Best practice rules for Google Cloud Platform

Ensure that Google Cloud BigQuery datasets are not publicly accessible.

Ensure that BigQuery dataset tables are encrypted using Customer-Managed Keys (CMKs).

Ensure that API keys are restricted to only those APIs that your application needs access to.

Ensure there are no unrestricted API keys available within your Google Cloud Platform (GCP) project.

Ensure that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.

Ensure that RSASHA1 signature algorithm is not used for DNSSEC key signing.

Ensure that DNSSEC key signing is not using RSASHA1 as a signature algorithm.

Ensure that DNSSEC is enabled for your Domain Name System (DNS) managed zones.

Ensure there are no IAM members with Service Account User and Service Account Token Creator roles at the project level.

Ensure that the Audit Logs feature is configured to record all service and user activities.

Use corporate login credentials instead of personal accounts such as Gmail accounts.

Ensure there are no API keys associated with your Google Cloud Platform (GCP) projects.

Ensure there are no user-managed keys associated with your GCP service accounts.

Ensure that Multi-Factor Authentication (MFA) feature is enabled for all GCP user accounts.

Enforce the use of security keys to help prevent Google Cloud account hijacking.

Ensure that separation of duties is implemented for all Google Cloud service account roles.

Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles is limited within your Google Cloud projects.

Ensure that user-managed service accounts are not using administrator-based roles.

Ensure that your user-managed service account keys are rotated periodically.

Ensure there are no publicly accessible KMS cryptographic keys available within your Google Cloud account.

Ensure that all KMS cryptographic keys available within your Google Cloud account are regularly rotated.

Ensure there are no HTTPS/SSL Proxy load balancers configured with insecure SSL policies.

Ensure that Google Cloud load balancers enforce HTTPS to handle encrypted web traffic.

Ensure that logging is enabled for Google Cloud load balancing backend services.

Ensure that Google Cloud Logs Router data is encrypted using Customer-Managed Keys (CMKs).

Ensure that GCP project audit configuration changes are being monitored using alerting policies.

Ensure that Cloud Storage bucket permission changes are being monitored using alerting policies.

Ensure that custom IAM role changes are being monitored using alerting policies.

Ensure that VPC network firewall rule changes are being monitored using alerting policies.

Ensure that SQL instance configuration changes are being monitored using alerting policies.

Ensure that GCP project ownership changes are being monitored using alerting policies.

Ensure that Google Cloud VPC network changes are being monitored using log metrics and alerting policies.

Ensure that VPC network route changes are being monitored using alerting policies.

Ensure that all the log entries generated for your Google Cloud projects are exported using sinks.

Ensure there is a dead-letter topic configured for each Pub/Sub subscription.

Ensure that Pub/Sub topics are encrypted using Customer-Managed Keys (CMKs).

Ensure that Cloud SQL database instances don't have public IP addresses assigned.

Ensure that MySQL database servers are using the latest major version of MySQL database.

Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database.

Ensure that Cloud SQL database instances are not wide open to the Internet.

Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_min_error_statement" flag.

Ensure that PostgreSQL database instances have the appropriate configuration set for the "max_connections" flag.

Ensure that SQL Server database instances have the appropriate configuration set for the "user connections" flag.

Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances.

Ensure that MySQL databases can't be accessed with administrative privileges only (i.e. without using passwords).

Ensure that SQL Server database instances have "contained database authentication" flag set to Off.

Ensure that SQL Server database instances have "cross db ownership chaining" flag set to Off.

Ensure that MySQL database instances have the "local_infile" flag set to Off (disabled).

Ensure that PostgreSQL database instances have "log_min_duration_statement" flag set to -1 (Off).

Ensure that the "external scripts enabled" SQL Server flag is set to "off".

Ensure that the "log_statement_stats" PostgreSQL database flag is set to "off".

Ensure that the "remote access" SQL Server flag is set to "off".

Ensure that PostgreSQL database instances have "log_checkpoints" flag set to On.

Ensure that "log_checkpoints" flag is enabled within your PostgreSQL database servers configuration.

Ensure that PostgreSQL database instances have the "log_connections" configuration flag set to On.

Ensure that PostgreSQL database instances have the "log_disconnections" flag set to On (enabled).

Ensure that PostgreSQL database instances have the "log_lock_waits" flag set to On.

Ensure that PostgreSQL database instances have the "log_temp_files" flag set to 0 (On).

Ensure that MySQL database instances have the "slow_query_log" flag set to On (enabled).

Ensure that Cloud SQL database instances are configured with automated backups.

Ensure that automatic storage increase is enabled for your Cloud SQL database instances.

Ensure that Cloud SQL instances are encrypted with Customer-Managed Keys (CMKs).

Ensure that production SQL database instances are configured to automatically fail over to another zone within the selected cloud region.

Ensure that your MySQL database instances have Point-in-Time Recovery feature enabled.

Ensure that Cloud SQL database instances require all incoming connections to use SSL/TLS.

Ensure that Cloud SQL server certificates are rotated (renewed) before their expiration.

Ensure there are no publicly accessible Cloud Storage buckets available within your Google Cloud Platform (GCP) account.

Ensure there is a sufficient retention period configured for Google Cloud Storage objects.

Ensure that the log bucket retention policies are using the Bucket Lock feature.

