Netskope

GCP Predefined Rules



🔍
Name Description Service Rule
Communications and control network protection: Ensure FirewallRule doesn't have any rule that allows incoming traffic on all ports Exposing all ports adds risk of exposure or compromise for all current and future network services running on the instance. Change firewall rule to only expose required ports. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Ports with [ FromPort eq 0 and ToPort eq 65535 ] ]
Identities and credentials: Ensure BigQuery does not have Dataset ACL which is open to all authenticated users A cloud data warehouse should not allow access to all authenticated users. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. BigQuery
BigqueryDataset should not have DatasetACL with [ SpecialGroup eq "allAuthenticatedUsers" ]
Identities and credentials: Ensure BigQuery does not have Dataset ACL which grants permission to a Gmail account A cloud data warehouse should not allow access to Gmail accounts. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. BigQuery
BigqueryDataset should not have DatasetACL with [ UserEmail like "@gmail\.com" ]
Backups of information: Ensure SQL Instances have Backup enabled Enable database backups on mission-critical systems.Lack of backups can result in permanent data loss if database is lost or corrupted. SQL
SqlInstance should not have Settings . BackupConfiguration . Enabled eq false
Ensure FirewallRule does not contain any rule which opens DNS port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "udp") and Ports with [ ( FromPort lte 53 and ToPort gte 53 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens FTP port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( ( FromPort lte 20 and ToPort gte 20 ) or ( FromPort lte 21 and ToPort gte 21 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens MongoDB port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( ( FromPort lte 27017 and ToPort gte 27017 ) or ( FromPort lte 27018 and ToPort gte 27018 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens MsSQL port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 1434 and ToPort gte 1434 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens MySQL port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 3306 and ToPort gte 3306 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens NFS port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "udp", "tcp") and Ports with [ ( ( FromPort lte 111 and ToPort gte 111 ) or ( FromPort lte 2049 and ToPort gte 2049 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens OracleDB port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( ( FromPort lte 1521 and ToPort gte 1521 ) or ( FromPort lte 1630 and ToPort gte 1630 ) ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens PostGreSQL port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 5432 and ToPort gte 5432 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens RDP port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "udp", "tcp") and Ports with [ ( FromPort lte 3389 and ToPort gte 3389 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens SMTP port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 25 and ToPort gte 25 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens SSH port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 22 and ToPort gte 22 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure FirewallRule does not contain any rule which opens Telnet port to internet Opening a port increases risk of exposure or compromise. Review whether the network service needs to be exposed to the world and change the firewall rule to restrict access. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 23 and ToPort gte 23 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]
Ensure Virtual Machine Instances are not exposed to the internet Virtual Machine should not have the public IP address. If it is public is have exposure to the Internet which can increase the likelihood of data exfiltration or compromise for this virtual machine. To prevent this remove the public IP address from the access configuration for this virtual machine. ComputeEngine
Instance should not have NetworkInterfaces with [ AccessConfigs with [ NatIP ] ]
Ensure VPC does not have any route to the internet If VPC has a route to the Internet, then Exposure to the internet can lead to data exfiltration or compromise for resources in this VPC. Change the configuration of VPC to prevent this. VPCnetwork
Route should not have Network . id and ( DestinationCIDR isPublic ( ) or DestinationCIDR eq 0.0.0.0/0 )
Ensure that Load Balancers do not have public IP address If Load Balancer has a public IP address, then it can have exposure to the Internet. It can increase the likelihood of data exfiltration or compromise for the resources behind this load balancer. Modify the Load Balancer public IP to internal IP. ComputeEngine
ForwardingRule should not have Type eq "INTERNAL" and IP isPublic()
Ensure that project's IAM does not have primitive roles The Wide-ranging permissions roles should not provide to any account. It is the best practice to give the least privilege needed to limit the impact of a security incident. Apply more granular permissions to the account. ProjectIAM
IAMPolicy should not have Role . InbuiltRole and Role . Name in ( "editor", "viewer", "owner" )
Ensure that 'Account' has 'services enabled' Ensure that Account has services enabled Project
Project should have Services len ( ) gt 0
Ensure that DataProc Cluster has a customer managed encryption key Ensure that DataProc Cluster has a customer managed encryption key Dataproc
DataprocCluster should have Config . EncryptionConfig . GcePdKmsKeyName
Ensure that 'Bucket' has a 'customer managed encryption key' Ensure that Bucket' has a customer managed encryption key Storage
Bucket should have Encryption eq "Customer-managed key"
Ensure that 'Virtual Machine Instance Disk' has a 'customer managed encryption key' Ensure that Virtual Machine Instance Disk has a customer managed encryption key ComputeEngine
Volume should have DiskEncryptionKey . KMSKey . id
Name Description Service Rule
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. Storage
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ]
Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. SQL
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ]
Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. SQL
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ]
Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. Kubernetes
KubernetesCluster should have Tags len ( ) gt 0
Remote access: Ensure oslogin is enabled for a Project Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. ComputeEngine
Instance should have Metadata . Items with [ Key eq "enable-oslogin" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. IAM
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. IAM
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ]
Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. KMS
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days")
Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] )
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser"
Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] )
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. Kubernetes
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ]
Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. ComputeEngine
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. Kubernetes
KubernetesCluster should not have LegacyAbac . Enabled eq True
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Audit/log records: Ensure that logging is enabled for Cloud buckets By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Storage
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix
Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. Kubernetes
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com"
Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Kubernetes
KubernetesCluster should have LoggingService eq "logging.googleapis.com"
Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. Logging
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ]
Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. Monitor
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Custom Role changes It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network route changes It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network changes It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gce_network\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Communications and control network protection: Ensure the default network does not exist in a project To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. ComputeEngine
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True
Communications and control network protection: Ensure legacy networks does not exists for a project In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. VPCnetwork
VPC should not have Mode eq "LEGACY"
Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. DNS
DNSManagedZone should have DnssecConfig . State eq "on"
Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ]
Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ]
Ensure that SSH access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ]
Ensure that RDP access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ]
Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. ComputeEngine
Subnet should have PrivateIPGoogleAccess eq True
Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. VPCnetwork
VPC should have every Subnetworks with [ LogEnabled ]
Network integrity: Ensure that IP forwarding is not enabled on Instances Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward
Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. Kubernetes
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True
Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. Kubernetes
KubernetesCluster should have NetworkPolicy . Enabled eq True
Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. Kubernetes
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True
Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. Kubernetes
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true
Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ]
Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ]
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. Kubernetes
KubernetesCluster should have NodeConfig . ImageType eq "COS"
Name Description Service Rule
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. IAM
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser"
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. IAM
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ]
Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] )
Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. KMS
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days")
Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] )
Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. Logging
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ]
Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. Monitor
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Custom Role changes It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network route changes It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network changes It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gce_network\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Communications and control network protection: Ensure the default network does not exist in a project To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. ComputeEngine
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True
Communications and control network protection: Ensure legacy networks does not exists for a project In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. VPCnetwork
VPC should not have Mode eq "LEGACY"
Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. DNS
DNSManagedZone should have DnssecConfig . State eq "on"
Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ]
Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ]
Ensure that SSH access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ]
Ensure that RDP access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ]
Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. ComputeEngine
Subnet should have PrivateIPGoogleAccess eq True
Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. VPCnetwork
VPC should have every Subnetworks with [ LogEnabled ]
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure oslogin is enabled for a Project Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. ComputeEngine
Instance should have Metadata . Items with [ Key eq "enable-oslogin" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. ComputeEngine
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "[Tt][Rr][Uu][Ee]" ]
Network integrity: Ensure that IP forwarding is not enabled on Instances Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. Storage
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ]
Audit/log records: Ensure that logging is enabled for Cloud buckets By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Storage
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. SQL
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ]
Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. SQL
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ]
Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Kubernetes
KubernetesCluster should have LoggingService eq "logging.googleapis.com"
Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. Kubernetes
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com"
Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. Kubernetes
KubernetesCluster should not have LegacyAbac . Enabled eq True
Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. Kubernetes
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True
Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. Kubernetes
KubernetesCluster should have Tags len ( ) gt 0
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ]
Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ]
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. Kubernetes
KubernetesCluster should have NodeConfig . ImageType eq "COS"
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. Kubernetes
KubernetesCluster should have NetworkPolicy . Enabled eq True
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. Kubernetes
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True
Baseline security configuration of systems: Ensure Kubernetes Cluster is created with Private cluster enabled A private cluster is a cluster that makes your master inaccessible from the public internet. In a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes have addressed only in the private RFC 1918 address space. Nodes and masters communicate with each other privately using VPC peering. Kubernetes
KubernetesCluster should have PrivateClusterConfig . EnablePrivateEndpoint eq True
Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. Kubernetes
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true
Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. Kubernetes
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ]
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys ComputeEngine
Volume where Name notlike "^gke-" should have DiskEncryptionKey . Sha256 len ( ) gt 0
Name Description Service Rule
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. IAM
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level. Identity
IAMPolicy where Name eq "iam.serviceAccountUser" or Name eq "iam.serviceAccountTokenCreator" should have Members . UserEmails len() eq 0
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. IAM
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ]
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access KMS
KMSKey should not have Bindings with [ Members has ("allAuthenticatedUsers") or Members has ("allUsers") ]
Ensure KMS encryption keys are rotated within a period of 90 days It is recommended that the KMS encryption keys are rotated within a period of 90 days KMS
KMSKey should have RotationPeriod lte 7776000 and NextRotationTime isEarlierThan (90, "days")
Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] )
Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. Logging
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ]
Ensure that retention policies on log buckets are configured using Bucket Lock Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks. Storage
LoggingSink where Destination . Bucket . id len() gt 0 should have Destination . Bucket . RetentionPolicy . IsLocked
Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. Monitor
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Custom Role changes It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network route changes It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network changes It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gce_network\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Ensure that Cloud DNS logging is enabled for all VPC networks Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC Network
VPC should have DNSPolicy . enableLogging
Communications and control network protection: Ensure the default network does not exist in a project To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. ComputeEngine
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True
Communications and control network protection: Ensure legacy networks does not exists for a project In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. VPCnetwork
VPC should not have Mode eq "LEGACY"
Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. DNS
DNSManagedZone should have DnssecConfig . State eq "on"
Ensure that SSH access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ]
Ensure that RDP access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ]
Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. VPCnetwork
VPC should have every Subnetworks with [ LogEnabled ]
Ensure that instances are not configured to use the default service account It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project. ComputeEngine
Instance should not have ServiceAccounts with [ Email like "compute@developer\.gserviceaccount\.com$"]
