Google Cloud Platform best practice rules
Trend Micro Cloud One™ – Conformity has more than 750 cloud infrastructure configuration best practices for your Amazon Web Services, Microsoft® Azure, and Google Cloud™ environments. Here is our growing list of GCP best practice rules, each with clear instructions on how to perform the updates – either through the GCP console or via the Command Line Interface (CLI).
Conformity provides real-time monitoring and auto-remediation for the security, compliance and governance of your cloud infrastructure, leaving you free to grow and scale your business with confidence.
GCP BigQuery
- Check for Publicly Accessible BigQuery Datasets
Ensure that Google Cloud BigQuery datasets are not publicly accessible.
- Enable BigQuery Dataset Encryption with Customer-Managed Encryption Keys
Ensure that BigQuery datasets are encrypted using Customer-Managed Encryption Keys (CMEKs).
- Enable BigQuery Encryption with Customer-Managed Keys
Ensure that BigQuery dataset tables are encrypted using Customer-Managed Keys (CMKs).
GCP CertificateManager
- SSL certificates validity period
Ensure that SSL certificates are renewed within the appropriate validity period.
GCP API
- API Keys Should Only Exist for Active Services
Ensure there are no API keys in use within your Google Cloud projects.
- Check for API Key API Restrictions
Ensure that API keys are restricted to only those APIs that your application needs access to.
- Check for API Key Application Restrictions
Ensure that your API key usage is restricted to trusted hosts and applications only.
- Enable Cloud Asset Inventory
Ensure that Google Cloud Asset Inventory is enabled for your GCP projects.
- Enable critical service APIs
Ensure that critical service APIs are enabled for your GCP projects.
- Latest Operating System Updates
Ensure that your Google Cloud virtual machine (VM) instances are using the latest operating system updates.
- Rotate Google Cloud API Keys
Ensure that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.
GCP CloudCDN
- Configure Cloud CDN origin backend bucket
Ensure that your Cloud CDN origin points to a backend bucket.
- Configure Cloud CDN origin authentication
Ensure that Cloud CDN origins are authenticating access to the cached content.
- Configure SSL/TLS certificates for Cloud CDN backend bucket origins
Ensure that Cloud CDN backend bucket origins are using SSL/TLS certificates.
- Configure SSL/TLS certificates for Cloud CDN backend service origins
Ensure that Cloud CDN backend service origins are using SSL/TLS certificates.
GCP Domain Name System (DNS)
- Check for DNSSEC Key-Signing Algorithm in Use
Ensure that RSASHA1 signature algorithm is not used for DNSSEC key signing.
- Check for DNSSEC Zone-Signing Algorithm in Use
Ensure that DNSSEC zone signing is not using RSASHA1 as a signature algorithm.
- Detect GCP Cloud DNS Configuration Changes
Cloud DNS configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Enable DNSSEC for Google Cloud DNS Zones
Ensure that DNSSEC is enabled for your Domain Name System (DNS) managed zones.
GCP Cloud Functions
- Use Secrets Manager for Managing Secrets in Google Cloud Functions
Manage secrets using Secrets Manager service instead of Cloud Functions environment variables.
GCP Identity and Access Management (IAM)
- Check for IAM Members with Service Roles at the Project Level
Ensure there are no IAM members with Service Account User and Service Account Token Creator roles at the project level.
- Configure Essential Contacts for Organizations
Ensure that Essential Contacts are defined for your Google Cloud organization.
- Configure Google Cloud Audit Logs to Track All Activities
Ensure that the Audit Logs feature is configured to record all service and user activities.
- Corporate Login Credentials In Use
Use corporate login credentials instead of personal accounts such as Gmail accounts.
- Delete Google Cloud API Keys
Ensure there are no API keys associated with your Google Cloud Platform (GCP) projects.
- Delete User-Managed Service Account Keys
Ensure there are no user-managed keys associated with your GCP service accounts.
- Detect GCP IAM Configuration Changes
IAM configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Enable Access Approval
Ensure that Access Approval is enabled for your Google Cloud account.
- Enable Access Transparency
Ensure that Access Transparency is enabled within your Google Cloud organization.
