Control: 1.1 Ensure that corporate login credentials are used
Description
Use corporate login credentials instead of personal accounts, such as Gmail accounts.
It is recommended that fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources. Email accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.
Remediation
Follow the documentation and set up corporate login accounts.
Prevention
To ensure that no email addresses outside the organization can be granted IAM permissions to its Google Cloud projects, folders or organization, turn on the Organization Policy for Domain Restricted Sharing. Learn more at: https://cloud.google.com/resource-manager/docs/organization-policy/restrictingdomains
Default Value
By default, no email addresses outside the organization's domain have access to its Google Cloud deployments, but any user email account can be added to the IAM policy for Google Cloud Platform projects, folders, or organizations.
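Because any user email can be added to an IAM policy by default, it helps to audit existing bindings before turning on Domain Restricted Sharing. The following is an added example, not the control's named query or Powerpipe code: the function name, the sample policy, and the `example.com` domain are assumptions, and the input follows the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
import json

# Constructed sample policy (not real data), in the IAM policy JSON shape.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob.personal@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["group:auditors@example.com",
                 "user:Carol@Partner.example.net",
                 "serviceAccount:ci@my-project.iam.gserviceaccount.com",
                 "domain:example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:eve@notexample.com",
                 "deleted:user:dave@gmail.com?uid=123"]}
  ]
}
""")


def non_corporate_members(policy, corporate_domains):
    """Return sorted (role, member) pairs for user/group principals whose
    email domain is not exactly one of corporate_domains."""
    allowed = {d.lower() for d in corporate_domains}
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            # Only human-facing identities are in scope; service accounts,
            # domain: members and deleted: principals are skipped here.
            if kind not in ("user", "group"):
                continue
            # Compare the full domain after the last "@", case-insensitively.
            # A suffix match would wrongly accept "notexample.com".
            domain = ident.rpartition("@")[2].lower()
            if domain not in allowed:
                findings.append((binding["role"], member))
    return sorted(findings)


if __name__ == "__main__":
    for role, member in non_corporate_members(SAMPLE_POLICY, ["example.com"]):
        print(f"ALARM {member} holds {role}")
```
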
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cis_v200_1_1 --share
SQL
This control uses a named query:
iam_user_uses_corporate_login_credentials