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure oslogin is enabled for a Project Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. ComputeEngine
Instance should have Metadata . Items with [ Key eq "enable-oslogin" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. ComputeEngine
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "[Tt][Rr][Uu][Ee]" ]
Network integrity: Ensure that IP forwarding is not enabled on Instances Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys ComputeEngine
Volume where Name notlike "^gke-" should have DiskEncryptionKey . Sha256 len ( ) gt 0
Ensure Compute instances are launched with Shielded VM enabled To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled. ComputeEngine
Instance should have ShieldedVM
Ensure that Compute instances do not have public IP addresses Compute instances should not be configured to have external IP addresses. ComputeEngine
Instance should not have NetworkInterfaces with [ AccessConfigs len ( ) gt 0 ]
Ensure that Compute instances have Confidential Computing enabled Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in use while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU). ComputeEngine
Instance should have ConfidentialComputing
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. Storage
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ]
Ensure that Cloud Storage buckets have uniform bucket-level access enabled It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets. Storage
Bucket should have IAMConfiguration.UniformBucketLevelAccess
Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on' It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on SQL
SqlInstance where DatabaseType eq "MYSQL" should have Settings . DatabaseFlags with [ Name eq "skip_show_database" and Value eq "on" ]
Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off' It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off. SQL
SqlInstance where DatabaseType eq "MYSQL" should have Settings . DatabaseFlags with [ Name eq "local_infile" and Value eq "off" ]
Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on' Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_checkpoints" and Value eq "on" ]
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter The log_error_verbosity flag controls the verbosity/details of messages logged. Valid values are: TERSE, DEFAULT, VERBOSE SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_error_verbosity" and Value in ( "default", "verbose" ) ]
Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on' Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_connections" and Value eq "on" ]
Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on' Enabling the log_disconnections setting logs the end of each session, including the session duration. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_disconnections" and Value eq "on" ]
Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on Enabling the log_lock_waits flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted deadlock_timeout time to acquire a lock. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_lock_waits" and Value eq "on" ]
Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' The log_statement_stats flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats). SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_statement_stats" and Value eq "off" ]
Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_hostname" and Value eq "off" ]
Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server. If the syntax is correct a parse tree is built up else an error is generated. The log_parser_stats flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_parser_stats" and Value eq "off" ]
Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' The same SQL query can be excuted in multiple ways and still produce different results. The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query. The log_planner_stats flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_planner_stats" and Value eq "off" ]
Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner. The executor processes the plan recursively to extract the required set of rows. The log_executor_stats flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_executor_stats" and Value eq "off" ]
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter The log_min_error_statement flag defines the minimum message severity level that are considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. Ensure a value of ERROR or stricter is set. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_min_error_statement" and Value in ("debug5", "debug4", "debug3", "debug2", "debug1", "info", "notice", "warning", "error")]
Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on) PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed work_mem. The log_temp_files flag controls logging names and the file size when it is deleted. Configuring log_temp_files to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. A value of -1 disables temporary file information logging. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_temp_files" and Value eq "0" ]
Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled) The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set. SQL
SqlInstance where DatabaseType eq "POSTGRES" should have Settings . DatabaseFlags with [ Name eq "log_min_duration_statement" and Value eq "-1" ]
Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off SQL
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "external scripts enabled" and Value eq "off" ]
Ensure 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off. SQL
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "cross db ownership chaining" and Value eq "off" ]
Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured. SQL
SqlInstance where DatabaseType eq "SQLSERVER" should not have Settings . DatabaseFlags with [ Name eq "user options" ]
Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate It is recommended to set user connections database flag for Cloud SQL SQL Server instance according organization-defined value. SQL
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "user connections" and Value neq "0" ]
Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off' It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off. SQL
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "3625" and Value eq "off" ]
Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off. SQL
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "contained database authentication" and Value eq "off" ]
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. SQL
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ]
Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. SQL
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ]
Ensure that Cloud SQL database instances do not have public IPs It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs. SQL
SqlInstance where InstanceType eq "CLOUD_SQL_INSTANCE" should not have BackendType eq "SECOND_GEN" and IpAddresses with [IpAddress isPublic() or Type eq "PRIMARY" ]
Backups of information: Ensure SQL Instances have Backup enabled Enable database backups on mission-critical systems.Lack of backups can result in permanent data loss if database is lost or corrupted. SQL
SqlInstance should not have Settings . BackupConfiguration . Enabled eq false
Ensure that BigQuery datasets are not anonymously or publicly accessible It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access. Database
BigqueryDataset should not have DatasetACL with [ SpecialGroup eq "allAuthenticatedUsers" or SpecialGroup eq "allUsers"]
Ensure that all BigQuery Tables are encrypted with Customer- managed encryption key (CMEK) BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys. Database
BigqueryDataset should have every Tables with [ encryption . enabled ]
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off. SQL
SqlInstance where DatabaseType eq "SQLSERVER" should have Settings . DatabaseFlags with [ Name eq "remote access" and Value eq "off" ]
Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. Database
BigqueryDataset should have Encryption.Enabled
Name Description Service Rule
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. Storage
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ]
Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. SQL
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ]
Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. SQL
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ]
Remote access: Ensure oslogin is enabled for a Project Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. ComputeEngine
Instance should have Metadata . Items with [ Key eq "enable-oslogin" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. IAM
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. IAM
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ]
Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. KMS
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days")
Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] )
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser"
Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] )
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. Kubernetes
