Control types for @turbot/gcp-cisv2-0
- GCP > CIS v2.0
- GCP > CIS v2.0 > 1 - Identity and Access Management
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
- GCP > CIS v2.0 > 2 - Logging and Monitoring
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
- GCP > CIS v2.0 > 3 - Networking
- GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
- GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
- GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
- GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
- GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
- GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
- GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
- GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
- GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
- GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
- GCP > CIS v2.0 > 4 - Virtual Machines
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
- GCP > CIS v2.0 > 5 - Storage
- GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
- GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
- GCP > CIS v2.0 > 7 - BigQuery
- GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
- GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
- GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
GCP > CIS v2.0
Configures a default auditing level against the Google Cloud Platform Foundation Benchmark, Version 2.0.
GCP > CIS v2.0 > 1 - Identity and Access Management
This section covers recommendations addressing Identity and Access Management on Google Cloud Platform.
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
Configures auditing against a CIS Benchmark item.
Level: 1
Use corporate login credentials instead of personal accounts, such as Gmail accounts.
tmod:@turbot/gcp-cisv2-0#/control/types/r0101
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
Configures auditing against a CIS Benchmark item.
Level: 1
Set up multi-factor authentication for Google Cloud Platform accounts.
tmod:@turbot/gcp-cisv2-0#/control/types/r0102
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
Configures auditing against a CIS Benchmark item.
Level: 2
Set up Security Key Enforcement for Google Cloud Platform admin accounts.
tmod:@turbot/gcp-cisv2-0#/control/types/r0103
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
Configures auditing against a CIS Benchmark item.
Level: 1
User-managed service accounts should not have user-managed keys.
tmod:@turbot/gcp-cisv2-0#/control/types/r0104
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
Configures auditing against a CIS Benchmark item.
Level: 1
A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user. The application uses the service account to call the service's Google API so that users aren't directly involved. It is recommended not to grant admin access to service accounts.
tmod:@turbot/gcp-cisv2-0#/control/types/r0105
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.
tmod:@turbot/gcp-cisv2-0#/control/types/r0106
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
Configures auditing against a CIS Benchmark item.
Level: 1
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account. It is recommended that all Service Account keys are regularly rotated.
tmod:@turbot/gcp-cisv2-0#/control/types/r0107
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
Configures auditing against a CIS Benchmark item.
Level: 2
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
tmod:@turbot/gcp-cisv2-0#/control/types/r0108
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.
tmod:@turbot/gcp-cisv2-0#/control/types/r0109
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
Configures auditing against a CIS Benchmark item.
Level: 1
Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.
The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).
tmod:@turbot/gcp-cisv2-0#/control/types/r0110
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
Configures auditing against a CIS Benchmark item.
Level: 2
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
tmod:@turbot/gcp-cisv2-0#/control/types/r0111
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.
tmod:@turbot/gcp-cisv2-0#/control/types/r0116
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
Configures auditing against a CIS Benchmark item.
Level: 2
When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).
tmod:@turbot/gcp-cisv2-0#/control/types/r0117
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
Configures auditing against a CIS Benchmark item.
Level: 1
Google Cloud Functions allow you to host serverless code that is executed when an event is triggered, without requiring the management of a host operating system. These functions can also store environment variables to be used by the code, which may contain authentication or other information that needs to remain confidential.
tmod:@turbot/gcp-cisv2-0#/control/types/r0118
GCP > CIS v2.0 > 2 - Logging and Monitoring
This section covers recommendations addressing Logging and Monitoring on Google Cloud Platform.
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data.
tmod:@turbot/gcp-cisv2-0#/control/types/r0201
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM) system.
tmod:@turbot/gcp-cisv2-0#/control/types/r0202
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
Configures auditing against a CIS Benchmark item.
Level: 2
Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
tmod:@turbot/gcp-cisv2-0#/control/types/r0203
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
Configures auditing against a CIS Benchmark item.
Level: 1
In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all roles/Owner assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to the primitive role roles/Owner are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project
Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
tmod:@turbot/gcp-cisv2-0#/control/types/r0204
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
Configures auditing against a CIS Benchmark item.
Level: 1
Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, "who did what, where, and when?" within GCP projects.
The information recorded by Cloud Audit Logging includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud Audit Logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.
tmod:@turbot/gcp-cisv2-0#/control/types/r0205
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
tmod:@turbot/gcp-cisv2-0#/control/types/r0206
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
Configures auditing against a CIS Benchmark item.
Level: 2
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
tmod:@turbot/gcp-cisv2-0#/control/types/r0207
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
Configures auditing against a CIS Benchmark item.
