For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-1as.md. A documentation index is available at /llms.txt.

Essential Contacts should be configured for organization

Description

This rule fails when a GCP organization has no Essential Contacts configured at the organization scope, or when its organization-level contacts do not collectively cover all four required notification categories: LEGAL, SECURITY, SUSPENSION, and TECHNICAL (a single contact subscribed to ALL also counts). Without this coverage, Google's security advisories and account-suspension notices can land in the wrong inbox or be missed entirely.

The check is evaluated against each gcp_organization and joins to gcp_essentialcontacts_contact records whose parent is organizations/<organization_id>. Project-level contacts do not satisfy the control. Contacts whose validation_state is INVALID are excluded from coverage because Google has flagged the email as undeliverable; notifications would not arrive even though the contact is technically configured.
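The coverage logic described above, written out as an added example (this is not Datadog's rule implementation, and the contact records are constructed inline to mirror the JSON shape of `gcloud essential-contacts list --format=json`; the organization ID and email addresses are placeholders):

```python
"""Added example: evaluate organization-level Essential Contacts coverage.

Not Datadog's rule code. Input records use the Essential Contacts API field
names (name, email, notificationCategorySubscriptions, validationState), which
is also what `gcloud essential-contacts list --organization=ORG_ID --format=json`
prints, so the same function can be run over real output loaded with json.load.
"""
from typing import Iterable

# The four categories the control requires (ALL implies every category).
REQUIRED_CATEGORIES = frozenset({"LEGAL", "SECURITY", "SUSPENSION", "TECHNICAL"})


def org_coverage(org_id: str, contacts: Iterable[dict]) -> dict:
    """Return pass/fail for one organization plus what is missing and why.

    Only contacts whose parent is organizations/<org_id> count; project- and
    folder-level contacts are ignored. Contacts Google has marked INVALID are
    skipped because their notifications would not be delivered.
    """
    org_prefix = f"organizations/{org_id}/contacts/"
    covered: set = set()
    invalid_skipped: list = []

    for contact in contacts:
        name = contact.get("name", "")
        if not name.startswith(org_prefix):
            continue  # not an organization-scope contact
        if contact.get("validationState") == "INVALID":
            invalid_skipped.append(contact.get("email", name))
            continue  # configured, but undeliverable per Google
        categories = set(contact.get("notificationCategorySubscriptions", []))
        if "ALL" in categories:
            covered |= REQUIRED_CATEGORIES
        else:
            covered |= categories & REQUIRED_CATEGORIES

    missing = sorted(REQUIRED_CATEGORIES - covered)
    return {
        "passed": not missing,
        "missing": missing,
        "invalid_skipped": invalid_skipped,
    }


# Constructed sample records (placeholder org ID and addresses).
ORG_ID = "123456789012"
FAILING_CONTACTS = [
    {   # org-level, valid: covers SECURITY and TECHNICAL only
        "name": f"organizations/{ORG_ID}/contacts/1",
        "email": "security@example.com",
        "notificationCategorySubscriptions": ["SECURITY", "TECHNICAL"],
        "validationState": "VALID",
    },
    {   # org-level but INVALID: LEGAL must not count as covered
        "name": f"organizations/{ORG_ID}/contacts/2",
        "email": "legal@example.com",
        "notificationCategorySubscriptions": ["LEGAL"],
        "validationState": "INVALID",
    },
    {   # project-level ALL: does not satisfy an organization-scope control
        "name": "projects/example-project/contacts/3",
        "email": "ops@example.com",
        "notificationCategorySubscriptions": ["ALL"],
        "validationState": "VALID",
    },
]
PASSING_CONTACTS = [
    {   # one org-level contact subscribed to ALL is sufficient
        "name": f"organizations/{ORG_ID}/contacts/9",
        "email": "cloud-notices@example.com",
        "notificationCategorySubscriptions": ["ALL"],
        "validationState": "VALID",
    },
]

if __name__ == "__main__":
    print(org_coverage(ORG_ID, FAILING_CONTACTS))
    print(org_coverage(ORG_ID, PASSING_CONTACTS))
```

Running it against the constructed data reports the failing organization as missing LEGAL and SUSPENSION, with legal@example.com listed under invalid_skipped, which is exactly the case the remediation section below addresses: the contact exists but is not counted until Google marks it VALID again.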

Remediation

Add Essential Contacts at the organization level for each required notification category. From the Essential Contacts page in the Google Cloud Console select the organization, click + ADD CONTACT, supply an email and pick the categories. The same configuration with gcloud:

gcloud essential-contacts create \
    --email=security@example.com \
    --notification-categories=LEGAL,SECURITY,SUSPENSION,TECHNICAL \
    --organization=ORGANIZATION_ID

A single contact subscribed to ALL also satisfies the control. If the rule is failing because a contact's validation_state is INVALID, either correct the email address or have the contact re-validated from the Essential Contacts console; once Google marks it VALID again, the next CSPM scan will pass.
