Benchmark: Compute
Description
This benchmark provides a set of controls that detect Terraform GCP Compute Engine resources deviating from security best practices.
Usage
Browse dashboards and select Compute:
steampipe dashboard
Or run the benchmarks in your terminal:
steampipe check terraform_gcp_compliance.benchmark.compute
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share terraform_gcp_compliance.benchmark.compute
Controls
- Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
- Ensure 'Block Project-wide SSH keys' is enabled for VM instances
- Ensure that Compute instances have Confidential Computing enabled
- Ensure that IP forwarding is not enabled on Instances
- Ensure OS login is enabled for a project
- Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
- Ensure Compute instances are launched with Shielded VM enabled
- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
- Ensure that instances are not configured to use the default service account
- Ensure that Compute instances do not have public IP addresses
- Ensure that the default network does not exist in a project
- Ensure legacy networks do not exist for a project
- Ensure VPC Flow logs is enabled for every subnet in VPC Network
- Ensure Private Google Access is enabled for all subnetworks in VPC
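As an added illustration of what these controls look for (written for this page, not code from the mod), a Terraform subnet and instance configured to pass them; the resource names, image, region and the `csek_key` variable are assumed, and the comments name the control each setting addresses:

```hcl
resource "google_compute_network" "vpc" {
  name                    = "example-vpc"
  auto_create_subnetworks = false   # custom-mode VPC rather than the auto-mode default network
}

resource "google_compute_subnetwork" "app" {
  name                     = "example-subnet"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true   # Private Google Access control
  log_config {                      # VPC Flow logs control; omitting this block is flagged
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
  }
}

resource "google_service_account" "vm" {
  account_id = "example-vm-sa"   # dedicated identity instead of the Compute default service account
}

resource "google_compute_instance" "app" {
  name           = "example-vm"
  zone           = "us-central1-a"
  machine_type   = "n2d-standard-2"   # N2D family is required for Confidential VM
  can_ip_forward = false              # true would trip the IP forwarding control
  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
    disk_encryption_key_raw = var.csek_key   # CSEK control; variable assumed to be declared elsewhere
  }
  network_interface {
    subnetwork = google_compute_subnetwork.app.id
    # no access_config block, so no external IP is assigned (public IP control)
  }
  service_account {
    email  = google_service_account.vm.email   # both default service account controls
    scopes = ["cloud-platform"]
  }
  shielded_instance_config {                   # Shielded VM control
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }
  confidential_instance_config { enable_confidential_compute = true }   # Confidential Computing control
  scheduling { on_host_maintenance = "TERMINATE" }                     # required by Confidential VM
  metadata = {
    block-project-ssh-keys = "true"    # Block Project-wide SSH keys control
    enable-oslogin         = "TRUE"    # OS Login, set here per instance; the control checks project metadata
    serial-port-enable     = "false"   # serial port control
  }
}
```

Running `steampipe check terraform_gcp_compliance.benchmark.compute` against a directory holding this file should report these resources as passing, while removing `log_config`, adding an `access_config {}` block or dropping the `service_account` block produces the corresponding alarms.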