GCP IAM Best Practices

Best practice rules for GCP Identity and Access Management (IAM)

Trend Micro Cloud One™ – Conformity monitors GCP Identity and Access Management (IAM) with the following rules:

• Check for IAM Members with Service Roles at the Project Level

  Ensure there are no IAM members with Service Account User and Service Account Token Creator roles at the project level.

• Configure Essential Contacts for Organizations

  Ensure that Essential Contacts are defined for your Google Cloud organization.

• Configure Google Cloud Audit Logs to Track All Activities

  Ensure that the Audit Logs feature is configured to record all service and user activities.

• Corporate Login Credentials In Use

  Use corporate login credentials instead of personal accounts such as Gmail accounts.

• Delete Google Cloud API Keys

  Ensure there are no API keys associated with your Google Cloud Platform (GCP) projects.

• Delete User-Managed Service Account Keys

  Ensure there are no user-managed keys associated with your GCP service accounts.

• Detect GCP IAM Configuration Changes

  IAM configuration changes have been detected within your Google Cloud Platform (GCP) account.

• Enable Access Approval

  Ensure that Access Approval is enabled for your Google Cloud account.

• Enable Access Transparency

  Ensure that Access Transparency is enabled within your Google Cloud organization.

• Enable Multi-Factor Authentication for User Accounts

  Ensure that Multi-Factor Authentication (MFA) feature is enabled for all GCP user accounts.

• Enable Security Key Enforcement for Admin Accounts

  Enforce the use of security keys to help prevent Google Cloud account hijacking.

• Enforce Separation of Duties for KMS-Related Roles

  Ensure that separation of duties is implemented for all Google Cloud KMS-related roles.

• Enforce Separation of Duties for Service-Account Related Roles

  Ensure that separation of duties is implemented for all Google Cloud service account roles.

• Minimize the Use of Primitive Roles

  Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles is limited within your Google Cloud projects.

• Restrict Administrator Access for Service Accounts

  Ensure that user-managed service accounts are not using administrator-based roles.

• Rotate User-Managed Service Account Keys

  Ensure that your user-managed service account keys are rotated periodically.