Google Cloud Platform best practice rules
Trend Micro Cloud One™ – Conformity has over 750 cloud infrastructure configuration best practices for your Amazon Web Services, Microsoft® Azure, and Google Cloud™ environments. Here is our growing list of GCP best practice rules with clear instructions on how to perform the updates, made either through the GCP console or via the Command Line Interface (CLI).
Conformity provides real-time monitoring and auto-remediation for the security, compliance and governance of your cloud infrastructure, leaving you to grow and scale your business with confidence.
GCP BigQuery
- Check for Publicly Accessible BigQuery Datasets
Ensure that Google Cloud BigQuery datasets are not publicly accessible.
- Enable BigQuery Encryption with Customer-Managed Keys
Ensure that BigQuery dataset tables are encrypted using Customer-Managed Keys (CMKs).
GCP API
- Check for API Key API Restrictions
Ensure that API keys are restricted to only those APIs that your application needs access to.
- Check for API Key Application Restrictions
Ensure there are no unrestricted API keys available within your Google Cloud Platform (GCP) project.
- Rotate Google Cloud API Keys
Ensure that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.
GCP Domain Name System (DNS)
- Check for DNSSEC Key-Signing Algorithm in Use
Ensure that RSASHA1 signature algorithm is not used for DNSSEC key signing.
- Check for DNSSEC Zone-Signing Algorithm in Use
Ensure that DNSSEC key signing is not using RSASHA1 as a signature algorithm.
- Enable DNSSEC for Google Cloud DNS Zones
Ensure that DNSSEC is enabled for your Domain Name System (DNS) managed zones.
GCP Identity and Access Management (IAM)
- Check for IAM Members with Service Roles at the Project Level
Ensure there are no IAM members with Service Account User and Service Account Token Creator roles at the project level.
- Configure Google Cloud Audit Logs to Track All Activities
Ensure that the Audit Logs feature is configured to record all service and user activities.
- Corporate Login Credentials In Use
Use corporate login credentials instead of personal accounts such as Gmail accounts.
- Delete Google Cloud API Keys
Ensure there are no API keys associated with your Google Cloud Platform (GCP) projects.
- Delete User-Managed Service Account Keys
Ensure there are no user-managed keys associated with your GCP service accounts.
- Enable Multi-Factor Authentication for User Accounts
Ensure that the Multi-Factor Authentication (MFA) feature is enabled for all GCP user accounts.
- Enable Security Key Enforcement for Admin Accounts
Enforce the use of security keys to help prevent Google Cloud account hijacking.
- Enforce Separation of Duties for Service-Account Related Roles
Ensure that separation of duties is implemented for all Google Cloud service account roles.
- Minimize the Use of Primitive Roles
Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles is limited within your Google Cloud projects.
- Restrict Administrator Access for Service Accounts
Ensure that user-managed service accounts are not using administrator-based roles.
- Rotate User-Managed Service Account Keys
Ensure that your user-managed service account keys are rotated periodically.
GCP Cloud Key Management Service (KMS)
- Check for Publicly Accessible Cloud KMS Keys
Ensure there are no publicly accessible KMS cryptographic keys available within your Google Cloud account.
- Rotate Google Cloud KMS Keys
Ensure that all KMS cryptographic keys available within your Google Cloud account are regularly rotated.
GCP Cloud Load Balancing
- Check for Insecure SSL Cipher Suites
Ensure there are no HTTPS/SSL Proxy load balancers configured with insecure SSL policies.
- Enable HTTPS for Google Cloud Load Balancers
Ensure that Google Cloud load balancers enforce HTTPS to handle encrypted web traffic.
- Enable Logging for HTTP(S) Load Balancing Backend Services
Ensure that logging is enabled for Google Cloud load balancing backend services.
GCP Cloud Logging
- Enable Logs Router Encryption with Customer-Managed Keys
Ensure that Google Cloud Logs Router data is encrypted using Customer-Managed Keys (CMKs).
- Enable Monitoring for Audit Configuration Changes
Ensure that GCP project audit configuration changes are being monitored using alerting policies.
- Enable Monitoring for Bucket Permission Changes
Ensure that Cloud Storage bucket permission changes are being monitored using alerting policies.
- Enable Monitoring for Custom Role Changes
Ensure that custom IAM role changes are being monitored using alerting policies.
- Enable Monitoring for Firewall Rule Changes
Ensure that VPC network firewall rule changes are being monitored using alerting policies.
- Enable Monitoring for SQL Instance Configuration Changes
Ensure that SQL instance configuration changes are being monitored using alerting policies.
- Enable Project Ownership Assignments Monitoring
Ensure that GCP project ownership changes are being monitored using alerting policies.
- Enable VPC Network Changes Monitoring
Ensure that Google Cloud VPC network changes are being monitored using log metrics and alerting policies.
- Enable VPC Network Route Changes Monitoring
Ensure that VPC network route changes are being monitored using alerting policies.
- Export All Log Entries Using Sinks
Ensure that all the log entries generated for your Google Cloud projects are exported using sinks.
GCP Cloud Pub/Sub Service
- Enable Dead Lettering for Google Pub/Sub Subscriptions
Ensure there is a dead-letter topic configured for each Pub/Sub subscription.
- Enable Pub/Sub Topic Encryption with Customer-Managed Keys
Ensure that Pub/Sub topics are encrypted using Customer-Managed Keys (CMKs).
GCP Cloud SQL
- Check for Cloud SQL Database Instances with Public IPs
Ensure that Cloud SQL database instances don't have public IP addresses assigned.
- Check for MySQL Major Version
Ensure that MySQL database servers are using the latest major version of MySQL database.
- Check for PostgreSQL Major Version
Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database.
- Check for Publicly Accessible Cloud SQL Database Instances
Ensure that Cloud SQL database instances are not wide open to the Internet.
- Configure "log_min_error_statement" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_min_error_statement" flag.
- Configure "max_connections" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "max_connections" flag.
- Configure 'user connections' Flag for SQL Server Database Instances
Ensure that SQL Server database instances have the appropriate configuration set for the "user connections" flag.
- Configure Automatic Storage Increase Limit
Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances.
- Configure Root Password for MySQL Database Access
Ensure that the MySQL root account cannot be used to access databases without a password.
- Disable "Contained Database Authentication" Flag for SQL Server Database Instances
Ensure that SQL Server database instances have "contained database authentication" flag set to Off.
- Disable "Cross DB Ownership Chaining" Flag for SQL Server Database Instances
Ensure that SQL Server database instances have "cross db ownership chaining" flag set to Off.
- Disable "local_infile" Flag for MySQL Database Instances
Ensure that MySQL database instances have the "local_infile" flag set to Off (disabled).
- Disable "log_min_duration_statement" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have "log_min_duration_statement" flag set to -1 (Off).
- Disable 'external scripts enabled' Flag for SQL Server Database Instances
Ensure that the "external scripts enabled" SQL Server flag is set to "off".
- Disable 'log_statement_stats' Flag for PostgreSQL Database Instances
Ensure that the "log_statement_stats" PostgreSQL database flag is set to "off".
- Disable 'remote access' Flag for SQL Server Database Instances
Ensure that the "remote access" SQL Server flag is set to "off".
- Enable "log_checkpoints" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have "log_checkpoints" flag set to On.
- Enable "log_checkpoints" Flag for PostgreSQL Database Server Configuration
Ensure that "log_checkpoints" flag is enabled within your PostgreSQL database servers configuration.
- Enable "log_connections" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_connections" configuration flag set to On.
- Enable "log_disconnections" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_disconnections" flag set to On (enabled).
- Enable "log_lock_waits" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_lock_waits" flag set to On.
- Enable "log_temp_files" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_temp_files" flag set to 0 (On).
- Enable "slow_query_log" Flag for MySQL Database Servers
Ensure that MySQL database instances have the "slow_query_log" flag set to On (enabled).
- Enable Automated Backups for Cloud SQL Database Instances
Ensure that Cloud SQL database instances are configured with automated backups.
- Enable Automatic Storage Increase
Ensure that automatic storage increase is enabled for your Cloud SQL database instances.
- Enable Cloud SQL Instance Encryption with Customer-Managed Keys
Ensure that Cloud SQL instances are encrypted with Customer-Managed Keys (CMKs).
- Enable High Availability for Cloud SQL Database Instances
Ensure that production SQL database instances are configured to automatically fail over to another zone within the selected cloud region.
- Enable Point-in-Time Recovery for MySQL Database Instances
Ensure that your MySQL database instances have the Point-in-Time Recovery feature enabled.
