v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/gcp_compliance
Overview
12Dashboards
536Controls
201Queries
2Variables
GitHub

Control: 1.3 Ensure that Security Key Enforcement is enabled for all admin accounts

Description

Setup Security Key Enforcement for Google Cloud Platform admin accounts.

Google Cloud Platform users with Organization Administrator roles have the highest level of privilege in the organization. These accounts should be protected with the strongest form of two-factor authentication: Security Key Enforcement. Ensure that admins use Security Keys to log in instead of weaker second factors like SMS or one-time passwords (OTP). Security Keys are actual physical keys used to access Google Organization Administrator Accounts. They send an encrypted signature rather than a code, ensuring that logins cannot be phished.

Remediation

  1. Identify users with Organization Administrator privileges

    gcloud organizations get-iam-policy ORGANIZATION_ID

  2. Look for members granted the role "roles/resourcemanager.organizationAdmin".

  3. Manually verify that Security Key Enforcement has been enabled for each account. Setup Security Key Enforcement for each account. Learn more

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v120_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v120_1_3 --share

SQL

This control uses a named query:

manual_control

Tags

benchmark = cis
category = Compliance
cis_item_id = 1.3
cis_level = 2
cis_section_id = 1
cis_type = manual
cis_version = v1.2.0
plugin = gcp
service = GCP/IAM