Profile Applicability:

Level 2

Description:

Google Cloud Platform (GCP) Access Approval ensures that explicit approval from your organization is required whenever Google support personnel request access to your projects. This process adds a layer of security and accountability, as only authorized individuals within your organization can approve or deny such requests.

Rationale:

Access Approval empowers organizations to maintain tighter control over their data by requiring explicit consent for access requests. This feature ensures that:

  • Only authorized Google personnel can access your resources.

  • Actions taken by Google employees are approved and logged.

  • Notifications are sent to designated approvers for transparency.

Impact:

  • Dependencies: Requires Access Transparency to be enabled.

  • Support Level: Your organization must have a Premium or Enhanced support plan.

  • Costs: Associated with the support plan and increased storage for logs.

  • Management Overhead: Requires additional effort to manage user permissions and approval processes.

  • Potential Delays: Support requests may take longer if approvals are pending.

Default Value:

Access Approval, and its dependency Access Transparency, are disabled by default.

Audit Steps:

Using Google Cloud Console:

  1. Check Access Transparency Status:

    • Navigate to IAM & Admin > Settings in the Google Cloud Console.

    • Verify that Access Transparency is enabled.

  2. Check Access Approval Status:

    • Go to Security > Access Approval in the Google Cloud Console.

    • Confirm whether Access Approval is enabled. If not, a prompt to enroll will appear.

Using Google Cloud CLI:

Run the following command to check Access Approval status:

gcloud access-approval settings get

If the output indicates the Access Approval API is not enabled, you may see:

API [accessapproval.googleapis.com] not enabled on project [-----].

If Access Transparency is not enabled, you may encounter:

ERROR: (gcloud.access-approval.settings.get) FAILED_PRECONDITION: Precondition check failed.
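The two error messages above, plus the normal settings output, are all an auditor has to interpret. The following shell helper is an added example and not part of the benchmark: it classifies the combined stdout/stderr of gcloud access-approval settings get into an audit status and, when the project is enrolled, checks that all services are enrolled and at least one notification email is configured. The sample outputs are constructed to mirror the messages quoted in the audit steps; the project id example-project, the NOT_ENROLLED status for settings with no enrolledServices block, and the YAML key layout (enrolledServices, name, notificationEmails) are assumptions about gcloud's output. gcloud is only needed for run_audit.

```shell
#!/usr/bin/env bash
# Added example (not benchmark text): audit helper for GCP Access Approval.

# Constructed sample outputs, modelled on the messages in the audit steps.
SAMPLE_API_DISABLED='API [accessapproval.googleapis.com] not enabled on project [example-project].'
SAMPLE_NO_AT='ERROR: (gcloud.access-approval.settings.get) FAILED_PRECONDITION: Precondition check failed.'
SAMPLE_ENROLLED='enrolledServices:
- cloudProduct: all
  enrollmentLevel: BLOCK_ALL
name: projects/example-project/accessApprovalSettings
notificationEmails:
- approvers@example.com'
SAMPLE_PARTIAL='enrolledServices:
- cloudProduct: compute.googleapis.com
  enrollmentLevel: BLOCK_ALL
name: projects/example-project/accessApprovalSettings
notificationEmails:
- approvers@example.com'

# Classify the combined stdout/stderr of `gcloud access-approval settings get`.
# Prints one of: API_DISABLED, TRANSPARENCY_DISABLED, ENROLLED, NOT_ENROLLED, UNKNOWN.
classify_access_approval_output() {
  case "$1" in
    *"API [accessapproval.googleapis.com] not enabled"*) echo "API_DISABLED" ;;
    *"FAILED_PRECONDITION"*)                              echo "TRANSPARENCY_DISABLED" ;;
    *"enrolledServices"*)                                 echo "ENROLLED" ;;
    *"name: projects/"*)                                  echo "NOT_ENROLLED" ;;  # assumption: settings exist, nothing enrolled
    *)                                                    echo "UNKNOWN" ;;
  esac
}

# Evaluate settings YAML: all services enrolled and at least one notification email.
# Prints one FINDING line per gap; returns 0 when compliant, 1 otherwise.
check_settings() {
  yaml="$1"
  rc=0
  if ! printf '%s\n' "$yaml" | grep -q 'cloudProduct: all'; then
    echo "FINDING: not all services are enrolled in Access Approval (expected cloudProduct: all)"
    rc=1
  fi
  # Count list items directly under the notificationEmails key.
  emails=$(printf '%s\n' "$yaml" | awk '
    /^notificationEmails:/ { f=1; next }
    /^[^ -]/               { f=0 }
    f && /^- /             { n++ }
    END                    { print n+0 }')
  if [ "$emails" -eq 0 ]; then
    echo "FINDING: no notification emails configured; approvers will not be notified"
    rc=1
  fi
  return $rc
}

# Live audit of one project; requires gcloud and an authenticated session.
run_audit() {
  project="$1"
  if ! command -v gcloud >/dev/null 2>&1; then
    echo "gcloud not found; skipping live audit" >&2
    return 2
  fi
  out=$(gcloud access-approval settings get --project="$project" 2>&1)
  status=$(classify_access_approval_output "$out")
  echo "project=$project status=$status"
  if [ "$status" = "ENROLLED" ]; then
    check_settings "$out"
  else
    return 1
  fi
}

# Demonstration against the constructed samples (no gcloud needed).
for s in "$SAMPLE_API_DISABLED" "$SAMPLE_NO_AT" "$SAMPLE_ENROLLED" "$SAMPLE_PARTIAL"; do
  echo "status=$(classify_access_approval_output "$s")"
done
check_settings "$SAMPLE_ENROLLED" && echo "sample settings: compliant"
check_settings "$SAMPLE_PARTIAL" || echo "sample settings: non-compliant"
```

Run run_audit PROJECT_ID against a real project; the classification mirrors the three outcomes the audit steps describe, and a non-zero exit from check_settings is the signal to apply the remediation below.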

Remediation Steps:

Using Google Cloud Console:

  1. Enable Access Transparency (if required):

    • Navigate to IAM & Admin > Settings and click Enable Access Transparency.

  2. Enroll in Access Approval:

    • Go to Security > Access Approval and click Enroll.

    • Follow the prompts to complete enrollment.

  3. Assign Access Approval Approver Role:

    • Go to IAM & Admin > IAM and click + ADD.

    • Enter the email of the user or group to be added as an approver.

    • Assign the role Access Approval Approver and click Save.

  4. Set Up Approval Notifications:

    • Go to Security > Access Approval and click Manage Settings.

    • Add the email address of the user or group to receive approval requests.

Using Google Cloud CLI:

Enable the Access Approval API:

gcloud services enable accessapproval.googleapis.com

Update Access Approval Settings:

gcloud access-approval settings update \
    --project=<PROJECT_NAME> \
    --enrolled_services=all \
    --notification_emails="<EMAIL>"

Additional Information:

  • Approvers must be logged in with a Google Cloud account associated with the configured notification email to approve requests.

  • Approval notifications are sent via email and can also be managed in the Access Approval section of the Security menu.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
3.3 Configure Data Access Control Lists | Apply access control lists based on the principle of least privilege. | | |
14.6 Protect Information via ACLs | Enforce access controls on stored information to ensure only authorized individuals have access. | | |