Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
14Dashboards
621Benchmarks
202Queries
2Variables
GitHub

Control: 1.1 Ensure that Corporate Login Credentials are Used

Description

Use corporate login credentials instead of personal accounts, such as Gmail accounts.

It is recommended fully-managed corporate Google accounts be used for increased visibility, auditing, and controlling access to Cloud Platform resources. Email accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.

Remediation

Remove all consumer Google accounts from IAM policies. Follow the documentation and setup corporate login accounts.

Prevention

To ensure that no email addresses outside the organization can be granted IAM permissions to its Google Cloud projects, folders or organization, turn on the Organization Policy for Domain Restricted Sharing. Learn more at: https://cloud.google.com/resource-manager/docs/organization-policy/restrictingdomains (Page 16)

Default Value

By default, no email addresses outside the organization's domain have access to its Google Cloud deployments, but any user email account can be added to the IAM policy for Google Cloud Platform projects, folders, or organizations.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v300_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v300_1_1 --share

SQL

This control uses a named query:

-- Please note: The table gcp_organization requires the resourcemanager.organizations.get permission to retrieve organization details.
with user_with_access as (
  select
    distinct split_part(m, ':', 2) as member,
    project,
    _ctx,
    location
  from
    gcp_iam_policy,
    jsonb_array_elements(bindings) as b,
    jsonb_array_elements_text(b -> 'members') as m
  where
    m like 'user:%'
)
select
  case when (select count(*) from gcp_organization) = 0 then a.project else a.member end as resource,
  case
    when (select count(*) from gcp_organization) = 0 then 'info'
    when org.display_name is null then 'alarm'
    else 'ok'
  end as status,
  case
    when (select count(*) from gcp_organization) = 0 then 'Plugin authentication mechanism does not have organization viewer permission.'
    when org.display_name is null then a.member || ' uses non-corporate login credentials.'
    else a.member || ' uses corporate login credentials.'
  end as reason
  , a.project as project
from
  user_with_access as a
  left join gcp_organization as org on split_part(a.member, '@', 2) = org.display_name
  limit case when (select count(*) from gcp_organization) = 0 then 1 end;

Tags

benchmark = cis
category = Compliance
cis_item_id = 1.1
cis_level = 1
cis_section_id = 1
cis_type = manual
cis_version = v3.0.0
plugin = gcp
service = GCP/IAM