
πŸ“ Google Accounts are not configured with MFA 🟒

  • Contextual name: πŸ“ Google Accounts are not configured with MFA 🟒
  • ID: /ce/ca/google/iam/multi-factor-authentication
  • Located in: πŸ“ Google IAM

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Description


Set up multi-factor authentication for all Google Cloud Platform user accounts.

Rationale

Multi-factor authentication requires more than one mechanism to authenticate a user. This protects user logins against attackers who have obtained stolen or weak credentials, since a password alone is no longer sufficient to sign in.

Audit

From Google Cloud Console

For each Google Cloud Platform project, folder, or organization:

  1. Identify non-service accounts.
  2. Manually verify that multi-factor authentication for each account is set.

Default Value

By default, multi-factor authentication is not enabled.

References

  1. https://cloud.google.com/solutions/securing-gcp-account-u2f
  2. https://support.google.com/accounts/answer/185839

Remediation


From Google Cloud Console

For each Google Cloud Platform project:

  1. Identify non-service accounts.
  2. Set up multi-factor authentication for each account.
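Step 1 of both the Audit and the Remediation procedures above ("Identify non-service accounts") is the part that can be scripted; the MFA verification itself stays manual. The following is an added example written for this page, not the policy's own tooling and not Google's code. It assumes a project IAM policy in the shape printed by `gcloud projects get-iam-policy PROJECT --format=json` (a `bindings` list of role/members pairs) and, for the optional cross-check, Google Workspace directory user records carrying the Admin SDK `isEnrolledIn2Sv` 2-Step Verification flag; the policy, the directory records and every e-mail address below are constructed sample data. The function separates human `user:` principals (which can be checked directly) from `group:`, `domain:` and `allAuthenticatedUsers` members, which must be expanded to individual users before MFA can be verified at all, and flags external users that have no directory record.

```python
from collections import defaultdict

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["user:bob@example.com",
                     "group:devs@example.com",
                     "deleted:user:carol@example.com?uid=123456789"]},
        {"role": "roles/viewer",
         "members": ["user:alice@example.com",
                     "user:dave@partner.example",   # external account, not in our directory
                     "domain:example.com",
                     "allAuthenticatedUsers"]},
    ]
}

# Constructed sample of Workspace directory user records (Admin SDK Directory API
# user resource; the isEnrolledIn2Sv field name is an assumption of this example).
SAMPLE_DIRECTORY = [
    {"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": True},
    {"primaryEmail": "bob@example.com", "isEnrolledIn2Sv": False},
]


def non_service_members(policy):
    """Map each non-service-account member to the set of roles it holds.

    Service accounts are out of scope for this policy and deleted principals
    can no longer sign in, so both are skipped.
    """
    roles_by_member = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith(("serviceAccount:", "deleted:")):
                continue
            roles_by_member[member].add(binding["role"])
    return dict(roles_by_member)


def mfa_findings(policy, directory_users):
    """Return (missing_mfa, needs_expansion, not_in_directory), each a sorted
    list of (member, [roles]) pairs.

    missing_mfa:      user: members whose directory record says not enrolled
    needs_expansion:  group:/domain:/allAuthenticatedUsers members that must be
                      expanded to individual users before MFA can be verified
    not_in_directory: user: members with no directory record (external accounts
                      whose MFA state cannot be confirmed from this directory)
    """
    enrolled = {u["primaryEmail"].lower(): bool(u.get("isEnrolledIn2Sv"))
                for u in directory_users}
    missing, expand, unknown = [], [], []
    for member, roles in sorted(non_service_members(policy).items()):
        entry = (member, sorted(roles))
        if member.startswith("user:"):
            email = member[len("user:"):].lower()
            if email not in enrolled:
                unknown.append(entry)
            elif not enrolled[email]:
                missing.append(entry)
        else:
            expand.append(entry)
    return missing, expand, unknown


if __name__ == "__main__":
    missing, expand, unknown = mfa_findings(SAMPLE_POLICY, SAMPLE_DIRECTORY)
    for label, rows in (("MFA not enrolled", missing),
                        ("Expand before checking", expand),
                        ("Not in directory (verify manually)", unknown)):
        print(f"== {label} ==")
        for member, roles in rows:
            print(f"  {member:40s} {', '.join(roles)}")
```

Every member that lands in the "expand" or "not in directory" lists still needs the manual verification the Audit section calls for; the script only narrows the list of accounts a reviewer has to look at and makes it obvious when a role is granted to a whole group or domain rather than to named users.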

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 CIS GCP v1.2.0 → 💼 1.2 Ensure that multi-factor authentication is enabled for all non-service accounts - Level 1 (Manual - Not supported, requires a manual assessment) | 1
💼 CIS GCP v1.3.0 → 💼 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - Level 1 (Manual) | 1
💼 CIS GCP v2.0.0 → 💼 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - Level 1 (Manual) | 1
💼 CIS GCP v3.0.0 → 💼 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - Level 1 (Manual) | 1
💼 Cloudaware Framework → 💼 Multi-Factor Authentication (MFA) Implementation | 16
💼 ISO/IEC 27001:2013 → 💼 A.9.4.2 Secure log-on procedures | 1
💼 ISO/IEC 27001:2022 → 💼 8.5 Secure authentication | 2
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1930
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | 413
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1923
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 38
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | 13
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated | 32
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 88
💼 NIST SP 800-53 Revision 4 → 💼 IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | 1312
💼 PCI DSS v3.2.1 → 💼 8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. | 23