Policy types for @turbot/gcp-cisv1

GCP > CIS v1

Configures a default auditing level against the Google Cloud Platform Foundation Benchmark, Version 1.

URI
tmod:@turbot/gcp-cisv1#/policy/types/cis
Category
Parent
Valid Value
[
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Level 1 (Scored)",
"Check: Level 1 (Scored & Not Scored)",
"Check: Level 1 & Level 2 (Scored)",
"Check: Level 1 & Level 2 (Scored & Not Scored)"
],
"default": "Skip"
}

GCP > CIS v1 > 1 Identity and Access Management

Covers recommendations addressing Identity and Access Management.

URI
tmod:@turbot/gcp-cisv1#/policy/types/s01
Category
Valid Value
[
"Skip"
]
Schema
{
"type": "string",
"enum": [
"Skip"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that corporate login credentials are used instead of Gmail accounts (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0101
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-service accounts (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Set up multi-factor authentication for Google Cloud Platform accounts.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0102
Valid Value
[
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per GCP > CIS v1 using attestation"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.02 Ensure that multi-factor authentication is enabled for all non-service accounts (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

For each Google Cloud Platform project:

  1. Identify the non-service accounts.
  2. Manually verify that multi-factor authentication is set for each account.

Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in GCP > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are only GCP-managed service account keys for each service account (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A user-managed service account should not have user-managed keys.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0103
Valid Value
[
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Scored) using attestation"
],
"default": "Per GCP > CIS v1 using attestation"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.03 Ensure that there are only GCP-managed service account keys for each service account (Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From CLI:

  1. List all the service accounts: gcloud iam service-accounts list
  2. Identify user-managed service accounts: such an account's EMAIL ends with iam.gserviceaccount.com
  3. For each user-managed service account, list the keys managed by the user. No keys should be listed.

Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in GCP > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that ServiceAccount has no Admin privileges (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Enrolling a service account with Admin rights gives full access to the assigned application or VM; whoever holds that service account can perform critical actions such as delete, update, and change settings without any user intervention, so it is recommended that service accounts not have Admin rights.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0104
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that IAM users are not assigned Service Account User role at project level (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to grant the Service Account User (iam.serviceAccountUser) role to a user on a specific service account rather than assigning the role to the user at the project level.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0105
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.06 Ensure user-managed/external keys for service accounts are rotated every 90 days or less (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Rotating service account keys reduces the window of opportunity for an access key associated with a compromised or terminated account to be used. Service account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0106
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

The built-in/predefined IAM role Service Account Admin allows a user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role Service Account User allows a user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to apps/Compute instances.

Separation of duties is the concept of ensuring that one individual does not have all the permissions necessary to complete a malicious action. For Cloud IAM service accounts, this could be an action such as using a service account to access resources that the user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.

No user should have both the Service Account Admin and Service Account User roles assigned at the same time.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0107
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Not Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.08 Ensure Encryption keys are rotated within a period of 365 days (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. Access to resources.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0108
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0109
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.10 Ensure API keys are not created for a project (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use the standard authentication flow instead.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0110
Valid Value
[
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 2 (Not Scored) using attestation"
],
"default": "Per GCP > CIS v1 using attestation"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.10 Ensure API keys are not created for a project (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Console:

  1. Go to APIs & Services\Credentials using https://console.cloud.google.com/apis/credentials
  2. In the API Keys section, no API key should be listed.

Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in GCP > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0110Attestation
Schema
{
"type": "string",
"format": "date-time",
"default": ""
}

GCP > CIS v1 > 1 Identity and Access Management > 1.11 Ensure API keys are restricted to use by only specified Hosts and Apps (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage only from trusted hosts, HTTP referrers and apps.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0111
Valid Value
[
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per GCP > CIS v1 using attestation"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.11 Ensure API keys are restricted to use by only specified Hosts and Apps (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Console:

  1. Go to APIs & Services\Credentials using https://console.cloud.google.com/apis/credentials
  2. In the API Keys section, click on the API key name. It will display the API key properties on a new page.
  3. For every API key, under Key restrictions, ensure that the Application restrictions parameter is not set to None; or ensure that Application restrictions is set to HTTP referrers and the referrer is not set to wildcards ( or .[TLD] or .[TLD]/) that allow access to any/wide range of HTTP referrers; or ensure that Application restrictions is set to IP addresses and the referrer is not set to any host (0.0.0.0 or 0.0.0.0/0 or ::0).

Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in GCP > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0111Attestation
Schema
{
"type": "string",
"format": "date-time",
"default": ""
}

GCP > CIS v1 > 1 Identity and Access Management > 1.12 Ensure API keys are restricted to only APIs that application needs access (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0112
Valid Value
[
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Not Scored) using attestation"
],
"default": "Per GCP > CIS v1 using attestation"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.12 Ensure API keys are restricted to only APIs that application needs access (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Console:

  1. Go to APIs & Services\Credentials using https://console.cloud.google.com/apis/credentials
  2. In the API Keys section, click on the API key name. It will display the API key properties on a new page.
  3. For every API key, under Key restrictions, ensure that the API restrictions parameter is not set to None and is not set to Google Cloud APIs. Note: Google Cloud APIs represents the collection of all cloud services/APIs offered by Google Cloud.

Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in GCP > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0112Attestation
Schema
{
"type": "string",
"format": "date-time",
"default": ""
}

GCP > CIS v1 > 1 Identity and Access Management > 1.13 Ensure API keys are rotated every 90 days (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to rotate API keys every 90 days.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0113
Valid Value
[
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Scored) using attestation"
],
"default": "Per GCP > CIS v1 using attestation"
}

GCP > CIS v1 > 1 Identity and Access Management > 1.13 Ensure API keys are rotated every 90 days (Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Console:

  1. Go to APIs & Services\Credentials using https://console.cloud.google.com/apis/credentials
  2. In the API Keys section, click on the API key name. It will display the API key properties on a new page.
  3. Click REGENERATE KEY to rotate the API key.
  4. Click Save.
  5. Repeat steps 2, 3, and 4 for every API key that has not been rotated in the last 90 days.

Note: Do not set HTTP referrers to wildcards ( or .[TLD] or .[TLD]/) that allow access to any/wide range of HTTP referrers. Do not set IP addresses and referrer to any host (0.0.0.0 or 0.0.0.0/0 or ::0).

Once verified, enter the date that this attestation expires. Note that the date cannot be further in the future than is specified in GCP > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0113Attestation
Schema
{
"type": "string",
"format": "date-time",
"default": ""
}

GCP > CIS v1 > 2 Logging and Monitoring

Covers recommendations addressing Logging and Monitoring.

URI
tmod:@turbot/gcp-cisv1#/policy/types/s02
Category
Valid Value
[
"Skip"
]
Schema
{
"type": "string",
"enum": [
"Skip"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > CIS v1 > 2 Logging and Monitoring > 2.01 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that Cloud Audit Logging is configured to track all Admin activities and read and write access to user data.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0201
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 2 Logging and Monitoring > 2.02 Ensure that sinks are configured for all Log entries (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to create a sink that exports copies of all log entries.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0202
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 2 Logging and Monitoring > 2.03 Ensure that object versioning is enabled on log-buckets (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to enable object versioning on log-buckets.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0203
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 2 Logging and Monitoring > 2.04 Ensure log metric filter and alerts exists for Project Ownership assignments/changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to create a sink that exports copies of all log entries.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0204
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 2 Logging and Monitoring > 2.10 Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0210
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 2 Logging and Monitoring > 2.11 Ensure log metric filter and alerts exists for SQL instance configuration changes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that a metric filter and alarm be established for SQL Instance configuration changes.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0211
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 3 Networking

Covers recommendations addressing Networking.

URI
tmod:@turbot/gcp-cisv1#/policy/types/s03
Category
Valid Value
[
"Skip"
]
Schema
{
"type": "string",
"enum": [
"Skip"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > CIS v1 > 3 Networking > 3.01 Ensure the default network does not exist in a project (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

The default network has automatically created firewall rules and has pre-fabricated network configuration. Based on your security and networking requirements, you should create your network and delete the default network.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0301
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 3 Networking > 3.02 Ensure legacy networks does not exists for a project (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

In order to prevent use of legacy networks, a project should not have a legacy network configured.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0302
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 3 Networking > 3.03 Ensure that DNSSEC is enabled for Cloud DNS (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

To protect domains against DNS hijacking, man-in-the-middle, and other attacks, DNSSEC should be enabled in Cloud DNS.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0303
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 3 Networking > 3.04 Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and should not be weak.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0304
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 3 Networking > 3.05 Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and should not be weak.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0305
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 3 Networking > 3.06 Ensure that SSH access is restricted from the internet (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow you to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level, and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, you can only use an IPv4 address or IPv4 block in CIDR notation. Generic (0.0.0.0/0) incoming traffic from internet to VPC or VM instance using SSH on Port 22 can be avoided.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0306
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 3 Networking > 3.07 Ensure that RDP access is restricted from the internet (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow you to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level, and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, you can only use an IPv4 address or IPv4 block in CIDR notation. Generic (0.0.0.0/0) incoming traffic from internet to VPC or VM instance using RDP on Port 3389 can be avoided.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0307
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 3 Networking > 3.08 Ensure Private Google Access is enabled for all subnetwork in VPC Network (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Private Google Access enables virtual machine instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0308
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 3 Networking > 3.09 Ensure VPC Flow logs is enabled for every subnet in VPC Network (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. After you've created a flow log, you can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business critical VPC subnet.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0309
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 4 Virtual Machines

Covers recommendations addressing Virtual Machines.

URI
tmod:@turbot/gcp-cisv1#/policy/types/s04
Category
Valid Value
[
"Skip"
]
Schema
{
"type": "string",
"enum": [
"Skip"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > CIS v1 > 4 Virtual Machines > 4.01 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope "Allow full access to all Cloud APIs".

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0401
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 4 Virtual Machines > 4.02 Ensure "Block Project-wide SSH keys" enabled for VM instances (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to use instance-specific SSH key(s) instead of common/shared project-wide SSH key(s) to access instances.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0402
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 4 Virtual Machines > 4.03 Ensure oslogin is enabled for a Project (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0403
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 4 Virtual Machines > 4.04 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0404
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 4 Virtual Machines > 4.05 Ensure that IP forwarding is not enabled on Instances (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

A Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP will not deliver a packet whose destination IP address differs from the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0405
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 4 Virtual Machines > 4.06 Ensure VM disks for critical VMs are encrypted with Customer- Supplied Encryption Keys (CSEK) (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0406
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 5 Storage

Covers recommendations addressing Storage.

URI
tmod:@turbot/gcp-cisv1#/policy/types/s05
Category
Valid Value
[
"Skip"
]
Schema
{
"type": "string",
"enum": [
"Skip"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > CIS v1 > 5 Storage > 5.01 Ensure that Cloud Storage bucket is not anonymously or publicly accessible (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access, i.e. no binding grants a role to allUsers or allAuthenticatedUsers.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0501
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 5 Storage > 5.02 Ensure that there are no publicly accessible objects in storage buckets (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

It is recommended that storage object ACLs do not grant access to "allUsers".

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0502
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 5 Storage > 5.03 Ensure that logging is enabled for Cloud storage buckets (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Storage access logging generates a log containing an access record for each request made to the bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the date and time the request was processed. Cloud Storage offers access logs and storage logs as CSV files that can be downloaded and used for analysis and incident response. Access logs cover all requests made on a specified bucket and are created hourly, while storage logs are created daily and report the bucket's storage consumption for the previous day. Both kinds of log are written automatically as new objects in a log bucket that you specify. It is recommended that access logs and storage logs be enabled for every storage bucket.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0503
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}
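
Items 5.01 to 5.03 above can be checked together from three pieces of data an auditor would fetch per bucket: the bucket IAM policy (`gsutil iam get gs://BUCKET`), each object's ACL (`gsutil acl get gs://BUCKET/OBJECT`), and the bucket metadata (`logging` and `iamConfiguration` fields from the JSON API). The script below is an added example, not part of the Turbot policy pack; the bucket names, principals and metadata are constructed, and the bundling of the three data sources into one record per bucket is my own arrangement.

```python
"""Audit Cloud Storage buckets for CIS GCP v1 items 5.01, 5.02 and 5.03.

Added example, not part of the Turbot policy pack. Each bucket record bundles
the bucket IAM policy (as `gsutil iam get` returns it), per-object ACLs (as
`gsutil acl get` returns them) and bucket metadata from the JSON API (for the
`logging` and `iamConfiguration` fields). Both sample records are constructed.
"""
from __future__ import annotations

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed: a bucket serving a public website, with no access logging.
PUBLIC_BUCKET = {
    "name": "example-public-site",
    "iam_policy": {
        "bindings": [
            {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        ]
    },
    "object_acls": {
        "index.html": [
            {"entity": "project-owners-123456", "role": "OWNER"},
            {"entity": "allUsers", "role": "READER"},
        ]
    },
    "metadata": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}},
}

# Constructed: a private bucket with uniform bucket-level access and logging on.
PRIVATE_BUCKET = {
    "name": "example-private-data",
    "iam_policy": {
        "bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        ]
    },
    "object_acls": {},
    "metadata": {
        "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
        "logging": {"logBucket": "example-access-logs", "logObjectPrefix": "example-private-data"},
    },
}


def public_bindings(policy: dict) -> list[tuple[str, str]]:
    """5.01: (role, member) pairs that grant anonymous or public access."""
    return [
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_PRINCIPALS
    ]


def public_acl_entries(acl: list[dict]) -> list[str]:
    """5.02: roles an object ACL grants to allUsers."""
    return [entry["role"] for entry in acl if entry.get("entity") == "allUsers"]


def logging_enabled(metadata: dict) -> bool:
    """5.03: access logging is on only when a log bucket is configured."""
    return bool(metadata.get("logging", {}).get("logBucket"))


def audit_bucket(bucket: dict) -> list[str]:
    """Return one finding string per failed check for a bucket record."""
    findings = []
    name = bucket["name"]
    for role, member in public_bindings(bucket["iam_policy"]):
        findings.append(f"5.01 {name}: {member} holds {role}")
    # With uniform bucket-level access on, object ACLs are disabled and cannot
    # grant anything, so the 5.02 check only applies when it is off.
    ubla = bucket["metadata"].get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    if not ubla.get("enabled", False):
        for obj, acl in bucket["object_acls"].items():
            for role in public_acl_entries(acl):
                findings.append(f"5.02 {name}/{obj}: allUsers has {role}")
    if not logging_enabled(bucket["metadata"]):
        findings.append(f"5.03 {name}: no access log bucket configured")
    return findings


if __name__ == "__main__":
    for bucket in (PUBLIC_BUCKET, PRIVATE_BUCKET):
        for line in audit_bucket(bucket) or [f"OK {bucket['name']}"]:
            print(line)
```

Turning on uniform bucket-level access is the durable fix for 5.02, since it removes object ACLs as a way of granting access at all; the 5.01 check still applies afterwards because IAM bindings remain in force.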

GCP > CIS v1 > 6 Cloud SQL Database Services

Covers recommendations addressing Cloud SQL Database Services.

URI
tmod:@turbot/gcp-cisv1#/policy/types/s06
Category
Valid Value
[
"Skip"
]
Schema
{
"type": "string",
"enum": [
"Skip"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > CIS v1 > 6 Cloud SQL Database Services > 6.01 Ensure that Cloud SQL database instance requires all incoming connections to use SSL (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that all incoming connections to a Cloud SQL database instance be required to use SSL/TLS, so that credentials and query traffic are never sent in the clear.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0601
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 6 Cloud SQL Database Services > 6.02 Ensure that Cloud SQL database Instances are not open to the world (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A database server should accept connections only from trusted networks and IP addresses and restrict access from the rest of the world; in Cloud SQL terms, the instance's authorized networks must not include 0.0.0.0/0.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0602
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 6 Cloud SQL Database Services > 6.03 Ensure that MySql database instance does not allow anyone to connect with administrative privileges. (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to Cloud SQL instances. This recommendation applies only to MySQL instances; PostgreSQL does not offer a "No Password" option in the Cloud Console.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0603
Valid Value
[
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Scored) using attestation"
],
"default": "Per GCP > CIS v1 using attestation"
}

GCP > CIS v1 > 6 Cloud SQL Database Services > 6.03 Ensure that MySql database instance does not allow anyone to connect with administrative privileges. (Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Using Command Line:

  1. List all Cloud SQL instances of type MySQL:
     gcloud sql instances list --filter='DATABASE_VERSION:MYSQL*'
  2. For every MySQL instance, try to connect as root from an authorized network without supplying a password:
     mysql -u root -h <Instance_IP>
     The command should return either an error message or a password prompt. Sample error message:
     ERROR 1045 (28000): Access denied for user 'root'@'<Instance_IP>' (using password: NO)
     If the command produces a mysql prompt instead, the instance allows anyone to connect with administrative privileges without a password. Note: the "No Password" setting is exposed only at MySQL instance creation time. Once the instance is created, the Cloud Console does not expose any setting that confirms whether a password is set for the administrative user.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.

GCP > CIS v1 > 6 Cloud SQL Database Services > 6.04 Ensure that MySQL Database Instance does not allows root login from any Host (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

It is recommended that root access to a MySQL database instance be allowed only from specific, explicitly trusted IP addresses rather than from any host; a root account whose host is the wildcard '%' accepts logins from anywhere the instance is reachable.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0604
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}
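
The four Cloud SQL items above (6.01 SSL enforcement, 6.02 world-open authorized networks, 6.03 root without a password, 6.04 root from any host) read two sources: the instance description from `gcloud sql instances describe INSTANCE --format=json` and, for MySQL instances, the rows of the mysql.user table. The script below is an added example, not part of the Turbot policy pack; the instance record, the network ranges and the mysql.user rows (including the password hash strings) are constructed, and the settings.ipConfiguration field names are taken from the SQL Admin API as I know it.

```python
"""Audit a Cloud SQL instance for CIS GCP v1 items 6.01 to 6.04.

Added example, not part of the Turbot policy pack. The instance record is the
JSON from `gcloud sql instances describe INSTANCE --format=json` (fields
databaseVersion and settings.ipConfiguration from the SQL Admin API); the
MySQL rows are what `SELECT user, host, plugin, authentication_string FROM
mysql.user` returns on the instance. Both samples are constructed.
"""
from __future__ import annotations

import ipaddress

# Constructed: SSL optional, and an authorized network admitting the whole
# IPv4 internet next to a legitimate office range (TEST-NET-3).
SAMPLE_INSTANCE = {
    "name": "orders-db",
    "databaseVersion": "MYSQL_5_7",
    "settings": {
        "ipConfiguration": {
            "ipv4Enabled": True,
            "requireSsl": False,
            "authorizedNetworks": [
                {"name": "office", "value": "203.0.113.0/24"},
                {"name": "anywhere", "value": "0.0.0.0/0"},
            ],
        }
    },
}

# Constructed mysql.user rows (user, host, plugin, authentication_string).
# The hash is a placeholder in the 41-character native format, not a real hash.
PLACEHOLDER_HASH = "*4F1F9A9C4B9E8D0E7B6A5C4D3E2F1A0B9C8D7E6F"
SAMPLE_MYSQL_USERS = [
    ("root", "%", "mysql_native_password", ""),
    ("root", "localhost", "mysql_native_password", PLACEHOLDER_HASH),
    ("app", "10.0.0.%", "mysql_native_password", PLACEHOLDER_HASH),
]


def _ip_config(instance: dict) -> dict:
    return instance.get("settings", {}).get("ipConfiguration", {})


def check_require_ssl(instance: dict) -> bool:
    """6.01: True when the instance rejects connections that do not use SSL."""
    return bool(_ip_config(instance).get("requireSsl", False))


def open_to_world(instance: dict) -> list[str]:
    """6.02: authorized-network entries matching every address (prefix length 0).

    Entries that fail to parse are returned as well, so a reviewer sees them
    instead of having them silently pass.
    """
    hits = []
    for net in _ip_config(instance).get("authorizedNetworks", []):
        value = net.get("value", "")
        try:
            if ipaddress.ip_network(value, strict=False).prefixlen == 0:
                hits.append(value)
        except ValueError:
            hits.append(value)
    return hits


def root_without_password(rows) -> list[str]:
    """6.03: hosts from which root can log in with an empty password.

    auth_socket rows are skipped: they have an empty string but only allow
    local Unix-socket logins, which Cloud SQL does not expose.
    """
    return [host for user, host, plugin, auth in rows
            if user == "root" and auth == "" and plugin != "auth_socket"]


def root_any_host(rows) -> list[str]:
    """6.04: root accounts whose host is the wildcard '%'."""
    return [host for user, host, _plugin, _auth in rows if user == "root" and host == "%"]


def audit_instance(instance: dict, mysql_users=None) -> list[str]:
    """Collect findings; 6.03 and 6.04 apply only to MySQL instances, as the text notes."""
    name = instance["name"]
    findings = []
    if not check_require_ssl(instance):
        findings.append(f"6.01 {name}: requireSsl is off")
    for value in open_to_world(instance):
        findings.append(f"6.02 {name}: authorized network {value!r} is open to the world")
    if instance.get("databaseVersion", "").startswith("MYSQL") and mysql_users is not None:
        for host in root_without_password(mysql_users):
            findings.append(f"6.03 {name}: root@{host} has no password")
        for host in root_any_host(mysql_users):
            findings.append(f"6.04 {name}: root@{host} accepts logins from any host")
    return findings


if __name__ == "__main__":
    for finding in audit_instance(SAMPLE_INSTANCE, SAMPLE_MYSQL_USERS):
        print(finding)
```

Reading mysql.user needs a connection to the instance with an account allowed to select from it; the description-based checks (6.01, 6.02) need only the SQL Admin API, so they can run across a whole project without database credentials.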

GCP > CIS v1 > 7 Kubernetes Engine

Covers recommendations addressing Google Kubernetes Engine.

URI
tmod:@turbot/gcp-cisv1#/policy/types/s07
Category
Valid Value
[
"Skip"
]
Schema
{
"type": "string",
"enum": [
"Skip"
],
"example": [
"Skip"
],
"default": "Skip"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.01 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Stackdriver Logging is part of the Stackdriver suite of products in Google Cloud Platform. It includes storage for logs, a user interface called the Logs Viewer, and an API to manage logs programmatically. Stackdriver Logging lets you have Kubernetes Engine automatically collect, process, and store your container and system logs in a dedicated, persistent datastore. Container logs are collected from your containers. System logs are collected from the cluster's components, such as docker and kubelet. Events are logs about activity in the cluster, such as the scheduling of Pods.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0701
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.02 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Use Stackdriver Monitoring to monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. It uses the Monitoring agent to access additional system resources and application services on virtual machine instances.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0702
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.03 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0703
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.04 Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container cluster's Kubernetes master endpoint. Kubernetes Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your container cluster's Kubernetes master endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0704
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.05 Ensure Kubernetes Clusters are configured with Labels (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Not Scored)

A cluster label is a key-value pair that helps you organize your Google Cloud Platform resources, such as clusters. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, so you can break down your billing charges by the label.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0705
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Not Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.06 Ensure Kubernetes web UI / Dashboard is disabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself along with its attendant resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard. Because the add-on is backed by a highly privileged Kubernetes service account, it is a valuable target if exposed; the Cloud Console and kubectl provide the same functionality, so the add-on should be disabled.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0706
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.07 Ensure Automatic node repair is enabled for Kubernetes Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0707
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.08 Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0708
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.09 Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image (Not Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Not Scored)

Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0709
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Not Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Not Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.10 Ensure Basic Authentication is disabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Basic authentication allows a user to authenticate to the cluster with a static username and password, which are stored in plain text without any encryption. Disabling basic authentication removes this credential and the brute-force attacks it invites. It is recommended to use either client certificates or IAM for authentication instead.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0710
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.11 Ensure Network policy is enabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0711
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.12 Ensure Kubernetes Cluster is created with Client Certificate enabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A client certificate is a base64-encoded public certificate used by clients to authenticate to the cluster endpoint.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0712
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.13 Ensure Kubernetes Cluster is created with Alias IP ranges enabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Google Cloud Platform Alias IP Ranges lets you assign ranges of internal IP addresses as aliases to a virtual machine's network interfaces. This is useful if you have multiple services running on a VM and you want to assign each service a different IP address.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0713
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.14 Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0714
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.15 Ensure Kubernetes Cluster is created with Private cluster enabled (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

A private cluster is a cluster whose master is inaccessible from the public internet. In a private cluster, nodes do not have public IP addresses, so your workloads run in an environment isolated from the internet. Nodes have addresses only in the private RFC 1918 address space. Nodes and masters communicate with each other privately using VPC peering.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0715
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 1 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.17 Ensure default Service account is not used for Project access in Kubernetes Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 2 (Scored)

A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0717
Valid Value
[
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1",
"Skip",
"Check: Level 2 (Scored)"
],
"default": "Per GCP > CIS v1"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

Access scopes are the legacy method of specifying permissions for your instance. Before IAM roles existed, access scopes were the only mechanism for granting permissions to service accounts. By default, your node service account is granted a default set of access scopes; these should be limited to the scopes the nodes actually need.

URI
tmod:@turbot/gcp-cisv1#/policy/types/r0718
Valid Value
[
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Scored) using attestation"
]
Schema
{
"type": "string",
"enum": [
"Per GCP > CIS v1 using attestation",
"Skip",
"Check: Level 1 (Scored) using attestation"
],
"default": "Per GCP > CIS v1 using attestation"
}

GCP > CIS v1 > 7 Kubernetes Engine > 7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access (Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Using Command line: To check the access scopes set for a node pool of an existing cluster, run the following command:

  gcloud container node-pools describe [NODE_POOL_NAME] --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] --format json | jq '.config.oauthScopes'

The output is the array of access scopes set on that node pool. Make sure you have granted only the limited scopes that each node pool requires. If you are accessing private images in Google Container Registry, the minimally required scopes are only logging.write, monitoring, and devstorage.read_only.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in GCP > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.
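
Every section 7 item on this page (7.01 through 7.18, 7.16 not being listed) is a property of the cluster description, so they can be evaluated in one pass over the JSON from `gcloud container clusters describe CLUSTER --zone ZONE --format=json`. The script below is an added example, not part of the Turbot policy pack: the field names are those of the GKE API Cluster resource as I know them (podSecurityPolicyConfig comes from the beta API), which is an assumption to verify against the API reference for your gcloud version; both sample clusters, their labels, CIDR block and certificate value are constructed.

```python
"""Audit a GKE cluster description against CIS GCP v1 section 7 (7.01 to 7.18).

Added example, not part of the Turbot policy pack. Input is the JSON from
`gcloud container clusters describe CLUSTER --zone ZONE --format=json`; the
field names follow the GKE API Cluster resource as I know it (an assumption;
podSecurityPolicyConfig is a beta API field). Both samples are constructed.
"""
from __future__ import annotations

# 7.18: the scopes the benchmark names as the minimum for nodes pulling
# private images from Container Registry.
MINIMAL_NODE_SCOPES = {
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring",
    "https://www.googleapis.com/auth/devstorage.read_only",
}

# Constructed: a cluster created with legacy defaults; fails everything but 7.02.
LEGACY_CLUSTER = {
    "name": "legacy-cluster",
    "loggingService": "none",
    "monitoringService": "monitoring.googleapis.com",
    "legacyAbac": {"enabled": True},
    "masterAuthorizedNetworksConfig": {"enabled": False},
    "resourceLabels": {},
    "addonsConfig": {"kubernetesDashboard": {"disabled": False}},
    "masterAuth": {"username": "admin"},
    "networkPolicy": {"enabled": False},
    "ipAllocationPolicy": {"useIpAliases": False},
    "privateClusterConfig": {"enablePrivateNodes": False},
    "nodePools": [{"name": "default-pool",
                   "management": {"autoRepair": False, "autoUpgrade": False},
                   "config": {"imageType": "UBUNTU", "serviceAccount": "default",
                              "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"]}}],
}

# Constructed: the same cluster with every item remediated. The certificate
# value is a placeholder, not a real certificate.
HARDENED_CLUSTER = {
    "name": "hardened-cluster",
    "loggingService": "logging.googleapis.com/kubernetes",
    "monitoringService": "monitoring.googleapis.com/kubernetes",
    "legacyAbac": {"enabled": False},
    "masterAuthorizedNetworksConfig": {"enabled": True, "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}]},
    "resourceLabels": {"env": "prod", "owner": "platform"},
    "addonsConfig": {"kubernetesDashboard": {"disabled": True}},
    "masterAuth": {"clientCertificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t"},
    "networkPolicy": {"enabled": True, "provider": "CALICO"},
    "ipAllocationPolicy": {"useIpAliases": True},
    "podSecurityPolicyConfig": {"enabled": True},
    "privateClusterConfig": {"enablePrivateNodes": True},
    "nodePools": [{"name": "pool-1",
                   "management": {"autoRepair": True, "autoUpgrade": True},
                   "config": {"imageType": "COS",
                              "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
                              "oauthScopes": sorted(MINIMAL_NODE_SCOPES)}}],
}


def audit_cluster(c: dict) -> list[str]:
    """Return the section 7 item numbers the cluster fails, in benchmark order."""
    pools = c.get("nodePools", [])
    master_auth = c.get("masterAuth", {})
    has_client_cert = bool(master_auth.get("clientCertificate")
                           or master_auth.get("clientCertificateConfig", {}).get("issueClientCertificate"))
    checks = [
        ("7.01", c.get("loggingService", "none") != "none"),
        ("7.02", c.get("monitoringService", "none") != "none"),
        ("7.03", not c.get("legacyAbac", {}).get("enabled", False)),
        ("7.04", c.get("masterAuthorizedNetworksConfig", {}).get("enabled", False)),
        ("7.05", bool(c.get("resourceLabels"))),
        ("7.06", c.get("addonsConfig", {}).get("kubernetesDashboard", {}).get("disabled", False)),
        ("7.07", all(p.get("management", {}).get("autoRepair", False) for p in pools)),
        ("7.08", all(p.get("management", {}).get("autoUpgrade", False) for p in pools)),
        ("7.09", all(p.get("config", {}).get("imageType", "").upper().startswith("COS") for p in pools)),
        # Basic auth is on whenever a static username is set on the master.
        ("7.10", not master_auth.get("username")),
        ("7.11", c.get("networkPolicy", {}).get("enabled", False)),
        ("7.12", has_client_cert),
        ("7.13", c.get("ipAllocationPolicy", {}).get("useIpAliases", False)),
        ("7.14", c.get("podSecurityPolicyConfig", {}).get("enabled", False)),
        ("7.15", c.get("privateClusterConfig", {}).get("enablePrivateNodes", False)),
        ("7.17", all(p.get("config", {}).get("serviceAccount", "default") != "default" for p in pools)),
        # A pool passes 7.18 only if every scope it holds lies within the minimal set.
        ("7.18", all(set(p.get("config", {}).get("oauthScopes", [])) <= MINIMAL_NODE_SCOPES for p in pools)),
    ]
    return [item for item, passed in checks if not passed]


if __name__ == "__main__":
    for cluster in (LEGACY_CLUSTER, HARDENED_CLUSTER):
        print(cluster["name"], "fails:", audit_cluster(cluster) or "nothing")
```

The node-pool checks (7.07, 7.08, 7.09, 7.17, 7.18) are evaluated over every pool, so a cluster with one compliant pool and one legacy pool still fails; 7.18 in particular treats the broad cloud-platform scope as a failure even though it technically includes the three minimal scopes, because the item is about limiting what the node credential can reach.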

GCP > CIS v1 > Maximum Attestation Duration

The maximum duration for CIS attestations. Attestation policies can not be set further in the future than is specified here.

URI
tmod:@turbot/gcp-cisv1#/policy/types/attestation
Category
Valid Value
[
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"30 days",
"60 days",
"90 days",
"1 year",
"2 years",
"3 years"
],
"default": "Skip"
}