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ]
Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Audit/log records: Ensure that logging is enabled for Cloud buckets By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Storage
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix
Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. Kubernetes
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com"
Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Kubernetes
KubernetesCluster should have LoggingService eq "logging.googleapis.com"
Communications and control network protection: Ensure the default network does not exist in a project To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. ComputeEngine
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True
Communications and control network protection: Ensure legacy networks does not exists for a project In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. VPCnetwork
VPC should not have Mode eq "LEGACY"
Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. DNS
DNSManagedZone should have DnssecConfig . State eq "on"
Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ]
Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ]
Ensure that SSH access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ]
Ensure that RDP access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ]
Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. ComputeEngine
Subnet should have PrivateIPGoogleAccess eq True
Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. VPCnetwork
VPC should have every Subnetworks with [ LogEnabled ]
Network integrity: Ensure that IP forwarding is not enabled on Instances Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward
Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. Kubernetes
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True
Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. Kubernetes
KubernetesCluster should have NetworkPolicy . Enabled eq True
Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. Kubernetes
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True
Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. Kubernetes
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true
Name Description Service Rule
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. Kubernetes
KubernetesCluster should have NodeConfig . ImageType eq "COS"
Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ]
Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ]
Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. Kubernetes
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True
Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. Kubernetes
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True
Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. Kubernetes
KubernetesCluster should have NetworkPolicy . Enabled eq True
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. Kubernetes
KubernetesCluster should not have LegacyAbac . Enabled eq True
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Ensure Image Vulnerability Scanning using GCR Container Analysis or a third party provider Scan images stored in Google Container Registry (GCR) for vulnerabilities. Kubernetes
GCP should have atleast one Service with [ Name eq "containerscanning.googleapis.com" and State eq "ENABLED"]
Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-managed key in Cloud KMS Kubernetes
KubernetesCluster should have DatabaseEncryption.State eq "ENCRYPTED" and DatabaseEncryption.KeyName neq ""
Ensure legacy Compute Engine instance metadata APIs are Disabled Disable the legacy GCE instance metadata APIs for GKE nodes. Under some circumstances, these can be used from within a pod to extract the node's credentials Kubernetes
KubernetesCluster should have NodePools with [ Config.Metadata with [ Name eq "disable-legacy-endpoints" and Value eq "true"] ]
Ensure the GKE Metadata Server is Enabled Running the GKE Metadata Server prevents workloads from accessing sensitive instance metadata and facilitates Workload Identity Kubernetes
KubernetesCluster should have NodePools with [ Config.WorkloadMetadataConfig.NodeMetadata len() gt 0]
When creating New Clusters - Automate GKE version management using Release Channels Subscribe to the Regular or Stable Release Channel to automate version upgrades to the GKE cluster and to reduce version management complexity to the number of features and level of stability required Kubernetes
KubernetesCluster should have ReleaseChannel.Channel eq "REGULAR" or ReleaseChannel.Channel eq "STABLE"
Ensure Shielded GKE Nodes are Enabled Shielded GKE Nodes provides verifiable integrity via secure boot, virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring Kubernetes
KubernetesCluster should have ShieldedNodes.Enabled
Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled Enable Integrity Monitoring for Shielded GKE Nodes to be notified of inconsistencies during the node boot sequence Kubernetes
KubernetesCluster should have NodePools with [ Config.ShieldedInstanceConfig.EnableIntegrityMonitoring ]
Ensure Secure Boot for Shielded GKE Nodes is Enabled Enable Secure Boot for Shielded GKE Nodes to verify the digital signature of node boot components Kubernetes
KubernetesCluster should have NodePools with [ Config.ShieldedInstanceConfig.EnableSecureBoot ]
Enable VPC Flow Logs and Intranode Visibility Enable VPC Flow Logs and Intranode Visibility to see pod-level traffic, even for traffic within a worker node Kubernetes
KubernetesCluster should have NetworkConfig . EnableIntraNodeVisibility
Ensure clusters are created with Private Nodes Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes with no public IP addresses Kubernetes
KubernetesCluster should have PrivateClusterConfig . EnablePrivateNodes
Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled Send logs and metrics to a remote aggregator to mitigate the risk of local tampering in the event of a breach Kubernetes
KubernetesCluster should have ( ( ( LoggingService eq "logging.googleapis.com/kubernetes" ) or ( LoggingService eq "logging.googleapis.com" ) ) and ( ( MonitoringService eq "monitoring.googleapis.com/kubernetes" ) or ( MonitoringService eq "monitoring.googleapis.com" ) ) )
Ensure that Alpha clusters are not used for production workloads Alpha clusters are not covered by an SLA and are not production-ready Kubernetes
KubernetesCluster should have EnableKubernetesAlpha
Ensure Pod Security Policy is Enabled and set as appropriate Pod Security Policy should be used to prevent privileged containers where possible and enforce namespace and workload configurations Kubernetes
KubernetesCluster should have PodSecurityPolicyConfig.Enabled
Consider GKE Sandbox for running untrusted workloads Use GKE Sandbox to restrict untrusted workloads as an additional layer of protection when running in a multi-tenant environment Kubernetes
KubernetesCluster should have NodePools with [ Config.SandboxConfig.SandboxType eq "gvisor"]
Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled Disable access to the Kubernetes API from outside the node network if it is not required. Kubernetes
KubernetesCluster should have PrivateClusterConfig . EnablePrivateEndpoint and Endpoint isPrivate ()
Name Description Service Rule
Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. IAM
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. IAM
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ]
Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. KMS
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days")
Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] )
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser"
Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] )
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. Kubernetes
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ]
Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. Kubernetes
KubernetesCluster should not have LegacyAbac . Enabled eq True
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Audit/log records: Ensure that logging is enabled for Cloud buckets By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Storage
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix
Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. Kubernetes
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com"
Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Kubernetes
KubernetesCluster should have LoggingService eq "logging.googleapis.com"
Name Description Service Rule
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. Storage
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ]
Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. SQL
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ]
Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. SQL
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ]
Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. Kubernetes
KubernetesCluster should have Tags len ( ) gt 0
Remote access: Ensure oslogin is enabled for a Project Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. ComputeEngine
Instance should have Metadata . Items with [ Key eq "enable-oslogin" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. IAM