- Enable Multi-Factor Authentication for User Accounts
Ensure that Multi-Factor Authentication (MFA) feature is enabled for all GCP user accounts.
- Enable Security Key Enforcement for Admin Accounts
Enforce the use of security keys to help prevent Google Cloud account hijacking.
- Enforce Separation of Duties for KMS-Related Roles
Ensure that separation of duties is implemented for all Google Cloud KMS-related roles.
- Enforce Separation of Duties for Service-Account Related Roles
Ensure that separation of duties is implemented for all Google Cloud service account roles.
- Minimize the Use of Primitive Roles
Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles is limited within your Google Cloud projects.
- Restrict Administrator Access for Service Accounts
Ensure that user-managed service accounts are not using administrator-based roles.
- Rotate User-Managed Service Account Keys
Ensure that your user-managed service account keys are rotated periodically.
GCP Cloud Key Management Service (KMS)
- Check for Publicly Accessible Cloud KMS Keys
Ensure there are no publicly accessible KMS cryptographic keys available within your Google Cloud account.
- Detect Google Cloud KMS Configuration Changes
Cloud KMS configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Rotate Google Cloud KMS Keys
Ensure that all KMS cryptographic keys available within your Google Cloud account are regularly rotated.
GCP Cloud Load Balancing
- Check for Insecure SSL Cipher Suites
Ensure there are no HTTPS/SSL Proxy load balancers configured with insecure SSL policies.
- Configure edge security policies for load balancer backend services
Ensure that load balancer backend services are protected with edge security policies.
- Detect GCP Load Balancer Configuration Changes
Load Balancing configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Enable HTTPS for Google Cloud Load Balancers
Ensure that Google Cloud load balancers enforce HTTPS to handle encrypted web traffic.
- Enable Logging for HTTP(S) Load Balancers
Ensure that logging is enabled for your Google Cloud HTTP(S) load balancers.
GCP Cloud Logging
- Configure Retention Policies with Bucket Lock
Ensure that the log bucket retention policies are using the Bucket Lock feature.
- Enable Logs Router Encryption with Customer-Managed Keys
Ensure that Google Cloud Logs Router data is encrypted using Customer-Managed Keys (CMKs).
- Enable Monitoring for Audit Configuration Changes
Ensure that GCP project audit configuration changes are being monitored using alerting policies.
- Enable Monitoring for Bucket Permission Changes
Ensure that Cloud Storage bucket permission changes are being monitored using alerting policies.
- Enable Monitoring for Custom Role Changes
Ensure that custom IAM role changes are being monitored using alerting policies.
- Enable Monitoring for Firewall Rule Changes
Ensure that VPC network firewall rule changes are being monitored using alerting policies.
- Enable Monitoring for SQL Instance Configuration Changes
Ensure that SQL instance configuration changes are being monitored using alerting policies.
- Enable Project Ownership Assignments Monitoring
Ensure that GCP project ownership changes are being monitored using alerting policies.
- Enable VPC Network Changes Monitoring
Ensure that Google Cloud VPC network changes are being monitored using log metrics and alerting policies.
- Enable VPC Network Route Changes Monitoring
Ensure that VPC network route changes are being monitored using alerting policies.
- Enable data access audit logging for all critical service APIs
Ensure that data access audit logs are enabled for all critical service APIs within your GCP project.
- Export All Log Entries Using Sinks
Ensure that all the log entries generated for your Google Cloud projects are exported using sinks.
GCP Cloud Pub/Sub Service
- Detect Google Cloud Pub/Sub Configuration Changes
Pub/Sub configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Enable Dead Lettering for Google Pub/Sub Subscriptions
Ensure there is a dead-letter topic configured for each Pub/Sub subscription.
- Enable Pub/Sub Topic Encryption with Customer-Managed Keys
Ensure that Pub/Sub topics are encrypted using Customer-Managed Keys (CMKs).
GCP Cloud Run
- Check for Publicly Accessible Cloud Run Services
Ensure that Google Cloud Run services are not publicly accessible.
- Cloud Run Request Concurrency
Configure maximum concurrent requests per instance for Google Cloud Run services.
- Enable Binary Authorization
Ensure that Binary Authorization is enabled for Google Cloud Run services.
