| Description |
Service |
Rule |
| Communications and control network protection: Ensure FirewallRule doesn't have any rule that allows incoming traffic on all ports |
Exposing all ports adds risk of exposure or compromise for all current and future network services running on the instance. Change firewall rule to only expose required ports. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Ports with [ FromPort eq 0 and ToPort eq 65535 ] ] |
| Identities and credentials: Ensure BigQuery does not have Dataset ACL which is open to all authenticated users |
A cloud data warehouse should not allow access to all authenticated users. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. |
BigQuery
|
BigqueryDataset should not have DatasetACL with [ SpecialGroup eq "allAuthenticatedUsers" ] |
| Identities and credentials: Ensure BigQuery does not have Dataset ACL which grants permission to a Gmail account |
A cloud data warehouse should not allow access to Gmail accounts. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. |
BigQuery
|
BigqueryDataset should not have DatasetACL with [ UserEmail like "@gmail\.com" ] |
| Backups of information: Ensure SQL Instances have Backup enabled |
Enable database backups on mission-critical systems.Lack of backups can result in permanent data loss if database is lost or corrupted. |
SQL
|
SqlInstance should not have Settings . BackupConfiguration . Enabled eq false |
| Ensure FirewallRule does not contain any rule which opens DNS port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "udp") and Ports with [ ( FromPort lte 53 and ToPort gte 53 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens FTP port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( ( FromPort lte 20 and ToPort gte 20 ) or ( FromPort lte 21 and ToPort gte 21 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens MongoDB port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( ( FromPort lte 27017 and ToPort gte 27017 ) or ( FromPort lte 27018 and ToPort gte 27018 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens MsSQL port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 1434 and ToPort gte 1434 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens MySQL port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 3306 and ToPort gte 3306 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens NFS port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "udp", "tcp") and Ports with [ ( ( FromPort lte 111 and ToPort gte 111 ) or ( FromPort lte 2049 and ToPort gte 2049 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens OracleDB port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 1630 and ToPort gte 1630 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens PostGreSQL port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 5432 and ToPort gte 5432 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens RDP port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "udp", "tcp") and Ports with [ ( FromPort lte 3389 and ToPort gte 3389 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens SMTP port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 25 and ToPort gte 25 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens SSH port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 22 and ToPort gte 22 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens Telnet port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 23 and ToPort gte 23 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure Virtual Machine Instances are not exposed to the internet |
Virtual Machine should not have the public IP address. If it is public is have exposure to the Internet which can increase the likelihood of data exfiltration or compromise for this virtual machine. To prevent this remove the public IP address from the access configuration for this virtual machine. |
ComputeEngine
|
Instance should not have NetworkInterfaces with [ AccessConfigs with [ NatIP ] ] |
| Ensure VPC does not have any route to the internet |
If VPC has a route to the Internet, then Exposure to the internet can lead to data exfiltration or compromise for resources in this VPC. Change the configuration of VPC to prevent this. |
VPCnetwork
|
Route should not have Network . Mode len () gt 0 and ( DestinationCIDR isPublic ( ) or DestinationCIDR eq 0.0.0.0/0 ) |
| Ensure that Load Balancers do not have public IP address |
If Load Balancer has a public IP address, then it can have exposure to the Internet. It can increase the likelihood of data exfiltration or compromise for the resources behind this load balancer. Modify the Load Balancer public IP to internal IP. |
ComputeEngine
|
ForwardingRule should not have Type eq "INTERNAL" and IP isPublic() |
| Ensure that project's IAM does not have primitive roles |
The Wide-ranging permissions roles should not provide to any account. It is the best practice to give the least privilege needed to limit the impact of a security incident. Apply more granular permissions to the account. |
ProjectIAM
|
IAMPolicy should not have Role . InbuiltRole and Role . Name in ( "editor", "viewer", "owner" ) |
| Ensure that 'Account' has 'services enabled' |
Ensure that Account has services enabled |
Project
|
Project should have Services len ( ) gt 0 |
| Ensure that DataProc Cluster has a customer managed encryption key |
Ensure that DataProc Cluster has a customer managed encryption key |
Dataproc
|
DataprocCluster should have Config . EncryptionConfig . GcePdKmsKeyName |
| Ensure that 'Bucket' has a 'customer managed encryption key' |
Ensure that Bucket' has a customer managed encryption key |
Storage
|
Bucket should have Encryption eq "Customer-managed key" |
| Ensure that 'Virtual Machine Instance Disk' has a 'customer managed encryption key' |
Ensure that Virtual Machine Instance Disk has a customer managed encryption key |
ComputeEngine
|
Volume should have DiskEncryptionKey . KMSKey . State eq "ENABLED" |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels |
Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. |
Kubernetes
|
KubernetesCluster should have Tags len ( ) gt 0 |
| Remote access: Ensure oslogin is enabled for a Project |
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Project . ComputeInfo . CommonInstanceMetadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)true" ] and no Metadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)false" ] |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days |
A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. |
KMS
|
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level |
It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser" |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. |
ComputeEngine
|
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "(?i)true" ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. |
Kubernetes
|
KubernetesCluster should not have LegacyAbac . Enabled eq True |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.delete\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network route changes |
It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network changes |
It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_network\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ] |
| Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ] |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network |
Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. |
VPCnetwork
|
VPC should have every Subnetworks with [ LogEnabled ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. |
Kubernetes
|
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. |
Kubernetes
|
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True |
| Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. |
Kubernetes
|
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true |
| Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters |
Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ] |
| Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ] |
| Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. |
Kubernetes
|
KubernetesCluster should have NodeConfig . ImageType eq "COS" |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level |
It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser" |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days |
A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. |
KMS
|
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.delete\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network route changes |
