Skip to main content

๐Ÿ›ก๏ธ Google Organization Essential Contacts is not configured๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Organization Essential Contacts is not configured๐ŸŸข
  • ID: /ce/ca/google/iam/essential-contacts-for-organization
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Descriptionโ€‹

Open File

Descriptionโ€‹

It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.

Rationaleโ€‹

Many Google Cloud services, such as Cloud Billing, send out notifications to share important information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.

Impactโ€‹

There is no charge for Essential Contacts except for the 'Technical Incidents' category that is only available to premium support customers.

Auditโ€‹

From Google Cloud Consoleโ€‹
  1. Go to Essential Contacts by visiting https://console.cloud.google.com/iam-admin/essential-contacts
  2. Make sure the organization appears in the resource selector at the top of the page. The resource selector tells you what project, folder, or organization you are currently managing contacts for.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Google Cloud Consoleโ€‹

  1. Go to Essential Contacts by visiting https://console.cloud.google.com/iam-admin/essential-contacts
  2. Make sure the organization appears in the resource selector at the top of the page. The resource selector tells you what project, folder, or organization you are currently managing contacts for.
  3. Click +Add contact
  4. In the Email and Confirm Email fields, enter the email address of the contact.
  5. From the Notification categories drop-down menu, select the notification categories that you want the contact to receive communications for.
  6. Click Save

From Google Cloud CLIโ€‹

  1. To add an organization Essential Contacts run a command:

    gcloud essential-contacts create --email="<EMAIL>" \

    --notification-categories="<NOTIFICATION_CATEGORIES>" \

    --organization=<ORGANIZATION_ID>

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ CIS GCP v1.3.0 โ†’ ๐Ÿ’ผ 1.16 Ensure Essential Contacts is Configured for Organization - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v2.0.0 โ†’ ๐Ÿ’ผ 1.16 Ensure Essential Contacts is Configured for Organization - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v3.0.0 โ†’ ๐Ÿ’ผ 1.16 Ensure Essential Contacts is Configured for Organization - Level 1 (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ General Access Controls11no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ IR-6 Incident Reporting (L)(M)(H)21013no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ IR-6 Incident Reporting (L)(M)(H)1no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ IR-6 Incident Reporting (L)(M)(H)213no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 5.5 Contact with authorities23no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 5.6 Contact with special interest23no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 5.20 Addressing information security within supplier agreements23no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 5.24 Information security incident management planning and preparation23no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ RS.CO-1: Personnel know their roles and order of operations when a response is needed1no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind8no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders1no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved18no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved18no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.AN-08: An incident's magnitude is estimated and validated1no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.CO-02: Internal and external stakeholders are notified of incidents31no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.CO-03: Information is shared with designated internal and external stakeholders19no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared1no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.MA-02: Incident reports are triaged and validated25no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.MA-03: Incidents are categorized and prioritized1no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.MA-04: Incidents are escalated or elevated as needed1no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ IR-6 Incident Reporting31no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC2.3-1 Communicates to External Parties1no data