Best practice rules for GCP Identity and Access Management (IAM)
Trend Micro Cloud One™ – Conformity monitors GCP Identity and Access Management (IAM) with the following rules:
- Check for IAM Members with Service Roles at the Project Level
Ensure that no IAM member is granted the Service Account User (roles/iam.serviceAccountUser) or Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role at the project level; a project-level grant allows impersonation of every service account in the project rather than of a specific one.
- Configure Google Cloud Audit Logs to Track All Activities
Ensure that Cloud Audit Logs are configured to record all Admin Activity and Data Access (Admin Read, Data Read, Data Write) events for all services and all users.
- Corporate Login Credentials In Use
Use corporate login credentials instead of personal accounts such as Gmail accounts.
- Delete Google Cloud API Keys
Ensure there are no API keys associated with your Google Cloud Platform (GCP) projects.
- Delete User-Managed Service Account Keys
Ensure there are no user-managed keys associated with your GCP service accounts.
- Enable Multi-Factor Authentication for User Accounts
Ensure that the Multi-Factor Authentication (MFA) feature is enabled for all GCP user accounts.
- Enable Security Key Enforcement for Admin Accounts
Enforce the use of security keys to help prevent Google Cloud account hijacking.
- Enforce Separation of Duties for Service-Account Related Roles
Ensure that separation of duties is implemented for Google Cloud service account roles, that is, no principal holds both the Service Account Admin (roles/iam.serviceAccountAdmin) and Service Account User (roles/iam.serviceAccountUser) roles.
- Minimize the Use of Primitive Roles
Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles (now called basic roles: roles/owner, roles/editor and roles/viewer) is limited within your Google Cloud projects, in favour of predefined or custom roles that grant only the permissions required.
- Restrict Administrator Access for Service Accounts
Ensure that user-managed service accounts are not granted administrator roles (Owner, Editor, or any predefined role ending in Admin) at the project level.
- Rotate User-Managed Service Account Keys
Ensure that your user-managed service account keys are rotated regularly (the CIS Google Cloud Platform Foundations Benchmark recommends at least every 90 days).
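Several of the rules above (project-level service-account roles, personal Gmail accounts, primitive/basic roles, administrator roles on user-managed service accounts, separation of duties, and key rotation) can be checked offline against the JSON that gcloud already returns. The following script is an added example and is not part of Conformity or of Google's tooling: it lints a project IAM policy in the shape produced by `gcloud projects get-iam-policy PROJECT --format=json` and a key listing in the shape produced by `gcloud iam service-accounts keys list --iam-account=SA --format=json`. The sample policy, key listing, project ID `my-project` and the fixed "now" timestamp are all constructed for the example; the heuristic that a user-managed service account lives under `<project-id>.iam.gserviceaccount.com` (so Google-managed service agents under other domains are ignored) is an assumption made here.

```python
"""Lint a GCP project IAM policy and service-account key list against the
rules listed above. Added example; not Conformity or Google code."""
from datetime import datetime, timedelta, timezone

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SA_IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}
SOD_PAIR = {"roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountUser"}
MAX_KEY_AGE_DAYS = 90  # CIS GCP benchmark rotation interval


def is_admin_role(role: str) -> bool:
    """Owner/Editor, or any predefined role whose last segment ends in 'admin'."""
    if role in {"roles/owner", "roles/editor"}:
        return True
    return role.rsplit(".", 1)[-1].lower().endswith("admin")


def is_user_managed_sa(member: str, project_id: str) -> bool:
    """Assumption: user-managed SAs live under <project-id>.iam.gserviceaccount.com."""
    return member.startswith("serviceAccount:") and member.endswith(
        f"@{project_id}.iam.gserviceaccount.com")


def lint_policy(policy: dict, project_id: str) -> list:
    """Return (rule, member, role) findings for a project-level IAM policy."""
    findings = []
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(role)
            if role in BASIC_ROLES:
                findings.append(("basic_role", member, role))
            if role in SA_IMPERSONATION_ROLES:
                findings.append(("project_level_sa_role", member, role))
            if member.startswith("user:") and member.lower().endswith("@gmail.com"):
                findings.append(("personal_account", member, role))
            if is_user_managed_sa(member, project_id) and is_admin_role(role):
                findings.append(("sa_admin_role", member, role))
    # Separation of duties: one principal holding both SA Admin and SA User.
    for member, roles in roles_by_member.items():
        if SOD_PAIR <= roles:
            findings.append(("sod_violation", member, "+".join(sorted(SOD_PAIR))))
    return findings


def stale_user_managed_keys(keys: list, now: datetime,
                            max_age_days: int = MAX_KEY_AGE_DAYS) -> list:
    """Return (key name, age in days) for USER_MANAGED keys older than the limit.
    SYSTEM_MANAGED keys are rotated by Google and are skipped."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.strptime(key["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ")
        age = now - created.replace(tzinfo=timezone.utc)
        if age > timedelta(days=max_age_days):
            stale.append((key["name"], age.days))
    return stale


# Constructed sample policy (shape of `gcloud projects get-iam-policy --format=json`).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["user:bob@gmail.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:carol@example.com", "group:devs@example.com"]},
    {"role": "roles/iam.serviceAccountAdmin", "members": ["user:carol@example.com"]},
    {"role": "roles/compute.admin",
     "members": ["serviceAccount:ci-runner@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/pubsub.subscriber",
     "members": ["serviceAccount:service-123@gcp-sa-pubsub.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:deployer@my-project.iam.gserviceaccount.com"]},
]}

# Constructed sample key list (shape of `gcloud iam service-accounts keys list --format=json`).
SA = "projects/my-project/serviceAccounts/ci-runner@my-project.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": SA + "/keys/aaa", "keyType": "USER_MANAGED", "validAfterTime": "2024-01-10T00:00:00Z"},
    {"name": SA + "/keys/bbb", "keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T00:00:00Z"},
    {"name": SA + "/keys/ccc", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for rule, member, role in lint_policy(SAMPLE_POLICY, "my-project"):
        print(f"{rule:22} {member:70} {role}")
    for name, days in stale_user_managed_keys(SAMPLE_KEYS, NOW):
        print(f"stale_key              {name} ({days} days old)")
```

To run it against a real project, replace `SAMPLE_POLICY` and `SAMPLE_KEYS` with the parsed output of the two gcloud commands and `NOW` with `datetime.now(timezone.utc)`; the Google-managed service agent in the sample (`@gcp-sa-pubsub.iam.gserviceaccount.com`) produces no finding because the admin-role rule is scoped to user-managed accounts only.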