It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network changes |
It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_network\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ] |
| Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ] |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network |
Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. |
VPCnetwork
|
VPC should have every Subnetworks with [ LogEnabled ] |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Remote access: Ensure oslogin is enabled for a Project |
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Project . ComputeInfo . CommonInstanceMetadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)true" ] and no Metadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)false" ] |
| Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. |
ComputeEngine
|
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "(?i)true" ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. |
Kubernetes
|
KubernetesCluster should not have LegacyAbac . Enabled eq True |
| Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. |
Kubernetes
|
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True |
| Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels |
Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. |
Kubernetes
|
KubernetesCluster should have Tags len ( ) gt 0 |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters |
Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ] |
| Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ] |
| Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. |
Kubernetes
|
KubernetesCluster should have NodeConfig . ImageType eq "COS" |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. |
Kubernetes
|
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True |
| Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled |
Disable access to the Kubernetes API from outside the node network if it is not required. |
Kubernetes
|
KubernetesCluster should have PrivateClusterConfig . EnablePrivateEndpoint and Endpoint isPrivate () |
| Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. |
Kubernetes
|
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) |
Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys |
ComputeEngine
|
Volume where Name notlike "^gke-" should have DiskEncryptionKey . Sha256 len ( ) gt 0 |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level |
It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level. |
Identity
|
IAMPolicy where Name eq "iam.serviceAccountUser" or Name eq "iam.serviceAccountTokenCreator" should have Members . UserEmails len() eq 0 |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access |
KMS
|
KMSKey should not have Bindings with [ Members has ("allAuthenticatedUsers") or Members has ("allUsers") ] |
| Ensure KMS encryption keys are rotated within a period of 90 days |
It is recommended that the KMS encryption keys are rotated within a period of 90 days |
KMS
|
KMSKey should have RotationPeriod lte 7776000 and NextRotationTime isEarlierThan (90, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Ensure that retention policies on log buckets are configured using Bucket Lock |
Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks. |
Storage
|
LoggingSink where Destination . Bucket . Type len() gt 0 should have Destination . Bucket . RetentionPolicy . IsLocked |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.delete\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network route changes |
It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network changes |
It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_network\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Ensure that Cloud DNS logging is enabled for all VPC networks |
Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC |
Network
|
VPC should have DNSPolicy . enableLogging |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network |
Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. |
VPCnetwork
|
VPC should have every Subnetworks with [ LogEnabled ] |
| Ensure that instances are not configured to use the default service account |
It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Email like "compute@developer\.gserviceaccount\.com$"] |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Remote access: Ensure oslogin is enabled for a Project |
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Project . ComputeInfo . CommonInstanceMetadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)true" ] and no Metadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)false" ] |
| Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. |
ComputeEngine
|
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "(?i)true" ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) |
Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys |
ComputeEngine
|
Volume where Name notlike "^gke-" should have DiskEncryptionKey . Sha256 len ( ) gt 0 |
| Ensure Compute instances are launched with Shielded VM enabled |
To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled. |
ComputeEngine
|
Instance should have ShieldedVM |
| Ensure that Compute instances do not have public IP addresses |
Compute instances should not be configured to have external IP addresses. |
ComputeEngine
|
Instance should not have NetworkInterfaces with [ AccessConfigs len ( ) gt 0 ] |
| Ensure that Compute instances have Confidential Computing enabled |
Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in use while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU). |
ComputeEngine
|
Instance should have ConfidentialComputing |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Ensure that Cloud Storage buckets have uniform bucket-level access enabled |
It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets. |
Storage
|
Bucket should have IAMConfiguration.UniformBucketLevelAccess |
| Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on' |
It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should have Settings . DatabaseFlags with [ Name eq "skip_show_database" and Value eq "on" ] |
| Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off' |
It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should have Settings . DatabaseFlags with [ Name eq "local_infile" and Value eq "off" ] |
| Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_checkpoints" and Value eq "on" ] |
| Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter |
The log_error_verbosity flag controls the verbosity/details of messages logged. Valid values are: TERSE, DEFAULT, VERBOSE |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_error_verbosity" and Value in ( "default", "verbose" ) ] |
| Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_connections" and Value eq "on" ] |
| Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
Enabling the log_disconnections setting logs the end of each session, including the session duration. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_disconnections" and Value eq "on" ] |
| Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on |
Enabling the log_lock_waits flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted deadlock_timeout time to acquire a lock. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_lock_waits" and Value eq "on" ] |
| Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
The log_statement_stats flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats). |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_statement_stats" and Value eq "off" ] |
| Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately |
PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_hostname" and Value eq "off" ] |
| Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server. If the syntax is correct a parse tree is built up else an error is generated. The log_parser_stats flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_parser_stats" and Value eq "off" ] |
| Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
The same SQL query can be excuted in multiple ways and still produce different results. The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query. The log_planner_stats flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_planner_stats" and Value eq "off" ] |
| Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner. The executor processes the plan recursively to extract the required set of rows. The log_executor_stats flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_executor_stats" and Value eq "off" ] |
| Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter |
The log_min_error_statement flag defines the minimum message severity level that are considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. Ensure a value of ERROR or stricter is set. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_min_error_statement" and Value in ("debug5", "debug4", "debug3", "debug2", "debug1", "info", "notice", "warning", "error")] |
| Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on) |
PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed work_mem. The log_temp_files flag controls logging names and the file size when it is deleted. Configuring log_temp_files to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. A value of -1 disables temporary file information logging. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_temp_files" and Value eq "0" ] |
| Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled) |
The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_min_duration_statement" and Value eq "-1" ] |
| Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off |
It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "external scripts enabled" and Value eq "off" ] |
| Ensure 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' |
It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "cross db ownership chaining" and Value eq "off" ] |
| Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured |
It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should not have Settings . DatabaseFlags with [ Name eq "user options" ] |
| Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate |
It is recommended to set user connections database flag for Cloud SQL SQL Server instance according organization-defined value. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "user connections" and Value neq "0" ] |
| Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off' |
It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "3625" and Value eq "off" ] |
| Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' |
It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "contained database authentication" and Value eq "off" ] |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Ensure that Cloud SQL database instances do not have public IPs |
It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs. |
SQL
|
SqlInstance where InstanceType eq "CLOUD_SQL_INSTANCE" should not have BackendType eq "SECOND_GEN" and IpAddresses with [IpAddress isPublic() or Type eq "PRIMARY" ] |
| Backups of information: Ensure SQL Instances have Backup enabled |
Enable database backups on mission-critical systems.Lack of backups can result in permanent data loss if database is lost or corrupted. |
SQL
|
SqlInstance should not have Settings . BackupConfiguration . Enabled eq false |
| Ensure that BigQuery datasets are not anonymously or publicly accessible |
It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access. |
Database
|
BigqueryDataset should not have DatasetACL with [ SpecialGroup eq "allAuthenticatedUsers" or SpecialGroup eq "allUsers"] |
| Ensure that all BigQuery Tables are encrypted with Customer- managed encryption key (CMEK) |
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys. |
Database
|
BigqueryDataset should have every Tables with [ encryption . enabled ] |
| Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' |
It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "remote access" and Value eq "off" ] |
| Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets |
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. |
Database
|
BigqueryDataset should have Encryption.Enabled |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level |
It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level. |
Identity
|
IAMPolicy where Name eq "iam.serviceAccountUser" or Name eq "iam.serviceAccountTokenCreator" should have Members . UserEmails len() eq 0 |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access |
KMS
|
KMSKey should not have Bindings with [ Members has ("allAuthenticatedUsers") or Members has ("allUsers") ] |
| Ensure KMS encryption keys are rotated within a period of 90 days |
It is recommended that the KMS encryption keys are rotated within a period of 90 days |
KMS
|
KMSKey should have RotationPeriod lte 7776000 and NextRotationTime isEarlierThan (90, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Ensure API Keys Are Not Created for a Project |
Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead |
API
|
GCP should not have APIKeys len() gt 0 |
| Ensure API keys are restricted to only APIs that application needs access |
API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application |
API
|
APIKey should not have ( APIRestrictions len () eq 0 or APIRestrictions with [ Service eq "cloudapis.googleapis.com" ] ) |
| Ensure API keys are restricted to use by only specified Hosts and Apps |
Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps |
API
|
APIKey should not have ( ApplicationRestriction eq "None" or ( ( ApplicationRestriction eq "BrowserKeyRestrictions" and BrowserKeyRestrictions with [ AllowedReferrer like "\*" ] ) or ( ApplicationRestriction eq "ServerKeyRestrictions" and ServerKeyRestrictions with [ AllowedIp in ("0.0.0.0", "0.0.0.0/0", "::/0") ] ) ) ) |
| Ensure API keys are rotated every 90 days |
It is recommended to rotate API keys every 90 days |
API
|
APIKey should have CreationDate isLaterThan ( -90, "days" ) |
| Ensure Essential Contacts is Configured for Organization |
It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information |
Security
|
Organization should have EssentialContacts len () gt 0 and ( EssentialContacts with [ ValidationState eq "VALID" and NotificationCategorySubscriptions with [ NotificationCategory eq "ALL" ] ] or ( EssentialContacts with [ ValidationState eq "VALID" and NotificationCategorySubscriptions with [ NotificationCategory eq "LEGAL" ] ] and EssentialContacts with [ ValidationState eq "VALID" and NotificationCategorySubscriptions with [ NotificationCategory eq "SECURITY" ] ] and EssentialContacts with [ ValidationState eq "VALID" and NotificationCategorySubscriptions with [ NotificationCategory eq "SUSPENSION" ] ] and EssentialContacts with [ ValidationState eq "VALID" and NotificationCategorySubscriptions with [ NotificationCategory eq "TECHNICAL" ] ] ) ) |
| Ensure that DataProc Cluster has a customer managed encryption key |
Ensure that DataProc Cluster has a customer managed encryption key |
Dataproc
|
DataprocCluster should have Config . EncryptionConfig . GcePdKmsKeyName |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Ensure That Sinks Are Configured for All Log Entries |
It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM) |
Logging
|
GCP should have atleast one LoggingSinks with [ Destination . URL and ( Destination . BigqueryDataset or Destination . Bucket or Destination . PubSubTopic ) and ( Filter len() eq 0 or not Filter ) ] |
| Ensure that retention policies on log buckets are configured using Bucket Lock |
Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks. |
Storage
|
LoggingSink where Destination . Bucket . Type len() gt 0 should have Destination . Bucket . RetentionPolicy . IsLocked |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.delete\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network route changes |
It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network changes |
It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_network\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Ensure that Cloud DNS logging is enabled for all VPC networks |
Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC |
Network
|
VPC should have DNSPolicy . enableLogging |
| Ensure Cloud Asset Inventory Is Enabled |
GCP Cloud Asset Inventory is services that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource |
API
|
GCP should have atleast one Service with [ Name eq "cloudasset.googleapis.com" and State eq "ENABLED"] |
| Ensure 'Access Approval' is 'Enabled' |
GCP Access Approval enables you to require your organizations' explicit approval whenever Google support try to access your projects. You can then select users within your organization who can approve these requests through giving them a security role in IAM. All access requests display which Google Employee requested them in an email or Pub/Sub message that you can choose to Approve. This adds an additional control and logging of who in your organization approved/denied these requests |