GCP Cloud SQL
- Check for Cloud SQL Database Instances with Public IPs
Ensure that Cloud SQL database instances don't have public IP addresses assigned.
- Check for MySQL Major Version
Ensure that MySQL database servers are using the latest major version of MySQL database.
- Check for PostgreSQL Major Version
Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database.
- Check for Publicly Accessible Cloud SQL Database Instances
Ensure that Cloud SQL database instances are not wide open to the Internet.
- Configure "log_error_verbosity" Flag for PostgreSQL Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_error_verbosity" flag.
- Configure "log_min_error_statement" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_min_error_statement" flag.
- Configure "log_min_messages" Flag for PostgreSQL Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_min_messages" flag.
- Configure "max_connections" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "max_connections" flag.
- Configure 'user connections' Flag for SQL Server Database Instances
Ensure that SQL Server database instances have the appropriate configuration set for the "user connections" flag.
- Configure Automatic Storage Increase Limit
Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances.
- Configure Root Password for MySQL Database Access
Ensure that MySQL databases cannot be accessed with administrative (root) privileges without a password.
- Detect GCP Cloud SQL Configuration Changes
Cloud SQL configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Disable "Contained Database Authentication" Flag for SQL Server Database Instances
Ensure that SQL Server database instances have "contained database authentication" flag set to Off.
- Disable "Cross DB Ownership Chaining" Flag for SQL Server Database Instances
Ensure that SQL Server database instances have "cross db ownership chaining" flag set to Off.
- Disable "local_infile" Flag for MySQL Database Instances
Ensure that MySQL database instances have the "local_infile" flag set to Off (disabled).
- Disable "log_min_duration_statement" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have "log_min_duration_statement" flag set to -1 (Off).
- Disable "log_planner_stats" Flag for PostgreSQL Database Instances
Ensure that the "log_planner_stats" PostgreSQL database flag is set to "off".
- Disable '3625' Trace Flag for SQL Server Database Instances
Ensure that the "3625" trace flag for SQL database servers is set to "off".
- Disable 'external scripts enabled' Flag for SQL Server Database Instances
Ensure that the "external scripts enabled" SQL Server flag is set to "off".
- Disable 'log_executor_stats' Flag for PostgreSQL Database Instances
Ensure that the "log_executor_stats" PostgreSQL database flag is set to "off".
- Disable 'log_parser_stats' Flag for PostgreSQL Database Instances
Ensure that the "log_parser_stats" PostgreSQL database flag is set to "off".
- Disable 'log_statement_stats' Flag for PostgreSQL Database Instances
Ensure that the "log_statement_stats" PostgreSQL database flag is set to "off".
- Disable 'remote access' Flag for SQL Server Database Instances
Ensure that the "remote access" SQL Server flag is set to "off".
- Disable 'user options' Flag for SQL Server Instances
Ensure that the "user options" SQL Server flag is not configured.
- Enable "log_checkpoints" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have "log_checkpoints" flag set to On.
- Enable "log_checkpoints" Flag for PostgreSQL Database Server Configuration
Ensure that "log_checkpoints" flag is enabled within your PostgreSQL database servers configuration.
- Enable "log_connections" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_connections" configuration flag set to On.
- Enable "log_disconnections" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_disconnections" flag set to On (enabled).
- Enable "log_lock_waits" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_lock_waits" flag set to On.
- Enable "log_temp_files" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_temp_files" flag set to 0 (On).
- Enable "skip_show_database" Flag for MySQL Database Instances
Ensure that the "skip_show_database" MySQL database flag is set to "on".
- Enable "slow_query_log" Flag for MySQL Database Servers
Ensure that MySQL database instances have the "slow_query_log" flag set to On (enabled).
- Enable 'cloudsql.enable_pgaudit' and 'pgaudit.log' Flags for PostgreSQL Database Instances
Ensure that the "cloudsql.enable_pgaudit" PostgreSQL database flag is set to "on" and that "pgaudit.log" is configured appropriately.
- Enable 'log_hostname' Flag for PostgreSQL Database Instances
Ensure that the "log_hostname" PostgreSQL database flag is set to "on".
- Enable Automated Backups for Cloud SQL Database Instances
Ensure that Cloud SQL database instances are configured with automated backups.
