services. This ensures timely communication about technical, security, legal, and other critical information. Configuring Essential Contacts is recommended to improve notification management.

Rationale:

By default, Google Cloud notifications are sent to users with specific IAM roles. However, this method may result in missed notifications if roles are misconfigured or users are unavailable. Essential Contacts allow organizations to:

  • Specify exact recipients for notifications.

  • Ensure timely awareness of legal, security, and technical issues.

  • Streamline communication with Google Cloud services.

Impact:

There is no additional cost for configuring Essential Contacts, except for the Technical Incidents category, which requires a premium support plan.

Default Value:

By default, no Essential Contacts are configured. In their absence, Google Cloud sends notifications to users holding the following IAM roles:

  • Legal: roles/billing.admin

  • Security: roles/resourcemanager.organizationAdmin

  • Suspension: roles/owner

  • Technical: roles/owner

  • Technical Incidents: roles/owner

Audit Steps:

Using Google Cloud Console:

  1. Go to the Essential Contacts page.

  2. Ensure the organization is selected in the resource selector at the top of the page.

  3. Verify that at least one email address is configured for each of the following categories:

    • Legal

    • Security

    • Suspension

    • Technical

    • Alternatively, ensure that an email address is configured for the All category, which covers every notification category.

Using Google Cloud CLI:

  1. List all Essential Contacts configured on the organization:

gcloud essential-contacts list --organization=<ORGANIZATION_ID>

  2. Confirm that at least one email address is subscribed to each of the following categories:

    • LEGAL

    • SECURITY

    • SUSPENSION

    • TECHNICAL

    • Alternatively, ensure an address is subscribed to the ALL category, which covers every category.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to the Essential Contacts page.
  2. Ensure the organization is selected in the resource selector.
  3. Click + Add Contact.
  4. Enter the email address in the Email and Confirm Email fields.
  5. From the Notification Categories dropdown, select the relevant categories (e.g., Legal, Security, Suspension, Technical).
  6. Click Save.

Using Google Cloud CLI:

Add an Essential Contact:

gcloud essential-contacts create --email="<EMAIL>" \
  --notification-categories="<NOTIFICATION_CATEGORIES>" \
  --organization=<ORGANIZATION_ID>

Example:

gcloud essential-contacts create --email="security@example.com" \
  --notification-categories="SECURITY,TECHNICAL" \
  --organization=1234567890
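The following Python script is added here as a worked example; it is not part of the benchmark and not Google's own tooling. It automates the CLI audit step (which of LEGAL, SECURITY, SUSPENSION and TECHNICAL has no contact, treating ALL as covering every category) and, when a category is uncovered, prints the matching gcloud essential-contacts create command for the remediation step. It parses the JSON emitted by gcloud essential-contacts list --organization=<ORGANIZATION_ID> --format=json. Two things are assumptions rather than benchmark requirements: contacts whose validationState is INVALID are not counted as coverage, and the embedded SAMPLE_CONTACTS data with example.com addresses is constructed so the check can be run offline.

```python
"""
Audit Essential Contacts coverage for a Google Cloud organization.

Input is the JSON produced by:
  gcloud essential-contacts list --organization=<ORGANIZATION_ID> --format=json

Each contact object carries "email", "notificationCategorySubscriptions"
(a list of category names such as SECURITY, or ALL) and "validationState"
(VALID, INVALID or VALIDATION_STATE_UNSPECIFIED).
"""
import json
import subprocess
import sys

# Categories the benchmark requires at organization level.
REQUIRED_CATEGORIES = ("LEGAL", "SECURITY", "SUSPENSION", "TECHNICAL")


def covered_categories(contacts, required=REQUIRED_CATEGORIES):
    """Map each required category to the set of contact emails covering it.

    A subscription to ALL covers every category. Contacts whose validationState
    is INVALID are skipped (assumption: an address that failed validation is
    not a reliable recipient and should not satisfy the check).
    """
    coverage = {cat: set() for cat in required}
    for contact in contacts:
        if contact.get("validationState") == "INVALID":
            continue
        subs = set(contact.get("notificationCategorySubscriptions", []))
        for cat in required:
            if "ALL" in subs or cat in subs:
                coverage[cat].add(contact.get("email", ""))
    return coverage


def missing_categories(contacts, required=REQUIRED_CATEGORIES):
    """Return the required categories that have no valid contact, in order."""
    coverage = covered_categories(contacts, required)
    return [cat for cat in required if not coverage[cat]]


def remediation_command(org_id, email, missing):
    """Build the gcloud command that subscribes `email` to the missing categories."""
    if not missing:
        return None
    return (
        "gcloud essential-contacts create "
        f'--email="{email}" '
        f'--notification-categories="{",".join(missing)}" '
        f"--organization={org_id}"
    )


def list_contacts(org_id):
    """Query gcloud for the organization's contacts (needs an authenticated gcloud)."""
    result = subprocess.run(
        ["gcloud", "essential-contacts", "list",
         f"--organization={org_id}", "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


# Constructed sample in the shape of `gcloud essential-contacts list --format=json`
# (not real data): one valid contact on SECURITY and TECHNICAL, and one contact
# on LEGAL whose address failed validation.
SAMPLE_CONTACTS = json.loads("""[
  {"name": "organizations/1234567890/contacts/1",
   "email": "security@example.com",
   "notificationCategorySubscriptions": ["SECURITY", "TECHNICAL"],
   "languageTag": "en-US", "validationState": "VALID"},
  {"name": "organizations/1234567890/contacts/2",
   "email": "legal@example.com",
   "notificationCategorySubscriptions": ["LEGAL"],
   "languageTag": "en-US", "validationState": "INVALID"}
]""")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        org = sys.argv[1]
        contacts = list_contacts(org)
    else:
        org, contacts = "1234567890", SAMPLE_CONTACTS
    missing = missing_categories(contacts)
    if missing:
        print("FAIL: no valid contact for:", ", ".join(missing))
        print("Remediate with, for example:")
        print(remediation_command(org, "<EMAIL>", missing))
        sys.exit(1)
    print("PASS: every required category has a valid Essential Contact")
```

Run it with an organization ID as the only argument to query gcloud, or with no arguments to evaluate the embedded sample (which fails on LEGAL and SUSPENSION). Note that gcloud essential-contacts list returns only the contacts attached to the resource you name; contacts configured on folders or projects below the organization do not appear, so an organization-level check remains strict even where lower-level contacts exist.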

Backout Plan:

1. Restore Essential Contact Information (If Needed)

If an Essential Contact was mistakenly removed, re-add it using:

gcloud essential-contacts create --email="<EMAIL>" \
  --notification-categories="SECURITY,LEGAL" \
  --organization=<ORGANIZATION_ID>

2. Restore IAM Policy from Backup

Configuring Essential Contacts does not itself change IAM policy. If IAM bindings were modified during remediation (for example, to grant the permissions needed to manage contacts), restore the previous policy from a backup taken beforehand. Note that set-iam-policy replaces the resource's entire policy, so only use a backup that still reflects the intended state:

gcloud projects set-iam-policy PROJECT_ID policy-backup.json


References:

  1. Managing Notification Contacts

CIS Controls:

  • 17.2 Establish and Maintain Contact Information: Maintain contact information for parties who need to be informed of security incidents. Verify annually for accuracy.

  • 19.5 Maintain Incident Reporting Contacts: Maintain a list of external and internal contacts for reporting security incidents.