Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Access Approval

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CloudIAM-012

Ensure that Access Approval is enabled within your Google Cloud Platform (GCP) projects. This allows you to require your explicit approval whenever Google personnel need to access your GCP resources. Once the feature is enabled, you can delegate users within your organization who can approve these requests by giving them an appropriate security role in Identity and Access Management (IAM). These requests show the requester's name/ID in an email or Pub/Sub message, which you can choose to approve. This creates a new control and logging layer that reveals who in your organization approved or denied access requests to your projects.

This rule resolution is part of the Conformity solution.

Security
Operational
excellence

Controlling access to your Google Cloud data is crucial when working with business-critical and sensitive information. With Access Approval, you can be certain that your cloud data is accessed by approved Google personnel only. The feature ensures a cryptographically-signed approval is available for Google Cloud support and engineering teams when they need to access your data (though certain exceptions apply). By default, Access Approval and its dependency, Access Transparency, are not enabled and must be turned on.

Audit

To determine if Access Approval is enabled for your Google Cloud Platform (GCP) projects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select Settings to access the IAM settings.

05 Access Transparency is a dependency of the Access Approval. Check the status of the Access Transparency feature, available under Access Transparency. If the feature status is not set to Access Transparency is enabled for this organization. To disable Access Transparency for this organization, please contact support., Access Transparency is disabled for the selected GCP project and the Audit process ends here. Otherwise, you can continue the Audit process with the next step.

06 Navigate to Google Cloud Security console available at https://console.cloud.google.com/security.

07 In the left navigation panel, under Detections and Controls, select Access Approval.

08 Check the operational status of the Access Approval feature. If the feature status is not available, instead an enrollment page is displayed (i.e., the Enroll button is visible and can be activated), the Access Approval security feature is not enabled for the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each GCP project available within your Google Cloud account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs): 

PROJECT_ID
	cc-web-project-112233
	cc-mobile-project-123123

03 Run access-approval settings get command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter, to describe the Access Approval settings associated with the selected project: 

gcloud access-approval settings get
	--project cc-web-project-112233

04 The command output should return the requested Access Approval settings or one of the following messages:

  1. If the access-approval settings get command output returns the Access Approval settings, search for the "enrolledAncestor" flag. The presence of the "enrolledAncestor": true flag in the feature settings, as shown in the example below, indicates that Access Approval is being inherited. This setting confirms that the feature is enforced at a higher level in the resource hierarchy (Folder or Organization), and is therefore enabled for the selected GCP project: 
    {
	"effectiveApprovalPolicy": {
	"justificationBasedApprovalPolicy": "JUSTIFICATION_BASED_APPROVAL_ENABLED_ALL"
	},
	"enrolledAncestor": true,
	"name": "projects/cc-web-project-112233/accessApprovalSettings",
	"preferredRequestExpirationDays": 5,
	"approvalPolicy": {}
}
  2. If the command output returns the following error: ERROR: (gcloud.access-approval.settings.get) FAILED_PRECONDITION: Precondition check failed., Access Transparency (a dependency of Access Approval) is disabled for the selected GCP project and the Audit process ends here. Otherwise, you can continue the Audit process with the next step: 
    ERROR: (gcloud.access-approval.settings.get) FAILED_PRECONDITION: Precondition check failed.
  3. If the access-approval settings get command output does not return the Access Approval settings, instead the following message is displyed: API [accessapproval.googleapis.com] not enabled on project [\<project-name\>], the feature API is not enabled. As a result, Access Approval is not enabled for the selected GCP project: 
    API [accessapproval.googleapis.com] not enabled on project [cc-web-project-112233].
  4. If the command output returns the following error: ERROR: (gcloud.access-approval.settings.get) Projects instance [\<project-name\>] not found: Requested entity was not found., the Access Approval security feature is not enabled for the the selected GCP project: 
    ERROR: (gcloud.access-approval.settings.get) Projects instance [cc-web-project-112233] not found: Requested entity was not found.

05 Repeat steps no. 3 and 4 for each GCP project created within your Google Cloud account.

Remediation / Resolution

To enable the Access Approval security feature for your GCP projects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select Settings to access the IAM settings.

05 To enroll in Access Approval, ensure that Access Transparency is enabled for your project's organization. On the Settings page, check the status of the Access Transparency feature, available under Access Transparency. If the feature is not enabled, choose Enable access transparency for organization to enable Access Transparency. Once enabled, the feature status should change to Access Transparency is enabled for this organization. To disable Access Transparency for this organization, please contact support.

06 Navigate to Google Cloud Security console available at https://console.cloud.google.com/security.

07 In the left navigation panel, under Detections and Controls, select Access Approval.

08 In the Access Approval section, choose Enroll to enable Access Approval for the selected GCP project. Choose the operational mode that you want to use for Access Approval from the Enroll in Access Approval? configuration box. To get started, Google Cloud recommends selecting the Transparency or Streamlined support mode. Choose Enroll and select Save from the Access Approval Settings panel to apply the default settings.

09 To make use of Access Approval, receive email notifications of access requests for your GCP project, and approve incoming access requests, perform the following actions:

  1. To view and approve access requests, you must grant yourself the Access Approval Approver role (i.e., roles/accessapproval.approver):
    1. Navigate to Cloud Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam.
    2. In the left navigation panel, select IAM.
    3. Select the Allow tab, choose View by principals, and select Grant access to add a new principal.
    4. For Add principals, enter your email address in the New principals box.
    5. For Assign roles, click inside the Select a role box, and choose the Access Approval Approver role from the Roles list.
    6. Choose Save to save the permission changes.
  2. To add yourself as an approver in order to review and approve access requests, perform the following operations:
    1. Navigate to Google Cloud Security console available at https://console.cloud.google.com/security.
    2. In the left navigation panel, under Detections and Controls, select Access Approval.
    3. Choose Manage settings from the page top menu to access the Access Approval configuration settings.
    4. On the Access Approval Settings panel, perform the following actions:
      1. For Select services, choose the services that require Access Approval. See the list of services and support levels.
      2. For Set up approval notifications, provide the Pub/Sub topic and/or email addresses for groups or people (admins) who should be notified when approval requests are made.
      3. (Optional) For Access Approval default settings, you can change the default settings available for the feature.
      4. (Optional) For Access Approval policy settings, you can change the access management policy configured in step no. 8.
      5. (Optional) For Use a custom signing key (advanced), choose Use a Cloud KMS signing key (advanced), and enter the encryption key version in the Enter key version resource name box.
      6. Choose Save to apply the configuration changes.
  3. Now that Access Approval is enabled and you added yourself as an approver for access requests, you can expect to receive email notifications for access requests. On the Access Approval page, select the access request that you want to approve, and choose Approve for confirmation.

10 Repeat steps no. 2 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run services enable command (Windows/macOS/Linux) to enable the Access Approval API for your Google Cloud Platform (GCP) project. To enable the Access Approval API and feature, the Access Transparency must be enabled for your project's organization (the command does not produce an output): 

gcloud services enable accessapproval.googleapis.com
	--project cc-web-project-112233

02 Run access-approval settings update command (Windows/macOS/Linux) with the ID of the GCP project that you want to configure as the identifier parameter, to enable Access Approval for all the cloud services supported by the selected GCP project. Replace \<approval-email-address\> with the email recipient chosen for access approval requests: 

gcloud access-approval settings update
	--project=cc-web-project-112233
	--enrolled_services=all
	--notification_emails='<approval-email-address>'

03 The command output should return the Access Approval feature configuration information: 

approvalPolicy: {}
	enrolledServices:
	- cloudProduct: all
		enrollmentLevel: BLOCK_ALL
	name: projects/cc-web-project-112233/accessApprovalSettings
	notificationEmails:
	- <approval-email-address>
	preferredRequestExpirationDays: 5

04 Repeat steps no. 1 - 3 for each GCP project created within your Google Cloud account.

References

Publication date Oct 8, 2025

Related CloudIAM rules