Security
|
AccessApprovalSetting should have ( Enabled and EnrolledServices with [ CloudProduct eq "all" ] ) |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ] |
| Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ] |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Ensure that instances are not configured to use the default service account |
It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Email like "compute@developer\.gserviceaccount\.com$"] |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Remote access: Ensure oslogin is enabled for a Project |
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Project . ComputeInfo . CommonInstanceMetadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)true" ] and no Metadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)false" ] |
| Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. |
ComputeEngine
|
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "(?i)true" ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) |
Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys |
ComputeEngine
|
Volume where Name notlike "^gke-" should have DiskEncryptionKey . Sha256 len ( ) gt 0 |
| Ensure Compute instances are launched with Shielded VM enabled |
To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled. |
ComputeEngine
|
Instance should have ShieldedVM |
| Ensure that Compute instances do not have public IP addresses |
Compute instances should not be configured to have external IP addresses. |
ComputeEngine
|
Instance should not have NetworkInterfaces with [ AccessConfigs len ( ) gt 0 ] |
| Ensure that Compute instances have Confidential Computing enabled |
Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in use while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU). |
ComputeEngine
|
Instance should have ConfidentialComputing |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Ensure that Cloud Storage buckets have uniform bucket-level access enabled |
It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets. |
Storage
|
Bucket should have IAMConfiguration.UniformBucketLevelAccess |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on' |
It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should have Settings . DatabaseFlags with [ Name eq "skip_show_database" and Value eq "on" ] |
| Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off' |
It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should have Settings . DatabaseFlags with [ Name eq "local_infile" and Value eq "off" ] |
| Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter |
The log_error_verbosity flag controls the verbosity/details of messages logged. Valid values are: TERSE, DEFAULT, VERBOSE |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_error_verbosity" and Value in ( "default", "verbose" ) ] |
| Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_connections" and Value eq "on" ] |
| Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
Enabling the log_disconnections setting logs the end of each session, including the session duration. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_disconnections" and Value eq "on" ] |
| Ensure 'log_statement' Database Flag for Cloud SQL PostgreSQL instance is set appropriately |
The value of log_statement flag determined the SQL statements that are logged. Valid values are none, ddl, mod, all. The value ddl logs all data definition statements. The value mod logs all ddl statements, plus data-modifying statements. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_statement" and Value neq "none" ] |
| Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately |
PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_hostname" and Value eq "off" ] |
| Ensure that the 'Log_min_messages' database flag for Cloud SQL PostgreSQL instance is set to at least 'Warning' |
The log_min_messages flag defines the minimum message severity level that is considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_min_messages" and Value in ("debug5", "debug4", "debug3", "debug2", "debug1", "info", "notice", "warning", "error", "log", "fatal", "panic")] |
| Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter |
The log_min_error_statement flag defines the minimum message severity level that are considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. Ensure a value of ERROR or stricter is set. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_min_error_statement" and Value in ("debug5", "debug4", "debug3", "debug2", "debug1", "info", "notice", "warning", "error")] |
| Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled) |
The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_min_duration_statement" and Value eq "-1" ] |
| Ensure that 'cloudsql.enable_pgaudit' database flag for each Cloud Sql Postgresql instance is set to 'on' for centralized logging |
Ensure cloudsql.enable_pgaudit database flag for Cloud SQL PostgreSQL instance is set to on to allow for centralized logging. |
SQL
|
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "cloudsql.enable_pgaudit" and Value eq "on" ] |
| Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off |
It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "external scripts enabled" and Value eq "off" ] |
| Ensure 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' |
It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "cross db ownership chaining" and Value eq "off" ] |
| Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate |
It is recommended to set user connections database flag for Cloud SQL SQL Server instance according organization-defined value. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "user connections" and Value neq "0" ] |
| Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured |
It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should not have Settings . DatabaseFlags with [ Name eq "user options" ] |
| Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' |
It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "remote access" and Value eq "off" ] |
| Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off' |
It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "3625" and Value eq "off" ] |
| Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' |
It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "contained database authentication" and Value eq "off" ] |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Ensure that Cloud SQL database instances do not have public IPs |
It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs. |
SQL
|
SqlInstance where InstanceType eq "CLOUD_SQL_INSTANCE" should not have BackendType eq "SECOND_GEN" and IpAddresses with [IpAddress isPublic() or Type eq "PRIMARY" ] |
| Backups of information: Ensure SQL Instances have Backup enabled |
Enable database backups on mission-critical systems.Lack of backups can result in permanent data loss if database is lost or corrupted. |
SQL
|
SqlInstance should not have Settings . BackupConfiguration . Enabled eq false |
| Ensure that BigQuery datasets are not anonymously or publicly accessible |
It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access. |
Database
|
BigqueryDataset should not have DatasetACL with [ SpecialGroup eq "allAuthenticatedUsers" or SpecialGroup eq "allUsers"] |
| Ensure that all BigQuery Tables are encrypted with Customer- managed encryption key (CMEK) |
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys. |
Database
|
BigqueryDataset should have every Tables with [ encryption . enabled ] |
| Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets |
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. |
Database
|
BigqueryDataset should have Encryption.Enabled |
| Description |
Service |
Rule |
| Ensure that instances are not configured to use the default service account |
It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Email like "compute@developer\.gserviceaccount\.com$"] |
| Ensure Compute instances are launched with Shielded VM enabled |
To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled. |
ComputeEngine
|
Instance should have ShieldedVM |
| Ensure clusters are created with Private Nodes |
Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes with no public IP addresses |
Kubernetes
|
KubernetesCluster should have PrivateClusterConfig . EnablePrivateNodes |
| Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
Enable Integrity Monitoring for Shielded GKE Nodes to be notified of inconsistencies during the node boot sequence |
Kubernetes
|