Level: 2
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.
tmod:@turbot/gcp-cisv2-0#/control/types/r0208
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
Configures auditing against a CIS Benchmark item.
Level: 2
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.
tmod:@turbot/gcp-cisv2-0#/control/types/r0209
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
Configures auditing against a CIS Benchmark item.
Level: 2
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
tmod:@turbot/gcp-cisv2-0#/control/types/r0210
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
Configures auditing against a CIS Benchmark item.
Level: 2
It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
tmod:@turbot/gcp-cisv2-0#/control/types/r0211
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
Configures auditing against a CIS Benchmark item.
Level: 1
Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
tmod:@turbot/gcp-cisv2-0#/control/types/r0212
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
Configures auditing against a CIS Benchmark item.
Level: 1
GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.
tmod:@turbot/gcp-cisv2-0#/control/types/r0213
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
Configures auditing against a CIS Benchmark item.
Level: 2
GCP Access Transparency provides audit logs for all actions that Google personnel take in your Google Cloud resources.
tmod:@turbot/gcp-cisv2-0#/control/types/r0214
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
Configures auditing against a CIS Benchmark item.
Level: 2
GCP Access Approval enables you to require your organization's explicit approval whenever Google support tries to access your projects. You can then select users within your organization who can approve these requests by giving them a security role in IAM. All access requests display which Google employee requested them in an email or Pub/Sub message that you can choose to approve. This adds an additional control and logging of who in your organization approved/denied these requests.
tmod:@turbot/gcp-cisv2-0#/control/types/r0215
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
Configures auditing against a CIS Benchmark item.
Level: 2
Logging enabled on a HTTPS Load Balancer will show all network traffic and its destination.
tmod:@turbot/gcp-cisv2-0#/control/types/r0216
GCP > CIS v2.0 > 3 - Networking
This section covers recommendations addressing networking on Google Cloud Platform.
GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
Configures auditing against a CIS Benchmark item.
Level: 2
To prevent use of the default network, a project should not have a default network.
tmod:@turbot/gcp-cisv2-0#/control/types/r0301
GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
Configures auditing against a CIS Benchmark item.
Level: 1
In order to prevent use of legacy networks, a project should not have a legacy network configured. As of now, Legacy Networks are gradually being phased out, and you can no longer create projects with them. This recommendation is to check older projects to ensure that they are not using Legacy Networks.
tmod:@turbot/gcp-cisv2-0#/control/types/r0302
GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
Configures auditing against a CIS Benchmark item.
Level: 1
Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
tmod:@turbot/gcp-cisv2-0#/control/types/r0303
GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
Configures auditing against a CIS Benchmark item.
Level: 1
NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.
tmod:@turbot/gcp-cisv2-0#/control/types/r0304
GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
Configures auditing against a CIS Benchmark item.
Level: 1
NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.
DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.
tmod:@turbot/gcp-cisv2-0#/control/types/r0305
GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
Configures auditing against a CIS Benchmark item.
Level: 2
GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to a VPC or VM instance using SSH on port 22 can be avoided.
tmod:@turbot/gcp-cisv2-0#/control/types/r0306
GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
Configures auditing against a CIS Benchmark item.
Level: 2
GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP on port 3389 can be avoided.
tmod:@turbot/gcp-cisv2-0#/control/types/r0307
GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
Configures auditing against a CIS Benchmark item.
Level: 2
Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
tmod:@turbot/gcp-cisv2-0#/control/types/r0308
GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
Configures auditing against a CIS Benchmark item.
Level: 1
Secure Sockets Layer (SSL) policies determine which Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers. To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile; or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or (c) a CUSTOM profile that does not support any of the following cipher suites:
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
tmod:@turbot/gcp-cisv2-0#/control/types/r0309
GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
Configures auditing against a CIS Benchmark item.
Level: 2
IAP authenticates user requests to your apps via Google single sign-on. You can then manage these users with permissions to control access. It is recommended to use both IAP permissions and firewalls to restrict access to your apps that hold sensitive information.
tmod:@turbot/gcp-cisv2-0#/control/types/r0310
GCP > CIS v2.0 > 4 - Virtual Machines
This section contains recommendations to address virtual machines on Google Cloud Platform.
GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
tmod:@turbot/gcp-cisv2-0#/control/types/r0401
GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
Configures auditing against a CIS Benchmark item.
