Control: 1.3 Ensure that Security Key Enforcement is enabled for all admin accounts
Description
Setup Security Key Enforcement for Google Cloud Platform admin accounts.
Google Cloud Platform users with Organization Administrator roles have the highest level of privilege in the organization. These accounts should be protected with the strongest form of two-factor authentication: Security Key Enforcement. Ensure that admins use Security Keys to log in instead of weaker second factors like SMS or one-time passwords (OTP). Security Keys are actual physical keys used to access Google Organization Administrator Accounts. They send an encrypted signature rather than a code, ensuring that logins cannot be phished.
Remediation
- Identify users with the Organization Administrator role.
- Setup Security Key Enforcement for each account. Learn more at: https://cloud.google.com/security-key/
Default Value
By default, Security Key Enforcement is not enabled for Organization Administrators.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_1_3
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v200_1_3 --share
SQL
This control uses a named query:
manual_control