turbot/gcp_compliance
CFT Scorecard v1
Verify all GKE clusters are Private Clusters
Prevent public users from having access to resources via IAM
Ensure Kubernetes web UI/Dashboard is disabled
Ensure default Service account is not used for Project access in Kubernetes Engine clusters
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Check that legacy metadata endpoints are disabled on Kubernetes clusters (disabled by default since GKE 1.12+)
Ensure that RSASHA1 is not used for key-signing key in Cloud DNS
Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure automatic node repair is enabled on all node pools in a GKE cluster
Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Ensure VPC Flow logs is enabled for every subnet in VPC Network
Ensure Private Google Access is enabled for all subnetworks in VPC
Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters
Check that GKE clusters have a Network Policy installed
Prevent a public IP from being assigned to a Cloud SQL instance
Check if BigQuery datasets are publicly readable
Check if Cloud Storage buckets have Bucket Only Policy turned on
Check if Cloud SQL instances have SSL turned on
Check for open firewall rules allowing RDP from the internet
Check for open firewall rules allowing SSH from the internet
Check for open firewall rules allowing ingress from the internet
Enforce corporate domain by banning gmail.com addresses access to BigQuery datasets
Enforce corporate domain by banning googlegroups.com addresses access to BigQuery datasets
Limit the number of App Engine application versions simultaneously running or installed
Check if Cloud SQL instances are world readable
CIS v1.2.0
1 Identity and Access Management
1.1 Ensure that corporate login credentials are used
1.2 Ensure that multi-factor authentication is enabled for all non-service accounts
1.3 Ensure that Security Key Enforcement is enabled for all admin accounts
1.4 Ensure that there are only GCP-managed service account keys for each service account
1.5 Ensure that Service Account has no Admin privileges
1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users
1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
1.10 Ensure KMS encryption keys are rotated within a period of 90 days
1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
1.12 Ensure API keys are not created for a project
1.13 Ensure API keys are restricted to use by only specified Hosts and Apps
1.14 Ensure API keys are restricted to only APIs that application needs access
1.15 Ensure API keys are rotated every 90 days
2 Logging and Monitoring
2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
2.2 Ensure that sinks are configured for all log entries
2.3 Ensure that retention policies on log buckets are configured using Bucket Lock
2.4 Ensure log metric filter and alerts exist for project ownership assignments/changes
2.5 Ensure that the log metric filter and alerts exist for Audit Configuration changes
2.6 Ensure that the log metric filter and alerts exist for Custom Role changes
2.7 Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes
2.8 Ensure that the log metric filter and alerts exist for VPC network route changes
2.9 Ensure that the log metric filter and alerts exist for VPC network changes
2.10 Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes
2.11 Ensure that the log metric filter and alerts exist for SQL instance configuration changes
2.12 Ensure that Cloud DNS logging is enabled for all VPC networks
3 Networking
3.1 Ensure that the default network does not exist in a project
3.2 Ensure legacy networks do not exist for a project
3.3 Ensure that DNSSEC is enabled for Cloud DNS
3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
3.6 Ensure that SSH access is restricted from the internet
3.7 Ensure that RDP access is restricted from the Internet
3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network
3.9 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
3.10 Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses
4 Virtual Machines
4.1 Ensure that instances are not configured to use the default service account
4.2 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
4.3 Ensure 'Block Project-wide SSH keys' is enabled for VM instances
4.4 Ensure oslogin is enabled for a Project
4.5 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
4.6 Ensure that IP forwarding is not enabled on Instances
4.7 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
4.8 Ensure Compute instances are launched with Shielded VM enabled
4.9 Ensure that Compute instances do not have public IP addresses
4.10 Ensure that App Engine applications enforce HTTPS connections
4.11 Ensure that Compute instances have Confidential Computing enabled
5 Storage
5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible
5.2 Ensure that Cloud Storage buckets have uniform bucket-level access enabled
6 Cloud SQL Database Services
6.1 MySQL Database
6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges
6.1.2 Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'
6.1.3 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'
6.2 PostgreSQL Database
6.2.1 Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
6.2.2 Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
6.2.3 Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
6.2.4 Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
6.2.5 Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
6.2.6 Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
6.2.7 Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
6.2.8 Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately
6.2.9 Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
6.2.10 Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
6.2.11 Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
6.2.12 Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
6.2.13 Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately
6.2.14 Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
6.2.15 Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'
6.2.16 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
6.3 SQL Server
6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
6.3.3 Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate
6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
6.3.6 Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
6.5 Ensure that Cloud SQL database instances are not open to the world
6.6 Ensure that Cloud SQL database instances do not have public IPs
6.7 Ensure that Cloud SQL database instances are configured with automated backups
7 BigQuery
7.1 Ensure that BigQuery datasets are not anonymously or publicly accessible
7.2 Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)
7.3 Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets
Forseti Security v2.26.0
Check that CMEK rotation policy is in place and is sufficiently short
Prevent public users from having access to resources via IAM
Check if service account keys are older than 100 days
Only allow members from my domain to be added to IAM roles
Check if BigQuery datasets are publicly readable
Check for open firewall rules allowing ingress from the internet
Check for open firewall rules allowing TCP/UDP from the internet
Enforce corporate domain by banning gmail.com addresses access to BigQuery datasets
Enforce corporate domain by banning googlegroups.com addresses access to BigQuery datasets
Check if Cloud SQL instances are world readable
Benchmarks & Controls in GCP Compliance
The GCP Compliance mod includes 13 benchmarks & 114 controls.
Usage
steampipe check all
Benchmarks
CFT Scorecard v1
CIS v1.2.0
Forseti Security v2.26.0