
Configure Essential Contacts for Organizations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudIAM-013

Ensure that Essential Contacts are configured at the GCP organization level, designating the email addresses that Google Cloud services use to deliver important technical and/or security notifications. Essential Contacts are inherited through the GCP resource hierarchy, so contacts defined on the organization apply to every folder and project beneath it.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security
Reliability
Sustainability
Cost optimisation
Operational excellence
Performance efficiency

Google Cloud Platform (GCP) services, such as Cloud Billing, send out billing notifications to share important information with the cloud platform users. By default, these types of notifications are sent to members with certain Identity and Access Management (IAM) roles such as "roles/owner" and "roles/billing.admin". With Essential Contacts, you can specify exactly who receives important notifications by providing your own list of contacts (i.e. email addresses).


Audit

To determine if the Essential Contacts are configured for your GCP organization, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, choose Essential Contacts to access the list with the contacts that will receive critical notifications for your GCP organization.

05 Select View by: CATEGORY tab to list the essential contacts by category.

06 Check the Contacts column for each of the following notification categories: Suspension, Security, Technical, and Legal. If any of these categories has no email address configured, essential contacts are not configured for the selected GCP organization, unless the All category has at least one contact, since a contact subscribed to All receives every type of important notification. If neither condition is met, essential contacts are not configured for your GCP organization.

07 Repeat steps no. 2 – 6 for each organization created within your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using a custom output format to list the ID of each GCP organization available in your Google Cloud account (the basename() transform strips the "organizations/" prefix from the resource name so that only the numeric ID is returned):

gcloud organizations list
  --format="table(name.basename():label=ID)"

02 The command output should return the requested organization IDs:

ID
112233441122
123412341234

03 Run essential-contacts list command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as the identifier parameter, to list the essential contacts defined for the selected organization together with the notification categories each contact subscribes to and its validation state:

gcloud essential-contacts list
  --organization="112233441122"
  --format="yaml(email,notificationCategorySubscriptions,validationState)"

04 The command request should return the requested configuration information:

---
email: user@domain.com
notificationCategorySubscriptions:
- BILLING
- LEGAL
validationState: VALID

Check the notificationCategorySubscriptions attribute value for each email address configured as an essential contact to determine which notification categories that address subscribes to. If any of the following notification categories has no email address configured: SUSPENSION, SECURITY, TECHNICAL, and LEGAL, essential contacts are not configured for the selected GCP organization, unless at least one contact subscribes to the ALL category, which covers every notification type. Also check the validationState attribute: Google marks a contact INVALID when its address could not be verified (for example because mail to it bounced), and such a contact should not be counted as a working recipient for any category.

05 Repeat steps no. 3 and 4 for each organization created within your Google Cloud account.

Remediation / Resolution

To define essential contacts for your GCP organization in order to receive critical notifications, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, choose Essential Contacts.

05 Choose ADD CONTACT from the console top menu to configure essential contacts for your GCP organization.

06 In the Add a contact configuration box, perform the following actions:

  1. For Email and Confirm Email, provide the email address of the contact that will receive critical notifications for the selected GCP organization
  2. Select the following categories from the Notification Categories section to send corresponding notifications to the email address configured at the previous step: Suspension, Security, Technical, and Legal. Alternatively, you can just select the All category to receive all possible messages and notifications.
  3. Choose SAVE to apply the configuration changes.

07 Repeat steps no. 2 – 6 for each organization created within your Google Cloud account.

Using GCP CLI

01 Run essential-contacts create command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as the identifier parameter, to define essential contacts (i.e. email addresses) for the following notification categories: suspension, security, technical, and legal, in order to receive critical notifications for the selected organization. Alternatively, you can just set the --notification-categories parameter to "all" to receive all possible messages and notifications (if the command is successful, no response is returned):

gcloud essential-contacts create
  --email="user@domain.com"
  --language="en-US"
  --notification-categories="suspension,security,technical,legal"
  --organization="112233441122"

02 Repeat step no. 1 for each organization created within your Google Cloud account.
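The CLI audit and remediation steps above can be scripted so that every organization is checked with the same pass/fail logic and only the uncovered categories are added. The following POSIX shell helpers are an added example, not part of the Conformity page or Google's tooling. They assume the gcloud output formats shown in the commands (the value() projection, the list(separator=' ') transform, and the validationState field of a contact), and the contact lines in SAMPLE_CONTACTS are constructed test data rather than a real organization's configuration.

```shell
#!/bin/sh
# Added example for the CloudIAM-013 check (not Conformity's or Google's code).
# Assumes the gcloud flags and output transforms named below.

# Categories this rule requires; a VALID contact subscribed to ALL also satisfies it.
REQUIRED_CATEGORIES="SUSPENSION SECURITY TECHNICAL LEGAL"

# Constructed sample of `gcloud essential-contacts list` output in the
# value(email,validationState,notificationCategorySubscriptions.list(separator=' '))
# format: tab-separated email, validation state, space-separated categories.
# Not real data; the INVALID row models a contact whose address bounced.
SAMPLE_CONTACTS=$(printf 'secops@example.com\tVALID\tSECURITY TECHNICAL\nlegal@example.com\tVALID\tLEGAL\nbounced@example.com\tINVALID\tSUSPENSION\n')

# list_org_ids: bare numeric IDs of every organization visible to the caller.
list_org_ids() {
  gcloud organizations list --format="value(name.basename())"
}

# fetch_contacts ORG_ID: one line per contact, in the layout SAMPLE_CONTACTS uses.
fetch_contacts() {
  gcloud essential-contacts list --organization="$1" \
    --format="value(email,validationState,notificationCategorySubscriptions.list(separator=' '))"
}

# missing_categories: reads contact lines on stdin and prints the required
# categories that no VALID contact covers (prints nothing when compliant).
# Exit status 0 means compliant, 1 means at least one category is uncovered.
missing_categories() {
  awk -v required="$REQUIRED_CATEGORIES" '
    BEGIN { FS = "\t"; n = split(required, req, " ") }
    $2 != "VALID" { next }                 # ignore unverified or bounced contacts
    {
      m = split($3, cats, " ")
      for (i = 1; i <= m; i++) {
        covered[cats[i]] = 1
        if (cats[i] == "ALL") all = 1
      }
    }
    END {
      if (all) exit 0
      for (i = 1; i <= n; i++)
        if (!(req[i] in covered)) out = out (out == "" ? "" : " ") req[i]
      if (out == "") exit 0
      print out
      exit 1
    }'
}

# remediation_command ORG_ID EMAIL "CAT1 CAT2": prints the gcloud create command
# that subscribes EMAIL to exactly the uncovered categories (lower-cased, comma-joined).
remediation_command() {
  cats=$(printf '%s' "$3" | tr 'A-Z ' 'a-z,')
  printf 'gcloud essential-contacts create --email="%s" --language="en-US" --notification-categories="%s" --organization="%s"\n' \
    "$2" "$cats" "$1"
}

# audit_org ORG_ID [EMAIL]: runs the check against a live organization and, on
# failure, prints the command that would close the gap (EMAIL is a placeholder).
audit_org() {
  email=${2:-secops@example.com}
  if missing=$(fetch_contacts "$1" | missing_categories); then
    echo "PASS $1"
    return 0
  fi
  echo "FAIL $1: no VALID contact for $missing"
  echo "Fix with: $(remediation_command "$1" "$email" "$missing")"
  return 1
}

# Live usage (requires gcloud authentication):
#   for org in $(list_org_ids); do audit_org "$org" secops@example.com; done
```

Running `printf '%s\n' "$SAMPLE_CONTACTS" | missing_categories` on the constructed sample reports SUSPENSION as uncovered, because the only contact subscribed to it is INVALID; treating a bounced address as coverage would be the classic way this control silently fails.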


Publication date Jul 28, 2022