More Info:

Many Google Cloud services, such as Cloud Billing, send out notifications to share important information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.

Risk Level

Medium

Address

Security, Reliability

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Essential Contacts Configured For Organization” for GCP using GCP console, follow the steps given below:
  1. Login to GCP console using your credentials.
  2. Go to the Navigation menu and select “IAM & Admin”.
  3. Click on “Settings” from the left-hand side menu.
  4. Scroll down to the “Essential Contacts” section and click on “Configure”.
  5. Click on “Add contact” and enter the email address of the contact person.
  6. Select the contact type from the dropdown menu.
  7. Click on “Add” to save the contact details.
  8. Repeat steps 5 to 7 to add more contacts if required.
  9. Once you have added all the essential contacts, click on “Save” to save the changes.
By following these steps, you have successfully remediated the misconfiguration “Ensure Essential Contacts Configured For Organization” for GCP using GCP console.

To remediate the misconfiguration “Ensure Essential Contacts Configured For Organization” for GCP using GCP CLI, you can follow the below steps:
  1. Open the GCP Cloud Shell by clicking on the Activate Cloud Shell button on the top of the GCP Console.
  2. Run the following command to list all the organizations in your GCP account: 
    gcloud organizations list
  3. Note down the organization ID of the organization for which you want to ensure essential contacts are configured.
  4. Run the following command to ensure essential contacts are configured for the organization: 
    gcloud alpha organizations update <ORGANIZATION_ID> --essential-contact-emails=<EMAIL_ADDRESS>
    Replace <ORGANIZATION_ID> with the organization ID you noted down in step 3 and <EMAIL_ADDRESS> with the email address of the essential contact(s) you want to configure. Note: You can configure multiple email addresses separated by commas.
  5. Verify that the essential contact(s) have been configured for the organization by running the following command: 
    gcloud alpha organizations describe <ORGANIZATION_ID> --format="value(essentialContacts)"
    This command will output the email address(es) of the essential contact(s) configured for the organization.
By following the above steps, you can remediate the misconfiguration “Ensure Essential Contacts Configured For Organization” for GCP using GCP CLI.
To remediate the “Ensure Essential Contacts Configured For Organization” misconfiguration for GCP using Python, you can follow these steps:
  1. Import the necessary libraries:
from google.oauth2 import service_account
from googleapiclient.discovery import build
  1. Set up authentication using a service account:
credentials = service_account.Credentials.from_service_account_file('path/to/service_account.json')
  1. Create a client object for the Organizations API:
org_client = build('cloudresourcemanager', 'v1', credentials=credentials)
  1. Get the current organization:
org = org_client.organizations().get(name='organizations/your_org_id').execute()
  1. Check if essential contacts are configured:
if 'notificationSettings' in org and 'pubsubTopic' in org['notificationSettings']:
    print('Essential contacts are configured.')
else:
    print('Essential contacts are not configured.')
  1. If essential contacts are not configured, configure them:
topic_name = 'your_pubsub_topic_name'

notification_settings = {
    'pubsubTopic': f'projects/{project_id}/topics/{topic_name}',
    'cloudAuditLogsEnabled': True,
    'projectDeletionPolicy': 'ABANDON',
    'folderDeletionPolicy': 'ABANDON'
}

org_client.organizations().updateNotificationSettings(name=f'organizations/{org_id}', body=notification_settings).execute()

print('Essential contacts have been configured.')
Note: Replace your_org_id, project_id, topic_name, and org_id with the appropriate values for your organization. Also, make sure the service account has the necessary permissions to update organization settings.

Additional Reading: