Best practice rules for GCP Identity and Access Management (IAM)
- Check for IAM Members with Service Roles at the Project Level
Ensure there are no IAM members with Service Account User and Service Account Token Creator roles at the project level.
- Configure Essential Contacts for Organizations
Ensure that Essential Contacts are defined for your Google Cloud organization.
- Configure Google Cloud Audit Logs to Track All Activities
Ensure that the Audit Logs feature is configured to record all service and user activities.
- Corporate Login Credentials In Use
Use corporate login credentials instead of personal accounts such as Gmail accounts.
- Delete Google Cloud API Keys
Ensure there are no API keys associated with your Google Cloud Platform (GCP) projects.
- Delete User-Managed Service Account Keys
Ensure there are no user-managed keys associated with your GCP service accounts.
- Detect GCP IAM Configuration Changes
Ensure that IAM configuration changes within your Google Cloud Platform (GCP) account are detected.
- Enable Access Approval
Ensure that Access Approval is enabled for your Google Cloud account.
- Enable Access Transparency
Ensure that Access Transparency is enabled within your Google Cloud organization.
- Enable Multi-Factor Authentication for User Accounts
Ensure that the Multi-Factor Authentication (MFA) feature is enabled for all GCP user accounts.
- Enable Security Key Enforcement for Admin Accounts
Enforce the use of security keys to help prevent Google Cloud account hijacking.
- Enforce Separation of Duties for KMS-Related Roles
Ensure that separation of duties is implemented for all Google Cloud KMS-related roles.
- Enforce Separation of Duties for Service-Account Related Roles
Ensure that separation of duties is implemented for all Google Cloud service account roles.
- Minimize the Use of Primitive Roles
Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles is limited within your Google Cloud projects.
- Restrict Administrator Access for Service Accounts
Ensure that user-managed service accounts are not using administrator-based roles.
- Rotate User-Managed Service Account Keys
Ensure that your user-managed service account keys are rotated periodically.