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. IAM
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ]
Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. KMS
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days")
Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] )
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser"
Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] )
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. Kubernetes
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ]
Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. ComputeEngine
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. Kubernetes
KubernetesCluster should not have LegacyAbac . Enabled eq True
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Audit/log records: Ensure that logging is enabled for Cloud buckets By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Storage
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix
Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. Kubernetes
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com"
Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Kubernetes
KubernetesCluster should have LoggingService eq "logging.googleapis.com"
Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. Logging
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ]
Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. Monitor
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Custom Role changes It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network route changes It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network changes It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gce_network\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Communications and control network protection: Ensure the default network does not exist in a project To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. ComputeEngine
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True
Communications and control network protection: Ensure legacy networks does not exists for a project In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. VPCnetwork
VPC should not have Mode eq "LEGACY"
Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. DNS
DNSManagedZone should have DnssecConfig . State eq "on"
Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ]
Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ]
Ensure that SSH access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ]
Ensure that RDP access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ]
Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. ComputeEngine
Subnet should have PrivateIPGoogleAccess eq True
Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. VPCnetwork
VPC should have every Subnetworks with [ LogEnabled ]
Network integrity: Ensure that IP forwarding is not enabled on Instances Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward
Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. Kubernetes
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True
Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. Kubernetes
KubernetesCluster should have NetworkPolicy . Enabled eq True
Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. Kubernetes
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True
Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. Kubernetes
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true
Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ]
Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ]
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. Kubernetes
KubernetesCluster should have NodeConfig . ImageType eq "COS"
Name Description Service Rule
Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ]
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. IAM
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser"
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. IAM
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ]
Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] )
Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. KMS
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days")
Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] )
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. Storage
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ]
Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. SQL
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ]
Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. SQL
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ]
Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. Kubernetes
KubernetesCluster should not have LegacyAbac . Enabled eq True
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. Kubernetes
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ]
Identities and credentials: Ensure BigQuery does not have Dataset ACL which is open to all authenticated users A cloud data warehouse should not allow access to all authenticated users. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. BigQuery
BigqueryDataset should not have DatasetACL with [ SpecialGroup eq "allAuthenticatedUsers" ]
Identities and credentials: Ensure BigQuery does not have Dataset ACL which grants permission to a Gmail account A cloud data warehouse should not allow access to Gmail accounts. Verify that the permissions applied are in line with your business use case.This could expose sensitive data to users outside of your organization. BigQuery
BigqueryDataset should not have DatasetACL with [ UserEmail like "@gmail\.com" ]
Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure oslogin is enabled for a Project Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. ComputeEngine
Instance should have Metadata . Items with [ Key eq "enable-oslogin" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. ComputeEngine
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "[Tt][Rr][Uu][Ee]" ]
Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. Kubernetes
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. Monitor
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Custom Role changes It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network route changes It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network changes It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gce_network\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure that IP forwarding is not enabled on Instances Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward
Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. Kubernetes
KubernetesCluster should have NetworkPolicy . Enabled eq True
Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. Kubernetes
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. Kubernetes
KubernetesCluster should have Tags len ( ) gt 0
Baseline security configuration of systems: Ensure Kubernetes Cluster is created with Private cluster enabled A private cluster is a cluster that makes your master inaccessible from the public internet. In a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes have addressed only in the private RFC 1918 address space. Nodes and masters communicate with each other privately using VPC peering. Kubernetes
KubernetesCluster should have PrivateClusterConfig . EnablePrivateEndpoint eq True
Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. Kubernetes
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true
Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ]
Backups of information: Ensure SQL Instances have Backup enabled Enable database backups on mission-critical systems.Lack of backups can result in permanent data loss if database is lost or corrupted. SQL
SqlInstance should not have Settings . BackupConfiguration . Enabled eq false
Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. Logging
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ]
Audit/log records: Ensure that logging is enabled for Cloud buckets By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Storage
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix
Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Kubernetes
KubernetesCluster should have LoggingService eq "logging.googleapis.com"
Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. Kubernetes
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com"
Communications and control network protection: Ensure the default network does not exist in a project To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. ComputeEngine
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True
Communications and control network protection: Ensure legacy networks does not exists for a project In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. VPCnetwork
VPC should not have Mode eq "LEGACY"
Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. DNS
DNSManagedZone should have DnssecConfig . State eq "on"
Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ]
Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ]
Ensure that SSH access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ]
Ensure that RDP access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ]
Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. ComputeEngine
