Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Corporate Login Credentials In Use

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudIAM-007

Ensure that corporate login credentials are used to access Google Cloud Platform (GCP) resources in order to follow cloud security best practices. In this way, all members within your organization can access Google Cloud services and resources using their corporate accounts, and your administrators can see and control these accounts through Google Admin console. The appropriate credentials required must be fully managed Google accounts tied to your corporate domain name through the Cloud Identity service. Cloud Identity is a stand-alone Identity-as-a-Service (IDaaS) service that provides GCP users access to many of the identity management capabilities provided by G Suite - a set of secure, cloud-native collaboration and productivity applications powered by Google. Signing up for Cloud Identity service provides a management layer over the Google accounts that are associated with your corporate (organization) domain name. Through the Cloud Identity management layer, you can enable or disable access to various Google solutions, including Google Cloud Platform (GCP), for your organization members. Signing up for Cloud Identity also creates an organization node for your domain, which helps map corporate structure and controls to your GCP resources via Google Cloud resource hierarchy.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Use only fully-managed corporate login credentials to access your Google Cloud Platform (GCP) resources for increased visibility, auditing, and secure access management. Personal accounts, available outside the organization's domain, such as Gmail accounts, should not be used for business purposes.

Audit

To determine the type of login credentials used to access your GCP resources and deployments, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

03 In the main navigation panel, select IAM.

04 Click on the deployment selector from the top navigation bar, choose the ALL tab to list all the existing deployments, then select the GCP organization, folder, or project that you want to examine.

05 On the IAM page, choose the PERMISSIONS tab and select PRINCIPALS to list all the member accounts available for the selected GCP organization/folder/project.

06 On the PRINCIPALS panel, check for any account members that use email addresses outside the organization's domain, such as Gmail addresses. If one or more member accounts are Gmail accounts, the access to the selected Google Cloud Platform (GCP) organization/folder/project can be made with both personal account credentials and corporate login credentials, therefore the access configuration is not compliant.

07 Repeat steps no. 4 – 6 for all the projects and folders available within the selected GCP organization, including the organization itself, to determine the types of login credentials used to access your GCP deployments and resources.

08 Repeat steps no. 1 – 7 for each Google Cloud Platform (GCP) organization deployed within your account.

Using GCP CLI

01 To check your GCP organizations IAM policies for email accounts outside the organization domains, perform the following operations:

  1. Run organizations list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the organizations created within your GCP account: 
    gcloud organizations list
  --format="table(name)"
  2. The command output should return the requested organization identifiers: 
    ID
123412341234
111122223333
  3. Run organizations get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as identifier parameter and custom query filters to describe the Access Management (IAM) policy assigned to the selected organization, in JSON format: 
    gcloud organizations get-iam-policy 123412341234
  --format=json
  4. The command output should return the organization's IAM policy: 
    {
  "bindings": [
    {
      "members": [
        "domain:cloudconformity.com"
      ],
      "role": "roles/billing.creator"
    },
    {
      "members": [
        "user:admin@cloudconformity.com"
      ],
      "role": "roles/resourcemanager.organizationAdmin"
    },
    {
      "members": [
        "domain:cloudconformity.com"
      ],
      "role": "roles/resourcemanager.projectCreator"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

    The IAM policy returned by the organizations get-iam-policy command output should contain the member accounts that have access to the selected organization. Check for any account members that use email addresses outside the organization's domain, such as Gmail addresses (i.e. end in @gmail.com). If one or more member accounts are Gmail accounts, as shown in the example above, the access to the selected Google Cloud Platform (GCP) organization can be made with both personal account credentials and corporate login credentials, therefore the access configuration used is not compliant.
  5. Repeat step c. and d. for each Google Cloud Platform (GCP) organization deployed within your account.

02 To check the IAM policies associated with your GCP projects for email accounts outside the organization domains, perform the following actions:

  1. Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects created in your GCP account: 
    gcloud projects list
  --format="table(projectId)"
  2. The command output should return the requested project IDs: 
    PROJECT_ID
cc-web-app-prod-112233
cc-internal-app-112233
  3. Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to describe the IAM policy associated with the selected GCP project. The verified policy lists the accounts that have been granted access to the specified project: 
    gcloud projects get-iam-policy cc-web-app-prod-112233
  --format=json
  4. The command output should return the requested IAM policy: 
    {
  "bindings": [
    {
      "members": [
        "user:admin@cloudconformity.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}

    Check the returned IAM policy for any account members that use email addresses outside an organization domain, such as Gmail addresses. If one or more member accounts are Gmail accounts, as shown in the example above (e.g. cloud.realisation@gmail.com), the access to the selected Google Cloud Platform (GCP) project is made with both personal account credentials and corporate login credentials, therefore the project access configuration is not compliant.
  5. Repeat step c. and d. for each Google Cloud Platform (GCP) project created within your account.

