---
title: GCP Access Approval should be enabled
---

# GCP Access Approval should be enabled
## Description{% #description %}

GCP Access Approval requires explicit customer sign-off before Google support personnel can access customer data, providing an additional layer of control over privileged access to Google Cloud resources. The rule evaluates each GCP organization: it FAILS when the organization has no `gcp_accessapproval_access_approval_settings` row, when the row exists but has no enrolled services, or when enrolled services are configured without any notification recipients (no `notification_emails` and no `notification_pubsub_topic`) — approval requests would have nowhere to be delivered. Iterating from `gcp_organization` (rather than from the settings resource itself) is what catches the "Access Approval has never been configured" case; settings-resource rows only exist after enrollment.
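To make the three failure conditions concrete, the following is an added example (not Datadog's rule implementation) that evaluates the same logic over constructed organization and settings records. The `AccessApprovalSettings` dataclass, the `evaluate_organization` and `evaluate_all` functions, and the sample organization IDs are assumptions made for this illustration; only the field names (`enrolled_services`, `notification_emails`, `notification_pubsub_topic`) mirror the resource attributes named above.

```python
"""Added example, not Datadog's rule code: evaluates the GCP Access Approval
check over constructed records, starting from the organization list so that
an organization with no settings row at all is caught."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessApprovalSettings:
    """Hypothetical stand-in for a gcp_accessapproval_access_approval_settings row."""
    organization_id: str
    enrolled_services: List[str] = field(default_factory=list)
    notification_emails: List[str] = field(default_factory=list)
    notification_pubsub_topic: Optional[str] = None


def evaluate_organization(
    org_id: str, settings_by_org: Dict[str, AccessApprovalSettings]
) -> Tuple[str, str]:
    """Return (status, reason) for one organization, mirroring the rule text."""
    settings = settings_by_org.get(org_id)
    # Condition 1: no settings row -> Access Approval was never configured.
    if settings is None:
        return "FAIL", "no Access Approval settings row (never configured)"
    # Condition 2: row exists but nothing is enrolled -> approval never requested.
    if not settings.enrolled_services:
        return "FAIL", "settings row has no enrolled services"
    # Condition 3: enrolled, but no recipient -> requests have nowhere to go.
    if not settings.notification_emails and not settings.notification_pubsub_topic:
        return "FAIL", "enrolled services have no notification recipients"
    return "PASS", "Access Approval enrolled with notification recipients"


def evaluate_all(
    organization_ids: List[str], settings_by_org: Dict[str, AccessApprovalSettings]
) -> Dict[str, Tuple[str, str]]:
    """Iterate from the organization list, not from the settings rows."""
    return {org: evaluate_organization(org, settings_by_org) for org in organization_ids}


# Constructed sample data (hypothetical organization IDs, not real resources).
SAMPLE_ORGS = ["org-a", "org-b", "org-c", "org-d", "org-e"]
SAMPLE_SETTINGS: Dict[str, AccessApprovalSettings] = {
    # Fully configured: enrolled for all services with an email recipient.
    "org-a": AccessApprovalSettings(
        "org-a", ["all"], ["security-team@example.com"]
    ),
    # "org-b" intentionally has no row at all.
    # Row exists but nothing enrolled.
    "org-c": AccessApprovalSettings("org-c"),
    # Enrolled but no email and no Pub/Sub topic.
    "org-d": AccessApprovalSettings("org-d", ["all"]),
    # Enrolled with only a Pub/Sub topic as the recipient: still a PASS.
    "org-e": AccessApprovalSettings(
        "org-e", ["all"], notification_pubsub_topic="projects/example/topics/approvals"
    ),
}


if __name__ == "__main__":
    for org, (status, reason) in evaluate_all(SAMPLE_ORGS, SAMPLE_SETTINGS).items():
        print(f"{org}: {status} ({reason})")
```

Starting from `SAMPLE_ORGS` rather than from the keys of `SAMPLE_SETTINGS` is the detail that matters: had the loop run over settings rows, `org-b` would never have been evaluated and its missing configuration would have gone unreported.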

## Remediation{% #remediation %}

Enable Access Approval at the organization or folder level so it propagates to every child project, then add the email addresses that should receive approval requests. From the [Access Approval setup guide](https://cloud.google.com/access-approval/docs/setting-up-access-approval) in the Google Cloud documentation, follow the "Enroll" steps. With `gcloud`:

```bash
gcloud access-approval settings update \
    --organization=ORGANIZATION_ID \
    --enrolled_services=all \
    --notification_emails=security-team@example.com
```

## References{% #references %}

- [CIS Google Cloud Platform Foundation Benchmark v4.0.0 — control 2.15](https://www.cisecurity.org/benchmark/google_cloud_computing_platform)
- [Access Approval overview](https://cloud.google.com/access-approval/docs/overview)
