Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Users Should Use Work Email For Access” in GCP using GCP console, you can follow these steps:
- Go to the GCP Console and select the project for which you need to remediate the misconfiguration.
- Click on the “IAM & Admin” menu from the left-hand side navigation menu.
- Click on the “IAM” tab to view the list of IAM roles and members.
- Select the user for whom you want to remediate the misconfiguration.
- Click on the “Edit” button next to the user’s email address.
- In the “Edit member” dialog box, scroll down to the “Role” section.
- Click on the “Add Another Role” button to add a new role.
- In the “Select a Role” dialog box, search for the “Organization Policy User” role and select it.
- Click on the “Save” button to add the new role to the user.
- Repeat the above steps for all the users who have access to the project.
Using CLI
To remediate the misconfiguration “Users Should Use Work Email For Access” in GCP using the GCP CLI, you can follow the steps below:
- Open the Cloud Shell in the GCP Console.
- Run the following command to check if the G Suite domain is set for the organization:
Replace ORGANIZATION_ID with your organization ID.
- If the G Suite domain is not set for the organization, follow the instructions at the following link to set up a G Suite domain: https://cloud.google.com/resource-manager/docs/creating-managing-organization#setup_a_g_suite_domain
- Once the G Suite domain is set up, run the following command to enable domain-restricted sharing:
Replace DOMAIN_NAME with your G Suite domain name. This command restricts sharing of GCP resources to only users with email addresses in the specified G Suite domain.
- Run the following command to verify that domain-restricted sharing is enabled:
Replace DOMAIN_NAME with your G Suite domain name. This command should return the following output:
This confirms that domain-restricted sharing is enabled.
- Finally, you can check the users who have access to your GCP resources using the following command:
Replace PROJECT_ID with your GCP project ID. This command lists all the users who have access to your GCP resources. Make sure that all the users have email addresses in the specified G Suite domain. If any user does not have an email address in the specified G Suite domain, remove their access to the GCP resources using the following command:
Replace PROJECT_ID with your GCP project ID, EMAIL_ADDRESS with the email address of the user, and ROLE with the role that the user has been assigned. This command removes the user’s access to the specified GCP resources.
Using Python
To remediate the misconfiguration “Users Should Use Work Email For Access” in GCP using Python, we can use the following steps:
Note: This code assumes that all users in the domain have a work email address with the same domain as the organization. If this is not the case, you may need to modify the code to handle different email domains.
- First, we need to identify the users who are not using their work email for access to GCP. We can do this by using the google-auth and google-api-python-client libraries to authenticate and make API requests to the GCP Admin SDK.
- Once we have identified the users, we can update their email addresses to their work email using the googleapiclient.discovery module. We can use the users().update() method to update the email address of the user.
- We can also set up a notification system to alert users who are not using their work email for access to update their email address.