For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-cyd.md. A documentation index is available at /llms.txt.

GCP Access Approval should be enabled

Description

GCP Access Approval requires explicit customer sign-off before Google support personnel can access customer data, providing an additional layer of control over privileged access to Google Cloud resources. The rule evaluates each GCP organization: it FAILS when the organization has no gcp_accessapproval_access_approval_settings row, when the row exists but has no enrolled services, or when enrolled services are configured without any notification recipients (no notification_emails and no notification_pubsub_topic) — approval requests would have nowhere to be delivered. Iterating from gcp_organization (rather than from the settings resource itself) is what catches the “Access Approval has never been configured” case; settings-resource rows only exist after enrollment.
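The three failure conditions above, modelled as an added example (not Datadog's rule code): it assumes simplified record shapes named after the page's resources, with `gcp_organization` reduced to a list of organization IDs and the settings row carrying `enrolled_services`, `notification_emails` and `notification_pubsub_topic` fields; organization IDs and addresses are constructed placeholders.

```python
"""Model of the 'GCP Access Approval should be enabled' evaluation.

Added example, not Datadog's own rule implementation. Record shapes are
assumptions loosely mirroring gcp_organization and
gcp_accessapproval_access_approval_settings; sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessApprovalSettings:
    organization_id: str
    enrolled_services: list = field(default_factory=list)
    notification_emails: list = field(default_factory=list)
    notification_pubsub_topic: Optional[str] = None


def evaluate_organization(org_id, settings_by_org):
    """Return (status, reason) for one organization.

    Starting from the organization, not from the settings resource, is what
    surfaces the never-configured case: there is simply no settings row.
    """
    settings = settings_by_org.get(org_id)
    if settings is None:
        return "FAIL", "Access Approval never configured (no settings row)"
    if not settings.enrolled_services:
        return "FAIL", "settings row exists but no services are enrolled"
    if not settings.notification_emails and not settings.notification_pubsub_topic:
        return "FAIL", "services enrolled but no notification recipients"
    return "PASS", "enrolled with at least one notification recipient"


def evaluate_all(organizations, settings_rows):
    by_org = {s.organization_id: s for s in settings_rows}
    return {org: evaluate_organization(org, by_org) for org in organizations}


# Constructed sample data: one organization per condition the rule checks.
ORGANIZATIONS = ["111111111111", "222222222222", "333333333333", "444444444444"]
SETTINGS_ROWS = [
    AccessApprovalSettings("222222222222"),                              # nothing enrolled
    AccessApprovalSettings("333333333333", enrolled_services=["all"]),   # no recipients
    AccessApprovalSettings("444444444444", enrolled_services=["all"],
                           notification_emails=["security-team@example.com"]),
]

if __name__ == "__main__":
    for org, (status, reason) in evaluate_all(ORGANIZATIONS, SETTINGS_ROWS).items():
        print(f"{org}: {status} ({reason})")
```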

Remediation

Enable Access Approval at the organization or folder level so it propagates to every child project, then add the email addresses that should receive approval requests. From the Access Approval setup guide in the Google Cloud documentation, follow the “Enroll” steps. With gcloud:

gcloud access-approval settings update \
    --organization=ORGANIZATION_ID \
    --enrolled_services=all \
    --notification_emails=security-team@example.com

References