Corporate Login Credentials In Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that corporate login credentials are used to access Google Cloud Platform (GCP) resources in order to follow cloud security best practices. In this way, all members within your organization can access Google Cloud services and resources using their corporate accounts, and your administrators can see and control these accounts through Google Admin console. The appropriate credentials required must be fully managed Google accounts tied to your corporate domain name through the Cloud Identity service. Cloud Identity is a stand-alone Identity-as-a-Service (IDaaS) service that provides GCP users access to many of the identity management capabilities provided by G Suite - a set of secure, cloud-native collaboration and productivity applications powered by Google. Signing up for Cloud Identity service provides a management layer over the Google accounts that are associated with your corporate (organization) domain name. Through the Cloud Identity management layer, you can enable or disable access to various Google solutions, including Google Cloud Platform (GCP), for your organization members. Signing up for Cloud Identity also creates an organization node for your domain, which helps map corporate structure and controls to your GCP resources via Google Cloud resource hierarchy.

Security

Use only fully-managed corporate login credentials to access your Google Cloud Platform (GCP) resources for increased visibility, auditing, and secure access management. Personal accounts, available outside the organization's domain, such as Gmail accounts, should not be used for business purposes.

Audit

To determine the type of login credentials used to access your GCP resources and deployments, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

03 In the navigation panel, select IAM.

04 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the GCP organization, folder or project that you want to examine.

05 On the IAM page, choose the PERMISSIONS tab, then select View by MEMBERS to list all the member accounts available for the selected GCP organization/folder/project.

06 On the MEMBERS panel, check for any account members that use email addresses outside the organization's domain, such as Gmail addresses. If one or more member accounts are Gmail accounts, the access to the selected Google Cloud Platform (GCP) organization/folder/project can be made with both personal account credentials and corporate login credentials, therefore the access configuration is not compliant.

07 Repeat steps no. 4 – 6 for all the projects and folders available within the selected GCP organization, including the organization itself, to determine the types of login credentials used to access your GCP deployments.

08 Repeat steps no. 1 – 7 for each Google Cloud Platform (GCP) organization deployed within your account.

Using GCP CLI

01 To check your GCP organizations IAM policies for email accounts outside the organization domains, perform the following operations:

  1. Run organizations list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the organizations available within your GCP account:
    gcloud organizations list \
      --format="table(name)"
    
  2. The command output should return the requested organization identifiers:
    ID
    123412341234
    111122223333
    
  3. Run organizations get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as identifier parameter and custom query filters to describe the Access Management (IAM) policy assigned to the selected organization, in JSON format:
    gcloud organizations get-iam-policy 123412341234 \
      --format=json
    
  4. The command output should return the organization's IAM policy:
    {
      "bindings": [
        {
          "members": [
            "domain:cloudconformity.com"
          ],
          "role": "roles/billing.creator"
        },
        {
          "members": [
            "user:admin@cloudconformity.com"
          ],
          "role": "roles/resourcemanager.organizationAdmin"
        },
        {
          "members": [
            "domain:cloudconformity.com"
          ],
          "role": "roles/resourcemanager.projectCreator"
        },
        {
          "members": [
            "user:cloud.realisation@gmail.com"
          ],
          "role": "roles/owner"
        }
      ],
      "etag": "abcdabcdabcd",
      "version": 1
    }
    
    The IAM policy returned by the organizations get-iam-policy command output should contain the member accounts that have access to the selected organization. Check for any account members that use email addresses outside the organization's domain, such as Gmail addresses (i.e. those ending in @gmail.com). If one or more member accounts are Gmail accounts, as shown in the example above, the access to the selected Google Cloud Platform (GCP) organization can be made with both personal account credentials and corporate login credentials, therefore the access configuration used is not compliant.
  5. Repeat steps no. 3 and 4 for each Google Cloud Platform (GCP) organization deployed within your account.

02 To check your GCP projects IAM policies for email accounts outside the organization domains, perform the following:

  1. Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your GCP account:
    gcloud projects list \
      --format="table(projectId)"
    
  2. The command output should return the requested project IDs:
    PROJECT_ID
    cc-web-app-prod-112233
    cc-internal-app-112233
    
  3. Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom filtering to describe the IAM policy created for the selected GCP project. The policy lists the accounts that have been granted access to the specified project:
    gcloud projects get-iam-policy cc-web-app-prod-112233 \
      --format=json
    
  4. The command output should return the requested IAM policy:
    {
      "bindings": [
        {
          "members": [
            "user:admin@cloudconformity.com"
          ],
          "role": "roles/owner"
        },
        {
          "members": [
            "user:cloud.realisation@gmail.com"
          ],
          "role": "roles/editor"
        }
      ],
      "etag": "abcdabcdabcd",
      "version": 1
    }
    
    Check the IAM policy document for any account members that use email addresses outside an organization domain, such as Gmail addresses. If one or more member accounts are Gmail accounts, as shown in the example above (e.g. cloud.realisation@gmail.com), the access to the selected Google Cloud Platform (GCP) project is made with both personal account credentials and corporate login credentials, therefore the project access configuration is not compliant.
  5. Repeat steps no. 3 and 4 for each Google Cloud Platform (GCP) project created within your account.

03 To check the IAM policies of your GCP organization folders for email accounts outside the organization domains, perform the following operations:

  1. Run resource-manager folders list command (Windows/macOS/Linux) using the ID of the organization that you want to examine as identifier parameter and custom query filters to list the IDs of all folders available in the selected GCP organization:
    gcloud resource-manager folders list \
      --organization 123412341234 \
      --format="table(name)"
    
  2. The command output should return the requested organization folders IDs:
    ID
    123456789012
    123412341234
    
  3. Run resource-manager folders get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP organization folder that you want to examine as identifier parameter and custom query filters to describe the IAM policy created for the selected folder. The policy lists the accounts that have been granted access to the specified GCP folder:
    gcloud resource-manager folders get-iam-policy 123456789012 \
      --format=json
    
  4. The command output should return the requested IAM policy:
    {
      "bindings": [
        {
          "members": [
            "user:cloud.realisation@gmail.com"
          ],
          "role": "roles/owner"
        },
        {
          "members": [
            "user:admin@cloudconformity.com"
          ],
          "role": "roles/resourcemanager.folderAdmin"
        },
        {
          "members": [
            "user:admin@cloudconformity.com"
          ],
          "role": "roles/resourcemanager.folderEditor"
        }
      ],
      "etag": "aaaabbbbcccc",
      "version": 1
    }
    
    Check the IAM policy document returned by the command output for any account members that use email addresses outside the selected organization domain, such as Gmail addresses. If one or more member accounts are Gmail accounts, as shown in the example above, the access to the selected Google Cloud Platform (GCP) organization folder is made with both personal account credentials and corporate login credentials, therefore the access configuration used is not compliant.
  5. Repeat steps no. 3 and 4 for each Google Cloud Platform (GCP) folder created within the selected organization.
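The organization, project and folder audit procedures above all inspect the same IAM policy JSON shape, so the check can be automated once and run over the output of any of the three get-iam-policy commands. The following Python script is an added example, not code from the Conformity page; it loads the organization policy shown earlier as a constructed sample and reports every binding member that is public (allUsers, allAuthenticatedUsers) or whose email domain is not in the allowed corporate domain list. Service accounts are deliberately skipped, since the check described on this page concerns personal user accounts.

```python
import json

# Constructed sample: the organization IAM policy from the audit section above
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["domain:cloudconformity.com"], "role": "roles/billing.creator"},
    {"members": ["user:admin@cloudconformity.com"], "role": "roles/resourcemanager.organizationAdmin"},
    {"members": ["domain:cloudconformity.com"], "role": "roles/resourcemanager.projectCreator"},
    {"members": ["user:cloud.realisation@gmail.com"], "role": "roles/owner"}
  ],
  "etag": "abcdabcdabcd",
  "version": 1
}
""")

# Member kinds whose identifier is an email address with a checkable domain.
# serviceAccount members are left out: they are not personal login accounts.
EMAIL_KINDS = ("user", "group")
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")


def member_domain(member):
    """Return the lower-cased domain of a binding member, or None if it has none.
    A 'deleted:user:x@y.com?uid=123' entry is normalised to 'user:x@y.com' first."""
    if member.startswith("deleted:"):
        member = member[len("deleted:"):].split("?uid=", 1)[0]
    kind, _, ident = member.partition(":")
    if kind == "domain":
        return ident.lower()
    if kind in EMAIL_KINDS and "@" in ident:
        return ident.rsplit("@", 1)[1].lower()
    return None


def find_external_members(policy, allowed_domains):
    """Return (member, role) pairs that are public or outside allowed_domains."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            domain = member_domain(member)
            if member in PUBLIC_MEMBERS or (domain is not None and domain not in allowed):
                findings.append((member, binding["role"]))
    return findings


if __name__ == "__main__":
    # With a real policy: gcloud organizations get-iam-policy ORG_ID --format=json > policy.json
    for member, role in find_external_members(SAMPLE_POLICY, {"cloudconformity.com"}):
        print(f"NON-COMPLIANT: {member} holds {role}")
```

Any line printed marks the deployment as not compliant under this rule; an empty result for every organization, folder and project means only corporate-domain identities hold IAM roles.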

Remediation / Resolution

To create new Google corporate login accounts and ensure that no email addresses outside the organization can be granted IAM permissions to the GCP projects, folders or the organization itself, perform the following actions:

Step A: To ensure that no email addresses outside your organization can be granted IAM permissions to GCP projects, folders or organizations, enable Domain Restricted Sharing within the organization policy:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

03 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the GCP organization that you want to reconfigure.

04 In the navigation panel, select Organization policies.

05 On the Organization policies page, type Domain restricted sharing in the Filter by policy name or ID search box to find the required policy, then click on the returned policy.

06 On the Domain restricted sharing policy configuration page, perform the following:

  1. Under Applies to, select Customize to apply a custom policy to the organization.
  2. Under Policy enforcement, make sure that Merge with parent option is selected.
  3. Choose Custom from Policy values dropdown list.
  4. Select Allow from the Policy type dropdown list.
  5. Under Custom values, enter your G Suite customer ID into the NEW POLICY VALUE text box, then press Enter.
  6. Click SAVE to apply the changes.

07 Repeat steps no. 3 – 6 for other GCP organizations created within your Google account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID and the associated G Suite customer ID of each GCP organization available in your Google Cloud account:

gcloud organizations list \
  --format="table(name,owner.directoryCustomerId)"

02 The command output should return the requested identifiers – ID as organization ID and DIRECTORY_CUSTOMER_ID as G Suite customer ID:

ID              DIRECTORY_CUSTOMER_ID
123412341234    abcdc1234
111122223333    1234abcda

03 Run resource-manager org-policies allow command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as identifier parameter, to enable Domain Restricted Sharing for the selected organization by updating its policy:

gcloud alpha resource-manager org-policies allow \
  --organization '123412341234' iam.allowedPolicyMemberDomains 'abcdc1234'

04 The command request should return the reconfigured organization policy metadata:

constraint: constraints/iam.allowedPolicyMemberDomains
etag: abcdabcdabcd
listPolicy:
  allowedValues:
  - abcdc1234
updateTime: '2020-04-11T10:50:51.731Z'

05 Repeat step no. 3 and 4 for other GCP organizations available within your Google account.

Step B: Create new Google corporate login accounts to be used instead of personal accounts:

Note: Creating Google corporate login accounts using Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to Google Admin Console at https://admin.google.com using your GCP organizational unit credentials.

02 On the main Admin Console page, select Users to access the user management page.

03 On the Users management page, click Add new user to create a new Google corporate login account.

04 On the Add new user panel, provide all the necessary identification details for the new account, turn off Automatically generate a password and Ask for a password change at the next sign-in configuration settings, then type a strong password for the new account within the Password text box. Click ADD NEW USER to create the new account. Click DONE to return to the user management page. From now on, you use the new corporate account credentials to log in and manage your Google Cloud Platform (GCP) resources.

05 If required, repeat step no. 3 and 4 to create new Google corporate login accounts.

Publication date Feb 4, 2021
