More Info:

User should have access via their official corporate email id and not their personal id.

Risk Level

Medium

Address

Security, Reliability

Compliance Standards

CISGCP, CBP, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Users Should Use Work Email For Access” in GCP using GCP console, you can follow these steps:
  1. Go to the GCP Console and select the project for which you need to remediate the misconfiguration.
  2. Click on the “IAM & Admin” menu from the left-hand side navigation menu.
  3. Click on the “IAM” tab to view the list of IAM roles and members.
  4. Select the user for whom you want to remediate the misconfiguration.
  5. Click on the “Edit” button next to the user’s email address.
  6. In the “Edit member” dialog box, scroll down to the “Role” section.
  7. Click on the “Add Another Role” button to add a new role.
  8. In the “Select a Role” dialog box, search for the “Organization Policy User” role and select it.
  9. Click on the “Save” button to add the new role to the user.
  10. Repeat the above steps for all the users who have access to the project.
By adding the “Organization Policy User” role to the users, you are enforcing the organization policy that requires users to use their work email for access. This will ensure that only authorized users with valid work emails can access the GCP resources.

To remediate the misconfiguration “Users Should Use Work Email For Access” in GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to check if the G Suite domain is set for the organization: 
    gcloud organizations describe ORGANIZATION_ID
    Replace ORGANIZATION_ID with your organization ID.
  3. If the G Suite domain is not set for the organization, follow the instructions given in the following link to set up a G Suite domain: https://cloud.google.com/resource-manager/docs/creating-managing-organization#setup_a_g_suite_domain
  4. Once the G Suite domain is set up, run the following command to enable domain-restricted sharing: 
    gcloud beta identity organizational-settings domains update DOMAIN_NAME --allow-unrestricted-sharing=false --force
    Replace DOMAIN_NAME with your G Suite domain name. This command restricts sharing of GCP resources to only users with email addresses in the specified G Suite domain.
  5. Run the following command to verify that the domain-restricted sharing is enabled: 
    gcloud beta identity organizational-settings domains describe DOMAIN_NAME
    Replace DOMAIN_NAME with your G Suite domain name. This command should return the following output: 
    allowUnrestrictedSharing: false
    This confirms that the domain-restricted sharing is enabled.
  6. Finally, you can check the users who have access to your GCP resources using the following command: 
    gcloud projects get-iam-policy PROJECT_ID
    Replace PROJECT_ID with your GCP project ID. This command lists all the users who have access to your GCP resources. Make sure that all the users have email addresses in the specified G Suite domain. If any user does not have an email address in the specified G Suite domain, remove their access to the GCP resources using the following command: 
    gcloud projects remove-iam-policy-binding PROJECT_ID --member=user:EMAIL_ADDRESS --role=ROLE
    Replace PROJECT_ID with your GCP project ID, EMAIL_ADDRESS with the email address of the user, and ROLE with the role that the user has been assigned. This command removes the user’s access to the specified GCP resources.
To remediate the misconfiguration “Users Should Use Work Email For Access” in GCP, we can use the following steps using Python:
  1. First, we need to identify the users who are not using their work email for access to GCP. We can do this by using the google-auth and google-api-python-client libraries to authenticate and make API requests to the GCP Admin SDK.
  2. Once we have identified the users, we can update their email addresses to their work email using the googleapiclient.discovery module. We can use the users().update() method to update the email address of the user.
  3. We can also set up a notification system to alert users who are not using their work email for access to update their email address.
Here is a sample Python code to remediate the misconfiguration “Users Should Use Work Email For Access” in GCP:
from google.oauth2 import service_account
from googleapiclient.discovery import build

# Replace with the path to your service account key file
KEY_FILE_LOCATION = '/path/to/keyfile.json'

# Replace with your GCP project ID
PROJECT_ID = 'your-project-id'

# Replace with the domain of your organization
DOMAIN = 'your-domain.com'

# Authenticate using a service account key file
creds = service_account.Credentials.from_service_account_file(
    KEY_FILE_LOCATION,
    scopes=['https://www.googleapis.com/auth/admin.directory.user']
)

# Create the Admin SDK API client
service = build('admin', 'directory_v1', credentials=creds)

# Get a list of all users in the domain
users = service.users().list(domain=DOMAIN).execute()

# Loop through the users and update their email address if it is not their work email
for user in users['users']:
    if user['primaryEmail'].endswith('@gmail.com'):
        # Update the user's email address to their work email
        new_email = user['primaryEmail'].replace('@gmail.com', '@your-domain.com')
        service.users().update(userKey=user['id'], body={'primaryEmail': new_email}).execute()

        # Send a notification to the user to update their email address
        print(f"Updated email address for user {user['primaryEmail']}. Please update your email address to your work email.")
Note: This code assumes that all users in the domain have a work email address with the same domain as the organization. If this is not the case, you may need to modify the code to handle different email domains.

Additional Reading: