GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Ensure Essential Contacts Configured For Organization
More Info:
Many Google Cloud services, such as Cloud Billing, send out notifications to share important information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.
Risk Level
Medium
Address
Security, Reliability
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Ensure Essential Contacts Configured For Organization” for GCP using GCP console, follow the steps given below:
- Login to GCP console using your credentials.
- Go to the Navigation menu and select “IAM & Admin”.
- Click on “Settings” from the left-hand side menu.
- Scroll down to the “Essential Contacts” section and click on “Configure”.
- Click on “Add contact” and enter the email address of the contact person.
- Select the contact type from the dropdown menu.
- Click on “Add” to save the contact details.
- Repeat steps 5 to 7 to add more contacts if required.
- Once you have added all the essential contacts, click on “Save” to save the changes.
By following these steps, you have successfully remediated the misconfiguration “Ensure Essential Contacts Configured For Organization” for GCP using GCP console.
To remediate the misconfiguration “Ensure Essential Contacts Configured For Organization” for GCP using GCP CLI, you can follow the below steps:
-
Open the GCP Cloud Shell by clicking on the Activate Cloud Shell button on the top of the GCP Console.
-
Run the following command to list all the organizations in your GCP account:
gcloud organizations list -
Note down the organization ID of the organization for which you want to ensure essential contacts are configured.
-
Run the following command to ensure essential contacts are configured for the organization:
gcloud alpha organizations update <ORGANIZATION_ID> --essential-contact-emails=<EMAIL_ADDRESS>Replace
<ORGANIZATION_ID>with the organization ID you noted down in step 3 and<EMAIL_ADDRESS>with the email address of the essential contact(s) you want to configure.Note: You can configure multiple email addresses separated by commas.
-
Verify that the essential contact(s) have been configured for the organization by running the following command:
gcloud alpha organizations describe <ORGANIZATION_ID> --format="value(essentialContacts)"This command will output the email address(es) of the essential contact(s) configured for the organization.
By following the above steps, you can remediate the misconfiguration “Ensure Essential Contacts Configured For Organization” for GCP using GCP CLI.
To remediate the “Ensure Essential Contacts Configured For Organization” misconfiguration for GCP using Python, you can follow these steps:
- Import the necessary libraries:
from google.oauth2 import service_account
from googleapiclient.discovery import build
- Set up authentication using a service account:
credentials = service_account.Credentials.from_service_account_file('path/to/service_account.json')
- Create a client object for the Organizations API:
org_client = build('cloudresourcemanager', 'v1', credentials=credentials)
- Get the current organization:
org = org_client.organizations().get(name='organizations/your_org_id').execute()
- Check if essential contacts are configured:
if 'notificationSettings' in org and 'pubsubTopic' in org['notificationSettings']:
print('Essential contacts are configured.')
else:
print('Essential contacts are not configured.')
- If essential contacts are not configured, configure them:
topic_name = 'your_pubsub_topic_name'
notification_settings = {
'pubsubTopic': f'projects/{project_id}/topics/{topic_name}',
'cloudAuditLogsEnabled': True,
'projectDeletionPolicy': 'ABANDON',
'folderDeletionPolicy': 'ABANDON'
}
org_client.organizations().updateNotificationSettings(name=f'organizations/{org_id}', body=notification_settings).execute()
print('Essential contacts have been configured.')
Note: Replace your_org_id, project_id, topic_name, and org_id with the appropriate values for your organization. Also, make sure the service account has the necessary permissions to update organization settings.