- Enable SSL/TLS for Cloud SQL Incoming Connections
Ensure that Cloud SQL database instances require all incoming connections to use SSL/TLS.
- Rotate Server Certificates for Cloud SQL Database Instances
Ensure that Cloud SQL server certificates are rotated (renewed) before their expiration.
GCP Cloud Storage
- Check for Publicly Accessible Cloud Storage Buckets
Ensure there are no publicly accessible Cloud Storage buckets available within your Google Cloud Platform (GCP) account.
- Check for Sufficient Data Retention Period
Ensure there is a sufficient retention period configured for Google Cloud Storage objects.
- Configure Retention Policies with Bucket Lock
Ensure that the log bucket retention policies are using the Bucket Lock feature.
- Enable Lifecycle Management for Cloud Storage Objects
Ensure that Google Cloud Storage objects are using a lifecycle configuration for cost management.
- Enable Object Encryption with Customer-Managed Keys
Ensure that your Cloud Storage objects are encrypted using Customer-Managed Keys (CMKs).
- Enable Object Versioning for Cloud Storage Buckets
Ensure that object versioning is enabled for your Google Cloud Storage buckets.
- Enable Uniform Bucket-Level Access for Cloud Storage Buckets
Ensure that Google Cloud Storage buckets have uniform bucket-level access enabled.
GCP VPC
- Check for Legacy Networks
Ensure that legacy networks are not being used anymore within your GCP projects.
- Check for Unrestricted DNS Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP and UDP port 53 (DNS).
- Check for Unrestricted FTP Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP ports 20 and 21 (File Transfer Protocol – FTP).
- Check for Unrestricted ICMP Access
Ensure that no VPC firewall rules allow unrestricted inbound access using Internet Control Message Protocol (ICMP).
- Check for Unrestricted Inbound Access on Uncommon Ports
Ensure that no VPC firewall rules allow unrestricted ingress access to uncommon TCP/UDP ports.
- Check for Unrestricted MySQL Database Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database).
- Check for Unrestricted Oracle Database Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database).
- Check for Unrestricted Outbound Access on All Ports
Ensure that VPC network firewall rules do not allow unrestricted outbound/egress access.
- Check for Unrestricted PostgreSQL Database Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).
- Check for Unrestricted RDP Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP).
- Check for Unrestricted RPC Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).
- Check for Unrestricted SMTP Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP).
- Check for Unrestricted SQL Server Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).
- Check for Unrestricted SSH Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH).
- Check for VPC Firewall Rules with Port Ranges
Ensure there are no VPC network firewall rules that open a range of ports to incoming traffic.
- Default VPC Network In Use
Ensure that the default VPC network is not being used within your GCP projects.
- Enable Logging for VPC Firewall Rules
Ensure that logging is enabled for your Virtual Private Cloud (VPC) firewall rules.
- Enable VPC Flow Logs for VPC Subnets
Ensure that the VPC Flow Logs feature is enabled for all VPC network subnets.
- Exclude Metadata from Firewall Logging
Ensure that logging metadata is not included within your VPC firewall log files.
GCP Compute Engine
- Approved Virtual Machine Image in Use
Ensure that all your virtual machine instances are launched from approved images only.
- Check for Desired Machine Type(s)
Ensure that your virtual machine (VM) instances are of a given type (e.g. c2-standard-4).
- Check for Instance-Associated Service Accounts with Full API Access
Ensure that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.
- Check for Instances Associated with Default Service Accounts
Ensure that your VM instances are not associated with the default GCP service account.
- Check for Publicly Shared Disk Images
Ensure that your virtual machine disk images are not accessible to all GCP accounts.
- Check for Virtual Machine Instances with Public IP Addresses
Ensure that Google Cloud VM instances are not using public IP addresses.
- Configure Maintenance Behavior for VM Instances
Ensure that "On Host Maintenance" configuration setting is set to "Migrate" for all VM instances.
- Disable Auto-Delete for VM Instance Persistent Disks
Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances.
- Disable IP Forwarding for Virtual Machine Instances
Ensure that IP Forwarding is not enabled for your Google Cloud virtual machine (VM) instances.
- Disable Interactive Serial Console Support
Ensure that interactive serial console support is not enabled for your Google Cloud instances.
- Disable Preemptibility for VM Instances
Ensure that your production Google Cloud virtual machine instances are not preemptible.
