> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Users Should Use Work Email For Access

### More Info:

User should have access via their official corporate email id and not their personal id.

### Risk Level

Medium

### Address

Security, Reliability

### Compliance Standards

CISGCP, CBP, SOC2, NISTCSF, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration "Users Should Use Work Email For Access" in GCP using GCP console, you can follow these steps:

        1. Go to the GCP Console and select the project for which you need to remediate the misconfiguration.
        2. Click on the "IAM & Admin" menu from the left-hand side navigation menu.
        3. Click on the "IAM" tab to view the list of IAM roles and members.
        4. Select the user for whom you want to remediate the misconfiguration.
        5. Click on the "Edit" button next to the user's email address.
        6. In the "Edit member" dialog box, scroll down to the "Role" section.
        7. Click on the "Add Another Role" button to add a new role.
        8. In the "Select a Role" dialog box, search for the "Organization Policy User" role and select it.
        9. Click on the "Save" button to add the new role to the user.
        10. Repeat the above steps for all the users who have access to the project.

        By adding the "Organization Policy User" role to the users, you are enforcing the organization policy that requires users to use their work email for access. This will ensure that only authorized users with valid work emails can access the GCP resources.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "Users Should Use Work Email For Access" in GCP using GCP CLI, you can follow the below steps:

        1. Open the Cloud Shell in the GCP Console.

        2. Run the following command to check if the G Suite domain is set for the organization:

           ```
           gcloud organizations describe ORGANIZATION_ID
           ```

           Replace `ORGANIZATION_ID` with your organization ID.

        3. If the G Suite domain is not set for the organization, follow the instructions given in the following link to set up a G Suite domain:

           [https://cloud.google.com/resource-manager/docs/creating-managing-organization#setup\_a\_g\_suite\_domain](https://cloud.google.com/resource-manager/docs/creating-managing-organization#setup_a_g_suite_domain)

        4. Once the G Suite domain is set up, run the following command to enable domain-restricted sharing:

           ```
           gcloud beta identity organizational-settings domains update DOMAIN_NAME --allow-unrestricted-sharing=false --force
           ```

           Replace `DOMAIN_NAME` with your G Suite domain name.

           This command restricts sharing of GCP resources to only users with email addresses in the specified G Suite domain.

        5. Run the following command to verify that the domain-restricted sharing is enabled:

           ```
           gcloud beta identity organizational-settings domains describe DOMAIN_NAME
           ```

           Replace `DOMAIN_NAME` with your G Suite domain name.

           This command should return the following output:

           ```
           allowUnrestrictedSharing: false
           ```

           This confirms that the domain-restricted sharing is enabled.

        6. Finally, you can check the users who have access to your GCP resources using the following command:

           ```
           gcloud projects get-iam-policy PROJECT_ID
           ```

           Replace `PROJECT_ID` with your GCP project ID.

           This command lists all the users who have access to your GCP resources. Make sure that all the users have email addresses in the specified G Suite domain. If any user does not have an email address in the specified G Suite domain, remove their access to the GCP resources using the following command:

           ```
           gcloud projects remove-iam-policy-binding PROJECT_ID --member=user:EMAIL_ADDRESS --role=ROLE
           ```

           Replace `PROJECT_ID` with your GCP project ID, `EMAIL_ADDRESS` with the email address of the user, and `ROLE` with the role that the user has been assigned.

           This command removes the user's access to the specified GCP resources.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration "Users Should Use Work Email For Access" in GCP, we can use the following steps using Python:

        1. First, we need to identify the users who are not using their work email for access to GCP. We can do this by using the `google-auth` and `google-api-python-client` libraries to authenticate and make API requests to the GCP Admin SDK.

        2. Once we have identified the users, we can update their email addresses to their work email using the `googleapiclient.discovery` module. We can use the `users().update()` method to update the email address of the user.

        3. We can also set up a notification system to alert users who are not using their work email for access to update their email address.

        Here is a sample Python code to remediate the misconfiguration "Users Should Use Work Email For Access" in GCP:

        ```python theme={null}
        from google.oauth2 import service_account
        from googleapiclient.discovery import build

        # Replace with the path to your service account key file
        KEY_FILE_LOCATION = '/path/to/keyfile.json'

        # Replace with your GCP project ID
        PROJECT_ID = 'your-project-id'

        # Replace with the domain of your organization
        DOMAIN = 'your-domain.com'

        # Authenticate using a service account key file
        creds = service_account.Credentials.from_service_account_file(
            KEY_FILE_LOCATION,
            scopes=['https://www.googleapis.com/auth/admin.directory.user']
        )

        # Create the Admin SDK API client
        service = build('admin', 'directory_v1', credentials=creds)

        # Get a list of all users in the domain
        users = service.users().list(domain=DOMAIN).execute()

        # Loop through the users and update their email address if it is not their work email
        for user in users['users']:
            if user['primaryEmail'].endswith('@gmail.com'):
                # Update the user's email address to their work email
                new_email = user['primaryEmail'].replace('@gmail.com', '@your-domain.com')
                service.users().update(userKey=user['id'], body={'primaryEmail': new_email}).execute()

                # Send a notification to the user to update their email address
                print(f"Updated email address for user {user['primaryEmail']}. Please update your email address to your work email.")
        ```

        Note: This code assumes that all users in the domain have a work email address with the same domain as the organization. If this is not the case, you may need to modify the code to handle different email domains.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:
