Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Security Key Enforcement for Admin Accounts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: CloudIAM-006

Ensure that security key enforcement is enabled for all Google Cloud Platform (GCP) organization administrator accounts. To follow security best practices, the security key enforcement must be implemented for all GCP organizational units. This reduces the risk of account breach, making it more difficult for an attacker or malicious user to steal administrator credentials and ultimately gain access to private and sensitive data.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

A GCP user account with the Organization Administrator role has the highest level of privilege within the organization. User accounts like this should be protected with the strongest form of Multi-Factor Authentication (2-Step Verification): Security Keys. Security Keys are physical keys that send an encrypted signature rather than a code in order to protect login credentials against phishing attack. Users simply tap the button on their security key instead of typing codes. Unlike other MFA/2SV methods that use one-time codes via text messages, security keys don't require a phone number associated with the user account. Because GCP organization administrator accounts have access to sensitive data and critical systems, it is strongly recommended that these accounts use Security Keys as Multi-Factor Authentication (MFA) method.

Audit

To determine if security key enforcement is enabled for all your GCP organization administrator accounts, perform the following operations:

Note: Getting the security key enforcement configuration status using GCP Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Select the GCP organization that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select IAM.

05 Choose the PERMISSIONS tab, then select View by MEMBERS to list the member accounts created for the selected organization.

06 Copy the email address of the member account with the Role set to Organization Administrator. This role provides the selected account the access to administer all resources that belong to your organization.

07 Navigate to Google Admin at https://admin.google.com and sign in using the email address copied at the previous step to access the organization administrator account.

08 On the main Admin Console page, select Security, then click on the Basic settings tab to access the 2-Step Verification configuration settings.

09 On the Basic settings panel, check if the Allow users to turn on 2-step verification checkbox is selected. If Allow users to turn on 2-step verification checkbox is not selected, 2-Step Verification (also known as Multi-Factor Authentication) and security key enforcement is not enabled for the selected administrator account. If Allow users to turn on 2-step verification checkbox is selected, click on Go to advanced settings to enforce 2-step verification link to access the advanced security settings available.

10 On the Advanced security settings page, check the Enforcement configuration setting. If Enforcement is set to Turn off enforcement, the security key enforcement is not enabled for the selected GCP organization administrator account.

11 Repeat steps no. 6 – 10 for each admin account that you want to examine, created for the selected GCP organizational unit.

12 Repeat steps no. 2 – 11 for each GCP organization available in your Google account.

Remediation / Resolution

To enable security key enforcement for your Google Cloud Platform (GCP) organization administrator accounts, perform the following operations:

Note: Enabling security key enforcement for GCP admin accounts using Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Navigate to Google Admin at https://admin.google.com and sign in using the access credentials of the organization administrator account that you want to reconfigure (see Audit section to identify the right admin account).

02 On the Admin Console page, choose Security, then click on the Basic settings tab to access the 2-Step Verification feature configuration settings.

03 On the Basic settings panel, make sure that Allow users to turn on 2-step verification checkbox is selected, then click on Go to advanced settings to enforce 2-step verification link to access the advanced security settings available for the selected admin account.

04 On the Advanced security settings page, perform the following:

  1. Under Enforcement, select Turn on enforcement now to enable the enforcement settings for 2-Step Verification (Multi-Factor Authentication). On the confirmation box, click OK to confirm the action.
  2. (Optional) From New user enrollment period dropdown list, choose an appropriate enrollment period to provide the newly created admin users an opportunity to add 2-Step Verification before enforcement is applied. The enrollment period starts after first successful login.
  3. For Allowed 2-step verification methods, choose Only Security Key to configure the security key as 2-Step Verification method.
  4. From 2-step verification policy suspension grace period dropdown list, choose a grace period based on your organizational requirements. When admin users are placed in the grace period, they will be able to sign in using 2-Step Verification backup codes in addition to security keys.
  5. For Security codes, select Allow security codes without remote access to allow admin users to generate security codes for use on the same device or local network, as a backup to security keys. Google security codes are single-use codes that can be used where security keys are not supported. Users can generate these codes from https://g.co/sc.
  6. For 2-step verification frequency, select whether or not to allow the admin user to trust the device at 2-Step Verification.
  7. Make sure that you enroll your security key before you activate the security key enforcement, in order to prevent admin account lockout after enforcement. Once the enrolment has been completed, click SAVE to apply the changes.

05 Repeat steps no. 1 – 4 for each administrator account that you want to reconfigure for security key enforcement, created for the selected GCP organizational unit.

06 Repeat steps no. 1 – 5 for each GCP organization available within your Google account.

References

Publication date Feb 4, 2021

Related CloudIAM rules