1.1 Ensure that Corporate Login Credentials are Used

Information

Use corporate login credentials instead of consumer accounts, such as Gmail accounts.

Rationale:

It is recommended that fully managed corporate Google accounts be used, because they give increased visibility, auditing, and control over access to Cloud Platform resources. Email accounts based outside the user's organization, such as consumer accounts, should not be used for business purposes.

Impact:

There will be increased overhead, as maintaining these accounts will now be required. For smaller organizations this will not be an issue, but the overhead grows with the size of the organization.

Solution

Remove all consumer Google accounts from IAM policies. Follow the documentation and set up corporate login accounts.

Prevention:

To ensure that no email addresses outside the organization can be granted IAM permissions on its Google Cloud projects, folders, or organization, turn on the Organization Policy for Domain Restricted Sharing. Learn more at: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains
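The audit step above (finding consumer accounts in IAM policies) is easiest to run against the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` (or the equivalent `gcloud organizations` / `gcloud resource-manager folders` commands) returns. The following is an added example, not part of the benchmark or Google's tooling: it walks every binding of a constructed sample policy and reports principals that are not corporate identities. The policy contents, the project name `sample-proj`, and the corporate domain `example.com` are assumptions chosen for illustration.

```python
import json

# Constructed sample policy (not from a real project), in the JSON shape that
# `gcloud projects get-iam-policy PROJECT_ID --format=json` returns.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwXexampleEtag=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["group:auditors@example.com",
                 "serviceAccount:ci@sample-proj.iam.gserviceaccount.com",
                 "allUsers"]},
    {"role": "roles/editor",
     "members": ["domain:example.com",
                 "deleted:user:carol@gmail.com?uid=1234567890"]}
  ]
}
""")

# Assumed corporate domain(s); replace with the organization's own
# Google Workspace / Cloud Identity domains.
ALLOWED_DOMAINS = {"example.com"}

# Principals that grant access to everyone (or every Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def member_domain(member):
    """Return the domain of a user:, group:, or domain: member, else None."""
    kind, _, ident = member.partition(":")
    if kind in ("user", "group"):
        return ident.rsplit("@", 1)[-1].lower()
    if kind == "domain":
        return ident.lower()
    return None


def find_external_members(policy, allowed_domains):
    """Return (role, member, reason) for every binding member that is not a
    corporate identity under allowed_domains."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public principal"))
                continue
            if member.startswith("deleted:"):
                # Google keeps bindings for deleted identities; they should be
                # cleaned up rather than left in the policy.
                findings.append((role, member, "stale binding to a deleted principal"))
                continue
            kind = member.split(":", 1)[0]
            if kind == "serviceAccount":
                continue  # Google-managed identity; covered by separate controls
            dom = member_domain(member)
            if dom is None:
                findings.append((role, member, "unrecognised principal type, review manually"))
            elif dom not in allowed_domains:
                findings.append((role, member, f"identity outside corporate domains ({dom})"))
    return findings


if __name__ == "__main__":
    for role, member, reason in find_external_members(SAMPLE_POLICY, ALLOWED_DOMAINS):
        print(f"{role:<14} {member:<50} {reason}")
```

On the sample policy this reports the consumer owner `user:bob@gmail.com`, the public `allUsers` viewer, and the stale `deleted:` editor binding, while the corporate users, group, domain, and the project service account pass. To make the check preventive rather than detective, the Domain Restricted Sharing policy the page refers to is the organization policy constraint `constraints/iam.allowedPolicyMemberDomains`, set to the organization's Cloud Identity customer ID; once enforced, IAM rejects the flagged `user:` and `allUsers` grants at write time.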

Default Value:

By default, no email addresses outside the organization's domain have access to its Google Cloud deployments, but any user email account can be added to the IAM policy for Google Cloud Platform projects, folders, or organizations.

See Also

https://workbench.cisecurity.org/benchmarks/11843

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), CSCv7|16.2

Plugin: GCP

Control ID: 5c98123b34dbbdd5b5466d2ea917fa78c55127f8093200042c87d5936a3dda04