KubernetesCluster should have NodePools with [ Config.ShieldedInstanceConfig.EnableIntegrityMonitoring ] |
| Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS |
Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-managed key in Cloud KMS |
Kubernetes
|
KubernetesCluster should have DatabaseEncryption.State eq "ENCRYPTED" and DatabaseEncryption.KeyName neq "" |
| Ensure legacy Compute Engine instance metadata APIs are Disabled |
Disable the legacy GCE instance metadata APIs for GKE nodes. Under some circumstances, these can be used from within a pod to extract the node's credentials |
Kubernetes
|
KubernetesCluster should have NodePools with [ Config.Metadata with [ Name eq "disable-legacy-endpoints" and Value eq "true"] ] |
| Ensure Pod Security Policy is Enabled and set as appropriate |
Pod Security Policy should be used to prevent privileged containers where possible and enforce namespace and workload configurations |
Kubernetes
|
KubernetesCluster should have PodSecurityPolicyConfig.Enabled |
| Ensure Shielded GKE Nodes are Enabled |
Shielded GKE Nodes provides verifiable integrity via secure boot, virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring |
Kubernetes
|
KubernetesCluster should have ShieldedNodes.Enabled |
| Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled |
Send logs and metrics to a remote aggregator to mitigate the risk of local tampering in the event of a breach |
Kubernetes
|
KubernetesCluster should have ( ( ( LoggingService eq "logging.googleapis.com/kubernetes" ) or ( LoggingService eq "logging.googleapis.com" ) ) and ( ( MonitoringService eq "monitoring.googleapis.com/kubernetes" ) or ( MonitoringService eq "monitoring.googleapis.com" ) ) ) |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. |
Kubernetes
|
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) |
Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys |
ComputeEngine
|
Volume where Name notlike "^gke-" should have DiskEncryptionKey . Sha256 len ( ) gt 0 |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Description |
Service |
Rule |
| Ensure that BigQuery datasets are not anonymously or publicly accessible |
It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access. |
Database
|
BigqueryDataset should not have DatasetACL with [ SpecialGroup eq "allAuthenticatedUsers" or SpecialGroup eq "allUsers"] |
| Ensure that 'Bucket' has a 'customer managed encryption key' |
Ensure that Bucket' has a customer managed encryption key |
Storage
|
Bucket should have Encryption eq "Customer-managed key" |
| Ensure that Cloud Storage buckets have uniform bucket-level access enabled |
It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets. |
Storage
|
Bucket should have IAMConfiguration.UniformBucketLevelAccess |
| Backups of information: Ensure SQL Instances have Backup enabled |
Enable database backups on mission-critical systems.Lack of backups can result in permanent data loss if database is lost or corrupted. |
SQL
|
SqlInstance should not have Settings . BackupConfiguration . Enabled eq false |
| Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access |
KMS
|
KMSKey should not have Bindings with [ Members has ("allAuthenticatedUsers") or Members has ("allUsers") ] |
| Ensure KMS encryption keys are rotated within a period of 90 days |
It is recommended that the KMS encryption keys are rotated within a period of 90 days |
KMS
|
KMSKey should have RotationPeriod lte 7776000 and NextRotationTime isEarlierThan (90, "days") |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' |
It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off. |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "contained database authentication" and Value eq "off" ] |
| Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off |
It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off |
SQL
|
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "external scripts enabled" and Value eq "off" ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Identities and credentials: Ensure BigQuery does not have Dataset ACL which grants permission to a Gmail account |
A cloud data warehouse should not allow access to Gmail accounts. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. |
BigQuery
|
BigqueryDataset should not have DatasetACL with [ UserEmail like "@gmail\.com" ] |
| Identities and credentials: Ensure BigQuery does not have Dataset ACL which is open to all authenticated users |
A cloud data warehouse should not allow access to all authenticated users. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. |
BigQuery
|
BigqueryDataset should not have DatasetACL with [ SpecialGroup eq "allAuthenticatedUsers" ] |
| Description |
Service |
Rule |
| Communications and control network protection: Ensure FirewallRule doesn't have any rule that allows incoming traffic on all ports |
Exposing all ports adds risk of exposure or compromise for all current and future network services running on the instance. Change firewall rule to only expose required ports. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Ports with [ FromPort eq 0 and ToPort eq 65535 ] ] |
| Ensure FirewallRule does not contain any rule which opens DNS port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "udp") and Ports with [ ( FromPort lte 53 and ToPort gte 53 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens Telnet port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 23 and ToPort gte 23 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens FTP port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( ( FromPort lte 20 and ToPort gte 20 ) or ( FromPort lte 21 and ToPort gte 21 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure that Compute instances do not have public IP addresses |
Compute instances should not be configured to have external IP addresses. |
ComputeEngine
|
Instance should not have NetworkInterfaces with [ AccessConfigs len ( ) gt 0 ] |
| Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled |
Disable access to the Kubernetes API from outside the node network if it is not required. |
Kubernetes
|
KubernetesCluster should have PrivateClusterConfig . EnablePrivateEndpoint and Endpoint isPrivate () |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Ensure that Load Balancers do not have public IP address |
If Load Balancer has a public IP address, then it can have exposure to the Internet. It can increase the likelihood of data exfiltration or compromise for the resources behind this load balancer. Modify the Load Balancer public IP to internal IP. |
ComputeEngine
|
ForwardingRule should not have Type eq "INTERNAL" and IP isPublic() |
| Ensure FirewallRule does not contain any rule which opens MongoDB port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( ( FromPort lte 27017 and ToPort gte 27017 ) or ( FromPort lte 27018 and ToPort gte 27018 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens MsSQL port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 1434 and ToPort gte 1434 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens MySQL port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 3306 and ToPort gte 3306 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Ensure FirewallRule does not contain any rule which opens NFS port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "udp", "tcp") and Ports with [ ( ( FromPort lte 111 and ToPort gte 111 ) or ( FromPort lte 2049 and ToPort gte 2049 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens OracleDB port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 1630 and ToPort gte 1630 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Ensure that Cloud SQL database instances do not have public IPs |
It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs. |
SQL
|
SqlInstance where InstanceType eq "CLOUD_SQL_INSTANCE" should not have BackendType eq "SECOND_GEN" and IpAddresses with [IpAddress isPublic() or Type eq "PRIMARY" ] |
| Ensure FirewallRule does not contain any rule which opens SSH port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 22 and ToPort gte 22 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure Virtual Machine Instances are not exposed to the internet |
Virtual Machine should not have the public IP address. If it is public is have exposure to the Internet which can increase the likelihood of data exfiltration or compromise for this virtual machine. To prevent this remove the public IP address from the access configuration for this virtual machine. |
ComputeEngine
|
