How To

Real-time GCP v2.0.0 CIS Benchmark assessments

Assess your security posture with automated GCP CIS v2.0.0 assessments that provide real-time dashboard updates and instant alerts.

Turbot Team
5 min. read - May 15, 2024

Center for Internet Security (CIS) benchmarks for GCP are widely used by cloud teams as guidance to configure their GCP projects securely. The latest iteration, GCP CIS v2.0.0, includes over 80 recommendations to evaluate your posture against best practices.

Turbot Guardrails now supports the GCP CIS v2.0.0 Benchmark. Use it to enable continuous monitoring of your cloud environment's security posture, and to ensure compliance with industry standards as resources are created and modified.

Go beyond CIS reporting with Guardrails

Traditional compliance assessments rely on periodic scans of your environment, which only give you a point-in-time view of your security posture. But the cloud is dynamic: resources change rapidly, and misconfigurations and security gaps can appear at any time.

Turbot Guardrails evaluates your GCP resources against the CIS v2.0.0 Benchmark in real-time. As resources are created or modified, Guardrails instantly assesses them for compliance, giving you an always up-to-date view of your security posture.

Key Features of Turbot Guardrails' CIS Benchmark controls:

  1. Instant Evaluation. As new AWS resources are created or modified, Guardrails immediately assesses them against the relevant CIS controls, providing instant feedback on your compliance status.
  2. Real-time Alerts. Stay informed about critical changes in your compliance posture with real-time alerts. Guardrails can send notifications to Slack, MS Teams, and email, so you and your team always know when benchmarks aren't green.
  3. Take action. By default, Guardrails will alert on misconfigurations. You can use Guardrails' quick actions to fix mistakes, and you can set continuous enforcement.
  4. Controlled Attestations. Some CIS controls are manual and require attestations. Track evidence of your reviews and set reminders to re-evaluate the control next audit period.
  5. Set Exceptions. Not all organizations require every CIS Benchmark recommendation. Set time-based exceptions to ignore recommendations per account or per resource when not applicable.
  6. Comprehensive Reporting. See an always up-to-date view of your compliance status, from sections of the benchmark to per-resource compliance, in the Guardrails console. Generate detailed reports, including CSV exports for easy sharing and analysis.

How to monitor GCP CIS v2.0.0 using Guardrails

Install the GCP CIS mods

To get started, install the @turbot/cis and the @turbot/gcp-cisv2-0 mods.

Enable the GCP CIS Benchmark

Once installed, set the policy for GCP > CIS v2.0 to Check: All CIS Benchmarks.

Enable GCP CIS v2.0.0 Policy

Guardrails will immediately assess all applicable resources for compliance to GCP CIS Benchmark v2.0.0.

GCP CIS v2.0.0 Benchmark

Assess your CIS adherence

See control status for each benchmark section.

GCP CIS v2.0.0 Storage Accounts recommendations

In this example, 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled, we can see that all the GCP Storage Accounts are reporting in ALARM and OK states.

GCP CIS v2.0.0 5.2 recommendation

In some cases you may need to suppress or ignore the control on a resource. As with any Guardrails policy, you can set time-based exceptions for one or many resources.

GCP CIS v2.0.0 Exception

In this case we set the policy to Skip the acme-demo-turbot-gcp-2 bucket for 30 days. This bucket now shows as being in a skipped state and will be reassessed automatically after the exception expires.
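To make concrete what the 5.02 control evaluates and how a time-based exception such as the 30-day skip above changes the reported state, here is an added Python example. It is not Guardrails code: the bucket metadata is constructed to mirror the Cloud Storage JSON API's iamConfiguration.uniformBucketLevelAccess field, and the exception dictionary is a hypothetical stand-in for a Guardrails Skip policy.

```python
from datetime import date, timedelta

# Constructed sample bucket metadata, shaped like the Cloud Storage JSON API
# "buckets" resource (iamConfiguration.uniformBucketLevelAccess.enabled).
SAMPLE_BUCKETS = [
    {"name": "acme-demo-turbot-gcp-1",
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}},
    {"name": "acme-demo-turbot-gcp-2",
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}},
    # No iamConfiguration block at all: legacy ACL-based bucket, so a finding.
    {"name": "acme-demo-gcp"},
]


def cis_5_2_state(bucket: dict) -> str:
    """CIS GCP 5.2: return "OK" when uniform bucket-level access is enabled,
    otherwise "ALARM". A missing block counts as disabled."""
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    return "OK" if ubla.get("enabled") is True else "ALARM"


def assess(buckets, exceptions, today_iso):
    """Evaluate every bucket against 5.2 on the given day (ISO date string).

    `exceptions` is a hypothetical map: bucket name -> (start_iso, days).
    An unexpired exception overrides the control result with "SKIPPED" and
    records the expiry date, after which the bucket is assessed normally again.
    Returns {bucket name: (state, expiry_iso or None)}."""
    today = date.fromisoformat(today_iso)
    results = {}
    for bucket in buckets:
        name = bucket["name"]
        if name in exceptions:
            start_iso, days = exceptions[name]
            expires = date.fromisoformat(start_iso) + timedelta(days=days)
            if today < expires:
                results[name] = ("SKIPPED", expires.isoformat())
                continue
        results[name] = (cis_5_2_state(bucket), None)
    return results


if __name__ == "__main__":
    skip = {"acme-demo-turbot-gcp-2": ("2024-05-15", 30)}  # 30-day Skip
    for name, (state, expiry) in assess(SAMPLE_BUCKETS, skip, "2024-05-20").items():
        print(f"{name}: {state}" + (f" (until {expiry})" if expiry else ""))
```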

GCP CIS v2.0.0 Skipped Recommendation

Instant GCP CIS alerts

When creating or updating cloud resources, Guardrails instantly provides feedback on the state of the recommendation in the console. In this example we created acme-demo-gcp, which was discovered and evaluated for CIS compliance within seconds.

GCP CIS v2.0.0 Alert

Beyond alerts in the Turbot Guardrails console, you and your team members can subscribe to alerts via email, MS Teams or Slack.

GCP CIS v2.0.0 Alert in Slack

Take action on your CIS alerts

Guardrails quick actions provide direct links to the Guardrails console where you can immediately apply fixes. This enables workflows that keep human approvers in the loop.

GCP CIS v2.0.0 Guardrails Enforce Policy

In Instant AWS CIS v3.0.0 Benchmark compliance, using AWS as the example, we show how you can go further by setting guardrails that continuously enforce CIS recommendations with no human intervention.

See it in action


Level up your security posture with Guardrails

Elevate your compliance game with Turbot Guardrails and experience real-time adherence to the GCP CIS v2.0.0 Benchmark. With real-time awareness of your security posture, and flexible reporting, Guardrails makes it quick and easy to address any deviation from best practices.

Turbot Guardrails also supports the latest CIS assessments for AWS and Azure. Try all the CIS Benchmarks, using the 14-day free trial, to gain instant feedback on your adherence to CIS recommendations.