🛡️ Google Accounts are not configured with MFA🟢⚪

• Contextual name: 🛡️ Google Accounts are not configured with MFA🟢⚪
• ID: /ce/ca/google/iam/multi-factor-authentication
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Similar Policies

• Cloud Conformity: Enable Multi-Factor Authentication for User Accounts

Description

Open File

Description

Setup multi-factor authentication for Google Cloud Platform accounts.

Rationale

Multi-factor authentication requires more than one mechanism to authenticate a user. This secures user logins from attackers exploiting stolen or weak credentials.

Audit

From Google Cloud Console

For each Google Cloud Platform project, folder, or organization:

1. Identify non-service accounts.
2. Manually verify that multi-factor authentication for each account is set.

Default Value

By default, multi-factor authentication is not set.

References

1. https://cloud.google.com/solutions/securing-gcp-account-u2f
2. https://support.google.com/accounts/answer/185839

Remediation

Open File

Remediation

From Google Cloud Console

For each Google Cloud Platform project:

1. Identify non-service accounts.
2. Setup multi-factor authentication for each account.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 1.2 Ensure that multi-factor authentication is enabled for all non-service accounts - Level 1 (Manual _ Not supported, requires a manual assessment)			1		no data
💼 CIS GCP v1.3.0 → 💼 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - Level 1 (Manual)			1		no data
💼 CIS GCP v2.0.0 → 💼 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - Level 1 (Manual)			1		no data
💼 CIS GCP v3.0.0 → 💼 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts - Level 1 (Manual)			1		no data
💼 Cloudaware Framework → 💼 Multi-Factor Authentication (MFA) Implementation			16		no data
💼 ISO/IEC 27001:2013 → 💼 A.9.4.2 Secure log-on procedures			1		no data
💼 ISO/IEC 27001:2022 → 💼 8.5 Secure authentication			2		no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	34		no data
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions		4	13		no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)		19	23		no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			42		no data
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions			13		no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated			53		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116		no data
💼 NIST SP 800-53 Revision 4 → 💼 IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)	13	1	2		no data
💼 PCI DSS v3.2.1 → 💼 8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.	2		4		no data