Ensure that Google Cloud Storage objects are using a lifecycle configuration for cost management.

Ensure that your Cloud Storage objects are encrypted using Customer-Managed Keys (CMKs).

Ensure that object versioning is enabled for your Google Cloud Storage buckets.

Ensure that Google Cloud Storage buckets have uniform bucket-level access enabled.

Ensure that legacy networks are not being used anymore within your GCP projects.

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP and UDP port 53 (DNS).

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol – FTP).

Ensure that no VPC firewall rules allow unrestricted inbound access using Internet Control Message Protocol (ICMP).

Ensure that no VPC firewall rules allow unrestricted ingress access to uncommon TCP/UDP ports.

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database).

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database).

Ensure that VPC network firewall rules do not allow unrestricted outbound/egress access.

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP).

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP).

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH).

Ensure there are no VPC network firewall rules with range of ports opened to allow incoming traffic.

Ensure that the default VPC network is not being used within your GCP projects.

Ensure that logging is enabled for your Virtual Private Cloud (VPC) firewall rules.

Ensure that VPC Flow Logs feature is enabled for all VPC network subnets.

Ensure that logging metadata is not included within your VPC firewall log files.

Ensure that all your virtual machine instances are launched from approved images only.

Ensure that your virtual machine (VM) instances are of a given type (e.g. c2-standard-4).

Ensure that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.

Ensure that your VM instances are not associated with the default GCP service account.

Ensure that your virtual machine disk images are not accessible to all GCP accounts.

Ensure that Google Cloud VM instances are not using public IP addresses.

Ensure that "On Host Maintenance" configuration setting is set to "Migrate" for all VM instances.

Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances.

Ensure that IP Forwarding is not enabled for your Google Cloud virtual machine (VM) instances.

Ensure that interactive serial console support is not enabled for your Google Cloud instances.

Ensure that your production Google Cloud virtual machine instances are not preemptible.

Ensure that project-wide SSH keys are not used to access your Google Cloud VM instances.

Ensure that Shielded VM feature is enabled for your virtual machine (VM) instances.

Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances.

Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances.

Ensure that your Google Cloud instance groups are using autohealing to proactively replace failing instances.

Ensure that the OS Login feature is enabled for your Google Cloud projects.

Ensure that your virtual machine (VM) instance disks are encrypted with CSEKs.

Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs).

Ensure that Google App Engine applications enforce HTTPS connections.

Remove old virtual machine disk snapshots in order to optimize Google Cloud monthly costs.

Ensure that OS Login is configured with Two-Factor Authentication (2FA) for production VM instances.

Ensure that your Dataproc clusters are encrypted using Customer-Managed Keys (CMKs).

Ensure that encryption of Kubernetes secrets using Cloud KMS is enabled for GKE clusters.

Ensure that your Google Kubernetes Engine (GKE) clusters are using auto-repairing nodes.

Ensure that your Google Kubernetes Engine (GKE) clusters are using automatic upgrades for their nodes.

Ensure that data at rest available on your GKE clusters is encrypted with Customer-Managed Keys.

Ensure that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes.

Ensure that Secure Boot feature is enabled for your Google Kubernetes Engine (GKE) cluster nodes.

Ensure that your Google Kubernetes Engine (GKE) clusters are not exposed to the Internet.

Ensure that your GKE clusters nodes are shielded to protect against impersonation attacks.

Ensure that "Define Allowed External IPs for VM Instances" policy is enforced at the GCP organization level.

Ensure that "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced.

Ensure that "Disable Guest Attributes of Compute Engine Metadata" policy is enabled at the GCP organization level.

Ensure that "Disable VM serial port access" policy is enforced at the GCP organization level.

Ensure that the key upload feature for Cloud IAM service accounts is disabled.

Ensure that the user-managed key creation for Cloud IAM service accounts is disabled.

Ensure that "Disable Workload Identity Cluster Creation" policy is enabled for your GCP organizations.

Ensure that "Google Cloud Platform - Detailed Audit Logging Mode" policy is enabled for your GCP organizations.

Ensure that "Enforce uniform bucket-level access" policy is enabled at the Google Cloud Platform (GCP) organization level.

Ensure that Cloud IAM service account creation is disabled at the organization level.

Ensure that "Require OS Login" policy is enabled for your GCP organizations.

Ensure that "Restrict allowed Google Cloud APIs and services" organization policy is enforced for your GCP organizations.

Ensure that "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at GCP organization level.

Ensure that "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy is enforced at the GCP organization level.

Ensure that "Restrict Load Balancer Creation Based on Load Balancer Types" policy is enforced at the GCP organization level.

Ensure that "Restrict Public IP access on Cloud SQL instances" policy is enabled at the GCP organization level.

Ensure that "Restrict Shared VPC Subnetworks" policy is enforced for your GCP organizations.

Ensure that "Restrict VPC Peering Usage" policy is enforced for your GCP organizations.

Ensure that "Restrict VPN Peer IPs" constraint policy is enabled for your GCP organizations.

Ensure that "Restrict VM IP Forwarding" policy is enforced at the GCP organization level.

Ensure that "Google Cloud Platform - Resource Location Restriction" constraint policy is enforced for your GCP organizations.

Ensure that "Define Trusted Image Projects" policy is enforced for your GCP organizations.

Ensure that the creation of the default VPC network is disabled at the GCP organization level.