turbot/steampipe-mod-gcp-compliance

Control: 1.1 Ensure that Corporate Login Credentials are Used

Description

Use corporate login credentials instead of personal accounts, such as Gmail accounts.

It is recommended that fully managed corporate Google accounts be used for increased visibility, auditing, and control of access to Cloud Platform resources. Email accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.

Remediation

Remove all consumer Google accounts from IAM policies. Follow the documentation and set up corporate login accounts.

Prevention

To ensure that no email addresses outside the organization can be granted IAM permissions to its Google Cloud projects, folders or organization, turn on the Organization Policy for Domain Restricted Sharing. Learn more at: https://cloud.google.com/resource-manager/docs/organization-policy/restrictingdomains (Page 16)

Default Value

By default, no email addresses outside the organization's domain have access to its Google Cloud deployments, but any user email account can be added to the IAM policy for Google Cloud Platform projects, folders, or organizations.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v300_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v300_1_1 --share

SQL

This control uses a named query:

-- Please note: The table gcp_organization requires the resourcemanager.organizations.get permission to retrieve organization details.
with user_with_access as (
  select
    distinct split_part(m, ':', 2) as member,
    project,
    _ctx,
    location
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as b,
    jsonb_array_elements_text(b -> 'members') as m
  where
    m like 'user:%'
)
select
  case when (select count(*) from gcp_organization) = 0 then a.project else a.member end as resource,
  case
    when (select count(*) from gcp_organization) = 0 then 'info'
    when org.display_name is null then 'alarm'
    else 'ok'
  end as status,
  case
    when (select count(*) from gcp_organization) = 0 then 'Plugin authentication mechanism does not have organization viewer permission.'
    when org.display_name is null then a.member || ' uses non-corporate login credentials.'
    else a.member || ' uses corporate login credentials.'
  end as reason,
  a.project as project
from
  user_with_access as a
  left join gcp_organization as org on split_part(a.member, '@', 2) = org.display_name
limit case when (select count(*) from gcp_organization) = 0 then 1 end;
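The query above has three outcomes: a single info row when the plugin cannot see any organization, an alarm for every user: member whose email domain does not exactly match an organization's display name (its primary domain), and ok otherwise. The following Python is an added illustration of that same decision logic over a constructed IAM policy document; it is not part of the mod's code. The policy, the organization list and the project name are made up for the example. Note that, like the query, it only considers members prefixed user: (serviceAccount:, group: and deleted:user: entries are skipped), and that a user under a secondary domain of the same Google Workspace account will not match the primary domain and will therefore be reported as an alarm.

```python
"""Evaluate 'user:' IAM members against the organization's primary domain.

Mirrors the three outcomes of the control's SQL query: 'info' when no
organization is visible, 'alarm' when the member's domain differs from the
organization display name, 'ok' otherwise. Example code, not the mod's own.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed sample in the shape of a GCP IAM policy (bindings -> members).
# Every email and role here is made up for the example.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:bob@gmail.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci@proj.iam.gserviceaccount.com",
                     "group:devs@example.com",
                     "user:alice@example.com",
                     "deleted:user:carol@example.com?uid=123"]},
    ]
}

# Constructed: display names (primary domains) of organizations the caller can see.
SAMPLE_ORGS = ["example.com"]


@dataclass(frozen=True)
class Finding:
    resource: str
    status: str   # 'info' | 'alarm' | 'ok'
    reason: str
    project: str


def user_members(policy: dict) -> set[str]:
    """Collect distinct 'user:' members, like the SQL CTE.

    The `like 'user:%'` filter intentionally skips serviceAccount:, group:
    and deleted:user: entries, and this function does the same.
    """
    members = set()
    for binding in policy.get("bindings", []):
        for m in binding.get("members", []):
            if m.startswith("user:"):
                members.add(m.split(":", 1)[1])   # split_part(m, ':', 2)
    return members


def domain_of(email: str) -> str:
    """split_part(member, '@', 2): text after the first '@', or '' if absent."""
    return email.split("@", 1)[1] if "@" in email else ""


def evaluate(policy: dict, org_display_names: Iterable[str], project: str) -> list[Finding]:
    """Return one Finding per distinct user member, or one 'info' row when
    no organization is visible (the query's `limit ... then 1` branch)."""
    orgs = set(org_display_names)
    if not orgs:
        return [Finding(project, "info",
                        "Plugin authentication mechanism does not have organization viewer permission.",
                        project)]
    findings = []
    for member in sorted(user_members(policy)):
        # Exact match on the primary domain, as in the query's left join.
        if domain_of(member) in orgs:
            findings.append(Finding(member, "ok",
                                    f"{member} uses corporate login credentials.", project))
        else:
            findings.append(Finding(member, "alarm",
                                    f"{member} uses non-corporate login credentials.", project))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_POLICY, SAMPLE_ORGS, "demo-project"):
        print(f.status, f.resource, f.reason)
```

Running the module prints one ok line for alice@example.com and one alarm line for bob@gmail.com; passing an empty organization list instead of SAMPLE_ORGS yields the single info row that the control emits when the plugin's credentials lack resourcemanager.organizations.get.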

Tags