Subnet should have PrivateIPGoogleAccess eq True
Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. VPCnetwork
VPC should have every Subnetworks with [ LogEnabled ]
Communications and control network protection: Ensure FirewallRule doesn't have any rule that allows incoming traffic on all ports Exposing all ports adds risk of exposure or compromise for all current and future network services running on the instance. Change firewall rule to only expose required ports. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Ports with [ FromPort eq 0 and ToPort eq 65535 ] ]
Name Description Service Rule
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. Storage
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ]
Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. SQL
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ]
Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. SQL
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ]
Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. Kubernetes
KubernetesCluster should have Tags len ( ) gt 0
Remote access: Ensure oslogin is enabled for a Project Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. ComputeEngine
Instance should have Metadata . Items with [ Key eq "enable-oslogin" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. IAM
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. IAM
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ]
Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. KMS
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days")
Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] )
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser"
Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] )
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. Kubernetes
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ]
Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. ComputeEngine
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. Kubernetes
KubernetesCluster should not have LegacyAbac . Enabled eq True
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Audit/log records: Ensure that logging is enabled for Cloud buckets By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Storage
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix
Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. Kubernetes
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com"
Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Kubernetes
KubernetesCluster should have LoggingService eq "logging.googleapis.com"
Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. Logging
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ]
Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. Monitor
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Custom Role changes It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network route changes It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network changes It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gce_network\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Communications and control network protection: Ensure the default network does not exist in a project To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. ComputeEngine
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True
Communications and control network protection: Ensure legacy networks does not exists for a project In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. VPCnetwork
VPC should not have Mode eq "LEGACY"
Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. DNS
DNSManagedZone should have DnssecConfig . State eq "on"
Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ]
Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ]
Ensure that SSH access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ]
Ensure that RDP access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ]
Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. ComputeEngine
Subnet should have PrivateIPGoogleAccess eq True
Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. VPCnetwork
VPC should have every Subnetworks with [ LogEnabled ]
Network integrity: Ensure that IP forwarding is not enabled on Instances Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward
Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. Kubernetes
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True
Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. Kubernetes
KubernetesCluster should have NetworkPolicy . Enabled eq True
Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. Kubernetes
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True
Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. Kubernetes
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true
Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ]
Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ]
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. Kubernetes
KubernetesCluster should have NodeConfig . ImageType eq "COS"
Name Description Service Rule
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. Storage
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ]
Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. SQL
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ]
Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. SQL
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ]
Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. Kubernetes
KubernetesCluster should have Tags len ( ) gt 0
Remote access: Ensure oslogin is enabled for a Project Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users. ComputeEngine
Instance should have Metadata . Items with [ Key eq "enable-oslogin" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure that there are only GCP-managed service account keys for each service account User managed service account should not have user managed keys. Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. IAM
ServiceAccount should not have Email like "iam\.gserviceaccount\.com$" and Keys len ( ) gt 1
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. IAM
ServiceAccount should have every Keys with [ Validity . AfterTime isLaterThan ( -90, "days" ) ]
Identities and credentials: Ensure Encryption keys are rotated within a period of 365 days A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure the rotation period is set to a specific time. KMS
KMSKey should have RotationPeriod lte 31536000 and NextRotationTime isEarlierThan (365, "days")
Identities and credentials: Ensure that Separation of duties is enforced while assigning KMS related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data that that user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered a best practice. Any user(s) should not have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/cloudkms.admin" ] and Roles with [ id in ("roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter" ) ] )
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser"
Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] )
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. Kubernetes
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ]
Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. ComputeEngine
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. Kubernetes
KubernetesCluster should not have LegacyAbac . Enabled eq True
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Audit/log records: Ensure that logging is enabled for Cloud buckets By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Storage
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix
Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. Kubernetes
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com"
Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Kubernetes
KubernetesCluster should have LoggingService eq "logging.googleapis.com"
Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. Logging
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ]
Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. Monitor
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Custom Role changes It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network route changes It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network changes It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gce_network\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Communications and control network protection: Ensure the default network does not exist in a project To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. ComputeEngine
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True
Communications and control network protection: Ensure legacy networks does not exists for a project In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. VPCnetwork
VPC should not have Mode eq "LEGACY"
Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. DNS
DNSManagedZone should have DnssecConfig . State eq "on"
Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ]
Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ]
Ensure that SSH access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ]
Ensure that RDP access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ]
Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. ComputeEngine
