Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Access Approval

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CloudIAM-012

Ensure that Access Approval is enabled within your Google Cloud Platform (GCP) account in order to allow you to require your explicit approval whenever Google personnel need to access your GCP projects. Once the Access Approval feature is enabled, you can delegate users within your organization who can approve the access requests by giving them a security role in Identity and Access Management (IAM). These requests show the requester name/ID in an email or Pub/Sub message that you can choose to approve. This creates a new control and logging layer that reveals who in your organization approved/denied access requests to your projects.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security
Operational
excellence

Controlling access to your Google Cloud data is crucial when working with business-critical and sensitive data. With Access Approval, you can be certain that your cloud information is accessed by approved Google personnel only. The Access Approval feature ensures that a cryptographically-signed approval is available for Google Cloud support and engineering teams when they need to access your cloud data (certain exceptions apply). By default, Access Approval and its dependency of Access Transparency are not enabled.

Audit

To determine if Access Approval is enabled for your Google Cloud account, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, select Settings.

05 Access Transparency is a dependency of the Access Approval. Check the status of the Access Transparency feature, available under Access Transparency. If the status is not set to Enabled, Access Transparency is disabled for the selected project, therefore Access Approval is not enabled for the selected GCP project and the Audit process ends here. If the Access Transparency status is set to Enabled, continue the Audit process with the next step.

06 Navigate to Google Cloud Security console at https://console.cloud.google.com/security.

07 In the main navigation panel, select Access Approval.

08 Check the status of the Access Approval feature. If the feature status is not available, instead an enrollment page is displayed, the Access Approval security feature is not enabled for the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the IDs of all the GCP projects available within your Google Cloud account: 

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers: 

PROJECT_ID
cc-web-project-112233
cc-mobile-project-123123

03 Run access-approval settings get command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter, to describe the status of the Access Approval feature available for the selected project: 

gcloud access-approval settings get
  --project cc-web-project-112233

The command output should return the Access Approval feature status. If the access-approval settings get command output does not return the requested status, Access Approval is not enabled for the selected GCP project.

04 Repeat step no. 3 for each GCP project created within your Google Cloud account.

Remediation / Resolution

To enable the Access Approval security feature for your GCP projects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, select Settings.

05 To enroll in Access Approval, ensure that Access Transparency is enabled for your project's organization. On the Settings page, check the status of the Access Transparency feature, available under Access Transparency. If the feature is not enabled, choose ENABLE ACCESS TRANSPARENCY FOR ORGANIZATION to enable Access Transparency.

06 Navigate to Google Cloud Security console at https://console.cloud.google.com/security.

07 In the main navigation panel, select Access Approval.

08 In the Access Approval section, choose ENROLL to enable Access Approval for the selected GCP project.

09 To make use of Access Approval, receive email notifications of access requests for your GCP project, and approve incoming access requests, perform the following actions:

  1. To view and approve access requests, you must grant yourself the Access Approval Approver role (i.e. roles/accessapproval.approver):
    • Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.
    • In the main navigation panel, select IAM.
    • Choose ADD from the console top menu to add a new principal.
    • In the New principals box, enter your email address.
    • Click inside the Select a role box, and choose the Access Approval Approver role from the Roles menu.
    • Choose SAVE to save the changes.
  2. To add yourself as an approver in order to review and approve access requests, perform the following:
    • Navigate to Google Cloud Security console at https://console.cloud.google.com/security.
    • In the main navigation panel, select Access Approval.
    • Choose MANAGE SETTINGS from the console top menu to access the feature configuration settings.
    • In the Access Approval section, choose ENROLL to enable Access Approval for the selected GCP project.
    • Under Set up approval notifications, add your email address in the User or group email box.
  3. Now that Access Approval is enabled and you added yourself as an approver for access requests, you can expect to receive email notifications for access requests. On the Access Approval page, select the access request that you want to approve, and choose Approve for confirmation.

10 Repeat steps no. 2 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 To enroll in Access Approval, ensure that Access Transparency is enabled for your project's organization. Check the GCP console steps to make sure that Access Transparency is enabled.

02 Run access-approval settings update command (Windows/macOS/Linux) using the ID of the GCP project that you want to access as the identifier parameter, to enable Access Approval for all the cloud services supported by the selected project. Replace <approval-email-address> with the email recipient for access approval requests. Run the following command from an account that has permissions as an "Approver for Access Approval Requests" (see Console Remediation step no. 9 a. and b. for more details): 

gcloud access-approval settings update
  --project=cc-web-project-112233
  --enrolled_services=all
  --notification_emails='<approval-email-address>'

03 Repeat steps no. 1 and 2 for each GCP project created within your Google Cloud account.

References

Publication date Aug 16, 2022

Related CloudIAM rules