
πŸ“ Consumer Google Accounts are used 🟒

  • Contextual name: πŸ“ Consumer Google Accounts are used 🟒
  • ID: /ce/ca/google/iam/corporate-login-credentials
  • Located in: πŸ“ Google IAM

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

  • Rule: dec-z-79f4ab881

Description

Use corporate login credentials instead of consumer accounts, such as Gmail accounts.

Rationale

It is recommended that fully managed corporate Google accounts be used, for increased visibility, auditing, and control of access to Cloud Platform resources. Email accounts based outside of the user's organization, such as consumer accounts, should not be used for business purposes.

Impact

There will be increased overhead, since the organization must now maintain these accounts. For smaller organizations this is not an issue, but the effort grows with size.

Audit

For each Google Cloud Platform project, list the accounts that have been granted access to that project:

From Google Cloud CLI

 gcloud projects get-iam-policy PROJECT_ID

Also list the accounts added on each folder:

 gcloud resource-manager folders get-iam-policy FOLDER_ID

And list your organization's IAM policy:

 gcloud organizations get-iam-policy ORGANIZATION_ID

No email accounts outside the organization domain should be granted permissions in these IAM policies. Google-owned service accounts are excluded from this check.
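As an added example (not part of the original policy text), the following Python check reads the JSON form of the `get-iam-policy` output above (`--format=json`) and reports `user:` and `group:` members whose e-mail domain is outside the corporate domains; service accounts are skipped, as the policy excludes them. The corporate domains and the sample policy are constructed values.

```python
import json
import sys

# Domains this organization treats as corporate (constructed example values).
CORPORATE_DOMAINS = {"example.com", "corp.example.com"}

# Only human principals are inspected. serviceAccount:, deleted: and the public
# principals (allUsers, allAuthenticatedUsers) are out of scope for this check.
HUMAN_PREFIXES = ("user:", "group:")


def member_domain(member):
    """Return the lower-cased e-mail domain of a user:/group: member, else None."""
    if not member.startswith(HUMAN_PREFIXES):
        return None
    email = member.split(":", 1)[1]
    return email.rsplit("@", 1)[-1].lower() if "@" in email else None


def find_consumer_accounts(policy, corporate_domains=CORPORATE_DOMAINS):
    """Return (member, role) pairs whose member domain is not a corporate domain.

    `policy` is the parsed output of `gcloud ... get-iam-policy --format=json`,
    which has the same shape for projects, folders and organizations.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            domain = member_domain(member)
            if domain is not None and domain not in corporate_domains:
                findings.append((member, binding.get("role", "")))
    return findings


# Constructed sample resembling `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob.personal@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["group:devs@example.com", "group:friends@googlegroups.com",
                 "serviceAccount:123456-compute@developer.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

if __name__ == "__main__":
    # Read a real policy from stdin when piped in; otherwise use the constructed sample.
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for member, role in find_consumer_accounts(policy):
        print(f"non-corporate principal {member} holds {role}")
```

Pipe `gcloud projects get-iam-policy PROJECT_ID --format=json` into the script to check a real project; repeat with the folder and organization commands above.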


Remediation

Remove all consumer Google accounts from IAM policies. Follow the documentation and set up corporate login accounts.


Linked Framework Sections

Section → Sub Section | Internal Rules / Policies / Flags
CIS GCP v1.1.0 → 1.1 Ensure that corporate login credentials are used | 11
CIS GCP v1.2.0 → 1.1 Ensure that corporate login credentials are used - Level 1 (Automated) | 11
CIS GCP v1.3.0 → 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual) | 11
CIS GCP v2.0.0 → 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual) | 1
CIS GCP v3.0.0 → 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual) | 1
Cloudaware Framework → Credential Lifecycle Management | 18
FedRAMP High Security Controls → IA-2 Identification and Authentication (Organizational Users) (L)(M)(H) | 613
FedRAMP High Security Controls → IA-4 Identifier Management (L)(M)(H) | 111
FedRAMP High Security Controls → IA-5 Authenticator Management (L)(M)(H) | 61432
FedRAMP Low Security Controls → IA-4 Identifier Management (L)(M)(H) | 1
FedRAMP Low Security Controls → IA-5 Authenticator Management (L)(M)(H) | 132
FedRAMP Moderate Security Controls → IA-2 Identification and Authentication (Organizational Users) (L)(M)(H) | 63
FedRAMP Moderate Security Controls → IA-4 Identifier Management (L)(M)(H) | 11
FedRAMP Moderate Security Controls → IA-5 Authenticator Management (L)(M)(H) | 432
ISO/IEC 27001:2013 → A.9.2.1 User registration and de-registration | 11
ISO/IEC 27001:2013 → A.9.2.3 Management of privileged access rights | 38
NIST CSF v1.1 → PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1930
NIST CSF v1.1 → PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1752
NIST CSF v1.1 → PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | 413
NIST CSF v1.1 → PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1923
NIST CSF v1.1 → PR.DS-5: Protections against data leaks are implemented | 4766
NIST CSF v1.1 → PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 2130
NIST CSF v2.0 → PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 38
NIST CSF v2.0 → PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | 13
NIST CSF v2.0 → PR.AA-03: Users, services, and hardware are authenticated | 32
NIST CSF v2.0 → PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 88
NIST CSF v2.0 → PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 114
NIST CSF v2.0 → PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 94
NIST CSF v2.0 → PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 108
NIST SP 800-53 Revision 4 → AC-3 ACCESS ENFORCEMENT | 102
PCI DSS v3.2.1 → 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. | 2
PCI DSS v3.2.1 → 7.1.3 Assign access based on individual personnel's job classification and function. | 2
PCI DSS v3.2.1 → 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data. | 22
PCI DSS v4.0.1 → 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges. | 2
PCI DSS v4.0.1 → 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed. | 2
PCI DSS v4.0 → 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges. | 2
PCI DSS v4.0 → 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed. | 2
SOC 2 → CC6.1-4 Identifies and Authenticates Users | 46
SOC 2 → CC6.1-9 Manages Credentials for Infrastructure and Software | 34