--- title: Essential Contacts should be configured for organization description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > OOTB Rules > Essential Contacts should be configured for organization --- # Essential Contacts should be configured for organization ## Description{% #description %} This rule fails when a GCP organization has no Essential Contacts configured at the organization scope, or when its organization-level contacts do not collectively cover the four notification categories Google sends from: `LEGAL`, `SECURITY`, `SUSPENSION`, and `TECHNICAL` (or a single contact subscribed to `ALL`). Without this coverage, security advisories and account-suspension notices can reach the wrong inbox or be missed entirely. The check is evaluated against each `gcp_organization` and joins to `gcp_essentialcontacts_contact` records whose `parent` is `organizations/`. Project-level contacts do not satisfy the control. Contacts whose `validation_state` is `INVALID` are excluded from coverage because Google has flagged the email as undeliverable; notifications would not arrive even though the contact is technically configured. ## Remediation{% #remediation %} Add Essential Contacts at the organization level for each required notification category. From the [Essential Contacts page in the Google Cloud Console](https://console.cloud.google.com/iam-admin/essential-contacts) select the organization, click **+ ADD CONTACT**, supply an email and pick the categories. The same configuration with `gcloud`: ```bash gcloud essential-contacts create \ --email=security@example.com \ --notification-categories=LEGAL,SECURITY,SUSPENSION,TECHNICAL \ --organization=ORGANIZATION_ID ``` A single contact subscribed to `ALL` also satisfies the control. If a flagged contact is failing because of `validation_state == "INVALID"`, either correct the email address or have the contact admin re-validate it from the Essential Contacts console; once Google flips it back to `VALID`, the next CSPM scan will pass. ## References{% #references %} - [CIS Google Cloud Platform Foundation Benchmark v4.0.0 — control 1.16](https://www.cisecurity.org/benchmark/google_cloud_computing_platform) - [Managing Essential Contacts notification categories](https://cloud.google.com/resource-manager/docs/managing-notification-contacts)