Instance should not have NetworkInterfaces with [ AccessConfigs with [ NatIP ] ] |
| Ensure VPC does not have any route to the internet |
If VPC has a route to the Internet, then Exposure to the internet can lead to data exfiltration or compromise for resources in this VPC. Change the configuration of VPC to prevent this. |
VPCnetwork
|
Route should not have Network . Mode len () gt 0 and ( DestinationCIDR isPublic ( ) or DestinationCIDR eq 0.0.0.0/0 ) |
| Ensure FirewallRule does not contain any rule which opens PostGreSQL port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 5432 and ToPort gte 5432 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens RDP port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "udp", "tcp") and Ports with [ ( FromPort lte 3389 and ToPort gte 3389 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Ensure FirewallRule does not contain any rule which opens SMTP port to internet |
Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 25 and ToPort gte 25 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ] |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Remote access: Ensure oslogin is enabled for a Project |
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Project . ComputeInfo . CommonInstanceMetadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)true" ] and no Metadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)false" ] |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days |
A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. |
KMS
|
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level |
It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser" |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ] |
| Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ] |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network |
Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. |
VPCnetwork
|
VPC should have every Subnetworks with [ LogEnabled ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. |
Kubernetes
|
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. |
Kubernetes
|
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True |
| Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. |
Kubernetes
|
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true |
| Description |
Service |
Rule |
| Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. |
Kubernetes
|
KubernetesCluster should have NodeConfig . ImageType eq "COS" |
| Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters |
Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ] |
| Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ] |
| Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. |
Kubernetes
|
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True |
| Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. |
Kubernetes
|
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. |
Kubernetes
|
KubernetesCluster should not have LegacyAbac . Enabled eq True |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Ensure Image Vulnerability Scanning using GCR Container Analysis or a third party provider |
Scan images stored in Google Container Registry (GCR) for vulnerabilities. |
Kubernetes
|
GCP should have atleast one Service with [ Name eq "containerscanning.googleapis.com" and State eq "ENABLED"] |
| Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS |
Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-managed key in Cloud KMS |
Kubernetes
|
KubernetesCluster should have DatabaseEncryption.State eq "ENCRYPTED" and DatabaseEncryption.KeyName neq "" |
| Ensure legacy Compute Engine instance metadata APIs are Disabled |
Disable the legacy GCE instance metadata APIs for GKE nodes. Under some circumstances, these can be used from within a pod to extract the node's credentials |
Kubernetes
|
KubernetesCluster should have NodePools with [ Config.Metadata with [ Name eq "disable-legacy-endpoints" and Value eq "true"] ] |
| Ensure the GKE Metadata Server is Enabled |
Running the GKE Metadata Server prevents workloads from accessing sensitive instance metadata and facilitates Workload Identity |
Kubernetes
|
KubernetesCluster should have NodePools with [ Config.WorkloadMetadataConfig.NodeMetadata len() gt 0] |
| When creating New Clusters - Automate GKE version management using Release Channels |
Subscribe to the Regular or Stable Release Channel to automate version upgrades to the GKE cluster and to reduce version management complexity to the number of features and level of stability required |
Kubernetes
|
KubernetesCluster should have ReleaseChannel.Channel eq "REGULAR" or ReleaseChannel.Channel eq "STABLE" |
| Ensure Shielded GKE Nodes are Enabled |
Shielded GKE Nodes provides verifiable integrity via secure boot, virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring |
Kubernetes
|
KubernetesCluster should have ShieldedNodes.Enabled |
| Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
Enable Integrity Monitoring for Shielded GKE Nodes to be notified of inconsistencies during the node boot sequence |
Kubernetes
|
KubernetesCluster should have NodePools with [ Config.ShieldedInstanceConfig.EnableIntegrityMonitoring ] |
| Ensure Secure Boot for Shielded GKE Nodes is Enabled |
Enable Secure Boot for Shielded GKE Nodes to verify the digital signature of node boot components |
Kubernetes
|
KubernetesCluster should have NodePools with [ Config.ShieldedInstanceConfig.EnableSecureBoot ] |
| Enable VPC Flow Logs and Intranode Visibility |
Enable VPC Flow Logs and Intranode Visibility to see pod-level traffic, even for traffic within a worker node |
Kubernetes
|
KubernetesCluster should have NetworkConfig . EnableIntraNodeVisibility |
| Ensure clusters are created with Private Nodes |
Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes with no public IP addresses |
Kubernetes
|
KubernetesCluster should have PrivateClusterConfig . EnablePrivateNodes |
| Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled |
Send logs and metrics to a remote aggregator to mitigate the risk of local tampering in the event of a breach |
Kubernetes
|
KubernetesCluster should have ( ( ( LoggingService eq "logging.googleapis.com/kubernetes" ) or ( LoggingService eq "logging.googleapis.com" ) ) and ( ( MonitoringService eq "monitoring.googleapis.com/kubernetes" ) or ( MonitoringService eq "monitoring.googleapis.com" ) ) ) |
| Ensure that Alpha clusters are not used for production workloads |
Alpha clusters are not covered by an SLA and are not production-ready |
Kubernetes
|
KubernetesCluster should have EnableKubernetesAlpha |
| Ensure Pod Security Policy is Enabled and set as appropriate |
Pod Security Policy should be used to prevent privileged containers where possible and enforce namespace and workload configurations |
Kubernetes
|
KubernetesCluster should have PodSecurityPolicyConfig.Enabled |
| Consider GKE Sandbox for running untrusted workloads |
Use GKE Sandbox to restrict untrusted workloads as an additional layer of protection when running in a multi-tenant environment |
Kubernetes
|
KubernetesCluster should have NodePools with [ Config.SandboxConfig.SandboxType eq "gvisor"] |
| Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled |
Disable access to the Kubernetes API from outside the node network if it is not required. |
Kubernetes
|
KubernetesCluster should have PrivateClusterConfig . EnablePrivateEndpoint and Endpoint isPrivate () |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days |
A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. |
KMS
|
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level |
It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser" |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. |
Kubernetes
|
KubernetesCluster should not have LegacyAbac . Enabled eq True |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels |
Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. |
Kubernetes
|
KubernetesCluster should have Tags len ( ) gt 0 |
| Remote access: Ensure oslogin is enabled for a Project |
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Project . ComputeInfo . CommonInstanceMetadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)true" ] and no Metadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)false" ] |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days |
A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. |
KMS
|
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level |
It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser" |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. |
