
📁 Consumer Google Accounts are used 🟒

  • Contextual name: 📁 Consumer Google Accounts are used 🟒
  • ID: /ce/ca/google/iam/corporate-login-credentials
  • Located in: 📁 Google IAM

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-z-79f4ab881

Description

Use corporate login credentials instead of consumer accounts, such as Gmail accounts.

Rationale

It is recommended that fully managed corporate Google accounts be used for increased visibility, auditing, and control of access to Cloud Platform resources. Email accounts based outside the user's organization, such as consumer accounts, should not be used for business purposes.

Impact

There will be increased overhead, since the organization must now maintain the accounts. For smaller organizations this will not be an issue, but the overhead grows with organization size.

Audit

For each Google Cloud Platform project, list the accounts that have been granted access to that project:

From Google Cloud CLI
 gcloud projects get-iam-policy PROJECT_ID

Also list the accounts added on each folder:

 gcloud resource-manager folders get-iam-policy FOLDER_ID

And list your organization's IAM policy:

 gcloud organizations get-iam-policy ORGANIZATION_ID

No email accounts outside the organization domain should be granted permissions in the IAM policies. This excludes Google-owned service accounts.
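The three gcloud commands above print an IAM policy; the check itself is done by reading the members of every binding. The following script is an added example, not part of the CIS benchmark text or the Cloudaware policy: it parses the JSON that `gcloud ... get-iam-policy --format=json` emits, flags members whose e-mail domain is not a corporate domain, and skips Google-owned service accounts as the audit text requires. The policy document, `ORG_DOMAINS`, and all helper names are constructed assumptions of this example.

```python
"""Flag IAM bindings granted to accounts outside the corporate domain.

Added example (not the benchmark's or the policy's own code): reads the JSON
form of an IAM policy and reports external members. SAMPLE_POLICY is
constructed sample data; ORG_DOMAINS is an assumed allow-list.
"""
import json
import subprocess
from typing import Iterable, List, Optional, Tuple

# Corporate domains allowed to hold IAM roles (assumption for this example).
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Google-owned service accounts are excluded from the finding per the audit text.
GOOGLE_SA_SUFFIXES = ("gserviceaccount.com",)

# Constructed sample resembling `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob.personal@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["group:auditors@corp.example.com",
                 "serviceAccount:ci@my-proj.iam.gserviceaccount.com",
                 "serviceAccount:service-123@gcp-sa-pubsub.iam.gserviceaccount.com",
                 "deleted:user:old@example.com?uid=123",
                 "domain:example.com",
                 "user:contractor@outlook.com"]},
    {"role": "roles/editor",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "BwXyz",
  "version": 1
}
""")


def member_domain(member: str) -> Optional[str]:
    """Return the domain of an IAM member string, or None if it has none.

    Handles `type:identity`, `deleted:type:identity?uid=...`, bare `domain:`
    members, and the special members allUsers / allAuthenticatedUsers.
    """
    if member.startswith("deleted:"):
        member = member[len("deleted:"):].split("?", 1)[0]
    if ":" not in member:
        return None  # allUsers / allAuthenticatedUsers have no domain
    kind, identity = member.split(":", 1)
    if kind == "domain":
        return identity.lower()  # already a bare domain
    if "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1].lower()


def is_google_service_account(member: str) -> bool:
    """True for Google-managed service accounts (*.gserviceaccount.com)."""
    domain = member_domain(member)
    return bool(domain) and domain.endswith(GOOGLE_SA_SUFFIXES)


def find_external_members(policy: dict, org_domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (role, member) pairs whose domain is outside org_domains.

    Members with no domain at all (allUsers, allAuthenticatedUsers) are
    reported too, since they are by definition outside the organization.
    """
    allowed = {d.lower() for d in org_domains}
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if is_google_service_account(member):
                continue
            domain = member_domain(member)
            if domain is None or domain not in allowed:
                findings.append((binding["role"], member))
    return findings


def load_policy(resource: str, resource_id: str) -> dict:
    """Fetch a live policy with gcloud; resource is 'projects',
    'resource-manager folders' or 'organizations' as in the audit steps."""
    cmd = ["gcloud", *resource.split(), "get-iam-policy", resource_id, "--format=json"]
    return json.loads(subprocess.check_output(cmd, text=True))


if __name__ == "__main__":
    # Run against the constructed sample; swap in load_policy(...) for a real resource.
    for role, member in find_external_members(SAMPLE_POLICY, ORG_DOMAINS):
        print(f"EXTERNAL {role}: {member}")
```

Run the same function over the output of each of the three audit commands (project, folder, organization) so that inherited grants at the folder and organization level are reviewed along with project-level ones.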


Remediation

Remove all consumer Google accounts from IAM policies. Follow the documentation and set up corporate login accounts.

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 CIS GCP v1.1.0 → 💼 1.1 Ensure that corporate login credentials are used11
💼 CIS GCP v1.2.0 → 💼 1.1 Ensure that corporate login credentials are used - Level 1 (Automated)11
💼 CIS GCP v1.3.0 → 💼 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual)11
💼 CIS GCP v3.0.0 → 💼 1.1 Ensure that Corporate Login Credentials are Used - Level 1 (Manual)1
💼 Cloudaware Framework → 💼 Credential Lifecycle Management17
💼 FedRAMP High Security Controls → 💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H)613
💼 FedRAMP High Security Controls → 💼 IA-4 Identifier Management (L)(M)(H)111
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)61420
💼 FedRAMP Low Security Controls → 💼 IA-4 Identifier Management (L)(M)(H)1
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)120
💼 FedRAMP Moderate Security Controls → 💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H)63
💼 FedRAMP Moderate Security Controls → 💼 IA-4 Identifier Management (L)(M)(H)11
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)420
💼 ISO/IEC 27001:2013 → 💼 A.9.2.1 User registration and de-registration11
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1922
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions48
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1922
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented4351
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization23
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions8
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated22
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
💼 PCI DSS v3.2.1 → 💼 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.22
💼 PCI DSS v4.0.1 → 💼 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed.2
💼 PCI DSS v4.0 → 💼 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed.2