| 1 | +export default { |
| 2 | + id: 'gcp-cis-1.3.0-2.15', |
| 3 | + title: |
| 4 | + 'GCP CIS 2.15 Ensure \'Access Approval\' is \'Enabled\'', |
| 5 | + description: `GCP Access Approval enables you to require your organizations' explicit approval |
| 6 | + whenever Google support try to access your projects. You can then select users within your |
| 7 | + organization who can approve these requests through giving them a security role in IAM. |
| 8 | + All access requests display which Google Employee requested them in an email or Pub/Sub |
| 9 | + message that you can choose to Approve. This adds an additional control and logging of |
| 10 | + who in your organization approved/denied these requests.`, |
| 11 | + audit: `**Determine if Access Transparency is Enabled** |
| 12 | +
|
| 13 | + 1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Hover over the IAM & Admin Menu. Select settings in the middle of the column that opens. |
| 14 | + 2. The status should be "Enabled' under the heading *Access Transparency* |
| 15 | +
|
| 16 | + **Enable Access Transparency** |
| 17 | +
|
| 18 | + 1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Hover over the *IAM & Admin* Menu. Select *settings* in the middle of the column that opens. |
| 19 | + 2. Click the blue button labeled Enable *Access Transparency for Organization* |
| 20 | +
|
| 21 | + **Determine if Access Approval is Enabled** |
| 22 | +
|
| 23 | + 1. From the Google Cloud Home, within the project you wish to check, click on the Navigation hamburger menu in the top left. Hover over the *Security* Menu. Select *Access Approval* in the middle of the column that opens. |
| 24 | + 2. The status will be displayed here. If you see a screen saying you need to enroll in Access Approval, it is not enabled. |
| 25 | +
|
| 26 | + **From CLI: |
| 27 | +
|
| 28 | + Determine if Access Approval is Enabled** |
| 29 | +
|
| 30 | + 1. From within the project you wish to audit, run the following command. |
| 31 | +
|
| 32 | + gcloud access-approval settings get |
| 33 | +
|
| 34 | + 2. The status will be displayed in the output.`, |
| 35 | + |
| 36 | + rationale: `Controlling access to your information is one of the foundations of information security. |
| 37 | + Google Employees do have access to your organizations' projects for support reasons. With |
| 38 | + Access Approval, organizations can then be certain that their information is accessed by |
| 39 | + only approved Google Personnel.`, |
| 40 | + remediation: `**From Console:** |
| 41 | +
|
| 42 | + 1. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the *Security* Menu. Select *Access Approval* in the middle of the column that opens. |
| 43 | + 2. The status will be displayed here. On this screen, there is an option to click *Enroll*. If |
| 44 | + it is greyed out and you see an error bar at the top of the screen that says *Access Transparency is not enabled* please view the corresponding reference within this section to enable it. |
| 45 | + 3. In the second screen click *Enroll*. |
| 46 | +
|
| 47 | + **Grant an IAM Group or User the role with permissions to Add Users to be Access Approval message Recipients** |
| 48 | +
|
| 49 | + 1. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the *IAM and Admin*. Select *IAM* in the middle of the column that opens. |
| 50 | + 2. Click the blue button the says *+add* at the top of the screen. |
| 51 | + 3. In the *principals* field, select a user or group by typing in their associated email address. |
| 52 | + 4. Click on the role field to expand it. In the filter field enter *Access Approval Approver* and select it. |
| 53 | + 5. Click *save*. |
| 54 | +
|
| 55 | + **Add a Group or User as an Approver for Access Approval Requests** |
| 56 | +
|
| 57 | + 1. As a user with the *Access Approval Approver* permission, within the project where you wish to add an email address to which request will be sent, click on the Navigation hamburger menu in the top left. Hover over the *Security* Menu. Select *Access Approval* in the middle of the column that opens. |
| 58 | + 2. Click *Manage Settings* |
| 59 | + 3. Under *Set up approval notifications*s, enter the email address associated with a Google Cloud User or Group you wish to send Access Approval requests to. All future access approvals will be sent as emails to this address. |
| 60 | +
|
| 61 | + **From CLI:** |
| 62 | +
|
| 63 | + 1. To update all services in an entire project, run the following command from an account that has permissions as an 'Approver for Access Approval Requests' |
| 64 | +
|
| 65 | + gcloud access-approval settings update --project=<project name> -- |
| 66 | + enrolled_services=all --notification_emails='<email recipient for access |
| 67 | + approval requests>@<domain name>' |
| 68 | +
|
| 69 | + **Default Value:** |
| 70 | +
|
| 71 | + By default Access Approval and its dependency of Access Transparency are not enabled.`, |
| 72 | + references: [ |
| 73 | + 'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs', |
| 74 | + 'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs/overview', |
| 75 | + 'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs/quickstart-custom-key', |
| 76 | + 'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs/supported-services', |
| 77 | + 'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs/view-historical-requests', |
| 78 | + ], |
| 79 | + gql: `{ |
| 80 | + querygcpAsset { |
| 81 | + id |
| 82 | + __typename |
| 83 | + } |
| 84 | + }`, |
| 85 | + resource: 'querygcpProject[*]', |
| 86 | + severity: 'unknown', |
| 87 | + check: ({ resource }: any) => { |
| 88 | + const { assets } = resource |
| 89 | + return !!assets |
| 90 | + }, |
| 91 | +} |
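Review bot: the `check` function does not evaluate Access Approval at all. `const { assets } = resource; return !!assets` passes or fails a project purely on whether an `assets` field is truthy, and the `gql` query (`querygcpAsset { id __typename }`) neither selects an `assets` field nor matches `resource: 'querygcpProject[*]'`, so `resource.assets` will be undefined and the rule will return the same constant result for every project. Either query the project's Access Approval settings (enrolled services and notification recipients, the same data the `gcloud access-approval settings get` step in `audit` inspects) and assert on them in `check`, or, if the schema does not yet expose that data, flag the rule as a manual check instead of shipping an automated one that cannot fail for the right reason. In the same hunk, `severity: 'unknown'` should be given a concrete level; the CLI remediation breaks `--` from `enrolled_services=all` across a line so a copied command reads `-- enrolled_services=all`; the `**From CLI:` bold opener is closed only after a blank line in `Determine if Access Approval is Enabled**`, which Markdown will not render as bold; and there are small typos to tidy (`"Enabled'` with mismatched quotes, `*Set up approval notifications*s`, `the blue button the says`).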