- Enable Automatic Storage Increase
Ensure that automatic storage increase is enabled for your Cloud SQL database instances.
- Enable Cloud SQL Instance Encryption with Customer-Managed Keys
Ensure that Cloud SQL instances are encrypted with Customer-Managed Keys (CMKs).
- Enable High Availability for Cloud SQL Database Instances
Ensure that production SQL database instances are configured to automatically fail over to another zone within the selected cloud region.
- Enable Point-in-Time Recovery for MySQL Database Instances
Ensure that your MySQL database instances have Point-in-Time Recovery feature enabled.
- Enable SSL/TLS for Cloud SQL Incoming Connections
Ensure that Cloud SQL database instances require all incoming connections to use SSL/TLS.
- Rotate Server Certificates for Cloud SQL Database Instances
Ensure that Cloud SQL server certificates are rotated (renewed) before their expiration.
GCP Cloud Storage
- Check for Publicly Accessible Cloud Storage Buckets
Ensure there are no publicly accessible Cloud Storage buckets available within your Google Cloud Platform (GCP) account.
- Check for Sufficient Data Retention Period
Ensure there is a sufficient retention period configured for Google Cloud Storage objects.
- Configure Retention Policies with Bucket Lock
Ensure that the log bucket retention policies are using the Bucket Lock feature.
- Define index page suffix and error page for the bucket website configuration
Ensure that bucket website configuration includes main page suffix and error page.
- Detect GCP Cloud Storage Configuration Changes
Cloud Storage configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Enable Lifecycle Management for Cloud Storage Objects
Ensure that Google Cloud Storage objects are using a lifecycle configuration for cost management.
- Enable Object Encryption with Customer-Managed Keys
Ensure that your Cloud Storage objects are encrypted using Customer-Managed Keys (CMKs).
- Enable Object Versioning for Cloud Storage Buckets
Ensure that object versioning is enabled for your Google Cloud Storage buckets.
- Enable Uniform Bucket-Level Access for Cloud Storage Buckets
Ensure that Google Cloud Storage buckets have uniform bucket-level access enabled.
- Instance templates should not assign a public IP address
Ensure that instance templates don't assign a public IP address to VM instances.
GCP VPC
- Check for Legacy Networks
Ensure that legacy networks are not being used anymore within your GCP projects.
- Check for Unrestricted DNS Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP and UDP port 53 (DNS).
- Check for Unrestricted FTP Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol – FTP).
- Check for Unrestricted ICMP Access
Ensure that no VPC firewall rules allow unrestricted inbound access using Internet Control Message Protocol (ICMP).
- Check for Unrestricted Inbound Access on Uncommon Ports
Ensure that no VPC firewall rules allow unrestricted ingress access to uncommon TCP/UDP ports.
- Check for Unrestricted MySQL Database Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database).
- Check for Unrestricted Oracle Database Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database).
- Check for Unrestricted Outbound Access on All Ports
Ensure that VPC network firewall rules do not allow unrestricted outbound/egress access.
- Check for Unrestricted PostgreSQL Database Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).
- Check for Unrestricted RDP Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP).
- Check for Unrestricted RPC Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).
- Check for Unrestricted SMTP Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP).
- Check for Unrestricted SQL Server Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).
- Check for Unrestricted SSH Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH).
- Check for VPC Firewall Rules with Port Ranges
Ensure there are no VPC network firewall rules with range of ports opened to allow incoming traffic.
- Default VPC Network In Use
Ensure that the default VPC network is not being used within your GCP projects.
- Enable Cloud DNS Logging for VPC Networks
Ensure that Cloud DNS logging is enabled for all VPC networks.
- Enable Logging for VPC Firewall Rules
Ensure that logging is enabled for your Virtual Private Cloud (VPC) firewall rules.
- Enable VPC Flow Logs for VPC Subnets
Ensure that VPC Flow Logs feature is enabled for all VPC network subnets.
- Exclude Metadata from Firewall Logging
Ensure that logging metadata is not included within your VPC firewall log files.
GCP Compute Engine
- Approved Virtual Machine Image in Use
Ensure that all your virtual machine instances are launched from approved images only.
