Skip to main content

πŸ“ Google Organization Essential Contacts is not configured 🟒

  • Contextual name: πŸ“ Organization Essential Contacts is not configured 🟒
  • ID: /ce/ca/google/iam/essential-contacts-for-organization
  • Located in: πŸ“ Google IAM

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.

Rationale​

Many Google Cloud services, such as Cloud Billing, send out notifications to share important information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.

Impact​

There is no charge for Essential Contacts except for the 'Technical Incidents' category that is only available to premium support customers.

Audit​

From Google Cloud Console​
  1. Go to Essential Contacts by visiting https://console.cloud.google.com/iam-admin/essential-contacts
  2. Make sure the organization appears in the resource selector at the top of the page. The resource selector tells you what project, folder, or organization you are currently managing contacts for.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to Essential Contacts by visiting https://console.cloud.google.com/iam-admin/essential-contacts
  2. Make sure the organization appears in the resource selector at the top of the page. The resource selector tells you what project, folder, or organization you are currently managing contacts for.
  3. Click +Add contact
  4. In the Email and Confirm Email fields, enter the email address of the contact.
  5. From the Notification categories drop-down menu, select the notification categories that you want the contact to receive communications for.
  6. Click Save

From Google Cloud CLI​

  1. To add an organization Essential Contacts run a command:

    gcloud essential-contacts create --email="<EMAIL>" \

    --notification-categories="<NOTIFICATION_CATEGORIES>" \

    --organization=<ORGANIZATION_ID>

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 1.16 Ensure Essential Contacts is Configured for Organization - Level 1 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 1.16 Ensure Essential Contacts is Configured for Organization - Level 1 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 1.16 Ensure Essential Contacts is Configured for Organization - Level 1 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό General Access Controls11
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IR-6 Incident Reporting (L)(M)(H)21013
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IR-6 Incident Reporting (L)(M)(H)1
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IR-6 Incident Reporting (L)(M)(H)213
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.5 Contact with authorities23
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.6 Contact with special interest23
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.20 Addressing information security within supplier agreements23
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.24 Information security incident management planning and preparation23
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-1: Personnel know their roles and order of operations when a response is needed1
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind8
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders1
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved18
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved18
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-08: An incident's magnitude is estimated and validated1
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-02: Internal and external stakeholders are notified of incidents30
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-03: Information is shared with designated internal and external stakeholders18
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared1
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.MA-02: Incident reports are triaged and validated24
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.MA-03: Incidents are categorized and prioritized1
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.MA-04: Incidents are escalated or elevated as needed1
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό IR-6 Incident Reporting31
πŸ’Ό SOC 2 β†’ πŸ’Ό CC2.3-1 Communicates to External Parties1