🛡️ Consumer Google Accounts are used

  • Contextual name: 🛡️ Consumer Google Accounts are used
  • ID: /ce/ca/google/iam/corporate-login-credentials
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-z-79f4ab881

Description


Use corporate login credentials instead of consumer accounts, such as Gmail accounts.

Rationale

It is recommended that fully-managed corporate Google accounts be used for increased visibility, auditing, and control of access to Cloud Platform resources. Email accounts based outside of the user's organization, such as consumer accounts, should not be used for business purposes.

Impact

There will be increased overhead, as maintaining the corporate accounts will now be required. For smaller organizations this will not be an issue, but the effort grows with organization size.

Audit

For each Google Cloud Platform project, list the accounts that have been granted access to that project:

From Google Cloud CLI
 gcloud projects get-iam-policy PROJECT_ID

Also list the accounts added on each folder:

 gcloud resource-manager folders get-iam-policy FOLDER_ID

And list your organization's IAM policy:

 gcloud organizations get-iam-policy ORGANIZATION_ID

No email accounts outside the organization domain should be granted permissions in the IAM policies. This excludes Google-owned service accounts.
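The three gcloud commands above each print an IAM policy; with `--format=json` (a standard gcloud output flag) that policy can be piped into a small checker. The script below is an added example, not part of the original Cloudaware page or Google's tooling: it walks the `bindings` of such a policy and reports every `user:`, `group:` or `domain:` principal whose domain is not one of the corporate domains given on the command line, plus the public principals `allUsers` and `allAuthenticatedUsers`. `serviceAccount:` principals are skipped, matching the exclusion of Google-owned service accounts in the audit text. The embedded policy, its e-mail addresses and the domain `example.com` are constructed sample data.

```python
"""Flag IAM principals whose e-mail domain is outside the organisation.

Added example (not Cloudaware's or Google's code). Reads the JSON printed by
`gcloud projects get-iam-policy PROJECT_ID --format=json` (the folders and
organizations commands print the same shape) and lists every user/group/domain
principal that is not in an allowed corporate domain. The sample policy below
is constructed for illustration.
"""
import json
import sys

# Principal types that carry an e-mail address or a domain we can check.
CHECKED_TYPES = ("user", "group", "domain")
# Special principals that make a resource public; always worth flagging.
PUBLIC_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")

# Constructed sample in the shape gcloud prints with --format=json.
SAMPLE_POLICY = {
    "etag": "BwX-constructed=",
    "version": 1,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "user:bob.personal@gmail.com"]},
        {"role": "roles/viewer",
         "members": ["group:devs@example.com",
                     "deleted:user:carol@outlook.com?uid=1234",
                     "serviceAccount:svc@example-project.iam.gserviceaccount.com",
                     "domain:example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
    ],
}


def principal_domain(member):
    """Return (type, domain) for an IAM member string, or None when the
    member is not one of CHECKED_TYPES (e.g. serviceAccount:).

    Also handles the `deleted:user:alice@example.com?uid=123` form gcloud
    shows for principals whose account has since been deleted."""
    if member.startswith("deleted:"):
        member = member[len("deleted:"):].split("?uid=", 1)[0]
    ptype, sep, ident = member.partition(":")
    if not sep or ptype not in CHECKED_TYPES:
        return None
    # 'domain:' carries the domain itself; user/group carry an e-mail address.
    domain = ident if ptype == "domain" else ident.rpartition("@")[2]
    return ptype, domain.lower()


def find_external_members(policy, allowed_domains):
    """Return sorted (role, member, reason) triples for every binding that
    grants access to a principal outside `allowed_domains` or to the public.

    Matching is exact per domain, so list sub-domains explicitly if you use them."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public principal"))
                continue
            parsed = principal_domain(member)
            if parsed is None:
                continue  # serviceAccount: and other unchecked principal types
            ptype, domain = parsed
            if domain not in allowed:
                findings.append((role, member, f"{ptype} outside allowed domains"))
    return sorted(findings)


def main(argv):
    # Usage: gcloud projects get-iam-policy PROJECT_ID --format=json \
    #          | python3 check_iam_members.py example.com
    # With no piped input the constructed sample policy is checked instead.
    domains = argv[1:] or ["example.com"]
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_external_members(policy, domains)
    for role, member, reason in findings:
        print(f"{role}\t{member}\t{reason}")
    return 1 if findings else 0  # non-zero exit lets a CI job fail on findings


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per project, folder and organization policy; on the sample it reports the Gmail owner, the deleted Outlook viewer and the `allUsers` grant, and leaves the corporate user, group and domain bindings alone.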


Remediation


Remove all consumer Google accounts from IAM policies. Follow the documentation and set up corporate login accounts.

policy.yaml


Linked Framework Sections

Section → Sub Section | Internal Rules / Policies / Flags | Compliance
💼 CIS GCP v1.1.0 → 💼 1.1 Ensure that corporate login credentials are used | 11 | no data
💼 CIS GCP v1.2.0 → 💼 1.1 Ensure that corporate login credentials are used - Level 1 (Automated) | 11 | no data
💼 CIS GCP v1.3.0 → 💼 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual) | 11 | no data
💼 CIS GCP v2.0.0 → 💼 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual) | 1 | no data
💼 CIS GCP v3.0.0 → 💼 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management | 18 | no data
💼 FedRAMP High Security Controls → 💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H) | 614 | no data
💼 FedRAMP High Security Controls → 💼 IA-4 Identifier Management (L)(M)(H) | 111 | no data
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 61432 | no data
💼 FedRAMP Low Security Controls → 💼 IA-4 Identifier Management (L)(M)(H) | 1 | no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 132 | no data
💼 FedRAMP Moderate Security Controls → 💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H) | 64 | no data
💼 FedRAMP Moderate Security Controls → 💼 IA-4 Identifier Management (L)(M)(H) | 11 | no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 432 | no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.1 User registration and de-registration | 11 | no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights | 312 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1934 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1756 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | 413 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1923 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 4791 | no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 2130 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 42 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | 13 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated | 53 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 116 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 148 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 125 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 142 | no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-3 ACCESS ENFORCEMENT | 102 | no data
💼 PCI DSS v3.2.1 → 💼 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 7.1.3 Assign access based on individual personnel's job classification and function. | 5 | no data
💼 PCI DSS v3.2.1 → 💼 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data. | 22 | no data
💼 PCI DSS v4.0.1 → 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges. | 5 | no data
💼 PCI DSS v4.0.1 → 💼 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed. | 2 | no data
💼 PCI DSS v4.0 → 💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges. | 5 | no data
💼 PCI DSS v4.0 → 💼 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed. | 2 | no data
💼 SOC 2 → 💼 CC6.1-4 Identifies and Authenticates Users | 46 | no data
💼 SOC 2 → 💼 CC6.1-9 Manages Credentials for Infrastructure and Software | 34 | no data