Subnet should have PrivateIPGoogleAccess eq True
Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. VPCnetwork
VPC should have every Subnetworks with [ LogEnabled ]
Network integrity: Ensure that IP forwarding is not enabled on Instances Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward
Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. Kubernetes
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True
Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. Kubernetes
KubernetesCluster should have NetworkPolicy . Enabled eq True
Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. Kubernetes
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True
Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. Kubernetes
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true
Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ]
Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ]
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. Kubernetes
KubernetesCluster should have NodeConfig . ImageType eq "COS"
Name Description Service Rule
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible Allowing anonymous and/or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous and/or public access to a bucket is not allowed. Storage
Bucket should not have Policies with [ Members . AllUsers eq True or Members . AllAuthenticatedUsers eq True ]
Identities and credentials: Ensure that Cloud SQL database Instances are not open to the world To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it. Authorized networks should not have IPs/networks configured to 0.0.0.0 or /0 which will allow access to the instance from anywhere in the world. SQL
SqlInstance should not have Settings . IpConfiguration . AuthorizedNetworks with [ CIDR eq 0.0.0.0/0 ]
Identities and credentials: Ensure that MySQL Database Instance does not allows root login from any Host When root access is allowed for any host, any host from authorized networks can attempt to authenticate to a MySql Database Instance using administrative privileges. To minimize attack surface root access can explicitly allowed from only trusted IPs (Hosts) to support database related administrative tasks. SQL
SqlInstance where DatabaseType eq "MYSQL" should not have Users with [ Name eq "root" and Host in ("%", "0.0.0.0", "/0") ]
Baseline security configuration of systems: Ensure Kubernetes Clusters are configured with Labels Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings. Labels can also be used to apply specific security settings and 'auto configure' objects at creation. Kubernetes
KubernetesCluster should have Tags len ( ) gt 0
Data-in-transit is protected: Ensure that Cloud SQL database instance requires all incoming connections to use SSL SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances. SQL
SqlInstance should have Settings . IpConfiguration . RequireSsl eq True
Identities and credentials: Ensure that ServiceAccount has no Admin privileges. A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and ( Role . id in ("roles/editor", "roles/owner") or Role . id like ".*Admin$" )
Identities and credentials: Ensure that IAM users are not assigned Service Account User role at project level It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. A service account is a special Google account that belongs to application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the Google API of a service, so that the users aren't directly involved. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. In order to implement least privileges best practices, IAM users should not be assigned Service Account User role at project level. Instead iam.serviceAccountUser role should be assigned to a user for a specific service account giving a user access to the service account. IAMPolicy
IAMPolicy should not have Members . ServiceEmails with [ Email like "iam\.gserviceaccount\.com$" ] and Role . id eq "roles/iam.serviceAccountUser"
Identities and credentials: Ensure that Separation of duties is enforced while assigning service account related roles to users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. Built-in/Predefined IAM role Service Account admin allows user/identity to create, delete, manage service account(s). Built-in/Predefined IAM role Service Account User allows user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances. Any user(s) should not have Service Account Admin and Service Account User, both roles assigned at a time. IAMPolicy
IAMPolicyUser should not have ( Roles with [ id eq "roles/iam.serviceAccountAdmin" ] and Roles with [ id eq "roles/iam.serviceAccountUser" ] )
Identities and credentials: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. ComputeEngine
Instance should not have ServiceAccounts with [ Scopes with [ Value eq "https://www.googleapis.com/auth/cloud-platform" ] ]
Access permissions and authorizations: Ensure Kubernetes web UI / Dashboard is disabled You should disable the Kubernetes Web UI (Dashboard) when running on Kubernetes Engine. The Kubernetes Web UI (Dashboard) is backed by a highly privileged Kubernetes Service Account. Kubernetes
KubernetesCluster should have AddonsConfig . KubernetesDashboard . Disabled eq True
Identities and credentials: Ensure Basic Authentication is disabled on Kubernetes Engine Clusters Basic authentication allows a user to authenticate to the cluster with a username and password and it is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. Its recommended to use either client certificate or IAM for authentication. Kubernetes
KubernetesCluster should not have MasterAuth . Username and MasterAuth . Password
Identities and credentials: Ensure Kubernetes Cluster is created with Client Certificate enabled If you disable client certificate generation to create a cluster without a client certificate. You will still be able to authenticate to the cluster with basic auth or IAM. But basic auth allows a user to authenticate to the cluster with a username and password which are stored in plain text without any encryption and might lead brute force attacks. Kubernetes
KubernetesCluster should have MasterAuth . ClientKey
Identities and credentials: Ensure default Service account is not used for Project access in Kubernetes Clusters A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. Kubernetes
KubernetesCluster should not have NodePools with [ Config . ServiceAccount eq "default" ]
Remote access: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled. ComputeEngine
Instance should not have Metadata . Items with [ Key eq "serial-port-enable" and Value like "[Tt][Rr][Uu][Ee]" ]
Remote access: Ensure "Block Project-wide SSH keys" enabled for VM instances Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should have Metadata . Items with [ Key eq "block-project-ssh-keys" and Value like "[Tt][Rr][Uu][Ee]" ]
Identities and credentials: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. Kubernetes
KubernetesCluster should not have LegacyAbac . Enabled eq True
Identities and credentials: Ensure that corporate login credentials are used instead of Gmail accounts Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. IAMPolicy
IAMPolicy should not have Members . UserEmails with [ Email like "@gmail\.com$" ]
Audit/log records: Ensure that logging is enabled for Cloud buckets By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Storage
Bucket should have Logging . LogBucket and Logging . LogObjectPrefix
Audit/log records: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters Stackdriver Monitoring will monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances. Kubernetes
KubernetesCluster should have MonitoringService eq "monitoring.googleapis.com"
Audit/log records: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Kubernetes
KubernetesCluster should have LoggingService eq "logging.googleapis.com"
Audit/log records: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data. It is recommended to have effective default audit config configured in such a way that: 1. logtype is set to DATA_READ (to logs user activity tracking) and DATA_WRITES (to log changes/tampering to user data); 2. audit config is enabled for all the services supported by Data Access audit logs feature; 3. Logs should be captured for all users. i.e. there are no exempted users in any of the audit config section. This will ensure overriding audit config will not contradict the requirement. Logging
GCP should have atleast one AuditConfigs with [ Service eq "allServices" and AuditLogConfigs with [ LogType eq "DATA_READ" ] and AuditLogConfigs with [ LogType eq "DATA_WRITE" ] and AuditLogConfigs with [ LogType eq "ADMIN_READ" ] ] and every AuditConfigs with [ HasExemptedMembers eq False ]
Network integrity: Ensure log metric filter and alerts exists for Project Ownership assignments/changes In order to prevent unnecessarily project ownership assignments to users/service- accounts and further misuses of project and resources, all roles/Owner assignments should be monitored. Project Ownership Having highest level of privileges on a project, to avoid misuse of project resources project ownership assignment/change actions mentioned should be monitored and alerted to concerned recipients. Monitor
