Authentication and authorization guidelines

The following guidelines for the minimum viable security platform align with the authentication and authorization security pillar.

Basic level guidelines

Implement the following authentication and authorization guidelines first.

Item

Define the identity source of truth

Description

Decide on your source of truth for provisioning managed user identities. Patterns include creating user identities in Cloud Identity, syncing identities from an existing identity provider, or using Workforce Identity Federation.

Related information
Item ID MVSP-CO-1.4
Mapping

Related NIST-800-53 controls:

  • AC-2

Related CRI profile controls:

  • PR.AC-1.1

Item

Create redundant administrator accounts

Description

Don't have a single super admin or Organization Administrator. Create one or more (up to 20) backup administrator accounts. A single super admin or Organization Administrator can result in lockout scenarios. This situation also carries a higher risk as one person can make platform-altering changes, potentially with no oversight.

Related information
Item ID MVSP-CO-1.7
Mapping

Related NIST-800-53 controls:

  • IA-2
  • IA-4
  • IA-5

Related CRI profile controls:

  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2

Compliance Manager control:

Item

Enforce strong password policies

Description

Enforce strong and unique passwords for all user accounts. Consider using a password manager. Weak or no credentials are a common pattern that malicious users can easily exploit.

Related information
Item ID MVSP-CO-1.9
Mapping

Related NIST-800-53 controls:

  • IA-5

Related CRI profile controls:

  • PR.AC-1.1

Item

Use roles based on job functions

Description

Use Identity and Access Management (IAM) roles that are based on job functions to assign permissions to users. Job functions are predefined roles that allow admins to provide a set of permissions that is limited to a job function, thus improving productivity and reducing the back-and-forth of asking for permissions. To better align with your organization's requirements, you can create custom roles based on predefined roles.

Related information
Item ID MVSP-CO-1.20
Mapping

Related NIST-800-53 controls:

  • AC-6

Related CRI profile controls:

  • PR.AC-4.1

Item

Block the creation of external service account keys

Description

Use the iam.disableServiceAccountKeyCreation boolean constraint to disable external service account keys from being created. This constraint lets you control the use of unmanaged long-term credentials for service accounts. When this constraint is set, you can't create user-managed credentials for service accounts in projects that are affected by the constraint.
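The following is an added example, not code from the guideline page or from Google's tooling. It builds the Organization Policy (v2) document that enforces a boolean constraint such as iam.disableServiceAccountKeyCreation at the organization level, and audits a set of existing policies for whether the constraint is actually enforced, taking conditional rules and `reset` into account. The helper is written generally, so it also covers the other boolean constraint in these guidelines, iam.automaticIamGrantsForDefaultServiceAccounts. ORG_ID, SAMPLE_POLICIES and the tag condition expression are constructed placeholders; the constraint names are the real constraint IDs quoted on this page.

```python
"""Build and audit Organization Policy v2 documents for boolean constraints.

Added example, not from the guideline page. ORG_ID and SAMPLE_POLICIES are
constructed placeholders; the constraint names are the real constraint IDs.
"""
import json

DISABLE_SA_KEY_CREATION = "iam.disableServiceAccountKeyCreation"
DISABLE_DEFAULT_SA_GRANTS = "iam.automaticIamGrantsForDefaultServiceAccounts"
REQUIRED_CONSTRAINTS = [DISABLE_SA_KEY_CREATION, DISABLE_DEFAULT_SA_GRANTS]

ORG_ID = "123456789012"  # placeholder organization ID


def build_boolean_policy(constraint: str, org_id: str, enforce: bool = True) -> dict:
    """Return a v2 policy that enforces (or lifts) a boolean constraint on the
    organization. Saved to a file, it is applied with
    `gcloud org-policies set-policy FILE`."""
    return {
        "name": f"organizations/{org_id}/policies/{constraint}",
        "spec": {"rules": [{"enforce": enforce}]},
    }


def to_json(policy: dict) -> str:
    """Serialize the policy for set-policy (YAML or JSON are both accepted)."""
    return json.dumps(policy, indent=2)


def is_enforced(policy: dict) -> bool:
    """Decide whether a boolean-constraint policy enforces its constraint.

    Rules carrying a `condition` apply only when the condition matches, so the
    unconditional rule decides the default. A policy with no unconditional
    rule, or with `reset`, inherits the parent's value, which this offline
    audit cannot see, so it is treated as not enforced (fail closed)."""
    spec = policy.get("spec", {})
    if spec.get("reset"):
        return False
    unconditional = [r for r in spec.get("rules", []) if "condition" not in r]
    if not unconditional:
        return False
    return bool(unconditional[-1].get("enforce", False))


def audit_constraints(policies: list, required: list) -> list:
    """Return the required constraints that are missing or not enforced."""
    by_constraint = {p["name"].rsplit("/policies/", 1)[-1]: p for p in policies}
    return [
        c for c in required
        if c not in by_constraint or not is_enforced(by_constraint[c])
    ]


# Constructed sample of what `gcloud org-policies describe CONSTRAINT
# --organization=ORG_ID --format=json` might return for two constraints.
SAMPLE_POLICIES = [
    {
        "name": f"organizations/{ORG_ID}/policies/{DISABLE_SA_KEY_CREATION}",
        "spec": {
            "rules": [
                # Sandbox projects tagged env=sandbox are exempted ...
                {"condition": {"expression": f"resource.matchTag('{ORG_ID}/env', 'sandbox')"},
                 "enforce": False},
                # ... everything else is enforced by the unconditional rule.
                {"enforce": True},
            ]
        },
    },
    {
        "name": f"organizations/{ORG_ID}/policies/compute.requireOsLogin",
        "spec": {"rules": [{"enforce": True}]},
    },
]

if __name__ == "__main__":
    print(to_json(build_boolean_policy(DISABLE_SA_KEY_CREATION, ORG_ID)))
    print("Not enforced:", audit_constraints(SAMPLE_POLICIES, REQUIRED_CONSTRAINTS))
```

Run against the sample, the audit reports only iam.automaticIamGrantsForDefaultServiceAccounts as not enforced: the key-creation constraint is enforced by its unconditional rule even though a conditional exemption exists, while the second constraint has no policy at all.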

Related information
Item ID MVSP-CO-1.17
Mapping

Related NIST-800-53 controls:

  • AC-3
  • AC-17
  • AC-20

Related CRI profile controls:

  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1

Compliance Manager control:

Intermediate level guidelines

After you have implemented the basic guidelines, implement the following authentication and authorization guidelines.

Item

Restrict external members in groups

Description

Set organization-wide policies to prevent adding external members to Google Groups.

By default, external user accounts can be added to groups in Cloud Identity. We recommend that you configure sharing settings so that group owners can't add external members.

Note that this restriction doesn't apply to the super admin account or to other delegated administrators with Google Groups admin permissions. Because federation from your identity provider runs with administrator privileges, the group sharing settings don't apply to this group synchronization. We recommend that you review controls in the identity provider and synchronization mechanism to ensure that non-domain members aren't added to groups, or that you apply group restrictions.

Related information
Item ID MVSP-CO-1.3
Mapping

Related NIST-800-53 controls:

  • AC-2
  • AC-3
  • AC-20

Related CRI profile controls:

  • PR.AC-3.1
  • PR.AC-5.1

Item

Set daily session length

Description

Set the session length for Google Cloud services to expire at least once a day. Leaving an account signed in for an extended period is a security risk. Enforcing a maximum session duration automatically ends the session after a set time, forcing a new, secure sign-in.

This practice reduces the opportunity for a malicious user to use a stolen password and ensures access is regularly reverified.

Related information
Item ID MVSP-CO-1.11
Mapping

Related NIST-800-53 controls:

  • AC-12

Related CRI profile controls:

  • PR.AC-7.1

Item

Remediate unmanaged consumer accounts

Description

Don't permit unmanaged consumer accounts. Consolidate any unmanaged consumer accounts, and consider a solution to prevent the creation of further unmanaged consumer accounts with your domain.

Unmanaged consumer accounts are not governed by your joiner-mover-leaver (JML) processes, so they introduce the risk that an employee still has access to your resources after they leave their job. These accounts are also treated as external with regard to controls like domain restricted sharing.

Related information
Item ID MVSP-CO-1.5
Mapping

Related NIST-800-53 controls:

  • AC-2

Related CRI profile controls:

  • PR.AC-1.1

Item

Enforce dedicated admins and multiparty approval

Description

Ensure that super admin accounts are separate from day-to-day user accounts. Super admin accounts must be dedicated accounts that are used only when making critical changes. For increased security, turn on multiparty approval for admin actions. Turning on multiparty approval means sensitive actions are approved by two administrators, which helps prevent an attacker who compromises one admin account from locking out the other admin users.

Related information
Item ID MVSP-CO-1.8
Mapping

Related NIST-800-53 controls:

  • AC-6

Related CRI profile controls:

  • PR.AC-4.1

Item

Enable multi-factor authentication for all Google Accounts and Cloud Identity users

Description

Enable multi-factor authentication (MFA), also known as 2-Step Verification (2SV), for all Google Accounts and Cloud Identity users, not just super admins. MFA for super admins is enabled by default. MFA adds another layer of defense because passwords alone often aren't a strong enough security measure.
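The following is an added example, not code from the guideline page or from Google. It audits a user listing for the two account-level checks in these guidelines: every active user is enrolled in 2SV (this item), and the number of super admins is within the redundancy bounds of the "Create redundant administrator accounts" item (at least a backup, at most 20). SAMPLE_USERS is a constructed subset of the fields the Admin SDK Directory API users.list method returns (primaryEmail, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended); the addresses are placeholders.

```python
"""Audit Cloud Identity users for 2SV enrollment and super admin redundancy.

Added example, not from the guideline page. SAMPLE_USERS is constructed from
the Directory API user fields primaryEmail, isAdmin, isEnrolledIn2Sv,
isEnforcedIn2Sv and suspended.
"""

MIN_SUPER_ADMINS = 2   # the primary account plus at least one backup
MAX_SUPER_ADMINS = 20  # upper bound quoted in the guidelines


def active(users: list) -> list:
    """Suspended accounts cannot sign in, so they are left out of the checks."""
    return [u for u in users if not u.get("suspended", False)]


def users_without_2sv(users: list) -> list:
    """Active users who have not enrolled a second factor."""
    return sorted(
        u["primaryEmail"] for u in active(users) if not u.get("isEnrolledIn2Sv", False)
    )


def super_admins(users: list) -> list:
    """isAdmin marks super administrators (delegated admins use isDelegatedAdmin)."""
    return sorted(u["primaryEmail"] for u in active(users) if u.get("isAdmin", False))


def super_admins_without_2sv(users: list) -> list:
    """The highest-risk finding: a super admin protected by a password alone."""
    admins = set(super_admins(users))
    return [email for email in users_without_2sv(users) if email in admins]


def check_admin_redundancy(users: list) -> tuple:
    """Return (super admin count, whether it lies within the recommended bounds)."""
    count = len(super_admins(users))
    return count, MIN_SUPER_ADMINS <= count <= MAX_SUPER_ADMINS


def report(users: list) -> dict:
    """Summarize all findings in one structure suitable for a ticket or dashboard."""
    count, ok = check_admin_redundancy(users)
    return {
        "users_without_2sv": users_without_2sv(users),
        "super_admins_without_2sv": super_admins_without_2sv(users),
        "super_admin_count": count,
        "super_admin_redundancy_ok": ok,
    }


# Constructed sample user listing (placeholder addresses).
SAMPLE_USERS = [
    {"primaryEmail": "admin-alex@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "admin-backup@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "alice@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]

if __name__ == "__main__":
    for key, value in report(SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

On the sample, the admin count of two satisfies the redundancy check, but the backup super admin is flagged separately because it has no second factor, which is the case the "not just super admins" wording is meant to catch in reverse: every account matters, and admin accounts most of all.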

Related information
Item ID MVSP-CO-1.10
Mapping

Related NIST-800-53 controls:

  • IA-2

Related CRI profile controls:

  • PR.AC-1.1

Item

Revoke default creator roles

Description

Remove the domain-wide Project Creator and Billing Account Creator roles that are granted by default to all members in a new organization.

New organizations grant the Project Creator and Billing Account Creator roles to all managed user identities in the domain. While these roles are useful for getting started, this configuration isn't intended for production environments. Letting billing accounts proliferate leads to increased administrative overhead and has technical consequences when splitting services across multiple Billing Accounts. Allowing free-form project creation can lead to projects that don't adhere to your governance conventions.

Instead, remove these roles and establish a project creation process to request new projects and associate them with billing.

Related information
Item ID MVSP-CO-1.6
Mapping

Related NIST-800-53 controls:

  • AC-6

Related CRI profile controls:

  • PR.AC-4.1

Item

Use Privileged Access Manager

Description

Use Privileged Access Manager for managing privileged access. For all other access, use access groups, let group memberships expire automatically, and implement an approval workflow for group memberships.

Using the least privilege model lets you only provide access when needed, for the resources that are needed. Using pre-built roles simplifies use and reduces sprawl caused by custom roles so that you don't have to worry about managing the role lifecycle.

Related information
Item ID MVSP-CO-1.18
Mapping

Related NIST-800-53 controls:

  • AC-6

Related CRI profile controls:

  • PR.AC-4.1

Item

Disable automatic IAM grants for default service accounts

Description

Use the automaticIamGrantsForDefaultServiceAccounts boolean constraint to disable automatic role grants when Google Cloud services automatically create default service accounts with overly permissive roles.

By default, some systems grant overly broad permissions to automated accounts, which is a potential security risk. For example, if you don't enforce this constraint and you create a default service account, the service account is automatically granted the Editor role (roles/editor) on your project. If an attacker compromises a single part of the system, they could gain control over the entire project. This constraint disables those automatic, high-level permissions, forcing a more secure, deliberate approach where only the minimal necessary permissions are granted.
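The following is an added example, not code from the guideline page or from Google. It audits IAM policy JSON (the shape returned by `gcloud projects get-iam-policy` and `gcloud organizations get-iam-policy` with `--format=json`) for the two default grants these guidelines say to remove: Editor or Owner held by a default service account (the grant this constraint prevents), and Project Creator or Billing Account Creator granted domain-wide (the "Revoke default creator roles" item above). It also prints the gcloud commands that would remove the org-level findings, without running them. The sample policies, project number and addresses are constructed placeholders; the role IDs and default service account name formats are the real ones.

```python
"""Audit IAM policies for default grants that the guidelines say to remove.

Added example, not from the guideline page. SAMPLE_PROJECT_POLICY and
SAMPLE_ORG_POLICY are constructed; role IDs and default service account
name formats are real.
"""
import re

# Default service accounts that Google Cloud creates automatically:
# PROJECT_NUMBER-compute@developer.gserviceaccount.com (Compute Engine) and
# PROJECT_ID@appspot.gserviceaccount.com (App Engine).
DEFAULT_SA_PATTERNS = (
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:[a-z][-a-z0-9]*@appspot\.gserviceaccount\.com$"),
)
BROAD_ROLES = {"roles/editor", "roles/owner"}
DEFAULT_CREATOR_ROLES = {"roles/resourcemanager.projectCreator", "roles/billing.creator"}
DOMAIN_WIDE_PREFIXES = ("domain:", "allUsers", "allAuthenticatedUsers")


def iter_members(policy: dict):
    """Yield (role, member) for every binding, conditional or not."""
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            yield binding["role"], member


def find_default_sa_broad_grants(project_policy: dict) -> list:
    """Default service accounts holding Editor/Owner on a project."""
    return sorted(
        (role, member)
        for role, member in iter_members(project_policy)
        if role in BROAD_ROLES and any(p.match(member) for p in DEFAULT_SA_PATTERNS)
    )


def find_domain_wide_creator_grants(org_policy: dict) -> list:
    """Project Creator / Billing Account Creator granted to the whole domain."""
    return sorted(
        (role, member)
        for role, member in iter_members(org_policy)
        if role in DEFAULT_CREATOR_ROLES and member.startswith(DOMAIN_WIDE_PREFIXES)
    )


def removal_commands(org_id: str, findings: list) -> list:
    """gcloud commands that would remove each org-level finding (not executed)."""
    return [
        f"gcloud organizations remove-iam-policy-binding {org_id} "
        f"--member={member} --role={role}"
        for role, member in findings
    ]


ORG_ID = "123456789012"  # placeholder organization ID

# Constructed project policy: the Compute Engine default SA still holds Editor.
SAMPLE_PROJECT_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci-runner@my-project.iam.gserviceaccount.com"]},
    ],
}

# Constructed org policy: the new-organization defaults are still in place.
SAMPLE_ORG_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["domain:example.com", "group:platform-admins@example.com"]},
        {"role": "roles/billing.creator", "members": ["domain:example.com"]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:org-admins@example.com"]},
    ],
}

if __name__ == "__main__":
    print("Default SA broad grants:", find_default_sa_broad_grants(SAMPLE_PROJECT_POLICY))
    creators = find_domain_wide_creator_grants(SAMPLE_ORG_POLICY)
    print("\n".join(removal_commands(ORG_ID, creators)))
```

The group-scoped Project Creator grant in the sample is deliberately left alone: moving project creation to a small group behind a request process is the replacement the guidelines describe, so only the domain-wide bindings are reported.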

Related information
Item ID MVSP-CO-1.14
Mapping

Related NIST-800-53 controls:

  • AC-3
  • AC-17
  • AC-20

Related CRI profile controls:

  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1

Compliance Manager control:

Item

Rotate service account keys

Description

If you must use service account keys, rotate the keys at least once every 90 days.

A rotation interval limits how long an attacker can have access to the system. Without a rotation interval, the attacker has access forever. Where possible, consider using Workload Identity Federation instead of service account keys.
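The following is an added example, not code from the guideline page or from Google. It applies the 90-day interval to a key listing of the shape `gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json` returns (name, keyType, validAfterTime, validBeforeTime, disabled), reporting user-managed keys past the interval and the date each should have been rotated. The service account name, key IDs and timestamps are constructed placeholders.

```python
"""Flag user-managed service account keys older than the rotation interval.

Added example, not from the guideline page. SAMPLE_KEYS is constructed to
match the fields of the IAM ServiceAccountKey resource.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # interval from the guideline


def parse_rfc3339(ts: str) -> datetime:
    """Parse the UTC timestamps the IAM API returns (e.g. '2024-01-15T00:00:00Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_user_managed_keys(keys: list, now: datetime,
                            max_age: timedelta = MAX_KEY_AGE) -> list:
    """Return (key name, age in days) for active user-managed keys older than max_age.

    SYSTEM_MANAGED keys are rotated by Google and are skipped. Disabled keys
    cannot authenticate and are skipped too; delete them in a separate pass."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED" or key.get("disabled", False):
            continue
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > max_age:
            findings.append((key["name"], age.days))
    return findings


def rotation_due(key: dict, max_age: timedelta = MAX_KEY_AGE) -> datetime:
    """The date by which a key should have been replaced under the interval."""
    return parse_rfc3339(key["validAfterTime"]) + max_age


# Constructed sample listing for one placeholder service account.
SA = "projects/my-project/serviceAccounts/ci-runner@my-project.iam.gserviceaccount.com"
FAR_FUTURE = "9999-12-31T23:59:59Z"  # validBeforeTime of a key with no expiry
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-15T00:00:00Z", "validBeforeTime": FAR_FUTURE},
    {"name": f"{SA}/keys/bbbb2222", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-01T08:30:00Z", "validBeforeTime": FAR_FUTURE},
    {"name": f"{SA}/keys/cccc3333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-11-02T00:00:00Z", "validBeforeTime": "2024-06-30T00:00:00Z"},
    {"name": f"{SA}/keys/dddd4444", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-09-01T00:00:00Z", "validBeforeTime": FAR_FUTURE,
     "disabled": True},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

if __name__ == "__main__":
    for name, days in stale_user_managed_keys(SAMPLE_KEYS, NOW):
        print(f"{name}: {days} days old, rotation was due {rotation_due({'validAfterTime': '2024-01-15T00:00:00Z'}).date()}")
```

Only the first key is reported: the second is a month old, the third is Google-managed, and the fourth is already disabled. Passing `now` explicitly rather than reading the clock inside the function keeps the check deterministic and easy to test.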

Related information
Item ID MVSP-CO-1.15
Mapping

Related NIST-800-53 controls:

  • SC-12

Related CRI profile controls:

  • PR.DS-1.1

Compliance Manager control:

Item

Use Workload Identity Federation

Description

Use Workload Identity Federation to let CI/CD systems and workloads running on other clouds authenticate to Google Cloud. Workload Identity Federation lets workloads that run outside of Google Cloud authenticate without requiring a service account key. By avoiding service account keys and other long-lived credentials, Workload Identity Federation can help you reduce the risk of credential leakage.
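The following is an added example, not code from the guideline page or from Google. It shows the concrete difference behind "no service account key": a downloaded key file carries a private_key that works from anywhere until it is deleted, while a Workload Identity Federation credential configuration (type external_account, as produced by `gcloud iam workload-identity-pools create-cred-config`) contains no secret and only tells the client where to exchange the workload's own token. The classifier can be run over configuration files in a repository or CI system to find long-lived keys that should be replaced. Both sample documents are constructed placeholders (the private key value is not a real key).

```python
"""Distinguish service account key files from Workload Identity Federation configs.

Added example, not from the guideline page. SAMPLE_KEY_JSON and
SAMPLE_WIF_JSON are constructed placeholders.
"""
import json

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"


def classify_credential_config(text: str) -> str:
    """Classify a Google credential JSON document.

    'service_account_key' - long-lived private key; the credential to avoid
    'external_account'    - WIF configuration; contains no secret
    'unknown'             - not JSON, or neither of the above"""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    if data.get("type") == "service_account" and "private_key" in data:
        return "service_account_key"
    if data.get("type") == "external_account":
        return "external_account"
    return "unknown"


def validate_external_account(config: dict) -> list:
    """Sanity-check a WIF credential configuration; returns the problems found."""
    problems = []
    for field in ("audience", "subject_token_type", "token_url", "credential_source"):
        if field not in config:
            problems.append(f"missing {field}")
    if "private_key" in config or "client_secret" in config:
        problems.append("contains a long-lived secret")
    if config.get("token_url") != STS_TOKEN_URL:
        problems.append("token_url is not the Google STS endpoint")
    if "/workloadIdentityPools/" not in config.get("audience", ""):
        problems.append("audience does not reference a workload identity pool")
    return problems


# Constructed key file (placeholder values, not a real key).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "my-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ci-runner@my-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed WIF credential configuration (placeholder pool and provider names).
SAMPLE_WIF_JSON = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/ci-pool/providers/ci-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": STS_TOKEN_URL,
    "credential_source": {
        "url": "https://ci.example.invalid/oidc/token",
        "format": {"type": "json", "subject_token_field_name": "value"},
    },
})

if __name__ == "__main__":
    for label, doc in (("key file", SAMPLE_KEY_JSON), ("WIF config", SAMPLE_WIF_JSON)):
        print(f"{label}: {classify_credential_config(doc)}")
    print("WIF problems:", validate_external_account(json.loads(SAMPLE_WIF_JSON)))
```

A practical deployment wires `classify_credential_config` into a pre-commit or repository scan so that any file classified as `service_account_key` blocks the change, while `external_account` configurations pass (they are safe to commit precisely because they contain nothing that authenticates on its own).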

Related information
Item ID MVSP-CO-1.16
Mapping

Related NIST-800-53 controls:

  • IA-2

Related CRI profile controls:

  • PR.AC-1.1

Advanced level guidelines

After you have implemented the intermediate guidelines, implement the following authentication and authorization guidelines.

Item

Block account self-recovery for super admin accounts

Description

By default, super admin account self-recovery is off for new customers. However, existing customers might have this setting on. Turning this setting off helps to mitigate the risk that a compromised phone, a compromised email, or a social engineering attack might let an attacker gain super admin privileges over your environment.

Plan an internal process for a super admin to contact another super admin in your organization if they have lost access to their account, and ensure that all super admins are familiar with the process for support-assisted recovery.

To turn off the feature, go to the account recovery settings in the Google Admin console.

Related information
Item ID MVSP-CO-1.2
Mapping

Related NIST-800-53 controls:

  • AC-2
  • AC-3

Related CRI profile controls:

  • PR.AC-1.1
  • PR.AC-4.1

Item

Set idle session timeout for sensitive use cases

Description

Set the idle session timeout to 15 minutes for sensitive use cases. Idle sessions might be used by attackers for credential theft.

Related information
Item ID MVSP-CO-1.12
Mapping

Related NIST-800-53 controls:

  • AC-12

Related CRI profile controls:

  • PR.AC-7.1

Item

Enforce hardware security keys for administrators

Description

Provide hardware security keys, if possible, to super admins or Organization Administrators as a second factor. Super admin accounts are the highest-value targets for sophisticated attacks. Hardware security keys provide a high level of protection because they are phishing-resistant. Hardware security keys are the strongest possible defense against account takeover for your most critical administrators and build on your standard MFA policy.

Related information
Item ID MVSP-CO-1.13
Mapping

Related NIST-800-53 controls:

  • IA-2

Related CRI profile controls:

  • PR.AC-1.1

Item

Enable post-SSO verification

Description

If you're using an external identity provider, set up post-SSO verification.

Enable an additional layer of control based on Google's sign-in risk analysis. After you apply this setting, users might see additional risk-based login challenges at sign-in if Google determines that a user sign-in is suspicious.

Related information
Item ID MVSP-CO-1.1
Mapping

Related NIST-800-53 controls:

  • IA-2
  • IA-5
  • IA-8

Related CRI profile controls:

  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-3.1
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2

Item

Enable principal access boundary policies

Description

Enable principal access boundary (PAB) policies to limit the resources that your principals can access, which helps protect against phishing and data exfiltration. Enable a boundary policy for the organization to mitigate external phishing attacks. Principal access boundaries reduce the reach of an attack that uses a compromised identity, and they also help prevent external phishing attacks and other exfiltration attacks.

Related information
Item ID MVSP-CO-1.19
Mapping

Related NIST-800-53 controls:

  • AC-3

Related CRI profile controls:

  • PR.AC-3.1

What's next