Level: 1
To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope "Allow full access to all Cloud APIs".
tmod:@turbot/gcp-cisv2-0#/control/types/r0402
GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to use instance-specific SSH key(s) instead of common/shared project-wide SSH key(s) to access instances.
tmod:@turbot/gcp-cisv2-0#/control/types/r0403
GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
Configures auditing against a CIS Benchmark item.
Level: 1
Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
tmod:@turbot/gcp-cisv2-0#/control/types/r0404
GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
Configures auditing against a CIS Benchmark item.
Level: 1
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
tmod:@turbot/gcp-cisv2-0#/control/types/r0405
GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
Configures auditing against a CIS Benchmark item.
Level: 1
A Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different from the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.
Forwarding of data packets should be disabled to prevent data loss or information disclosure.
tmod:@turbot/gcp-cisv2-0#/control/types/r0406
GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
Configures auditing against a CIS Benchmark item.
Level: 2
Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you want to control and manage this encryption yourself, you can provide your own encryption keys.
tmod:@turbot/gcp-cisv2-0#/control/types/r0407
GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
Configures auditing against a CIS Benchmark item.
Level: 2
To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
tmod:@turbot/gcp-cisv2-0#/control/types/r0408
GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
Configures auditing against a CIS Benchmark item.
Level: 2
Compute instances should not be configured to have external IP addresses.
tmod:@turbot/gcp-cisv2-0#/control/types/r0409
GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
Configures auditing against a CIS Benchmark item.
Level: 2
In order to maintain the highest level of security all connections to an application should be secure by default.
tmod:@turbot/gcp-cisv2-0#/control/types/r0410
GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
Configures auditing against a CIS Benchmark item.
Level: 2
Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs. Customer data will stay encrypted while it is used, indexed, queried, or trained on. Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
tmod:@turbot/gcp-cisv2-0#/control/types/r0411
GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
Configures auditing against a CIS Benchmark item.
Level: 2
Google Cloud Virtual Machines have the ability via an OS Config agent API to periodically (about every 10 minutes) report OS inventory data. A patch compliance API periodically reads this data, and cross references metadata to determine if the latest updates are installed.
This is not the only Patch Management solution available to your organization and you should weigh your needs before committing to using this method.
tmod:@turbot/gcp-cisv2-0#/control/types/r0412
GCP > CIS v2.0 > 5 - Storage
This section covers recommendations addressing storage on Google Cloud Platform.
GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access.
tmod:@turbot/gcp-cisv2-0#/control/types/r0501
GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
Configures auditing against a CIS Benchmark item.
Level: 2
It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
tmod:@turbot/gcp-cisv2-0#/control/types/r0502
GCP > CIS v2.0 > 6 - Cloud SQL Database Services
This section contains recommendations to follow to secure Cloud SQL database services.
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
Covers security recommendations addressing Cloud SQL for MySQL on Google Cloud Platform.
tmod:@turbot/gcp-cisv2-0#/control/types/s0601
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances.
This recommendation is applicable only for MySQL instances. PostgreSQL does not offer any setting for No Password from the cloud console.
tmod:@turbot/gcp-cisv2-0#/control/types/r060101
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to set the skip_show_database database flag for a Cloud SQL MySQL instance to on.
tmod:@turbot/gcp-cisv2-0#/control/types/r060102
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.
tmod:@turbot/gcp-cisv2-0#/control/types/r060103
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
Covers security recommendations addressing Cloud SQL for PostgreSQL on Google Cloud Platform.
tmod:@turbot/gcp-cisv2-0#/control/types/s0602
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
Configures auditing against a CIS Benchmark item.
Level: 2
The log_error_verbosity flag controls the verbosity/details of messages logged. Valid values are:
- TERSE
- DEFAULT
- VERBOSE
TERSE excludes the logging of DETAIL, HINT, QUERY, and CONTEXT error information. VERBOSE output includes the SQLSTATE error code, source code file name, function name, and line number that generated the error.
Ensure an appropriate value is set to 'DEFAULT' or stricter.
tmod:@turbot/gcp-cisv2-0#/control/types/r060201
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
Configures auditing against a CIS Benchmark item.
Level: 1
Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
tmod:@turbot/gcp-cisv2-0#/control/types/r060202
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
Configures auditing against a CIS Benchmark item.
Level: 1
Enabling the log_disconnections setting logs the end of each session, including the session duration.
tmod:@turbot/gcp-cisv2-0#/control/types/r060203
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
Configures auditing against a CIS Benchmark item.
Level: 2
The value of the log_statement flag determines the SQL statements that are logged. Valid values are:
- none
- ddl
- mod
- all
The value ddl logs all data definition statements. The value mod logs all ddl statements, plus data-modifying statements.