ComputeEngine
|
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "(?i)true" ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. |
Kubernetes
|
KubernetesCluster should not have LegacyAbac . Enabled eq True |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.delete\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network route changes |
It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network changes |
It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_network\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ] |
| Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ] |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network |
Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. |
VPCnetwork
|
VPC should have every Subnetworks with [ LogEnabled ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. |
Kubernetes
|
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. |
Kubernetes
|
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True |
| Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. |
Kubernetes
|
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true |
| Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters |
Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ] |
| Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ] |
| Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. |
Kubernetes
|
KubernetesCluster should have NodeConfig . ImageType eq "COS" |
| Description |
Service |
Rule |
| Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ] |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level |
It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser" |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days |
A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. |
KMS
|
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. |
Kubernetes
|
KubernetesCluster should not have LegacyAbac . Enabled eq True |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Identities and credentials: Ensure BigQuery does not have Dataset ACL which is open to all authenticated users |
A cloud data warehouse should not allow access to all authenticated users. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. |
BigQuery
|
BigqueryDataset should not have DatasetACL with [ SpecialGroup eq "allAuthenticatedUsers" ] |
| Identities and credentials: Ensure BigQuery does not have Dataset ACL which grants permission to a Gmail account |
A cloud data warehouse should not allow access to Gmail accounts. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. |
BigQuery
|
BigqueryDataset should not have DatasetACL with [ UserEmail like "@gmail\.com" ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Remote access: Ensure oslogin is enabled for a Project |
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Project . ComputeInfo . CommonInstanceMetadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)true" ] and no Metadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)false" ] |
| Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. |
ComputeEngine
|
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "(?i)true" ] |
| Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. |
Kubernetes
|
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.delete\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network route changes |
It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network changes |
It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_network\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. |
Kubernetes
|
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels |
Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. |
Kubernetes
|
KubernetesCluster should have Tags len ( ) gt 0 |
| Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled |
Disable access to the Kubernetes API from outside the node network if it is not required. |
Kubernetes
|
KubernetesCluster should have PrivateClusterConfig . EnablePrivateEndpoint and Endpoint isPrivate () |
| Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. |
Kubernetes
|
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true |
| Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters |
Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ] |
| Backups of information: Ensure SQL Instances have Backup enabled |
Enable database backups on mission-critical systems.Lack of backups can result in permanent data loss if database is lost or corrupted. |
SQL
|
SqlInstance should not have Settings . BackupConfiguration . Enabled eq false |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ] |
| Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ] |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network |
Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. |
VPCnetwork
|
VPC should have every Subnetworks with [ LogEnabled ] |
| Communications and control network protection: Ensure FirewallRule doesn't have any rule that allows incoming traffic on all ports |
Exposing all ports adds risk of exposure or compromise for all current and future network services running on the instance. Change firewall rule to only expose required ports. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Ports with [ FromPort eq 0 and ToPort eq 65535 ] ] |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels |
Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. |
Kubernetes
|
KubernetesCluster should have Tags len ( ) gt 0 |
| Remote access: Ensure oslogin is enabled for a Project |
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Project . ComputeInfo . CommonInstanceMetadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)true" ] and no Metadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)false" ] |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days |
A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. |
KMS
|
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level |
It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser" |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. |
ComputeEngine
|
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "(?i)true" ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. |
Kubernetes
|
KubernetesCluster should not have LegacyAbac . Enabled eq True |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.delete\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network route changes |
It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network changes |
It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_network\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ] |
| Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ] |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network |
Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. |
VPCnetwork
|
VPC should have every Subnetworks with [ LogEnabled ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. |
Kubernetes
|
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. |
Kubernetes
|
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True |
| Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. |
Kubernetes
|
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true |
| Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters |
Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ] |
| Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ] |
| Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. |
Kubernetes
|
KubernetesCluster should have NodeConfig . ImageType eq "COS" |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels |
Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. |
Kubernetes
|
KubernetesCluster should have Tags len ( ) gt 0 |
| Remote access: Ensure oslogin is enabled for a Project |
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Project . ComputeInfo . CommonInstanceMetadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)true" ] and no Metadata . Items with [ Key eq "enable-oslogin" and Value like "(?i)false" ] |
| Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account |
User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. |
IAM
|
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1 |
| Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. |
IAM
|
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ] |
| Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days |
A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. |
KMS
|
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days") |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] ) |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level |
