Control types for @turbot/gcp-cisv1

GCP > CIS v1

Configures a default auditing level against the Google Cloud Platform Foundation Benchmark, Version 1.

URI
tmod:@turbot/gcp-cisv1#/control/types/cis
Parent
Category

GCP > CIS v1 > 1 Identity and Access Management

Covers recommendations addressing Identity and Access Management.

URI
tmod:@turbot/gcp-cisv1#/control/types/s01
Category

GCP > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that corporate login credentials are used instead of Gmail accounts (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources.

GCP > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-service accounts (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Set up multi-factor authentication for Google Cloud Platform accounts.

GCP > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are only GCP-managed service account keys for each service account (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

User-managed service accounts should not have user-managed keys.

GCP > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that ServiceAccount has no Admin privileges (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Granting a service account Admin rights gives full access to the application or VM it is assigned to; whoever holds access to that service account can then perform critical actions such as deleting, updating or changing settings without any user intervention, so it is recommended that service accounts not have Admin rights.

GCP > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that IAM users are not assigned Service Account User role at project level (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level.

GCP > CIS v1 > 1 Identity and Access Management > 1.06 Ensure user-managed/external keys for service accounts are rotated every 90 days or less (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.
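The two service account key items above (1.03, no user-managed keys at all; 1.06, any user-managed key older than 90 days) can be checked from the same key inventory. The following is an added example, not code from the Turbot mod or the benchmark: it reads the JSON shape of `gcloud iam service-accounts keys list --iam-account=... --format=json` (a list of keys with `name`, `keyType` and `validAfterTime`) and reports both conditions. The sample keys, timestamps and account name are constructed.

```python
"""Added example: flag user-managed service account keys (item 1.03) and
those older than 90 days (item 1.06) from a key listing.

Input shape: list of dicts as returned by
`gcloud iam service-accounts keys list --format=json`, e.g.
{"name": "projects/P/serviceAccounts/SA/keys/ID",
 "keyType": "USER_MANAGED" | "SYSTEM_MANAGED",
 "validAfterTime": "2024-01-15T10:00:00Z"}.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # rotation window from item 1.06


def parse_rfc3339(ts: str) -> datetime:
    """Parse the API's RFC 3339 timestamp ("...Z") into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def key_id(name: str) -> str:
    """Last path segment of the key resource name."""
    return name.rsplit("/", 1)[-1]


def audit_sa_keys(keys: list, now: datetime) -> list:
    """Return sorted (item, key_id, age_days) tuples.

    Every USER_MANAGED key is a 1.03 finding; if it is also older than
    MAX_KEY_AGE it is additionally a 1.06 finding. Google-managed
    (SYSTEM_MANAGED) keys are rotated by Google and are skipped.
    `now` is passed in so the check is deterministic and testable."""
    findings = []
    for k in keys:
        if k.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_rfc3339(k["validAfterTime"])
        kid = key_id(k["name"])
        findings.append(("1.03", kid, age.days))
        if age > MAX_KEY_AGE:
            findings.append(("1.06", kid, age.days))
    return sorted(findings)


# Constructed sample listing for one service account (not real data).
SA = "projects/example-proj/serviceAccounts/app-sa@example-proj.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/key-sys", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-05-20T00:00:00Z"},
    {"name": f"{SA}/keys/key-new", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-01T00:00:00Z"},
    {"name": f"{SA}/keys/key-old", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-15T00:00:00Z"},
]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for item, kid, days in audit_sa_keys(SAMPLE_KEYS, SAMPLE_NOW):
        print(f"{item}: {kid} (age {days} days)")
```

Run it against real output by loading the `gcloud` JSON with `json.load` and passing `datetime.now(timezone.utc)` as `now`; a clean account returns an empty list.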

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

The built-in/predefined IAM role Service Account Admin allows a user/identity to create, delete and manage service account(s). The built-in/predefined IAM role Service Account User allows a user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.

Separation of duties is the concept of ensuring that one individual does not have all the permissions necessary to complete a malicious action. In Cloud IAM service accounts, this could be an action such as using a service account to access resources that the user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.

No user should have both the Service Account Admin and Service Account User roles assigned at the same time.
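Items 1.04, 1.05 and the separation-of-duties item above are all questions about a project's IAM bindings, so one pass over the policy answers all three. The following is an added example, not code from the Turbot mod or the benchmark: it consumes the JSON shape of `gcloud projects get-iam-policy PROJECT --format=json` (a `bindings` list of `role`/`members`). The "admin role" heuristic (primitive owner/editor plus any role id ending in `Admin`) and the sample policy, member names and project id are assumptions made for the example.

```python
"""Added example: audit a project IAM policy for service account role hygiene.

1.04  a user-managed service account holds an admin-level role
1.05  Service Account User is granted at project level (to anyone)
1.07  one member holds both Service Account Admin and Service Account User
"""

# Heuristic for 1.04 (assumption for this example): primitive owner/editor
# and any predefined or custom role whose id ends in "admin".
BROAD_ROLES = {"roles/owner", "roles/editor"}
SA_ADMIN_ROLE = "roles/iam.serviceAccountAdmin"
SA_USER_ROLE = "roles/iam.serviceAccountUser"


def is_admin_role(role: str) -> bool:
    return role in BROAD_ROLES or role.lower().endswith("admin")


def is_user_managed_sa(member: str) -> bool:
    """User-managed service accounts live under <project>.iam.gserviceaccount.com;
    Google-managed defaults (e.g. *-compute@developer.gserviceaccount.com)
    are out of scope for 1.04."""
    return member.startswith("serviceAccount:") and member.endswith(".iam.gserviceaccount.com")


def members_by_role(policy: dict) -> dict:
    """Collapse the bindings list into role -> set(members)."""
    out: dict = {}
    for b in policy.get("bindings", []):
        out.setdefault(b["role"], set()).update(b.get("members", []))
    return out


def audit_sa_roles(policy: dict) -> list:
    """Return sorted (item, member, role) tuples, one per violation."""
    by_role = members_by_role(policy)
    findings = []
    for role, members in by_role.items():                      # 1.04
        if is_admin_role(role):
            findings += [("1.04", m, role) for m in members if is_user_managed_sa(m)]
    for m in by_role.get(SA_USER_ROLE, ()):                     # 1.05
        findings.append(("1.05", m, SA_USER_ROLE))
    both = by_role.get(SA_ADMIN_ROLE, set()) & by_role.get(SA_USER_ROLE, set())
    findings += [("1.07", m, SA_ADMIN_ROLE + "+" + SA_USER_ROLE) for m in both]
    return sorted(findings)


# Constructed sample policy (not a real project).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:app-sa@example-proj.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["user:bob@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:bob@example.com", "group:deployers@example.com"]},
        {"role": "roles/viewer", "members": ["user:carol@example.com"]},
    ]
}

if __name__ == "__main__":
    for item, member, role in audit_sa_roles(SAMPLE_POLICY):
        print(f"{item}: {member} -> {role}")
```

The 1.05 check deliberately reports every project-level grant of `roles/iam.serviceAccountUser`, because the benchmark's remediation is to move that grant onto the individual service account's own IAM policy, where a project-level scan will no longer see it.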

GCP > CIS v1 > 1 Identity and Access Management > 1.08 Ensure Encryption keys are rotated within a period of 365 days (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. Access to resources.

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.

GCP > CIS v1 > 1 Identity and Access Management > 1.10 Ensure API keys are not created for a project (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.

GCP > CIS v1 > 1 Identity and Access Management > 1.11 Ensure API keys are restricted to use by only specified Hosts and Apps (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage only from trusted hosts, HTTP referrers and apps.

GCP > CIS v1 > 1 Identity and Access Management > 1.12 Ensure API keys are restricted to only APIs that application needs access (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.

GCP > CIS v1 > 1 Identity and Access Management > 1.13 Ensure API keys are rotated every 90 days (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to rotate API keys every 90 days.

GCP > CIS v1 > 2 Logging and Monitoring

Covers recommendations addressing Logging and Monitoring.

URI
tmod:@turbot/gcp-cisv1#/control/types/s02
Category

GCP > CIS v1 > 2 Logging and Monitoring > 2.01 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that Cloud Audit Logging is configured to track all Admin activities and read, write access to user data.
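Cloud Audit Logging for a project is configured in the `auditConfigs` section of the same IAM policy document; the benchmark expects an `allServices` entry enabling `ADMIN_READ`, `DATA_READ` and `DATA_WRITE` with no exempted members (`ADMIN_WRITE` is always on and cannot be configured). The following is an added example, not the Turbot mod's own check: it validates that section from `gcloud projects get-iam-policy PROJECT --format=json`. The sample policies and the member name are constructed.

```python
"""Added example: verify item 2.01 from a project's IAM policy auditConfigs.

Expected shape:
{"auditConfigs": [{"service": "allServices",
                   "auditLogConfigs": [{"logType": "ADMIN_READ"},
                                       {"logType": "DATA_READ"},
                                       {"logType": "DATA_WRITE"}]}]}
"""

REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def check_audit_config(policy: dict) -> list:
    """Return a list of human-readable problems; empty means compliant."""
    configs = {c["service"]: c for c in policy.get("auditConfigs", [])}
    all_services = configs.get("allServices")
    if all_services is None:
        return ["no auditConfigs entry for allServices"]

    problems = []
    enabled = set()
    for cfg in all_services.get("auditLogConfigs", []):
        enabled.add(cfg["logType"])
        # Any exemption punches a hole in coverage for that log type.
        for member in cfg.get("exemptedMembers", []):
            problems.append(f"{cfg['logType']} exempts {member}")
    for log_type in sorted(REQUIRED_LOG_TYPES - enabled):
        problems.append(f"{log_type} not enabled for allServices")
    return problems


# Constructed samples (not real projects).
COMPLIANT_POLICY = {
    "auditConfigs": [{
        "service": "allServices",
        "auditLogConfigs": [{"logType": "ADMIN_READ"},
                            {"logType": "DATA_READ"},
                            {"logType": "DATA_WRITE"}],
    }]
}
WEAK_POLICY = {
    "auditConfigs": [{
        "service": "allServices",
        "auditLogConfigs": [
            {"logType": "ADMIN_READ", "exemptedMembers": ["user:ops@example.com"]},
            {"logType": "DATA_WRITE"},
        ],
    }]
}

if __name__ == "__main__":
    for name, pol in (("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_audit_config(pol) or "OK")
```

Per-service `auditConfigs` entries are ignored on purpose: the benchmark asks for the blanket `allServices` setting, and a service-specific entry can only narrow it further.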

GCP > CIS v1 > 2 Logging and Monitoring > 2.02 Ensure that sinks are configured for all Log entries (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to create a sink that will export copies of all the log entries.

GCP > CIS v1 > 2 Logging and Monitoring > 2.03 Ensure that object versioning is enabled on log-buckets (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to enable object versioning on log-buckets.

GCP > CIS v1 > 2 Logging and Monitoring > 2.04 Ensure log metric filter and alerts exists for Project Ownership assignments/changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to create a sink that will export copies of all the log entries.

GCP > CIS v1 > 2 Logging and Monitoring > 2.10 Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.

GCP > CIS v1 > 2 Logging and Monitoring > 2.11 Ensure log metric filter and alerts exists for SQL instance configuration changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that a metric filter and alarm be established for SQL Instance configuration changes.

GCP > CIS v1 > 3 Networking

Covers recommendations addressing Networking.

URI
tmod:@turbot/gcp-cisv1#/control/types/s03
Category

GCP > CIS v1 > 3 Networking > 3.01 Ensure the default network does not exist in a project (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network.

GCP > CIS v1 > 3 Networking > 3.02 Ensure legacy networks does not exists for a project (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

In order to prevent use of legacy networks, a project should not have a legacy network configured.

GCP > CIS v1 > 3 Networking > 3.03 Ensure that DNSSEC is enabled for Cloud DNS (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

To protect domains against DNS hijacking, man-in-the-middle and other attacks, DNSSEC should be enabled in Cloud DNS.

GCP > CIS v1 > 3 Networking > 3.04 Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and should not be weak.

GCP > CIS v1 > 3 Networking > 3.05 Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and should not be weak.

GCP > CIS v1 > 3 Networking > 3.06 Ensure that SSH access is restricted from the internet (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow you to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level, and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, you can only use an IPv4 address or IPv4 block in CIDR notation. Generic (0.0.0.0/0) incoming traffic from internet to VPC or VM instance using SSH on Port 22 can be avoided.

GCP > CIS v1 > 3 Networking > 3.07 Ensure that RDP access is restricted from the internet (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow you to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level, and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, you can only use an IPv4 address or IPv4 block in CIDR notation. Generic (0.0.0.0/0) incoming traffic from internet to VPC or VM instance using RDP on Port 3389 can be avoided.
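Items 3.06 and 3.07 above reduce to the same question over the firewall rule list: is there an enabled ingress rule with source `0.0.0.0/0` whose allowed set covers TCP port 22 or 3389? The subtlety is that `ports` entries are single ports or ranges (`"20-25"`), an absent `ports` list means all ports for that protocol, and `IPProtocol: "all"` covers everything. The following is an added example, not code from the Turbot mod: it reads the JSON shape of `gcloud compute firewall-rules list --format=json`. The sample rules and their names are constructed.

```python
"""Added example: find firewall rules exposing SSH (22) or RDP (3389) to the
internet, as described in items 3.06 and 3.07.

Input shape (per rule, from `gcloud compute firewall-rules list --format=json`):
{"name": ..., "direction": "INGRESS", "disabled": false,
 "sourceRanges": ["0.0.0.0/0"],
 "allowed": [{"IPProtocol": "tcp", "ports": ["22", "80-443"]}]}
"""

ANY_IPV4 = "0.0.0.0/0"   # firewall rules are IPv4-only, as the text notes


def port_in_ranges(port: int, ports) -> bool:
    """True if `port` is covered by the `ports` list ("22" or "20-25").
    An absent or empty list means every port for that protocol."""
    if not ports:
        return True
    for entry in ports:
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def internet_exposed(rules: list, port: int) -> list:
    """Names of enabled INGRESS rules that allow TCP `port` from 0.0.0.0/0."""
    exposed = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction") != "INGRESS":
            continue
        if ANY_IPV4 not in rule.get("sourceRanges", []):
            continue
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol", "").lower()
            if proto in ("tcp", "all") and port_in_ranges(port, allowed.get("ports")):
                exposed.append(rule["name"])
                break
    return exposed


# Constructed sample rule set (not from a real project).
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-office", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-all-ingress", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-web", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80-443"]}]},
    {"name": "old-rdp", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "egress-any", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
]

if __name__ == "__main__":
    print("3.06 SSH exposed:", internet_exposed(SAMPLE_RULES, 22))
    print("3.07 RDP exposed:", internet_exposed(SAMPLE_RULES, 3389))
```

A rule like `allow-all-ingress` is reported for both ports even though it never names them; checks that only grep for the literal string "22" miss exactly this case.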

GCP > CIS v1 > 3 Networking > 3.08 Ensure Private Google Access is enabled for all subnetwork in VPC Network (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Private Google Access enables virtual machine instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS.

GCP > CIS v1 > 3 Networking > 3.09 Ensure VPC Flow logs is enabled for every subnet in VPC Network (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. After you've created a flow log, you can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business critical VPC subnet.

GCP > CIS v1 > 4 Virtual Machines

Covers recommendations addressing Virtual Machines.

URI
tmod:@turbot/gcp-cisv1#/control/types/s04
Category

GCP > CIS v1 > 4 Virtual Machines > 4.01 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope "Allow full access to all Cloud APIs".

GCP > CIS v1 > 4 Virtual Machines > 4.02 Ensure "Block Project-wide SSH keys" enabled for VM instances (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to use instance-specific SSH key(s) instead of common/shared project-wide SSH key(s) to access instances.

GCP > CIS v1 > 4 Virtual Machines > 4.03 Ensure oslogin is enabled for a Project (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.

GCP > CIS v1 > 4 Virtual Machines > 4.04 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.

GCP > CIS v1 > 4 Virtual Machines > 4.05 Ensure that IP forwarding is not enabled on Instances (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

A Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different from the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure.

GCP > CIS v1 > 4 Virtual Machines > 4.06 Ensure VM disks for critical VMs are encrypted with Customer- Supplied Encryption Keys (CSEK) (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.

URI
tmod:@turbot/gcp-cisv1#/control/types/r0406

GCP > CIS v1 > 5 Storage

Covers recommendations addressing Storage.

URI
tmod:@turbot/gcp-cisv1#/control/types/s05
Category

GCP > CIS v1 > 5 Storage > 5.01 Ensure that Cloud Storage bucket is not anonymously or publicly accessible (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous and/or public access.

GCP > CIS v1 > 5 Storage > 5.02 Ensure that there are no publicly accessible objects in storage buckets (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

It is recommended that storage object ACLs do not grant access to "allUsers".

GCP > CIS v1 > 5 Storage > 5.03 Ensure that logging is enabled for Cloud storage buckets (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Storage Access Logging generates a log that contains access records for each request made to the Storage bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. Cloud Storage offers access logs and storage logs in the form of CSV files that can be downloaded and used for analysis/incident response. Access logs provide information for all of the requests made on a specified bucket and are created hourly, while the daily storage logs provide information about the storage consumption of that bucket for the last day. The access logs and storage logs are automatically created as new objects in a bucket that you specify. Storage logs help keep track of the amount of data stored in the bucket. It is recommended that storage Access Logs and Storage Logs are enabled for every Storage Bucket.

GCP > CIS v1 > 6 Cloud SQL Database Services

Covers recommendations addressing Cloud SQL Database Services.

URI
tmod:@turbot/gcp-cisv1#/control/types/s06
Category

GCP > CIS v1 > 6 Cloud SQL Database Services > 6.01 Ensure that Cloud SQL database instance requires all incoming connections to use SSL (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to enforce all incoming connections to SQL database instance to use SSL.

GCP > CIS v1 > 6 Cloud SQL Database Services > 6.02 Ensure that Cloud SQL database Instances are not open to the world (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
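Items 6.01 and 6.02 above are both settings on a Cloud SQL instance's `settings.ipConfiguration`: `requireSsl` for 6.01, and for 6.02 no `authorizedNetworks` entry with a `/0` prefix while a public IPv4 address (`ipv4Enabled`) is attached. The following is an added example, not code from the Turbot mod: it evaluates the JSON shape of `gcloud sql instances describe INSTANCE --format=json`. The sample instances and their names are constructed.

```python
"""Added example: check a Cloud SQL instance for items 6.01 (SSL required)
and 6.02 (not open to the world via authorized networks).

Relevant input shape (from `gcloud sql instances describe --format=json`):
{"name": ..., "settings": {"ipConfiguration": {
    "ipv4Enabled": true, "requireSsl": true,
    "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"}]}}}
"""
import ipaddress


def is_world_open(cidr: str) -> bool:
    """True for a prefix that matches every address (0.0.0.0/0, ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False   # not a CIDR the API should accept; don't flag blindly


def audit_sql_instance(instance: dict) -> list:
    """Return "<item>: <problem>" strings; empty means compliant."""
    ipcfg = instance.get("settings", {}).get("ipConfiguration", {})
    problems = []
    if not ipcfg.get("requireSsl", False):
        problems.append("6.01: requireSsl is not enabled")
    # Authorized networks only matter when the instance has a public address.
    if ipcfg.get("ipv4Enabled", False):
        for net in ipcfg.get("authorizedNetworks", []):
            if is_world_open(net.get("value", "")):
                problems.append(f"6.02: authorized network {net['value']} is open to the world")
    return problems


# Constructed sample instances (not real resources).
SAMPLE_INSTANCES = [
    {"name": "orders-db", "settings": {"ipConfiguration": {
        "ipv4Enabled": True, "requireSsl": True,
        "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"}]}}},
    {"name": "legacy-db", "settings": {"ipConfiguration": {
        "ipv4Enabled": True, "requireSsl": False,
        "authorizedNetworks": [{"name": "anyone", "value": "0.0.0.0/0"}]}}},
    {"name": "private-db", "settings": {"ipConfiguration": {
        "ipv4Enabled": False, "requireSsl": False,
        "authorizedNetworks": [{"name": "stale", "value": "0.0.0.0/0"}]}}},
]

if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:
        print(inst["name"], audit_sql_instance(inst) or "OK")
```

`private-db` shows why the `ipv4Enabled` guard is there: a stale world-open entry on a private-IP-only instance is worth cleaning up, but it is not an internet exposure, and reporting it as one trains operators to ignore the finding.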

GCP > CIS v1 > 6 Cloud SQL Database Services > 6.03 Ensure that MySql database instance does not allow anyone to connect with administrative privileges. (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database Instances. This recommendation is applicable only for MySql Instances. PostgreSQL does not offer any setting for No Password from cloud console.

GCP > CIS v1 > 6 Cloud SQL Database Services > 6.04 Ensure that MySQL Database Instance does not allows root login from any Host (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that root access to a MySql Database Instance should be allowed only through specific white-listed trusted IPs.

GCP > CIS v1 > 7 Kubernetes Engine

Covers recommendations addressing Google Kubernetes Engine.

URI
tmod:@turbot/gcp-cisv1#/control/types/s07
Category

GCP > CIS v1 > 7 Kubernetes Engine > 7.01 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Stackdriver Logging is part of the Stackdriver suite of products in Google Cloud Platform. It includes storage for logs, a user interface called the Logs Viewer, and an API to manage logs programmatically. Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Container logs are collected from your containers. System logs are collected from the cluster's components, such as docker and kubelet. Events are logs about activity in the cluster, such as the scheduling of Pods.

GCP > CIS v1 > 7 Kubernetes Engine > 7.02 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Use Stackdriver Monitoring to monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. Stackdriver Monitoring uses the Monitoring agent to access additional system resources and application services in virtual machine instances.

GCP > CIS v1 > 7 Kubernetes Engine > 7.03 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes.

GCP > CIS v1 > 7 Kubernetes Engine > 7.04 Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container cluster's Kubernetes master endpoint. Kubernetes Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your container cluster's Kubernetes master endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network.

GCP > CIS v1 > 7 Kubernetes Engine > 7.05 Ensure Kubernetes Clusters are configured with Labels (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

A cluster label is a key-value pair that helps you organize your Google Cloud Platform resources, such as clusters. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, so you can break down your billing charges by the label.

GCP > CIS v1 > 7 Kubernetes Engine > 7.06 Ensure Kubernetes web UI / Dashboard is disabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself along with its attendant resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard.

GCP > CIS v1 > 7 Kubernetes Engine > 7.07 Ensure Automatic node repair is enabled for Kubernetes Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair.

GCP > CIS v1 > 7 Kubernetes Engine > 7.08 Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades.

GCP > CIS v1 > 7 Kubernetes Engine > 7.09 Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely.

GCP > CIS v1 > 7 Kubernetes Engine > 7.10 Ensure Basic Authentication is disabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Basic authentication allows a user to authenticate to the cluster with a username and password, and that password is stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. It is recommended to use either client certificates or IAM for authentication.

GCP > CIS v1 > 7 Kubernetes Engine > 7.11 Ensure Network policy is enabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other.

GCP > CIS v1 > 7 Kubernetes Engine > 7.12 Ensure Kubernetes Cluster is created with Client Certificate enabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A client certificate is a base64-encoded public certificate used by clients to authenticate to the cluster endpoint.

GCP > CIS v1 > 7 Kubernetes Engine > 7.13 Ensure Kubernetes Cluster is created with Alias IP ranges enabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Google Cloud Platform Alias IP Ranges lets you assign ranges of internal IP addresses as aliases to a virtual machine's network interfaces. This is useful if you have multiple services running on a VM and you want to assign each service a different IP address.

GCP > CIS v1 > 7 Kubernetes Engine > 7.14 Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

GCP > CIS v1 > 7 Kubernetes Engine > 7.15 Ensure Kubernetes Cluster is created with Private cluster enabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A private cluster is a cluster that makes your master inaccessible from the public internet. In a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes have addresses only in the private RFC 1918 address space. Nodes and masters communicate with each other privately using VPC peering.

GCP > CIS v1 > 7 Kubernetes Engine > 7.17 Ensure default Service account is not used for Project access in Kubernetes Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster.

GCP > CIS v1 > 7 Kubernetes Engine > 7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Access scopes are the legacy method of specifying permissions for your instance. Before the existence of IAM roles, access scopes were the only mechanism for granting permissions to service accounts. By default, your node service account has access scopes.