
๐Ÿ›ก๏ธ Consumer Google Accounts are used๐ŸŸขโšช

  • Contextual name: 🛡️ Consumer Google Accounts are used 🟢⚪
  • ID: /ce/ca/google/iam/corporate-login-credentials
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Similar Policies

Similar Internal Rules

| Rule | Policies | Flags |
| --- | --- | --- |
| ✉️ dec-z-79f4ab881 | | |

Description


Use corporate login credentials instead of consumer accounts, such as Gmail accounts.

Rationale

It is recommended that fully managed corporate Google accounts be used for increased visibility, auditing, and control of access to Cloud Platform resources. Email accounts based outside the user's organization, such as consumer accounts, should not be used for business purposes.

Impact

There will be increased overhead as maintaining accounts will now be required. For smaller organizations, this will not be an issue, but will balloon with size.

Audit

For each Google Cloud Platform project, list the accounts that have been granted access to that project:

From Google Cloud CLI

```sh
gcloud projects get-iam-policy {{project-id}}
```

Also list the accounts added on each folder:

```sh
gcloud resource-manager folders get-iam-policy {{folder-id}}
```

And list your organization's IAM policy:

```sh
gcloud organizations get-iam-policy {{organization-id}}
```

No email accounts outside the organization domain should be granted permissions in the IAM policies. This excludes Google-owned service accounts.
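The check above, as an added example that is not part of this policy page or Cloudaware's own tooling: it walks the JSON that `gcloud ... get-iam-policy --format=json` returns for a project, folder or organization and reports every principal whose domain is not a corporate one, skipping `*.gserviceaccount.com` service accounts as the audit text allows. The corporate domain `example.com` and the embedded policy document are constructed for illustration; public principals (`allUsers`, `allAuthenticatedUsers`) are also reported, which goes slightly beyond the page's email-only wording.

```python
import json

# Constructed sample in the shape `gcloud projects get-iam-policy <id> --format=json` emits.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:contractor@gmail.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com",
                 "group:devs@example.com", "domain:example.com"]},
    {"role": "roles/viewer",
     "members": ["deleted:user:old@gmail.com?uid=1234", "user:bob@outlook.com",
                 "allAuthenticatedUsers"]}
  ],
  "etag": "BwXyz123", "version": 1
}
""")

def member_email(member):
    """Return (kind, identifier) for an IAM member string, dropping the
    'deleted:' marker and the '?uid=...' suffix that deleted principals carry."""
    if member.startswith("deleted:"):
        member = member[len("deleted:"):]
    kind, _, ident = member.partition(":")
    return kind, ident.split("?", 1)[0]

def find_external_members(policy, corporate_domains):
    """Return [(role, member)] for every grant to a principal outside corporate_domains.
    Google-managed and user-managed service accounts (*.gserviceaccount.com) are skipped."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append((binding["role"], member))  # public grant, never corporate
                continue
            kind, ident = member_email(member)
            if kind == "serviceAccount" and ident.endswith("gserviceaccount.com"):
                continue
            domain = ident if kind == "domain" else ident.rpartition("@")[2]
            if domain.lower() not in corporate_domains:
                findings.append((binding["role"], member))
    return findings

if __name__ == "__main__":
    # In practice: policy = json.load(open("policy.json")) after running the gcloud command.
    for role, member in find_external_members(SAMPLE_POLICY, {"example.com"}):
        print(f"FINDING  {role:<16} {member}")
```

Run the same function over the folder and organization policies, since a consumer account granted at a higher level inherits into every project beneath it.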


Remediation


Remove all consumer Google accounts from IAM policies. Follow the documentation and set up corporate login accounts.

policy.yaml


Linked Framework Sections

| Framework | Section | Counts (Sub Sections, Internal Rules, Policies, Flags) | Compliance |
| --- | --- | --- | --- |
| 💼 CIS GCP v1.1.0 | 💼 1.1 Ensure that corporate login credentials are used | 11 | no data |
| 💼 CIS GCP v1.2.0 | 💼 1.1 Ensure that corporate login credentials are used - Level 1 (Automated) | 11 | no data |
| 💼 CIS GCP v1.3.0 | 💼 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual) | 11 | no data |
| 💼 CIS GCP v2.0.0 | 💼 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual) | 1 | no data |
| 💼 CIS GCP v3.0.0 | 💼 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual) | 1 | no data |
| 💼 Cloudaware Framework | 💼 User Account Management | 9 | no data |
| 💼 FedRAMP High Security Controls | 💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H) | 614 | no data |
| 💼 FedRAMP High Security Controls | 💼 IA-4 Identifier Management (L)(M)(H) | 111 | no data |
| 💼 FedRAMP High Security Controls | 💼 IA-5 Authenticator Management (L)(M)(H) | 61437 | no data |
| 💼 FedRAMP Low Security Controls | 💼 IA-4 Identifier Management (L)(M)(H) | 1 | no data |
| 💼 FedRAMP Low Security Controls | 💼 IA-5 Authenticator Management (L)(M)(H) | 137 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H) | 64 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 IA-4 Identifier Management (L)(M)(H) | 11 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 IA-5 Authenticator Management (L)(M)(H) | 437 | no data |
| 💼 ISO/IEC 27001:2013 | 💼 A.9.2.1 User registration and de-registration | 11 | no data |
| 💼 ISO/IEC 27001:2013 | 💼 A.9.2.3 Management of privileged access rights | 312 | no data |
| 💼 NIST CSF v1.1 | 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1934 | no data |
| 💼 NIST CSF v1.1 | 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1756 | no data |
| 💼 NIST CSF v1.1 | 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | 413 | no data |
| 💼 NIST CSF v1.1 | 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1923 | no data |
| 💼 NIST CSF v1.1 | 💼 PR.DS-5: Protections against data leaks are implemented | 4791 | no data |
| 💼 NIST CSF v1.1 | 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 2130 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 43 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | 13 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.AA-03: Users, services, and hardware are authenticated | 53 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 133 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 187 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 160 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 184 | no data |
| 💼 NIST SP 800-53 Revision 4 | 💼 AC-3 ACCESS ENFORCEMENT | 102 | no data |
| 💼 PCI DSS v3.2.1 | 💼 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. | 5 | no data |
| 💼 PCI DSS v3.2.1 | 💼 7.1.3 Assign access based on individual personnel's job classification and function. | 5 | no data |
| 💼 PCI DSS v3.2.1 | 💼 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data. | 22 | no data |
| 💼 PCI DSS v4.0.1 | 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges. | 5 | no data |
| 💼 PCI DSS v4.0.1 | 💼 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed. | 2 | no data |
| 💼 PCI DSS v4.0 | 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges. | 5 | no data |
| 💼 PCI DSS v4.0 | 💼 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed. | 2 | no data |
| 💼 SOC 2 | 💼 CC6.1-4 Identifies and Authenticates Users | 46 | no data |
| 💼 SOC 2 | 💼 CC6.1-9 Manages Credentials for Infrastructure and Software | 34 | no data |