The statements are logged after basic parsing is done and the statement type is determined, so statements with errors are not logged. When using the extended query protocol, logging occurs after an Execute message is received and the values of the Bind parameters are included.
A value of 'ddl' is recommended unless otherwise directed by your organization's logging policy.
tmod:@turbot/gcp-cisv2-0#/control/types/r060204
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
Configures auditing against a CIS Benchmark item.
Level: 1
The log_min_messages flag defines the minimum message severity level that is considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
tmod:@turbot/gcp-cisv2-0#/control/types/r060205
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
Configures auditing against a CIS Benchmark item.
Level: 1
The log_min_error_statement flag defines the minimum message severity level that is considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. Ensure a value of ERROR or stricter is set.
tmod:@turbot/gcp-cisv2-0#/control/types/r060206
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
Configures auditing against a CIS Benchmark item.
Level: 1
The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds at which the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.
tmod:@turbot/gcp-cisv2-0#/control/types/r060207
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
Configures auditing against a CIS Benchmark item.
Level: 1
Ensure the cloudsql.enable_pgaudit database flag for each Cloud SQL PostgreSQL instance is set to on to allow for centralized logging.
tmod:@turbot/gcp-cisv2-0#/control/types/r060208
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
Configures auditing against a CIS Benchmark item.
Level: 1
Instance addresses can be public IP or private IP. Public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).
Limiting network access to your database will limit potential attacks.
tmod:@turbot/gcp-cisv2-0#/control/types/r060209
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
Covers security recommendations addressing Cloud SQL for SQL Server on Google Cloud Platform.
tmod:@turbot/gcp-cisv2-0#/control/types/s0603
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to set the external scripts enabled database flag for a Cloud SQL SQL Server instance to off.
tmod:@turbot/gcp-cisv2-0#/control/types/r060301
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to set the cross db ownership chaining database flag for a Cloud SQL SQL Server instance to off.
tmod:@turbot/gcp-cisv2-0#/control/types/r060302
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to check the user connections flag for a Cloud SQL SQL Server instance to ensure that it is not artificially limiting connections.
tmod:@turbot/gcp-cisv2-0#/control/types/r060303
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended that the user options database flag for a Cloud SQL SQL Server instance is not configured.
tmod:@turbot/gcp-cisv2-0#/control/types/r060304
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to set the remote access database flag for a Cloud SQL SQL Server instance to off.
tmod:@turbot/gcp-cisv2-0#/control/types/r060305
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to set the 3625 (trace flag) database flag for a Cloud SQL SQL Server instance to on.
tmod:@turbot/gcp-cisv2-0#/control/types/r060306
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to set the contained database authentication database flag for Cloud SQL on the SQL Server instance to off.
tmod:@turbot/gcp-cisv2-0#/control/types/r060307
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to require all incoming connections to a SQL database instance to use SSL.
tmod:@turbot/gcp-cisv2-0#/control/types/r0604
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
Configures auditing against a CIS Benchmark item.
Level: 1
Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.
tmod:@turbot/gcp-cisv2-0#/control/types/r0605
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
Configures auditing against a CIS Benchmark item.
Level: 2
It is recommended to configure Second Generation SQL instances to use private IPs instead of public IPs.
tmod:@turbot/gcp-cisv2-0#/control/types/r0606
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended to have all SQL database instances set to enable automated backups.
tmod:@turbot/gcp-cisv2-0#/control/types/r0607
GCP > CIS v2.0 > 7 - BigQuery
This section addresses Google Cloud Platform BigQuery. BigQuery is a serverless, highly-scalable, and cost-effective cloud data warehouse with an in-memory BI Engine and machine learning built in.
GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
Configures auditing against a CIS Benchmark item.
Level: 1
It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
tmod:@turbot/gcp-cisv2-0#/control/types/r0701
GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
Configures auditing against a CIS Benchmark item.
Level: 2
BigQuery by default encrypts the data at rest by employing Envelope Encryption using Google-managed cryptographic keys. The data is encrypted using data encryption keys, and the data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as the encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using Google-managed encryption keys.
tmod:@turbot/gcp-cisv2-0#/control/types/r0702
GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
Configures auditing against a CIS Benchmark item.
Level: 2
BigQuery by default encrypts the data at rest by employing Envelope Encryption using Google-managed cryptographic keys. The data is encrypted using data encryption keys, and the data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as the encryption key management solution for BigQuery Data Sets.
tmod:@turbot/gcp-cisv2-0#/control/types/r0703