- Check for Desired Machine Type(s)
Ensure that your virtual machine (VM) instances are of a given type (e.g. c2-standard-4).
- Check for Instance-Associated Service Accounts with Full API Access
Ensure that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.
- Check for Instances Associated with Default Service Accounts
Ensure that your VM instances are not associated with the default GCP service account.
- Check for Publicly Shared Disk Images
Ensure that your virtual machine disk images are not accessible to all GCP accounts.
- Check for Virtual Machine Instances with Public IP Addresses
Ensure that Google Cloud VM instances are not using public IP addresses.
- Configure Maintenance Behavior for VM Instances
Ensure that "On Host Maintenance" configuration setting is set to "Migrate" for all VM instances.
- Configure load balancers for Managed Instance Groups
Ensure that Managed Instance Groups (MIGs) are associated with load balancers.
- Configure multiple zones for Managed Instance Groups
Ensure that Managed Instance Groups are configured to run instances across multiple zones.
- Detect GCP Compute Engine Configuration Changes
Compute Engine configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Disable Auto-Delete for VM Instance Persistent Disks
Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances.
- Disable IP Forwarding for Virtual Machine Instances
Ensure that IP Forwarding is not enabled for your Google Cloud virtual machine (VM) instances.
- Disable Interactive Serial Console Support
Ensure that interactive serial console support is not enabled for your Google Cloud instances.
- Disable Preemptibility for VM Instances
Ensure that your production Google Cloud virtual machine instances are not preemptible.
- Enable "Block Project-Wide SSH Keys" Security Feature
Ensure that project-wide SSH keys are not used to access your Google Cloud VM instances.
- Enable "Shielded VM" Security Feature
Ensure that Shielded VM feature is enabled for your virtual machine (VM) instances.
- Enable Automatic Restart for VM Instances
Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances.
- Enable Confidential Computing for Virtual Machine Instances
Ensure that Confidential Computing is enabled for virtual machine (VM) instances.
- Enable Deletion Protection for VM Instances
Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances.
- Enable Instance Group Autohealing
Ensure that your Google Cloud instance groups are using autohealing to proactively replace failing instances.
- Enable OS Login for GCP Projects
Ensure that the OS Login feature is enabled for your Google Cloud projects.
- Enable VM Disk Encryption with Customer-Supplied Encryption Keys
Ensure that your virtual machine (VM) instance disks are encrypted with CSEKs.
- Enable Virtual Machine Disk Encryption with Customer-Managed Keys
Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs).
- Enforce HTTPS Connections for App Engine Applications
Ensure that Google App Engine applications enforce HTTPS connections.
- Remove Old Persistent Disk Snapshots
Remove old virtual machine disk snapshots in order to optimize Google Cloud monthly costs.
- Use OS Login with 2FA Authentication for VM Instances
Ensure that OS Login is configured with Two-Factor Authentication (2FA) for production VM instances.
GCP Dataproc Service
- Enable Dataproc Cluster Encryption with Customer-Managed Keys
Ensure that your Dataproc clusters on Compute Engine are encrypted using Customer-Managed Keys (CMKs).
GCP Cloud Functions
- Cloud Logging Permissions for Google Cloud Functions
Ensure that Cloud Logging API has appropriate permissions to write function logs.
- Enable Serverless VPC Access for Google Cloud Functions
Ensure that Serverless VPC Access is enabled for your Google Cloud functions.
- GCP Execution Runtime Environment Version
Ensure that your Google Cloud functions are second-generation (or newer) functions.
- GCP Function Runtime Version
Ensure that your GCP functions are using the latest language runtime version available.
- GCP Function using Default Service Account
Ensure that your Google Cloud functions are not using the default service account.
- GCP Function using Service Account with Basic Roles
Ensure that your Google Cloud functions are not using basic roles for permissions.
- GCP Functions with Admin Privileges
Ensure that your Google Cloud functions are not configured with admin privileges.
GCP Google Kubernetes Engine Service
- Detect GCP GKE Configuration Changes
GKE configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Enable Auto-Repair for GKE Cluster Nodes
Ensure that your Google Kubernetes Engine (GKE) clusters are using auto-repairing nodes.
- Enable Auto-Upgrade for GKE Cluster Nodes
Ensure that your Google Kubernetes Engine (GKE) cluster nodes are using automatic upgrades.
