2.15 Ensure 'Access Approval' is 'Enabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

GCP Access Approval enables you to require your organizations' explicit approval whenever Google support try to access your projects. You can then select users within your organization who can approve these requests through giving them a security role in IAM. All access requests display which Google Employee requested them in an email or Pub/Sub message that you can choose to Approve. This adds an additional control and logging of who in your organization approved/denied these requests.

Rationale:

Controlling access to your information is one of the foundations of information security. Google Employees do have access to your organizations' projects for support reasons. With Access Approval, organizations can then be certain that their information is accessed by only approved Google Personnel.

Impact:

To use Access Approval your organization will need have enabled Access Transparency and have at one of the following support level: Enhanced or Premium. There will be subscription costs associated with these support levels, as well as increased storage costs for storing the logs. You will also not be able to turn the Access Transparency which Access Approval depends on, off yourself. To do so you will need to submit a service request to Google Cloud Support. There will also be additional overhead in managing user permissions. There may also be a potential delay in support times as Google Personnel will have to wait for their access to be approved.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Console:

From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the Security Menu. Select Access Approval in the middle of the column that opens.

The status will be displayed here. On this screen, there is an option to click Enroll. If it is greyed out and you see an error bar at the top of the screen that says Access Transparency is not enabled please view the corresponding reference within this section to enable it.

In the second screen click Enroll.

Grant an IAM Group or User the role with permissions to Add Users to be Access Approval message Recipients

From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the IAM and Admin. Select IAM in the middle of the column that opens.

Click the blue button the says +add at the top of the screen.

In the principals field, select a user or group by typing in their associated email address.

Click on the role field to expand it. In the filter field enter Access Approval Approver and select it.

Click save.

Add a Group or User as an Approver for Access Approval Requests

As a user with the Access Approval Approver permission, within the project where you wish to add an email address to which request will be sent, click on the Navigation hamburger menu in the top left. Hover over the Security Menu. Select Access Approval in the middle of the column that opens.

Click Manage Settings

Under Set up approval notifications, enter the email address associated with a Google Cloud User or Group you wish to send Access Approval requests to. All future access approvals will be sent as emails to this address.

From CLI:

To update all services in an entire project, run the following command from an account that has permissions as an 'Approver for Access Approval Requests'

gcloud access-approval settings update --project=<project name> --enrolled_services=all --notification_emails='<email recipient for access approval requests>@<domain name>'

Default Value:

By default Access Approval and its dependency of Access Transparency are not enabled.

See Also

https://workbench.cisecurity.org/files/3817