Policy types for @turbot/gcp-cisv2-0

GCP > CIS v2.0

Configures a default auditing level against the Google Cloud Platform Foundation Benchmark, Version 2.0.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/cis
Category
Parent
Valid Value
[
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
],
"default": "Skip"
}

GCP > CIS v2.0 > 1 - Identity and Access Management

This section covers recommendations addressing Identity and Access Management on Google Cloud Platform.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s01
Category
Valid Value
[
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
],
"example": [
"Skip"
],
"default": "Per GCP > CIS v2.0"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used

Configures auditing against a CIS Benchmark item.

Level: 1

Use corporate login credentials instead of personal accounts, such as Gmail accounts.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0101
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Follow the documentation and set up corporate login accounts.

Prevention:
To ensure that no email addresses outside the organization can be granted IAM permissions to its Google Cloud projects, folders or organization, turn on the Organization Policy for Domain Restricted Sharing. Learn more at: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v2.0 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts

Configures auditing against a CIS Benchmark item.

Level: 1

Set up multi-factor authentication for Google Cloud Platform accounts.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0102
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Google Cloud Console

For each Google Cloud Platform project:

1. Identify non-service accounts.
2. Set up multi-factor authentication for each account.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v2.0 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts

Configures auditing against a CIS Benchmark item.

Level: 2

Set up Security Key Enforcement for Google Cloud Platform admin accounts.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0103
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Google Cloud Console

1. Identify users with the Organization Administrator role.
2. Set up Security Key Enforcement for each account. Learn more at: https://cloud.google.com/security-key/

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v2.0 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account

Configures auditing against a CIS Benchmark item.

Level: 1

User-managed service accounts should not have user-managed keys.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0104
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges

Configures auditing against a CIS Benchmark item.

Level: 1

A service account is a special Google account that belongs to an application or a VM instead of to an individual end user. The application uses the service account to call the service's Google API so that users are not directly involved. It is recommended not to grant admin access to service accounts.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0105
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.
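The two recommendations above (1.05 and 1.06) are both checks on the bindings in a project's IAM policy. The following is an added example, not part of this page or of the Turbot mod, that evaluates both against a constructed policy in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json`. Every binding in that output is a project-level binding, so any `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator` grant found there is exactly the case 1.06 warns about. The admin-role pattern (owner, editor, and predefined roles ending in Admin/admin) is an assumption modelled on the benchmark's wording; custom roles are not matched.

```python
import json
import re

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
# Principals and the project name are placeholders, not real identities.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",  "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:build-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin", "members": ["serviceAccount:data-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com", "group:devs@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:carol@example.com"]}
  ]
}
""")

# 1.05 (assumed heuristic): owner, editor and any predefined *Admin / *admin role count as admin privileges.
ADMIN_ROLE_RE = re.compile(r"^roles/(owner|editor|.*[aA]dmin)$")

# 1.06: bound at project level, these roles allow impersonating every service account in the project.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}


def service_accounts_with_admin_roles(policy):
    """1.05: (member, role) pairs where a service account holds an admin-class role."""
    findings = []
    for binding in policy.get("bindings", []):
        if not ADMIN_ROLE_RE.match(binding["role"]):
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append((member, binding["role"]))
    return findings


def project_level_impersonation_grants(policy):
    """1.06: (member, role) pairs where SA User / Token Creator is bound on the project itself."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] in IMPERSONATION_ROLES:
            for member in binding.get("members", []):
                findings.append((member, binding["role"]))
    return findings


if __name__ == "__main__":
    for member, role in service_accounts_with_admin_roles(SAMPLE_POLICY):
        print(f"1.05 FAIL: {member} holds {role}")
    for member, role in project_level_impersonation_grants(SAMPLE_POLICY):
        print(f"1.06 FAIL: {member} holds {role} at project level")
```

The fix for a 1.06 finding is to move the binding onto the specific service account resource (`gcloud iam service-accounts add-iam-policy-binding`) and remove it from the project, so the member can act as one service account rather than all of them.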

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0106
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer

Configures auditing against a CIS Benchmark item.

Level: 1

Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account. It is recommended that all Service Account keys are regularly rotated.
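Items 1.04 and 1.07 are both decided from the key list of a service account. The following added example (not from this page or the Turbot mod) evaluates both against a constructed list in the shape of `gcloud iam service-accounts keys list --iam-account=SA --format=json`: every `USER_MANAGED` key is a 1.04 finding, and a `USER_MANAGED` key whose `validAfterTime` is more than 90 days before the evaluation time is a 1.07 finding. The evaluation time is pinned to a constant so the result is reproducible; replace it with `datetime.now(timezone.utc)` in real use.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `gcloud iam service-accounts keys list --format=json`.
# Key ids, project and account names are placeholders.
SA = "projects/example-project/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": SA + "/keys/0a1b2c3d", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-15T10:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA + "/keys/4e5f6a7b", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-04-20T08:30:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA + "/keys/8c9d0e1f", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-12-01T00:00:00Z", "validBeforeTime": "2024-12-01T00:00:00Z"},
]

# Fixed evaluation time for a reproducible example (assumption); use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_rfc3339(ts):
    """The key list reports UTC timestamps with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id(key):
    """Last path component of the resource name is the key id shown in the console."""
    return key["name"].rsplit("/", 1)[-1]


def user_managed_key_ids(keys):
    """1.04: GCP-managed keys are SYSTEM_MANAGED; anything USER_MANAGED is a finding."""
    return [key_id(k) for k in keys if k.get("keyType") == "USER_MANAGED"]


def stale_key_ids(keys, now, max_age_days=90):
    """1.07: USER_MANAGED keys created more than max_age_days before `now`."""
    cutoff = now - timedelta(days=max_age_days)
    return [key_id(k) for k in keys
            if k.get("keyType") == "USER_MANAGED" and parse_rfc3339(k["validAfterTime"]) < cutoff]


if __name__ == "__main__":
    print("1.04 user-managed keys:", user_managed_key_ids(SAMPLE_KEYS))
    print("1.07 keys older than 90 days:", stale_key_ids(SAMPLE_KEYS, NOW))
```

Rotation of a user-managed key means creating a new key, redeploying the consumer, and only then deleting the old one; the age check above tells you which keys are overdue, not whether anything still depends on them.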

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0107
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

Configures auditing against a CIS Benchmark item.

Level: 2

It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0108
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0109
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days

Configures auditing against a CIS Benchmark item.

Level: 1

Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.

The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).
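The INTEGER[UNIT] grammar described above is also what the API hands back when a key is described, except that the API always reports the period in seconds (for example `7776000s` for 90 days). The following added example (not from this page or the Turbot mod) parses that grammar and evaluates constructed key descriptions in the shape of `gcloud kms keys describe KEY --format=json` against the 90-day limit, checking both that a rotation period is set and short enough and that the next scheduled rotation is no more than 90 days away. The key names and the evaluation time are placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
MAX_ROTATION = timedelta(days=90)


def parse_rotation_period(value):
    """Parse gcloud's INTEGER[UNIT] form ('90d', '2160h', '7776000s').
    A bare integer is taken as seconds, matching the unit the API reports."""
    match = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", value)
    if not match:
        raise ValueError(f"unrecognised rotation period: {value!r}")
    count, unit = int(match.group(1)), match.group(2) or "s"
    return timedelta(seconds=count * UNIT_SECONDS[unit])


def parse_rfc3339(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_key(key, now):
    """Return (compliant, reasons) for one ENCRYPT_DECRYPT key description.
    Only symmetric encryption keys support automatic rotation, so filter on purpose first."""
    reasons = []
    period = key.get("rotationPeriod")
    if not period:
        reasons.append("no rotationPeriod set (automatic rotation disabled)")
    elif parse_rotation_period(period) > MAX_ROTATION:
        reasons.append(f"rotationPeriod {period} exceeds 90 days")
    next_rotation = key.get("nextRotationTime")
    if not next_rotation:
        reasons.append("no nextRotationTime set")
    elif parse_rfc3339(next_rotation) > now + MAX_ROTATION:
        reasons.append(f"nextRotationTime {next_rotation} is more than 90 days away")
    return (not reasons, reasons)


# Constructed samples shaped like `gcloud kms keys describe --format=json`; names are placeholders.
RING = "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/"
SAMPLE_KEYS = [
    {"name": RING + "app-data", "purpose": "ENCRYPT_DECRYPT",
     "rotationPeriod": "7776000s", "nextRotationTime": "2024-07-15T00:00:00Z"},
    {"name": RING + "backup", "purpose": "ENCRYPT_DECRYPT",
     "rotationPeriod": "365d", "nextRotationTime": "2025-01-01T00:00:00Z"},
    {"name": RING + "legacy", "purpose": "ENCRYPT_DECRYPT"},
]

# Fixed evaluation time for a reproducible example (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        if key.get("purpose") != "ENCRYPT_DECRYPT":
            continue
        ok, reasons = evaluate_key(key, NOW)
        print(key["name"].rsplit("/", 1)[-1], "PASS" if ok else "FAIL: " + "; ".join(reasons))
```

Checking `nextRotationTime` as well as `rotationPeriod` matters because the period can be shortened without rescheduling the next rotation, leaving the key on its old, longer schedule until that date passes.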

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0110
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

Configures auditing against a CIS Benchmark item.

Level: 2

It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0111
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0116
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.


From Google Cloud Console

1. Go to Essential Contacts by visiting https://console.cloud.google.com/iam-admin/essential-contacts

2. Make sure the organization appears in the resource selector at the top of the page. The resource selector tells you what project, folder, or organization you are currently managing contacts for.
3. Click +Add contact
4. In the Email and Confirm Email fields, enter the email address of the contact.
5. From the Notification categories drop-down menu, select the notification categories that you want the contact to receive communications for.
6. Click Save

From Google Cloud CLI

1. To add an organization Essential Contacts run a command:

gcloud essential-contacts create --email="<EMAIL>" \
  --notification-categories="<NOTIFICATION_CATEGORIES>" \
  --organization=<ORGANIZATION_ID>

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v2.0 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key

Configures auditing against a CIS Benchmark item.

Level: 2

When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0117
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager

Configures auditing against a CIS Benchmark item.

Level: 1

Google Cloud Functions allow you to host serverless code that is executed when an event is triggered, without requiring the management of a host operating system. These functions can also store environment variables to be used by the code, which may contain authentication or other information that needs to remain confidential.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0118
Valid Value
[
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 1 - Identity and Access Management",
"Skip",
"Check: Benchmark using attestation"
],
"default": "Per GCP > CIS v2.0 > 1 - Identity and Access Management"
}

GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Enable Secret Manager API for your Project

From Google Cloud Console
1. Within the project you wish to enable, select the Navigation hamburger menu in the top left. Hover over 'APIs & Services', then select 'Enabled APIs & Services' in the menu that opens up.
2. Click the button '+ Enable APIS and Services'
3. In the Search bar, search for 'Secret Manager API' and select it.
4. Click the blue box that says 'Enable'.

From Google Cloud CLI
1. Within the project you wish to enable the API in, run the following command.

gcloud services enable secretmanager.googleapis.com

Reviewing Environment Variables That Should Be Migrated to Secret Manager

From Google Cloud Console
1. Log in to the Google Cloud Web Portal (https://console.cloud.google.com/)
2. Go to Cloud Functions
3. Click on a function name from the list
4. Click on Edit and review the Runtime environment for variables that should be secrets. Leave this list open for the next step.

From Google Cloud CLI
1. To view a list of your cloud functions run

gcloud functions list

2. For each cloud function run the following command.

gcloud functions describe <function_name>

3. Review the settings of the buildEnvironmentVariables and environmentVariables. Keep this information for the next step.

Migrating Environment Variables to Secrets within the Secret Manager

From Google Cloud Console
1. Go to the Secret Manager page in the Cloud Console.
2. On the Secret Manager page, click Create Secret.
3. On the Create secret page, under Name, enter the name of the Environment Variable you are replacing. This will then be the Secret Variable you will reference in your code.
4. You will also need to add a version. This is the actual value of the variable that will be referenced from the code. To add a secret version when creating the initial secret, in the Secret value field, enter the value from the Environment Variable you are replacing.
5. Leave the Regions section unchanged.
6. Click the Create secret button.
7. Repeat for all Environment Variables

From Google Cloud CLI
1. Run the following command with the Environment Variable name you are replacing in the <secret-id>. It is most secure to point this command to a file with the Environment Variable value located in it, as if you entered it via command line it would show up in your shell's command history.

gcloud secrets create <secret-id> --data-file="/path/to/file.txt"

Granting your Runtime's Service Account Access to Secrets

From Google Cloud Console
1. Within the project containing your runtime, log in with an account that has the 'roles/secretmanager.secretAccessor' permission.
2. Select the Navigation hamburger menu in the top left. Hover over 'Security', then select 'Secret Manager' in the menu that opens up.
3. Click the name of a secret listed in this screen.
4. If it is not already open, click Show Info Panel in this screen to open the panel.
5. In the info panel, click Add principal.
6. In the New principals field, enter the service account your function uses for its identity. (If you need help locating or updating your runtime's service account, please see the 'docs/securing/function-identity#runtime_service_account' reference.)
7. In the Select a role dropdown, choose Secret Manager and then Secret Manager Secret Accessor.

From Google Cloud CLI

As of the time of writing, using Google CLI to list Runtime variables is only in beta. Because this is likely to change we are not including it here.

Modifying the Code to use the Secrets in Secret Manager

From Google Cloud Console

This depends heavily on which language your runtime is in. For the sake of the brevity of this recommendation, please see the '/docs/creating-and-accessing-secrets#access' reference for language specific instructions.

From Google Cloud CLI

This depends heavily on which language your runtime is in. For the sake of the brevity of this recommendation, please see the '/docs/creating-and-accessing-secrets#access' reference for language specific instructions.

Deleting the Insecure Environment Variables - Be certain to do this step last. Removing variables from code actively referencing them will prevent it from completing successfully.

From Google Cloud Console
1. Select the Navigation hamburger menu in the top left. Hover over 'Security' then select 'Secret Manager' in the menu that opens up.
2. Click the name of a function. Click Edit.
3. Click Runtime, build and connections settings to expand the advanced configuration options.
4. Click 'Security'. Hover over the secret you want to remove, then click 'Delete'.
5. Click Next. Click Deploy. The latest version of the runtime will now reference the secrets in Secret Manager.

From Google Cloud CLI

gcloud functions deploy <Function name> --remove-env-vars <env vars>

If you need to find the env vars to remove, they are from the step where 'gcloud functions describe <function_name>' was run.
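The review step above ("Reviewing Environment Variables That Should Be Migrated to Secret Manager") and the final removal step can be scripted together. The following is an added example, not from this page or the Turbot mod, that takes a constructed 1st-gen function description in the shape of `gcloud functions describe FUNCTION --format=json` (the page's `environmentVariables` and `buildEnvironmentVariables` fields), flags variables whose name or value looks like a credential, and assembles the `--remove-env-vars` command from the page's last step. The name and value patterns are assumptions to extend to your own conventions; the values in the sample are placeholders, not real secrets.

```python
import re

# Constructed sample shaped like `gcloud functions describe FUNCTION --format=json` (1st gen).
# All values are placeholders, not real credentials.
SAMPLE_FUNCTION = {
    "name": "projects/example-project/locations/us-central1/functions/order-worker",
    "environmentVariables": {
        "LOG_LEVEL": "info",
        "DB_PASSWORD": "placeholder-password",
        "API_KEY": "AIza-constructed-placeholder-value",
        "SIGNING_CERT": "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----",
    },
    "buildEnvironmentVariables": {
        "GOOGLE_FUNCTION_SOURCE": "main.py",
        "NPM_TOKEN": "placeholder-token",
    },
}

# Assumed name patterns that usually denote a credential.
SECRET_NAME_RE = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.IGNORECASE)
# Assumed value shapes that are credentials whatever the name: Google API keys start with
# "AIza", PEM-encoded private keys start with "-----BEGIN".
SECRET_VALUE_RE = re.compile(r"^(AIza|-----BEGIN)")


def find_secret_like_env_vars(function):
    """Return sorted (scope, name) pairs for variables that should move to Secret Manager."""
    flagged = []
    for scope in ("environmentVariables", "buildEnvironmentVariables"):
        for name, value in function.get(scope, {}).items():
            if SECRET_NAME_RE.search(name) or SECRET_VALUE_RE.match(str(value)):
                flagged.append((scope, name))
    return sorted(flagged)


def build_remove_command(function_name, flagged):
    """The page's final step, for runtime variables only. Build-time variables are a separate
    deploy flag and are left for the operator to handle."""
    runtime = sorted(name for scope, name in flagged if scope == "environmentVariables")
    return f"gcloud functions deploy {function_name} --remove-env-vars {','.join(runtime)}"


if __name__ == "__main__":
    short_name = SAMPLE_FUNCTION["name"].rsplit("/", 1)[-1]
    flagged = find_secret_like_env_vars(SAMPLE_FUNCTION)
    for scope, name in flagged:
        print(f"migrate {scope}.{name} to Secret Manager")
    print("after the code references the secrets, run:")
    print("  " + build_remove_command(short_name, flagged))
```

Run the removal command only after the deployed code reads the values from Secret Manager, as the page's warning says; the script prints the command rather than executing it for that reason.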

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v2.0 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s01Attestation
Category
Valid Value
[
"Per GCP > CIS v2.0 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Per GCP > CIS v2.0 > Maximum Attestation Duration"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring

This section covers recommendations addressing Logging and Monitoring on Google Cloud Platform.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s02
Category
Valid Value
[
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
],
"example": [
"Skip"
],
"default": "Per GCP > CIS v2.0"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended that Cloud Audit Logging is configured to track all admin activities and all read and write access to user data.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0201
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM) system.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0202
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock

Configures auditing against a CIS Benchmark item.

Level: 2

Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0203
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes

Configures auditing against a CIS Benchmark item.

Level: 1

In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all roles/Owner assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to primitive role roles/Owner are project owners.

The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project

Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
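The events this item asks you to alert on are `SetIamPolicy` calls on the Resource Manager API whose binding deltas add or remove `roles/owner`. The following added example (not from this page or the Turbot mod) applies that logic to constructed Cloud Audit Log entries in the shape of `gcloud logging read --format=json` output, so you can see which entries the alert fires on and which it ignores (a viewer grant, and an owner grant on a storage bucket rather than the project). The logs-based metric filter string is reproduced from the CIS benchmark text for this item, not from this page, and should be checked against the benchmark before use; the log entries, principals and timestamps are placeholders.

```python
# Logs-based metric filter the CIS benchmark prescribes for this item (from the benchmark text,
# not from this page). The code below implements the same condition over parsed entries.
OWNER_CHANGE_FILTER = (
    '(protoPayload.serviceName="cloudresourcemanager.googleapis.com") '
    'AND (ProjectOwnership OR projectOwnerInvitee) '
    'OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" '
    'AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") '
    'OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" '
    'AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")'
)


def _entry(ts, service, method, actor, deltas):
    """Build one constructed audit log entry in the shape of `gcloud logging read --format=json`."""
    return {"timestamp": ts,
            "protoPayload": {"serviceName": service, "methodName": method,
                             "authenticationInfo": {"principalEmail": actor},
                             "serviceData": {"policyDelta": {"bindingDeltas": deltas}}}}


RM = "cloudresourcemanager.googleapis.com"
# Constructed sample entries; principals and times are placeholders.
SAMPLE_ENTRIES = [
    _entry("2024-06-01T09:00:00Z", RM, "SetIamPolicy", "admin@example.com",
           [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"}]),
    _entry("2024-06-01T09:05:00Z", RM, "SetIamPolicy", "admin@example.com",
           [{"action": "ADD", "role": "roles/viewer", "member": "user:dave@example.com"}]),
    _entry("2024-06-01T09:10:00Z", RM, "SetIamPolicy", "alice@example.com",
           [{"action": "REMOVE", "role": "roles/owner", "member": "user:alice@example.com"},
            {"action": "ADD", "role": "roles/editor", "member": "user:alice@example.com"}]),
    # Same role name on a bucket policy: a different service, so not a project ownership change.
    _entry("2024-06-01T09:15:00Z", "storage.googleapis.com", "storage.setIamPermissions",
           "admin@example.com",
           [{"action": "ADD", "role": "roles/owner", "member": "user:bucket-admin@example.com"}]),
]


def detect_owner_changes(entries):
    """Return one alert dict per ADD/REMOVE of roles/owner made through Resource Manager."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != RM:
            continue
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            # The page writes roles/Owner; audit logs carry roles/owner. Compare case-insensitively.
            if delta.get("role", "").lower() == "roles/owner" and delta.get("action") in ("ADD", "REMOVE"):
                hits.append({"timestamp": entry.get("timestamp"),
                             "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                             "action": delta["action"],
                             "member": delta.get("member")})
    return hits


if __name__ == "__main__":
    for hit in detect_owner_changes(SAMPLE_ENTRIES):
        print(f"{hit['timestamp']} {hit['actor']} {hit['action']} roles/owner for {hit['member']}")
```

Alerting on both ADD and REMOVE is deliberate: a removed owner can be a legitimate clean-up, but it can also be an attacker locking out the real administrators, and either way it deserves a human look.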

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0204
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes

Configures auditing against a CIS Benchmark item.

Level: 1

Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, "who did what, where, and when?" within GCP projects.

Cloud audit log records include the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0205
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0206
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes

Configures auditing against a CIS Benchmark item.

Level: 2

It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0207
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes

Configures auditing against a CIS Benchmark item.

Level: 2

It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0208
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes

Configures auditing against a CIS Benchmark item.

Level: 2

It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0209
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes

Configures auditing against a CIS Benchmark item.

Level: 2

It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0210
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes

Configures auditing against a CIS Benchmark item.

Level: 2

It is recommended that a metric filter and alarm be established for SQL instance configuration changes.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0211
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks

Configures auditing against a CIS Benchmark item.

Level: 1

Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0212
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled

Configures auditing against a CIS Benchmark item.

Level: 1

GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0213
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 2

GCP Access Transparency provides audit logs for all actions that Google personnel take in your Google Cloud resources.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0214
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark using attestation"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Google Cloud Console

Add privileges to enable Access Transparency

1. From the Google Cloud Home, within the project you wish to check, click on the Navigation hamburger menu in the top left. Hover over 'IAM and Admin'. Select IAM at the top of the column that opens.
2. Click the blue button that says +ADD at the top of the screen.
3. In the principals field, select a user or group by typing in their associated email address.
4. Click on the role field to expand it. In the filter field enter Access Transparency Admin and select it.
5. Click Save.

Verify that the Google Cloud project is associated with a billing account

1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Select Billing.
2. If you see 'This project is not associated with a billing account', you will need to enter billing information or switch to a project with a billing account.

Enable Access Transparency

1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Hover over the IAM & Admin menu. Select Settings in the middle of the column that opens.
2. Click the blue button labeled Enable Access Transparency for Organization.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v2.0 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0214Attestation
Schema
{
"type": "string",
"format": "date-time",
"default": ""
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'

Configures auditing against a CIS Benchmark item.

Level: 2

GCP Access Approval enables you to require your organization's explicit approval whenever Google support tries to access your projects. You can then select users within your organization who can approve these requests by giving them a security role in IAM. All access requests display which Google employee requested them in an email or Pub/Sub message that you can choose to approve. This adds an additional control and logging of who in your organization approved or denied these requests.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0215
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer

Configures auditing against a CIS Benchmark item.

Level: 2

Logging enabled on an HTTPS Load Balancer will show all network traffic and its destination.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0216
Valid Value
[
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 2 - Logging and Monitoring",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 2 - Logging and Monitoring"
}

GCP > CIS v2.0 > 2 - Logging and Monitoring > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s02Attestation
Category
Valid Value
[
"Per GCP > CIS v2.0 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Per GCP > CIS v2.0 > Maximum Attestation Duration"
}

GCP > CIS v2.0 > 3 - Networking

This section covers recommendations addressing networking on Google Cloud Platform.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s03
Category
Valid Value
[
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks"
],
"example": [
"Skip"
],
"default": "Per GCP > CIS v2.0"
}

GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project

Configures auditing against a CIS Benchmark item.

Level: 2

To prevent use of the default network, a project should not have a default network.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0301
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects

Configures auditing against a CIS Benchmark item.

Level: 1

In order to prevent use of legacy networks, a project should not have a legacy network configured. As of now, Legacy Networks are gradually being phased out, and you can no longer create projects with them. This recommendation is to check older projects to ensure that they are not using Legacy Networks.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0302
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS

Configures auditing against a CIS Benchmark item.

Level: 1

Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0303
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC

Configures auditing against a CIS Benchmark item.

Level: 1

NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.

DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0304
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC

Configures auditing against a CIS Benchmark item.

Level: 1

NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.

DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0305
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet

Configures auditing against a CIS Benchmark item.

Level: 2

GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.

Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to a VPC or VM instance using SSH on Port 22 can be avoided.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0306
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet

Configures auditing against a CIS Benchmark item.

Level: 2

GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.

Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
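The check behind 3.06 and 3.07, written out as an added Python example (not code from the Turbot mod or from CIS): it walks firewall rule resources in the shape the Compute API returns them (`direction`, `sourceRanges`, `allowed`, `disabled`) and reports ingress rules that open TCP 22 or 3389 to 0.0.0.0/0, including rules that allow all protocols, all TCP ports, or a port range covering those ports. The sample rules are constructed.

```python
"""Detection logic for CIS GCP 3.06 / 3.07: ingress firewall rules that expose
SSH (22) or RDP (3389) to the whole internet (0.0.0.0/0)."""
from __future__ import annotations

from typing import Iterable

# Ports the two benchmark items care about, with the item they belong to.
WATCHED_PORTS = {22: "SSH (CIS 3.06)", 3389: "RDP (CIS 3.07)"}
ANY_IPV4 = "0.0.0.0/0"


def _port_spec_covers(spec: str, port: int) -> bool:
    """True if a Compute API port spec ("22" or "20-25") includes `port`."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _allowed_entry_covers(entry: dict, port: int) -> bool:
    """True if one `allowed` entry permits TCP traffic to `port`.

    An entry with IPProtocol "all", or a TCP entry with no `ports` list,
    permits every port and therefore covers the watched one as well."""
    proto = entry.get("IPProtocol", "").lower()
    if proto == "all":
        return True
    if proto != "tcp":
        return False
    ports = entry.get("ports")
    if not ports:  # tcp with no port list means all TCP ports
        return True
    return any(_port_spec_covers(p, port) for p in ports)


def rule_exposes_port(rule: dict, port: int) -> bool:
    """Evaluate a single firewall rule (compute.firewalls resource dict)."""
    if rule.get("disabled"):
        return False  # a disabled rule admits nothing
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False  # egress rules are out of scope for 3.06 / 3.07
    if ANY_IPV4 not in rule.get("sourceRanges", []):
        return False  # only the wide-open source range is flagged here
    return any(_allowed_entry_covers(a, port) for a in rule.get("allowed", []))


def find_internet_exposed_rules(rules: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule name, finding) pairs for every violating rule/port combination."""
    findings = []
    for rule in rules:
        for port, label in WATCHED_PORTS.items():
            if rule_exposes_port(rule, port):
                findings.append((rule["name"], f"{label} open to {ANY_IPV4}"))
    return findings


# Constructed sample rules in the shape returned by the Compute API.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-range", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3380-3390"]}]},
    {"name": "allow-all-internal", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-ssh-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-https-public", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "egress-anything", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, finding in find_internet_exposed_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```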

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0307
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network

Configures auditing against a CIS Benchmark item.

Level: 2

Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0308
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites

Configures auditing against a CIS Benchmark item.

Level: 1

Secure Sockets Layer (SSL) policies determine which Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers. To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile; or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or (c) a CUSTOM profile that does not support any of the following features:

TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
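The 3.09 decision rule as an added Python example (not the mod's own code): it grades SSL policy resources by `profile`, `minTlsVersion` and `customFeatures` as the Compute API names those fields, and returns the reasons a policy fails. The sample policies are constructed.

```python
"""Detection logic for CIS GCP 3.09: SSL policies that permit weak cipher suites."""
from __future__ import annotations

from typing import Iterable

# Cipher suites the benchmark text says a CUSTOM profile must not enable.
WEAK_FEATURES = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Ordering of the minTlsVersion values used by the Compute API.
TLS_ORDER = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2}


def ssl_policy_violations(policy: dict) -> list[str]:
    """Return the reasons an SSL policy fails 3.09 (an empty list means compliant).

    Compliant when any of: (a) MODERN profile with minTlsVersion >= TLS_1_2,
    (b) RESTRICTED profile, (c) CUSTOM profile whose customFeatures contain
    none of WEAK_FEATURES. Anything else (e.g. COMPATIBLE) is a finding."""
    profile = policy.get("profile", "COMPATIBLE")
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    reasons: list[str] = []
    if profile == "RESTRICTED":
        return reasons  # (b): TLS 1.2 is enforced regardless of min_tls
    if profile == "MODERN":
        if TLS_ORDER.get(min_tls, -1) < TLS_ORDER["TLS_1_2"]:
            reasons.append(f"MODERN profile with minTlsVersion {min_tls} (below TLS_1_2)")
        return reasons  # (a)
    if profile == "CUSTOM":
        weak = sorted(WEAK_FEATURES & set(policy.get("customFeatures", [])))
        if weak:
            reasons.append("CUSTOM profile enables weak cipher suites: " + ", ".join(weak))
        return reasons  # (c)
    reasons.append(f"profile {profile} is not MODERN, RESTRICTED or CUSTOM")
    return reasons


def audit_ssl_policies(policies: Iterable[dict]) -> dict[str, list[str]]:
    """Map each non-compliant policy name to its list of reasons."""
    findings = {}
    for policy in policies:
        reasons = ssl_policy_violations(policy)
        if reasons:
            findings[policy["name"]] = reasons
    return findings


# Constructed sample policies in the shape of compute.sslPolicies resources.
SAMPLE_POLICIES = [
    {"name": "modern-tls12", "profile": "MODERN", "minTlsVersion": "TLS_1_2"},
    {"name": "modern-tls10", "profile": "MODERN", "minTlsVersion": "TLS_1_0"},
    {"name": "restricted-any", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_0"},
    {"name": "custom-ok", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
     "customFeatures": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]},
    {"name": "custom-weak", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
     "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                        "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},
    {"name": "compat-default", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
]

if __name__ == "__main__":
    for name, reasons in audit_ssl_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```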

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0309
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'

Configures auditing against a CIS Benchmark item.

Level: 2

IAP authenticates user requests to your apps via Google single sign-on. You can then manage these users with permissions to control access. It is recommended to use both IAP permissions and firewalls to restrict access to your apps with sensitive information.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0310
Valid Value
[
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 3 - Networking",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 3 - Networking"
}

GCP > CIS v2.0 > 4 - Virtual Machines

This section contains recommendations to address virtual machines on Google Cloud Platform.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s04
Category
Valid Value
[
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
],
"example": [
"Skip"
],
"default": "Per GCP > CIS v2.0"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0401
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs

Configures auditing against a CIS Benchmark item.

Level: 1

To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope 'Allow full access to all Cloud APIs'.
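Detection for 4.01 and 4.02 as an added Python example (not the mod's code): it recognizes the default Compute Engine service account by its fixed `<PROJECT_NUMBER>-compute@developer.gserviceaccount.com` name, and treats the `cloud-platform` OAuth scope as the API form of the console's 'Allow full access to all Cloud APIs' option. The instance records are constructed samples in the shape of compute.instances resources.

```python
"""Detection logic for CIS GCP 4.01 / 4.02: instances attached to the Compute
Engine default service account, and whether that attachment carries the
full-access (cloud-platform) scope."""
from __future__ import annotations

import re
from typing import Iterable

# The default Compute Engine service account always has this email form.
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Scope granted by 'Allow full access to all Cloud APIs' in the console.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def uses_default_service_account(instance: dict) -> bool:
    """CIS 4.01: any attached service account is the project default one."""
    return any(DEFAULT_SA_RE.match(sa.get("email", ""))
               for sa in instance.get("serviceAccounts", []))


def default_sa_has_full_access(instance: dict) -> bool:
    """CIS 4.02: the default service account is attached with cloud-platform scope."""
    return any(DEFAULT_SA_RE.match(sa.get("email", ""))
               and CLOUD_PLATFORM_SCOPE in sa.get("scopes", [])
               for sa in instance.get("serviceAccounts", []))


def audit_instances(instances: Iterable[dict]) -> dict[str, list[str]]:
    """Map each non-compliant instance name to the benchmark items it fails."""
    findings = {}
    for inst in instances:
        hits = []
        if uses_default_service_account(inst):
            hits.append("4.01 default service account attached")
        if default_sa_has_full_access(inst):
            hits.append("4.02 default service account with cloud-platform scope")
        if hits:
            findings[inst["name"]] = hits
    return findings


# Constructed sample instances; the project number and emails are made up.
SAMPLE_INSTANCES = [
    {"name": "web-1", "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
    {"name": "web-2", "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "batch-1", "serviceAccounts": [
        {"email": "batch-runner@my-project.iam.gserviceaccount.com",
         "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
    {"name": "no-sa", "serviceAccounts": []},
]

if __name__ == "__main__":
    for name, hits in audit_instances(SAMPLE_INSTANCES).items():
        print(f"{name}: {'; '.join(hits)}")
```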

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0402
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0403
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project

Configures auditing against a CIS Benchmark item.

Level: 1

Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0404
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance

Configures auditing against a CIS Benchmark item.

Level: 1

Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.

If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0405
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances

Configures auditing against a CIS Benchmark item.

Level: 1

A Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different from the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.

Forwarding of data packets should be disabled to prevent data loss or information disclosure.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0406
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)

Configures auditing against a CIS Benchmark item.

Level: 2

Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you want to control and manage this encryption yourself, you can provide your own encryption keys.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0407
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled

Configures auditing against a CIS Benchmark item.

Level: 2

To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0408
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses

Configures auditing against a CIS Benchmark item.

Level: 2

Compute instances should not be configured to have external IP addresses.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0409
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections

Configures auditing against a CIS Benchmark item.

Level: 2

In order to maintain the highest level of security all connections to an application should be secure by default.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0410
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark using attestation"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Add a line to the app.yaml file controlling the application which enforces secure connections. For example:

handlers:
- url: /.*
  secure: always
  redirect_http_response_code: 301
  script: auto

[https://cloud.google.com/appengine/docs/standard/python3/config/appref]

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v2.0 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled

Configures auditing against a CIS Benchmark item.

Level: 2

Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).

Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs. Customer data will stay encrypted while it is used, indexed, queried, or trained on. Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0411
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects

Configures auditing against a CIS Benchmark item.

Level: 2

Google Cloud Virtual Machines have the ability via an OS Config agent API to periodically (about every 10 minutes) report OS inventory data. A patch compliance API periodically reads this data, and cross references metadata to determine if the latest updates are installed.

This is not the only Patch Management solution available to your organization and you should weigh your needs before committing to using this method.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0412
Valid Value
[
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 4 - Virtual Machines",
"Skip",
"Check: Benchmark using attestation"
],
"default": "Per GCP > CIS v2.0 > 4 - Virtual Machines"
}

GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Google Cloud Console

Enabling OS Patch Management on a Project by Project Basis

Install OS Config API for the Project

1. Navigate into a project. In the expanded portal menu located at the top left of the screen, hover over "APIs & Services". Then in the menu to the right of that, select "API Libraries".
2. Search for "VM Manager (OS Config API)", or scroll down in the left hand column and select the filter labeled "Compute", where it is the last listed. Open this API.
3. Click the blue 'Enable' button.

Add MetaData Tags for OSConfig Parsing

1. From the main Google Cloud console, open the portal menu in the top left. Mouse over Compute Engine to expand the menu next to it.
2. Under the "Settings" heading, select "Metadata".
3. In this view there will be a list of the project-wide metadata tags for VMs. Click Edit, then 'Add item'; in the key column type 'enable-osconfig' and in the value column set it to 'true'.

From Command Line

1. For project wide tagging, run the following command

gcloud compute project-info add-metadata \
  --project <PROJECT_ID> \
  --metadata=enable-osconfig=TRUE

Please see the reference /compute/docs/troubleshooting/vm-manager/verify-setup#metadata-enabled at the bottom for more options like instance specific tagging.

Note: Adding a new tag via commandline may overwrite existing tags. You will need to do this at a time of low usage for the least impact.

Install and Start the Local OSConfig for Data Parsing

There is no way to centrally manage or start the Local OSConfig agent. Please view the reference of manage-os#agent-install to view specific operating system commands.

Setup a project wide Service Account

Please view Recommendation 4.1 to view how to setup a service account. Rerun the audit procedure to test if it has taken effect.

Enable NAT or Configure Private Google Access to allow Access to Public Update Hosting

For the sake of brevity, please see the attached resources to enable NAT or Private Google Access. Rerun the audit procedure to test if it has taken effect.

From Command Line:

Install OS Config API for the Project

1. In each project you wish to audit run gcloud services enable osconfig.googleapis.com

Install and Start the Local OSConfig for Data Parsing

Please view the reference of manage-os#agent-install to view specific operating system commands.

Setup a project wide Service Account

Please view Recommendation 4.1 to view how to setup a service account. Rerun the audit procedure to test if it has taken effect.

Enable NAT or Configure Private Google Access to allow Access to Public Update Hosting

For the sake of brevity, please see the attached resources to enable NAT or Private Google Access. Rerun the audit procedure to test if it has taken effect.

Determine if Instances can connect to public update hosting

Linux
Debian Based Operating Systems

sudo apt update

The output should have a numbered list of lines with Hit: URL of updates.

Redhat Based Operating Systems

yum check-update

The output should show a list of packages that have updates available.

Windows

ping windowsupdate.microsoft.com

The ping should successfully be delivered and received.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v2.0 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v2.0 > 4 - Virtual Machines > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s04Attestation
Category
Valid Value
[
"Per GCP > CIS v2.0 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Per GCP > CIS v2.0 > Maximum Attestation Duration"
}

GCP > CIS v2.0 > 5 - Storage

This section covers recommendations addressing storage on Google Cloud Platform.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s05
Category
Valid Value
[
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks"
],
"example": [
"Skip"
],
"default": "Per GCP > CIS v2.0"
}

GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0501
Valid Value
[
"Per GCP > CIS v2.0 > 5 - Storage",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 5 - Storage",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 5 - Storage"
}

GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled

Configures auditing against a CIS Benchmark item.

Level: 2

It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0502
Valid Value
[
"Per GCP > CIS v2.0 > 5 - Storage",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 5 - Storage",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 5 - Storage"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services

This section contains recommendations to follow to secure Cloud SQL database services.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s06
Category
Valid Value
[
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks except attestations",
"Check: All CIS Benchmarks"
],
"example": [
"Skip"
],
"default": "Per GCP > CIS v2.0"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database

Covers security recommendations addressing Cloud SQL for MySQL on Google Cloud Platform.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s0601
Category
Schema
{
"type": "string",
"default": "Skip"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances.

This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060101
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark using attestation"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console using https://console.cloud.google.com/sql/
2. Select the instance to open its Overview page.
3. Select Access Control > Users.
4. Click the More actions icon for the user to be updated.
5. Select Change password, specify a New password, and click OK.

From Google Cloud CLI

1. Set a password to a MySql instance:

gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password

2. A prompt will appear, requiring the user to enter a password:

Instance Password:

3. With a successful password configured, the following message should be seen:

Updating Cloud SQL user...done.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v2.0 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to set the skip_show_database database flag for a Cloud SQL MySQL instance to on.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060102
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060103
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database

Covers security recommendations addressing Cloud SQL for PostgreSQL on Google Cloud Platform.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s0602
Category
Schema
{
"type": "string",
"default": "Skip"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter

Configures auditing against a CIS Benchmark item.

Level: 2

The log_error_verbosity flag controls the verbosity/details of messages logged. Valid values are:

- TERSE
- DEFAULT
- VERBOSE

TERSE excludes the logging of DETAIL, HINT, QUERY, and CONTEXT error information.

VERBOSE output includes the SQLSTATE error code, source code file name, function name, and line number that generated the error.

Ensure the flag is set to DEFAULT or stricter.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060201
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 1

Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060202
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'

Configures auditing against a CIS Benchmark item.

Level: 1

Enabling the log_disconnections setting logs the end of each session, including the session duration.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060203
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately

Configures auditing against a CIS Benchmark item.

Level: 2

The value of the log_statement flag determines which SQL statements are logged. Valid values are:

- none
- ddl
- mod
- all

The value ddl logs all data definition statements. The value mod logs all ddl statements plus data-modifying statements.

Statements are logged after basic parsing is done and the statement type is determined, so statements with syntax errors are not logged. When using the extended query protocol, logging occurs after an Execute message is received, and the values of the Bind parameters are included.

A value of 'ddl' is recommended unless otherwise directed by your organization's logging policy.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060204
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'

Configures auditing against a CIS Benchmark item.

Level: 1

The log_min_messages flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the levels that follow it in this list. ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060205
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter

Configures auditing against a CIS Benchmark item.

Level: 1

The log_min_error_statement flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the levels that follow it in this list. Ensure a value of ERROR or stricter is set.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060206
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'

Configures auditing against a CIS Benchmark item.

Level: 1

The log_min_duration_statement flag defines the minimum execution time of a statement, in milliseconds, above which the statement's total duration is logged. Ensure that log_min_duration_statement is disabled, i.e., set to -1.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060207
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure the cloudsql.enable_pgaudit database flag for each Cloud SQL PostgreSQL instance is set to on to allow for centralized logging.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060208
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private

Configures auditing against a CIS Benchmark item.

Level: 1

Instance addresses can be public IP or private IP. Public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).

Limiting network access to your database will limit potential attacks.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060209
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server

Covers security recommendations addressing Cloud SQL for SQL Server on Google Cloud Platform.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s0603
Category
Schema
{
"type": "string",
"default": "Skip"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to set the external scripts enabled database flag for a Cloud SQL SQL Server instance to off.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060301
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to set the cross db ownership chaining database flag for a Cloud SQL SQL Server instance to off.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060302
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to check the user connections flag for a Cloud SQL SQL Server instance to ensure that it is not artificially limiting connections.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060303
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended that the user options database flag for a Cloud SQL SQL Server instance not be configured.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060304
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to set the remote access database flag for a Cloud SQL SQL Server instance to off.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060305
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to set the 3625 (trace flag) database flag for a Cloud SQL SQL Server instance to on.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060306
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to set the contained database authentication database flag for a Cloud SQL SQL Server instance to off.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r060307
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended to require all incoming connections to a SQL database instance to use SSL.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0604
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses

Configures auditing against a CIS Benchmark item.

Level: 1

A database server should accept connections only from trusted networks/IP addresses and restrict access from public IP addresses.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0605
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs

Configures auditing against a CIS Benchmark item.

Level: 2

It is recommended to configure Second Generation SQL instances to use private IPs instead of public IPs.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0606
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended that all SQL database instances have automated backups enabled.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0607
Valid Value
[
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 6 - Cloud SQL Database Services"
}

GCP > CIS v2.0 > 6 - Cloud SQL Database Services > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s06Attestation
Category
Valid Value
[
"Per GCP > CIS v2.0 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > Maximum Attestation Duration",
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Per GCP > CIS v2.0 > Maximum Attestation Duration"
}

GCP > CIS v2.0 > 7 - BigQuery

This section addresses Google Cloud Platform BigQuery. BigQuery is a serverless, highly-scalable, and cost-effective cloud data warehouse with an in-memory BI Engine and machine learning built in.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/s07
Category
Valid Value
[
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0",
"Skip",
"Check: All CIS Benchmarks"
],
"example": [
"Skip"
],
"default": "Per GCP > CIS v2.0"
}

GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible

Configures auditing against a CIS Benchmark item.

Level: 1

It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0701
Valid Value
[
"Per GCP > CIS v2.0 > 7 - BigQuery",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 7 - BigQuery",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 7 - BigQuery"
}

GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)

Configures auditing against a CIS Benchmark item.

Level: 2

BigQuery by default encrypts data at rest using envelope encryption with Google-managed cryptographic keys. The data is encrypted using data encryption keys, and the data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want greater control, customer-managed encryption keys (CMEK) can be used as the encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of Google-managed encryption keys.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0702
Valid Value
[
"Per GCP > CIS v2.0 > 7 - BigQuery",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 7 - BigQuery",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 7 - BigQuery"
}

GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets

Configures auditing against a CIS Benchmark item.

Level: 2

BigQuery by default encrypts data at rest using envelope encryption with Google-managed cryptographic keys. The data is encrypted using data encryption keys, and the data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want greater control, customer-managed encryption keys (CMEK) can be used as the encryption key management solution for BigQuery datasets.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/r0703
Valid Value
[
"Per GCP > CIS v2.0 > 7 - BigQuery",
"Skip",
"Check: Benchmark"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v2.0 > 7 - BigQuery",
"Skip",
"Check: Benchmark"
],
"default": "Per GCP > CIS v2.0 > 7 - BigQuery"
}

GCP > CIS v2.0 > Maximum Attestation Duration

The maximum duration for CIS Attestations. Attestation policies can not be set further in the future than is specified here.

URI
tmod:@turbot/gcp-cisv2-0#/policy/types/attestation
Category
Valid Value
[
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Skip"
}