- Enable Encryption for Application-Layer Secrets for GKE Clusters
Ensure that encryption of Kubernetes secrets using Customer-Managed Keys is enabled for GKE clusters.
- Enable GKE Cluster Node Encryption with Customer-Managed Keys
Ensure that boot disk encryption with Customer-Managed Keys is enabled for GKE cluster nodes.
- Enable Integrity Monitoring for Cluster Nodes
Ensure that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
- Enable Secure Boot for Cluster Nodes
Ensure that Secure Boot is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
- Restrict Network Access to GKE Clusters
Ensure that your Google Kubernetes Engine (GKE) clusters are not exposed to the Internet.
- Use Shielded GKE Cluster Nodes
Ensure that your GKE cluster nodes are shielded to protect against impersonation attacks.
GCP Resource Manager
- Define Allowed External IPs for VM Instances
Ensure that "Define Allowed External IPs for VM Instances" policy is enforced at the GCP organization level.
- Detect GCP Resource Manager Configuration Changes
Resource Manager configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Disable Automatic IAM Role Grants for Default Service Accounts
Ensure that "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced.
- Disable Guest Attributes of Compute Engine Metadata
Ensure that "Disable Guest Attributes of Compute Engine Metadata" policy is enabled at the GCP organization level.
- Disable Serial Port Access Support at Organization Level
Ensure that "Disable VM serial port access" policy is enforced at the GCP organization level.
- Disable Service Account Key Upload
Ensure that the key upload feature for Cloud IAM service accounts is disabled.
- Disable User-Managed Key Creation for Service Accounts
Ensure that the user-managed key creation for Cloud IAM service accounts is disabled.
- Disable Workload Identity at Cluster Creation
Ensure that "Disable Workload Identity Cluster Creation" policy is enabled for your GCP organizations.
- Enforce Detailed Audit Logging Mode
Ensure that "Google Cloud Platform - Detailed Audit Logging Mode" policy is enabled for your GCP organizations.
- Enforce Uniform Bucket-Level Access
Ensure that "Enforce uniform bucket-level access" organization policy is enabled at the Google Cloud Platform (GCP) organization level, and that the project inherits the parent's policy.
- Prevent Service Account Creation for Google Cloud Organizations
Ensure that Cloud IAM service account creation is disabled at the organization level.
- Require OS Login
Ensure that "Require OS Login" policy is enabled for your GCP organizations.
- Restrict Allowed Google Cloud APIs and Services
Ensure that "Restrict allowed Google Cloud APIs and services" organization policy is enforced for your GCP organizations.
- Restrict Authorized Networks on Cloud SQL instances
Ensure that "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at GCP organization level.
- Restrict Default Google-Managed Encryption for Cloud SQL Instances (Deprecated)
Ensure that "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy is enforced at the GCP organization level.
- Restrict Load Balancer Creation Based on Load Balancer Types
Ensure that "Restrict Load Balancer Creation Based on Load Balancer Types" policy is enforced at the GCP organization level.
- Restrict Public IP Access for Cloud SQL Instances at Organization Level
Ensure that "Restrict Public IP access on Cloud SQL instances" policy is enabled at the GCP organization level.
- Restrict Shared VPC Subnetworks
Ensure that "Restrict Shared VPC Subnetworks" policy is enforced for your GCP organizations.
- Restrict VPC Peering Usage
Ensure that "Restrict VPC Peering Usage" policy is enforced for your GCP organizations.
- Restrict VPN Peer IPs
Ensure that "Restrict VPN Peer IPs" constraint policy is enabled for your GCP organizations.
- Restrict Virtual Machine IP Forwarding
Ensure that "Restrict VM IP Forwarding" policy is enforced at the GCP organization level.
- Restrict the Creation of Cloud Resources to Specific Locations
Ensure that "Google Cloud Platform - Resource Location Restriction" constraint policy is enforced for your GCP organizations.
- Restricting the Use of Images
Ensure that "Define Trusted Image Projects" policy is enforced for your GCP organizations.
- Skip Default VPC Network Creation
Ensure that the creation of the default VPC network is disabled at the GCP organization level.