It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser" |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. |
ComputeEngine
|
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "(?i)true" ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. |
Kubernetes
|
KubernetesCluster should not have LegacyAbac . Enabled eq True |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.delete\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network route changes |
It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network changes |
It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_network\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ] |
| Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ] |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network |
Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. |
VPCnetwork
|
VPC should have every Subnetworks with [ LogEnabled ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. |
Kubernetes
|
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. |
Kubernetes
|
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True |
| Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. |
Kubernetes
|
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true |
| Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters |
Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ] |
| Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ] |
| Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. |
Kubernetes
|
KubernetesCluster should have NodeConfig . ImageType eq "COS" |
| Description |
Service |
Rule |
| Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. |
Storage
|
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ] |
| Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world |
To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. |
SQL
|
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ] |
| Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host |
When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. |
SQL
|
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ] |
| Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels |
Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. |
Kubernetes
|
KubernetesCluster should have Tags len ( ) gt 0 |
| Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. |
SQL
|
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True |
| Identities and credentials: Ensure that ServiceAccount has no Admin privileges. |
A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" ) |
| Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level |
It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. |
IAMPolicy
|
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser" |
| Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users |
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. |
IAMPolicy
|
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] ) |
| Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. |
ComputeEngine
|
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ] |
| Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled |
You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. |
Kubernetes
|
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True |
| Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. |
Kubernetes
|
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password |
| Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled |
If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. |
Kubernetes
|
KubernetesCluster should have MasterAuth . ClientKey |
| Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters |
A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. |
Kubernetes
|
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ] |
| Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. |
ComputeEngine
|
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "(?i)true" ] |
| Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances |
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "(?i)true" ] |
| Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. |
Kubernetes
|
KubernetesCluster should not have LegacyAbac . Enabled eq True |
| Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts |
Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. |
IAMPolicy
|
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ] |
| Audit/log records: Ensure that logging is enabled for Cloud buckets |
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. |
Storage
|
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix |
| Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. |
Kubernetes
|
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com" |
| Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. |
Kubernetes
|
KubernetesCluster should have LoggingService eq "logging.googleapis.com" |
| Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. |
Logging
|
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ] |
| Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes |
In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. |
Monitor
|
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes |
Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Custom Role changes |
It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes |
It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.firewalls\.delete\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network route changes |
It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for VPC network changes |
It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_network\"\s+AND\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*:\s*\"compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes |
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes |
It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks |
Monitor
|
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ] |
| Communications and control network protection: Ensure the default network does not exist in a project |
To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. |
ComputeEngine
|
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True |
| Communications and control network protection: Ensure legacy networks does not exists for a project |
In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. |
VPCnetwork
|
VPC should not have Mode eq "LEGACY" |
| Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS |
Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. |
DNS
|
DNSManagedZone should have DnssecConfig . State eq "on" |
| Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ] |
| Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. |
DNS
|
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ] |
| Ensure that SSH access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ] |
| Ensure that RDP access is restricted from the internet |
This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. |
VPCnetwork
|
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ] |
| Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network |
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. |
ComputeEngine
|
Subnet should have PrivateIPGoogleAccess eq True |
| Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network |
Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. |
VPCnetwork
|
VPC should have every Subnetworks with [ LogEnabled ] |
| Network integrity: Ensure that IP forwarding is not enabled on Instances |
Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. |
ComputeEngine
|
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward |
| Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. |
Kubernetes
|
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True |
| Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters |
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. |
Kubernetes
|
KubernetesCluster should have NetworkPolicy . Enabled eq True |
| Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. |
Kubernetes
|
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True |
| Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. |
Kubernetes
|
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true |
| Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters |
Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ] |
| Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. |
Kubernetes
|
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ] |
| Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. |
Kubernetes
|
KubernetesCluster should have NodeConfig . ImageType eq "COS" |
