Users Should Use Work Email For Access

More Info:

User should have access via their official corporate email id and not their personal id.

Risk Level

Medium

Address

Security, Reliability

Compliance Standards

CISGCP, CBP, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Users Should Use Work Email For Access” in GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in the GCP Console.
Run the following command to check if the G Suite domain is set for the organization:
```
gcloud organizations describe ORGANIZATION_ID
```
Replace ORGANIZATION_ID with your organization ID.
If the G Suite domain is not set for the organization, follow the instructions given in the following link to set up a G Suite domain: https://cloud.google.com/resource-manager/docs/creating-managing-organization#setup_a_g_suite_domain
Once the G Suite domain is set up, run the following command to enable domain-restricted sharing:
```
gcloud beta identity organizational-settings domains update DOMAIN_NAME --allow-unrestricted-sharing=false --force
```
Replace DOMAIN_NAME with your G Suite domain name. This command restricts sharing of GCP resources to only users with email addresses in the specified G Suite domain.
Run the following command to verify that the domain-restricted sharing is enabled:
```
gcloud beta identity organizational-settings domains describe DOMAIN_NAME
```
Replace DOMAIN_NAME with your G Suite domain name. This command should return the following output:
```
allowUnrestrictedSharing: false
```
This confirms that the domain-restricted sharing is enabled.
Finally, you can check the users who have access to your GCP resources using the following command:
```
gcloud projects get-iam-policy PROJECT_ID
```
Replace PROJECT_ID with your GCP project ID. This command lists all the users who have access to your GCP resources. Make sure that all the users have email addresses in the specified G Suite domain. If any user does not have an email address in the specified G Suite domain, remove their access to the GCP resources using the following command:
```
gcloud projects remove-iam-policy-binding PROJECT_ID --member=user:EMAIL_ADDRESS --role=ROLE
```
Replace PROJECT_ID with your GCP project ID, EMAIL_ADDRESS with the email address of the user, and ROLE with the role that the user has been assigned. This command removes the user’s access to the specified GCP resources.

Using Python

To remediate the misconfiguration “Users Should Use Work Email For Access” in GCP, we can use the following steps using Python:

First, we need to identify the users who are not using their work email for access to GCP. We can do this by using the google-auth and google-api-python-client libraries to authenticate and make API requests to the GCP Admin SDK.
Once we have identified the users, we can update their email addresses to their work email using the googleapiclient.discovery module. We can use the users().update() method to update the email address of the user.
We can also set up a notification system to alert users who are not using their work email for access to update their email address.

Here is a sample Python code to remediate the misconfiguration “Users Should Use Work Email For Access” in GCP:

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Replace with the path to your service account key file
KEY_FILE_LOCATION = '/path/to/keyfile.json'

# Replace with your GCP project ID
PROJECT_ID = 'your-project-id'

# Replace with the domain of your organization
DOMAIN = 'your-domain.com'

# Authenticate using a service account key file
creds = service_account.Credentials.from_service_account_file(
    KEY_FILE_LOCATION,
    scopes=['https://www.googleapis.com/auth/admin.directory.user']
)

# Create the Admin SDK API client
service = build('admin', 'directory_v1', credentials=creds)

# Get a list of all users in the domain
users = service.users().list(domain=DOMAIN).execute()

# Loop through the users and update their email address if it is not their work email
for user in users['users']:
    if user['primaryEmail'].endswith('@gmail.com'):
        # Update the user's email address to their work email
        new_email = user['primaryEmail'].replace('@gmail.com', '@your-domain.com')
        service.users().update(userKey=user['id'], body={'primaryEmail': new_email}).execute()

        # Send a notification to the user to update their email address
        print(f"Updated email address for user {user['primaryEmail']}. Please update your email address to your work email.")

Note: This code assumes that all users in the domain have a work email address with the same domain as the organization. If this is not the case, you may need to modify the code to handle different email domains.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Users Should Use Work Email For Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: