@turbot/gcp-cisv1

Release Notes

5.0.1 (2020-06-10)

Bug fixes

  • Minor optimisations were made to the GraphQL of the CISv1 control types to improve their performance.

5.0.0 (2020-05-20)

Control Types

Added

  • GCP > CIS v1
  • GCP > CIS v1 > 1 Identity and Access Management
  • GCP > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that corporate login credentials are used instead of Gmail accounts (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-service accounts (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are only GCP-managed service account keys for each service account (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that ServiceAccount has no Admin privileges (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that IAM users are not assigned Service Account User role at project level (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.06 Ensure user-managed/external keys for service accounts are rotated every 90 days or less (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that Separation of duties is enforced while assigning service account related roles to users (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.08 Ensure Encryption keys are rotated within a period of 365 days (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that Separation of duties is enforced while assigning KMS related roles to users (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.10 Ensure API keys are not created for a project (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.11 Ensure API keys are restricted to use by only specified Hosts and Apps (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.12 Ensure API keys are restricted to only APIs that application needs access (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.13 Ensure API keys are rotated every 90 days (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.01 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.02 Ensure that sinks are configured for all Log entries (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.03 Ensure that object versioning is enabled on log-buckets (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.04 Ensure log metric filter and alerts exists for Project Ownership assignments/changes (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.10 Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.11 Ensure log metric filter and alerts exists for SQL instance configuration changes (Scored)
  • GCP > CIS v1 > 3 Networking
  • GCP > CIS v1 > 3 Networking > 3.01 Ensure the default network does not exist in a project (Scored)
  • GCP > CIS v1 > 3 Networking > 3.02 Ensure legacy networks does not exists for a project (Scored)
  • GCP > CIS v1 > 3 Networking > 3.03 Ensure that DNSSEC is enabled for Cloud DNS (Not Scored)
  • GCP > CIS v1 > 3 Networking > 3.04 Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC (Not Scored)
  • GCP > CIS v1 > 3 Networking > 3.05 Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC (Not Scored)
  • GCP > CIS v1 > 3 Networking > 3.06 Ensure that SSH access is restricted from the internet (Scored)
  • GCP > CIS v1 > 3 Networking > 3.07 Ensure that RDP access is restricted from the internet (Scored)
  • GCP > CIS v1 > 3 Networking > 3.08 Ensure Private Google Access is enabled for all subnetwork in VPC Network (Scored)
  • GCP > CIS v1 > 3 Networking > 3.09 Ensure VPC Flow logs is enabled for every subnet in VPC Network (Scored)
  • GCP > CIS v1 > 4 Virtual Machines
  • GCP > CIS v1 > 4 Virtual Machines > 4.01 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.02 Ensure "Block Project-wide SSH keys" enabled for VM instances (Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.03 Ensure oslogin is enabled for a Project (Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.04 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance (Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.05 Ensure that IP forwarding is not enabled on Instances (Not Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.06 Ensure VM disks for critical VMs are encrypted with Customer- Supplied Encryption Keys (CSEK) (Scored)
  • GCP > CIS v1 > 5 Storage
  • GCP > CIS v1 > 5 Storage > 5.01 Ensure that Cloud Storage bucket is not anonymously or publicly accessible (Scored)
  • GCP > CIS v1 > 5 Storage > 5.02 Ensure that there are no publicly accessible objects in storage buckets (Not Scored)
  • GCP > CIS v1 > 5 Storage > 5.03 Ensure that logging is enabled for Cloud storage buckets (Scored)
  • GCP > CIS v1 > 6 Cloud SQL Database Services
  • GCP > CIS v1 > 6 Cloud SQL Database Services > 6.01 Ensure that Cloud SQL database instance requires all incoming connections to use SSL (Scored)
  • GCP > CIS v1 > 6 Cloud SQL Database Services > 6.02 Ensure that Cloud SQL database Instances are not open to the world (Scored)
  • GCP > CIS v1 > 6 Cloud SQL Database Services > 6.03 Ensure that MySql database instance does not allow anyone to connect with administrative privileges. (Scored)
  • GCP > CIS v1 > 6 Cloud SQL Database Services > 6.04 Ensure that MySQL Database Instance does not allows root login from any Host (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.01 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.02 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.03 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.04 Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters (Not Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.05 Ensure Kubernetes Clusters are configured with Labels (Not Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.06 Ensure Kubernetes web UI / Dashboard is disabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.07 Ensure Automatic node repair is enabled for Kubernetes Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.08 Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.09 Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image (Not Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.10 Ensure Basic Authentication is disabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.11 Ensure Network policy is enabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.12 Ensure Kubernetes Cluster is created with Client Certificate enabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.13 Ensure Kubernetes Cluster is created with Alias IP ranges enabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.14 Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.15 Ensure Kubernetes Cluster is created with Private cluster enabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.17 Ensure default Service account is not used for Project access in Kubernetes Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access (Scored)

Policy Types

Added

  • GCP > CIS v1
  • GCP > CIS v1 > 1 Identity and Access Management
  • GCP > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that corporate login credentials are used instead of Gmail accounts (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-service accounts (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-service accounts (Not Scored) > Attestation
  • GCP > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are only GCP-managed service account keys for each service account (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are only GCP-managed service account keys for each service account (Scored) > Attestation
  • GCP > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that ServiceAccount has no Admin privileges (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that IAM users are not assigned Service Account User role at project level (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.06 Ensure user-managed/external keys for service accounts are rotated every 90 days or less (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that Separation of duties is enforced while assigning service account related roles to users (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.08 Ensure Encryption keys are rotated within a period of 365 days (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that Separation of duties is enforced while assigning KMS related roles to users (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.10 Ensure API keys are not created for a project (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.10 Ensure API keys are not created for a project (Not Scored) > Attestation
  • GCP > CIS v1 > 1 Identity and Access Management > 1.11 Ensure API keys are restricted to use by only specified Hosts and Apps (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.11 Ensure API keys are restricted to use by only specified Hosts and Apps (Not Scored) > Attestation
  • GCP > CIS v1 > 1 Identity and Access Management > 1.12 Ensure API keys are restricted to only APIs that application needs access (Not Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.12 Ensure API keys are restricted to only APIs that application needs access (Not Scored) > Attestation
  • GCP > CIS v1 > 1 Identity and Access Management > 1.13 Ensure API keys are rotated every 90 days (Scored)
  • GCP > CIS v1 > 1 Identity and Access Management > 1.13 Ensure API keys are rotated every 90 days (Scored) > Attestation
  • GCP > CIS v1 > 2 Logging and Monitoring
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.01 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.02 Ensure that sinks are configured for all Log entries (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.03 Ensure that object versioning is enabled on log-buckets (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.04 Ensure log metric filter and alerts exists for Project Ownership assignments/changes (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.10 Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes (Scored)
  • GCP > CIS v1 > 2 Logging and Monitoring > 2.11 Ensure log metric filter and alerts exists for SQL instance configuration changes (Scored)
  • GCP > CIS v1 > 3 Networking
  • GCP > CIS v1 > 3 Networking > 3.01 Ensure the default network does not exist in a project (Scored)
  • GCP > CIS v1 > 3 Networking > 3.02 Ensure legacy networks does not exists for a project (Scored)
  • GCP > CIS v1 > 3 Networking > 3.03 Ensure that DNSSEC is enabled for Cloud DNS (Not Scored)
  • GCP > CIS v1 > 3 Networking > 3.04 Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC (Not Scored)
  • GCP > CIS v1 > 3 Networking > 3.05 Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC (Not Scored)
  • GCP > CIS v1 > 3 Networking > 3.06 Ensure that SSH access is restricted from the internet (Scored)
  • GCP > CIS v1 > 3 Networking > 3.07 Ensure that RDP access is restricted from the internet (Scored)
  • GCP > CIS v1 > 3 Networking > 3.08 Ensure Private Google Access is enabled for all subnetwork in VPC Network (Scored)
  • GCP > CIS v1 > 3 Networking > 3.09 Ensure VPC Flow logs is enabled for every subnet in VPC Network (Scored)
  • GCP > CIS v1 > 4 Virtual Machines
  • GCP > CIS v1 > 4 Virtual Machines > 4.01 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.02 Ensure "Block Project-wide SSH keys" enabled for VM instances (Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.03 Ensure oslogin is enabled for a Project (Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.04 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance (Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.05 Ensure that IP forwarding is not enabled on Instances (Not Scored)
  • GCP > CIS v1 > 4 Virtual Machines > 4.06 Ensure VM disks for critical VMs are encrypted with Customer- Supplied Encryption Keys (CSEK) (Scored)
  • GCP > CIS v1 > 5 Storage
  • GCP > CIS v1 > 5 Storage > 5.01 Ensure that Cloud Storage bucket is not anonymously or publicly accessible (Scored)
  • GCP > CIS v1 > 5 Storage > 5.02 Ensure that there are no publicly accessible objects in storage buckets (Not Scored)
  • GCP > CIS v1 > 5 Storage > 5.03 Ensure that logging is enabled for Cloud storage buckets (Scored)
  • GCP > CIS v1 > 6 Cloud SQL Database Services
  • GCP > CIS v1 > 6 Cloud SQL Database Services > 6.01 Ensure that Cloud SQL database instance requires all incoming connections to use SSL (Scored)
  • GCP > CIS v1 > 6 Cloud SQL Database Services > 6.02 Ensure that Cloud SQL database Instances are not open to the world (Scored)
  • GCP > CIS v1 > 6 Cloud SQL Database Services > 6.03 Ensure that MySql database instance does not allow anyone to connect with administrative privileges. (Scored)
  • GCP > CIS v1 > 6 Cloud SQL Database Services > 6.03 Ensure that MySql database instance does not allow anyone to connect with administrative privileges. (Scored) > Attestation
  • GCP > CIS v1 > 6 Cloud SQL Database Services > 6.04 Ensure that MySQL Database Instance does not allows root login from any Host (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.01 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.02 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.03 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.04 Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters (Not Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.05 Ensure Kubernetes Clusters are configured with Labels (Not Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.06 Ensure Kubernetes web UI / Dashboard is disabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.07 Ensure Automatic node repair is enabled for Kubernetes Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.08 Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.09 Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image (Not Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.10 Ensure Basic Authentication is disabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.11 Ensure Network policy is enabled on Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.12 Ensure Kubernetes Cluster is created with Client Certificate enabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.13 Ensure Kubernetes Cluster is created with Alias IP ranges enabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.14 Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.15 Ensure Kubernetes Cluster is created with Private cluster enabled (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.17 Ensure default Service account is not used for Project access in Kubernetes Clusters (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access (Scored)
  • GCP > CIS v1 > 7 Kubernetes Engine > 7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access (Scored) > Attestation
  • GCP > CIS v1 > Maximum Attestation Duration