GCP should have any LogMetrics with [ Filter like "\(\s*protoPayload.serviceName\s*=\s*\"cloudresourcemanager\.googleapis\.com\"\s*\)\s+AND\s+\(\s*ProjectOwnership\s+OR\s+projectOwnerInvitee\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"REMOVE\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)\s+OR\s+\(\s*protoPayload\.serviceData\.policyDelta\.bindingDeltas\.action\s*=\s*\"ADD\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.bindingDeltas\.role\s*=\s*\"roles/owner\"\s*\)" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Audit Configuration Changes Admin activity and Data access logs produced by Cloud audit logging enables security analysis, resource change tracking, and compliance auditing. Configuring metric filter and alerts for Audit Configuration Changes ensures recommended state of audit configuration and hence, all the activities in project are audit-able at any point in time. Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"SetIamPolicy\"\s+AND\s+protoPayload\.serviceData\.policyDelta\.auditConfigDeltas:\*.*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Custom Role changes It is recommended that a metric filter and alarm be established for changes IAM Role creation, deletion and updating activities. Monitoring role creation, deletion and updating activities will help in identifying over-privileged role at early stages. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"iam_role\"\s+AND\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.CreateRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.DeleteRole\"\s+OR\s+protoPayload\.methodName\s*=\s*\"google\.iam\.admin\.v1\.UpdateRole\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC Network Firewall rule changes It is recommended that a metric filter and alarm be established for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight network access changes and may reduce the time it takes to detect suspicious activity. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_firewall_rule\"\s+AND\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.firewalls\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network route changes It is recommended that a metric filter and alarm be established for VPC network route changes. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*\"gce_route\"\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.routes\.insert\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for VPC network changes It is recommended that a metric filter and alarm be established for VPC network changes. It is possible to have more than 1 VPC within an project, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs.Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gce_network\s+AND\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.insert\"\s+OR\s+protoPayload\.methodName\s*=\s*\"beta\.compute\.networks\.patch\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.delete\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.removePeering\"\s+OR\s+protoPayload\.methodName\s*=\s*\"v1\.compute\.networks\.addPeering\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. Monitor
GCP should have any LogMetrics with [ Filter like ".*resource\.type\s*=\s*gcs_bucket\s+AND\s+protoPayload\.methodName\s*=\s*\"storage\.setIamPermissions\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Network integrity: Ensure log metric filter and alerts exists for SQL instance configuration changes It is recommended that a metric filter and alarm be established for SQL Instance configuration changes. Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. A few of the configurable Options which may impact security posture of a SQL Instance: Enable auto backups and high availability: Misconfiguration may adversely impact Business continuity, Disaster Recovery and High Availability; Authorize networks : Misconfiguration may increase exposure to the untrusted networks Monitor
GCP should have any LogMetrics with [ Filter like ".*protoPayload\.methodName\s*=\s*\"cloudsql\.instances\.update\".*" and AlertPolicies len ( ) gt 0 and AlertPolicies with [ Enabled eq True ] ]
Communications and control network protection: Ensure the default network does not exist in a project To prevent use of default network, a project should not have a default network.The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network. ComputeEngine
VPC should not have Name eq "default" and AutoCreateSubnetworks eq True
Communications and control network protection: Ensure legacy networks does not exists for a project In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. You cannot create subnetworks in a legacy network or switch from legacy to auto or custom subnet networks. Legacy networks can thus have an impact for high network traffic projects and subject to the single point of contention or failure. VPCnetwork
VPC should not have Mode eq "LEGACY"
Communications and control network protection: Ensure that DNSSEC is enabled for Cloud DNS Cloud DNS is a fast, reliable and cost-effective Domain Name System that powers millions of domains on the internet. DNSSEC in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks. DNS
DNSManagedZone should have DnssecConfig . State eq "on"
Communications and control network protection: Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "keySigning" and Algorithm eq "rsasha1" ]
Communications and control network protection: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should not be weak. DNS
DNSManagedZone should not have any DnssecConfig . DefaultKeySpecs with [ KeyType eq "zoneSigning" and Algorithm eq "rsasha1" ]
Ensure that SSH access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through SSH with default Port 22 assigned to googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 22 and ToPort gte 22 ] ]
Ensure that RDP access is restricted from the internet This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from Internet through RDP with default Port 3389 assigned to a googlecloud firewall rule. We need to restrict generic access from Internet to specific IP Range. VPCnetwork
FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and SourceRanges with [ Value eq 0.0.0.0/0 ] and Allowed with [ Protocol in ("all", "tcp") and Ports with [ FromPort lte 3389 and ToPort gte 3389 ] ]
Communications and control network protection: Ensure Private Google Access is enabled for all subnetwork in VPC Network VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources. When Private Google Access is enabled, VM instances in a subnet can reach the Google Cloud and Developer APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services. Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services. ComputeEngine
Subnet should have PrivateIPGoogleAccess eq True
Communications and control network protection: Ensure VPC Flow logs is enabled for every subnet in VPC Network Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows. It is recommended that Flow Logs be enabled for every business critical VPC subnet. VPCnetwork
VPC should have every Subnetworks with [ LogEnabled ]
Network integrity: Ensure that IP forwarding is not enabled on Instances Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. ComputeEngine
Instance where not ( Name like "^gke-" and Tags with [ Name eq "goog-gke-node" and Value eq "" ] ) should not have CanIpForward
Access permissions and authorizations: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters By Enabling, Master authorized networks blocks untrusted IP addresses from outside Google Cloud Platform and Addresses from inside GCP (such as traffic from Compute Engine VMs) which can reach your master through HTTPS provided that they have the necessary Kubernetes credentials. Kubernetes
KubernetesCluster should have MasterAuthorizedNetworksConfig . Enabled eq True
Network integrity: Ensure Network policy is enabled on Kubernetes Engine Clusters A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. Kubernetes
KubernetesCluster should have NetworkPolicy . Enabled eq True
Network integrity: Ensure Kubernetes Cluster is created with Alias IP ranges enabled With Alias IPs ranges enabled, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. Using Alias IPs has several benefits: Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources; the networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs; firewall controls for Pods can be applied separately from their nodes; Alias IPs allow Pods to directly access hosted services without using a NAT gateway. Kubernetes
KubernetesCluster should have IpAllocationPolicy . UseIpAliases eq True
Baseline security configuration of systems: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. Kubernetes
KubernetesCluster should have Subnetwork . PrivateIPGoogleAccess eq true
Backups of information: Ensure `Automatic node repair` is enabled for Kubernetes Clusters Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoRepair eq True ]
Software asset inventory: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. Kubernetes
KubernetesCluster should have NodePools with [ Management . AutoUpgrade eq True ]
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. Kubernetes
KubernetesCluster should have NodeConfig . ImageType eq "COS"