Ensure that security key enforcement is enabled for all Google Cloud Platform (GCP) organization administrator accounts. To follow security best practices, the security key enforcement must be implemented for all GCP organizational units. This reduces the risk of account breach, making it more difficult for an attacker or malicious user to steal administrator credentials and ultimately gain access to private and sensitive data.
A GCP user account with the Organization Administrator role has the highest level of privilege within the organization. User accounts like this should be protected with the strongest form of Multi-Factor Authentication (2-Step Verification): Security Keys. Security Keys are physical keys that send an encrypted signature rather than a code in order to protect login credentials against phishing attack. Users simply tap the button on their security key instead of typing codes. Unlike other MFA/2SV methods that use one-time codes via text messages, security keys don't require a phone number associated with the user account. Because GCP organization administrator accounts have access to sensitive data and critical systems, it is strongly recommended that these accounts use Security Keys as Multi-Factor Authentication (MFA) method.
To determine if security key enforcement is enabled for all your GCP organization administrator accounts, perform the following operations:Note: Getting the security key enforcement configuration status using GCP Command Line Interface (CLI) is not currently supported.
Remediation / Resolution
To enable security key enforcement for your Google Cloud Platform (GCP) organization administrator accounts, perform the following operations:Note: Enabling security key enforcement for GCP admin accounts using Command Line Interface (CLI) is not currently supported.
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Enable Security Key Enforcement for Admin Accounts
Risk level: High