03 To check the IAM policies associated with your GCP organization folders for email accounts outside the organization domains, perform the following operations:

  1. Run resource-manager folders list command (Windows/macOS/Linux) using the ID of the organization that you want to examine as the identifier parameter and custom query filters to list the IDs of all folders available within the selected organization: 
    gcloud resource-manager folders list
  --organization 123412341234
  --format="table(name)"
  2. The command output should return the requested organization folders IDs: 
    ID
123456789012
123412341234
  3. Run resource-manager folders get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP organization folder that you want to examine as the identifier parameter and custom query filters to describe the IAM policy created for the selected folder. The policy lists the accounts that have been granted access to the specified GCP folder: 
    gcloud resource-manager folders get-iam-policy 123456789012
  --format=json
  4. The command output should return the requested IAM policy: 
    {
  "bindings": [
    {
      "members": [
        "user:cloud.realisation@gmail.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "user:admin@cloudconformity.com"
      ],
      "role": "roles/resourcemanager.folderAdmin"
    },
    {
      "members": [
        "user:admin@cloudconformity.com"
      ],
      "role": "roles/resourcemanager.folderEditor"
    }
  ],
  "etag": "aaaabbbbcccc",
  "version": 1
}

    Check the IAM policy document returned by the command output for any account members that use email addresses outside the selected organization domain, such as Gmail addresses. If one or more member accounts are Gmail accounts, as shown in the example above, the access to the selected Google Cloud Platform (GCP) organization folder is made with both personal account credentials and corporate login credentials, therefore the access configuration used is not compliant.
  5. Repeat step c. and d. for each Google Cloud Platform (GCP) folder created within the selected organization.

Remediation / Resolution

To create new Google corporate login accounts and ensure that no email addresses outside the organization can be granted IAM permissions to the GCP projects, folders, or the organization itself, perform the following actions:

Step A: To ensure that no email addresses outside your organization can be granted IAM permissions to GCP projects, folders, or organizations, enable Domain Restricted Sharing within the organization policy:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

03 Click on the deployment selector from the top navigation bar, choose the ALL tab to list all the existing deployments, then choose the GCP organization that you want to reconfigure.

04 In the main navigation panel, select Organization Policies.

05 On the Organization policies page, type Domain restricted sharing in the Filter by policy name or ID search box to find the domain restricted sharing policy, then click on the name (link) of the returned policy.

06 Choose EDIT and perform the following operations:

  1. Under Applies to, select Customize to apply a custom policy to the organization.
  2. Under Policy enforcement, choose Merge with parent.
  3. Under Rules, choose ADD RULE to create a new rule. Rules define the values that are enforced by an organization policy constraint.
  4. In the Add rule configuration box, perform the following:
    • Choose Custom from Policy values dropdown.
    • Select Allow from the Policy type dropdown list.
    • Under Custom values, enter your Google Workspace customer ID (i.e. DIRECTORY_CUSTOMER_ID) into the NEW POLICY VALUE text box, then choose DONE.
  5. Choose SAVE to apply the changes.

07 Repeat steps no. 3 – 6 for each GCP organization created within your Google account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID and the associated Google Workspace customer ID of each GCP organization available in your Google Cloud account: 

gcloud organizations list
  --format="table(name,owner.directoryCustomerId)"

02 The command output should return the requested identifiers – ID as organization ID and DIRECTORY_CUSTOMER_ID as G Suite customer ID: 

ID              DIRECTORY_CUSTOMER_ID
123412341234    abcdc1234
111122223333    1234abcda

03 Run resource-manager org-policies allow command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as the identifier parameter, to enable the Domain Restricted Sharing policy for the selected organization: 

gcloud alpha resource-manager org-policies allow
  --organization '123412341234' iam.allowedPolicyMemberDomains 'abcdc1234'

04 The command request should return the reconfigured organization policy metadata: 

constraint: constraints/iam.allowedPolicyMemberDomains
etag: abcdabcdabcd
listPolicy:
  allowedValues:
  - abcdc1234
updateTime: '2022-01-27T19:50:38.320665Z'

05 Repeat step no. 3 and 4 for each GCP organization available within your Google account.

Step B: Create new Google corporate login accounts to be used instead of personal accounts:

Note: Creating Google corporate login accounts using Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to the Google Workspace Admin Console at https://admin.google.com using your GCP organizational unit credentials.

02 In the Users management section, choose Add a user to create a new Google corporate login account.

03 On the Add new user setup page, perform the following actions:

  1. In the User Information section, provide all the necessary identification details for your new Google corporate account.
  2. Choose Manage user's password, organizational unit, and profile photo, select Create password and provide a strong password in the Password box. To allow password change during the first sign in, select the Ask user to change their password when they sign in checkbox.
  3. Choose ADD NEW USER to create your new Google corporate account. Select DONE to return to the user management page. From now on, you use the new corporate account credentials to log in and manage your Google Cloud Platform (GCP) resources and deployments.

04 If required, repeat steps no. 2 and 3 to create new Google corporate login accounts.

References

Publication date Feb 4, 2021

Related CloudIAM rules