Profile Applicability:
Level 1
Description:
Essential Contacts allow organizations to designate specific email addresses to receive important notifications from Google Cloud services. This ensures timely communication about technical, security, legal, and other critical information. Configuring Essential Contacts is recommended to improve notification management.
Rationale:
By default, Google Cloud notifications are sent to users with specific IAM roles. However, this method may result in missed notifications if roles are misconfigured or users are unavailable. Essential Contacts allow organizations to:
- Specify exact recipients for notifications.
- Ensure timely awareness of legal, security, and technical issues.
- Streamline communication with Google Cloud services.
Impact:
There is no additional cost for configuring Essential Contacts, except for the Technical Incidents category, which requires a premium support plan.
Default Value:
By default, no Essential Contacts are configured. In their absence, Google Cloud sends notifications to users with the following IAM roles (listed by category after the Remediation Steps):
Audit Steps:
Using Google Cloud Console:
Go to Essential Contacts:
Ensure the organization is selected in the resource selector at the top of the page.
Verify that email addresses are configured for the following categories:
- Legal
- Security
- Suspension
- Technical
Alternatively, ensure that an email address is configured for the All category, covering all notifications.
Using Google Cloud CLI:
List all configured Essential Contacts:
gcloud essential-contacts list --organization=<ORGANIZATION_ID>
Confirm that at least one email address is assigned to the following categories:
- LEGAL
- SECURITY
- SUSPENSION
- TECHNICAL
Alternatively, ensure an address is configured for the ALL category.
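The category check above can be automated. The following is an added example, not part of the original benchmark text: it evaluates the output of `gcloud essential-contacts list --organization=<ORGANIZATION_ID> --format=json`, assuming each contact object carries the `email` and `notificationCategorySubscriptions` fields; the sample data and addresses are constructed.

```python
import json
import sys

# Categories the audit step requires; a contact subscribed to ALL covers each.
REQUIRED = ("LEGAL", "SECURITY", "SUSPENSION", "TECHNICAL")

# Constructed sample of the list command's JSON output (not real data).
SAMPLE = """[
  {"email": "secops@example.com",
   "notificationCategorySubscriptions": ["SECURITY", "TECHNICAL"]},
  {"email": "counsel@example.com",
   "notificationCategorySubscriptions": ["LEGAL"]},
  {"email": "finance@example.com",
   "notificationCategorySubscriptions": ["BILLING"]}
]"""


def coverage(contacts):
    """Map each required category to the sorted emails subscribed to it."""
    covered = {cat: set() for cat in REQUIRED}
    for contact in contacts:
        email = (contact.get("email") or "").strip()
        if not email:
            continue  # a subscription without an address reaches nobody
        subs = set(contact.get("notificationCategorySubscriptions") or [])
        for cat in REQUIRED:
            if cat in subs or "ALL" in subs:
                covered[cat].add(email)
    return {cat: sorted(emails) for cat, emails in covered.items()}


def missing_categories(contacts):
    """Return the required categories that have no recipient."""
    return [cat for cat, emails in coverage(contacts).items() if not emails]


def audit(raw_json):
    """Return (passed, missing) for the JSON text printed by the list command."""
    missing = missing_categories(json.loads(raw_json) or [])
    return (not missing, missing)


if __name__ == "__main__":
    # Pipe real output in, or run with no piped input to use the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    passed, missing = audit(raw)
    print("PASS" if passed else "FAIL: no contact for " + ", ".join(missing))
    sys.exit(0 if passed else 1)
```

The non-zero exit status on a failed audit lets the check run as a scheduled compliance job.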
Remediation Steps:
Using Google Cloud Console:
Navigate to Essential Contacts:
- Ensure the organization is selected in the resource selector.
Click + Add Contact.
Enter the email address in the Email and Confirm Email fields.
From the Notification Categories dropdown, select the relevant categories (e.g., Legal, Security, Suspension, Technical).
Click Save.
Using Google Cloud CLI:
Add an Essential Contact:
gcloud essential-contacts create --email="<EMAIL>" \
    --notification-categories="<NOTIFICATION_CATEGORIES>" \
    --organization=<ORGANIZATION_ID>
Example:
gcloud essential-contacts create --email="[email protected]" \
    --notification-categories="SECURITY,TECHNICAL" \
    --organization=1234567890
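Default notification recipients by category when no Essential Contacts are configured (see Default Value):
- Legal: roles/billing.admin
- Security: roles/resourcemanager.organizationAdmin
- Suspension: roles/owner
- Technical: roles/owner
- Technical Incidents: roles/owner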
Backout Plan:
1. Restore Essential Contact Information (If Needed)
If an Essential Contact was mistakenly removed, re-add it using:
gcloud essential-contacts create --email="<EMAIL>" \
    --notification-categories="SECURITY,LEGAL" \
    --organization=<ORGANIZATION_ID>
2. Restore IAM Policy from Backup
If necessary, restore a previous IAM policy:
gcloud projects set-iam-policy PROJECT_ID policy-backup.json