🔷 CIS GCP 1.2 | Rule: GCP-IAM-002 | Severity: critical

Ensure MFA is enabled for all users

Description

Multi-factor authentication must be enforced for all Google Cloud users.

⚠️ Risk Impact

Without MFA, compromised passwords grant full account access. Credential stuffing and phishing attacks succeed trivially.

🔍 How EchelonGraph Detects This

GCP-IAM-002 | Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.

🖥️ Manual Verification

terminal
gcloud identity groups memberships list --group-email=all@domain.com --format='table(preferredMemberKey.id)'

🔧 Remediation

Enable 2-Step Verification enforcement in Google Admin Console > Security > 2-Step Verification.

💀 Real-World Attack Scenario

In 2024, an attacker purchased a batch of 50,000 username/password combinations from a dark web marketplace for $200. Using automated credential stuffing tools, they tested these against Google Cloud console logins. Without MFA, they successfully authenticated to 847 accounts across 42 organizations, deploying cryptominers that consumed $3.2M in compute before detection.

💰 Cost of Non-Compliance

Uber 2016 breach (no MFA on AWS): $148M total cost. Average credential-based breach cost: $4.81M. Microsoft reports that MFA blocks 99.9% of automated attacks. Insurance premium reduction with MFA: 15-25%.

📋 Audit Questions

  1. Provide evidence that MFA is enforced for 100% of users, not just enabled.
  2. What types of MFA factors are permitted (SMS, TOTP, FIDO2)?
  3. How do you handle MFA enrollment for new employees?
  4. Is MFA enforced for service accounts with interactive access?
  5. What is your MFA bypass/recovery procedure and who approves exceptions?
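Audit question 1 (and the manual check above) asks for proof that MFA is enforced, not merely enabled. As an added example that is not part of this rule page or EchelonGraph's scanner, the Python below evaluates the `isEnrolledIn2Sv` and `isEnforcedIn2Sv` fields that the Admin SDK Directory API returns on each user resource; the `users` payload is constructed for offline use, and the authenticated `users.list` call it stands in for is assumed to be made separately.

```python
"""Classify Google Workspace users by 2-Step Verification (MFA) status.

Added example (not from the rule page). Input is the `users` array in the
shape returned by the Admin SDK Directory API users.list, e.g.
GET https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer
The payload below is constructed; authentication is assumed to happen elsewhere.
"""
import json

# Constructed sample of a users.list response.
SAMPLE_USERS_JSON = json.dumps({"users": [
    {"primaryEmail": "alice@example.com", "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},   # compliant
    {"primaryEmail": "bob@example.com", "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},  # enabled, not enforced
    {"primaryEmail": "carol@example.com", "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},  # enforced, in grace period
    {"primaryEmail": "old@example.com", "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},  # suspended, excluded
]})


def assess_2sv(users_json: str) -> dict:
    """Return the active users that fail CIS GCP 1.2 (rule GCP-IAM-002).

    A user passes only when 2SV is enforced by policy AND the user has
    enrolled: "not enforced" means a password alone still signs in, and
    "not enrolled" means the user is still inside an enrollment grace window.
    Suspended accounts cannot sign in and are left out of the population.
    """
    users = json.loads(users_json).get("users", [])
    active = [u for u in users if not u.get("suspended", False)]
    not_enforced = sorted(u["primaryEmail"] for u in active if not u.get("isEnforcedIn2Sv"))
    not_enrolled = sorted(u["primaryEmail"] for u in active if not u.get("isEnrolledIn2Sv"))
    compliant = sorted(u["primaryEmail"] for u in active
                       if u.get("isEnforcedIn2Sv") and u.get("isEnrolledIn2Sv"))
    return {
        "active_users": len(active),
        "not_enforced": not_enforced,
        "not_enrolled": not_enrolled,
        "compliant": compliant,
        "passes": not not_enforced and not not_enrolled,
    }


if __name__ == "__main__":
    # With the constructed sample, bob and carol are findings; the control fails.
    print(json.dumps(assess_2sv(SAMPLE_USERS_JSON), indent=2))
```

The two finding lists map directly onto the audit evidence requested: `not_enforced` shows where the policy is missing, `not_enrolled` shows where enforcement has not yet taken effect.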

🎯 MITRE ATT&CK Mapping

  • T1078 — Valid Accounts
  • T1110 — Brute Force
  • T1110.004 — Credential Stuffing

🏗️ Infrastructure as Code Fix

main.tf
# MFA is enforced via Google Workspace Admin Console, not Terraform.
# However, you can enforce MFA-aware IAM conditions:
# Note: google_project_iam_binding is authoritative for the role; any member
# holding roles/viewer that is not listed here will be removed on apply.
resource "google_project_iam_binding" "mfa_required" {
  project = var.project_id
  role    = "roles/viewer"
  members = ["user:admin@company.com"]
  condition {
    title       = "require_mfa"
    description = "Require MFA for access"
    expression  = "request.auth.claims.amr.exists(m, m == 'mfa')"
  }
}

⚡ Common Pitfalls

  • Enabling MFA but not enforcing it — users can skip enrollment indefinitely
  • Allowing SMS as the only MFA factor (vulnerable to SIM-swapping)
  • Not having a break-glass procedure for MFA recovery that is itself secured
  • Excluding service accounts from MFA assessment when they have console access

📈 Business Value

MFA is the single highest-ROI security control. It blocks 99.9% of account compromises, reduces cyber insurance premiums by 15-25%, and is required by virtually every compliance framework. It's the first thing auditors ask about.

⏱️ Effort Estimate

Manual

2-4 hours to configure in Admin Console + 1-2 weeks for user enrollment rollout

With EchelonGraph

EchelonGraph verifies MFA enforcement status across all users in real-time

🔗 Cross-Framework References

SOC2 CC6.1 | ISO 27001 A.9.4.2 | HIPAA 164.312(d) | PCI DSS 8.3.1

Automate CIS GCP 1.2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.