- Enable "Block Project-Wide SSH Keys" Security Feature
Ensure that project-wide SSH keys are not used to access your Google Cloud VM instances.
- Enable "Shielded VM" Security Feature
Ensure that the Shielded VM feature is enabled for your virtual machine (VM) instances.
- Enable Automatic Restart for VM Instances
Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances.
- Enable Deletion Protection for VM Instances
Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances.
- Enable Instance Group Autohealing
Ensure that your Google Cloud instance groups are using autohealing to proactively replace failing instances.
- Enable OS Login for GCP Projects
Ensure that the OS Login feature is enabled for your Google Cloud projects.
- Enable VM Disk Encryption with Customer-Supplied Encryption Keys
Ensure that your virtual machine (VM) instance disks are encrypted with CSEKs.
- Enable Virtual Machine Disk Encryption with Customer-Managed Keys
Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs).
- Enforce HTTPS Connections for App Engine Applications
Ensure that Google App Engine applications enforce HTTPS connections.
- Remove Old Persistent Disk Snapshots
Remove old virtual machine disk snapshots in order to optimize Google Cloud monthly costs.
- Use OS Login with 2FA Authentication for VM Instances
Ensure that OS Login is configured with Two-Factor Authentication (2FA) for production VM instances.
GCP Dataproc Service
- Enable Dataproc Cluster Encryption with Customer-Managed Keys
Ensure that your Dataproc clusters are encrypted using Customer-Managed Keys (CMKs).
GCP Google Kubernetes Engine Service
- Enable Application-Layer Secrets Encryption for GKE Clusters
Ensure that encryption of Kubernetes secrets using Cloud KMS is enabled for GKE clusters.
- Enable Auto-Repair for GKE Cluster Nodes
Ensure that your Google Kubernetes Engine (GKE) clusters are using auto-repairing nodes.
- Enable Auto-Upgrade for GKE Cluster Nodes
Ensure that your Google Kubernetes Engine (GKE) clusters are using automatic upgrades for their nodes.
- Enable GKE Cluster Node Encryption with Customer-Managed Keys
Ensure that data at rest available on your GKE clusters is encrypted with Customer-Managed Keys.
- Enable Integrity Monitoring for GKE Cluster Nodes
Ensure that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
- Enable Secure Boot for GKE Cluster Nodes
Ensure that the Secure Boot feature is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
- Restrict Network Access to GKE Clusters
Ensure that your Google Kubernetes Engine (GKE) clusters are not exposed to the Internet.
- Use Shielded GKE Cluster Nodes
Ensure that your GKE cluster nodes are shielded to protect against impersonation attacks.
GCP Resource Manager
- Define Allowed External IPs for VM Instances
Ensure that "Define Allowed External IPs for VM Instances" policy is enforced at the GCP organization level.
- Disable Automatic IAM Role Grants for Default Service Accounts
Ensure that "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced.
- Disable Guest Attributes of Compute Engine Metadata
Ensure that "Disable Guest Attributes of Compute Engine Metadata" policy is enabled at the GCP organization level.
- Disable Serial Port Access Support at Organization Level
Ensure that "Disable VM serial port access" policy is enforced at the GCP organization level.
- Disable Service Account Key Upload
Ensure that the key upload feature for Cloud IAM service accounts is disabled.
- Disable User-Managed Key Creation for Service Accounts
Ensure that the user-managed key creation for Cloud IAM service accounts is disabled.
- Disable Workload Identity at Cluster Creation
Ensure that "Disable Workload Identity Cluster Creation" policy is enabled for your GCP organizations.
- Enforce Detailed Audit Logging Mode
Ensure that "Google Cloud Platform - Detailed Audit Logging Mode" policy is enabled for your GCP organizations.
- Enforce Uniform Bucket-Level Access at Organization Level
Ensure that "Enforce uniform bucket-level access" policy is enabled at the Google Cloud Platform (GCP) organization level.
- Prevent Service Account Creation for Google Cloud Organizations
Ensure that Cloud IAM service account creation is disabled at the organization level.
- Require OS Login
Ensure that "Require OS Login" policy is enabled for your GCP organizations.
- Restrict Allowed Google Cloud APIs and Services
Ensure that "Restrict allowed Google Cloud APIs and services" organization policy is enforced for your GCP organizations.
- Restrict Authorized Networks on Cloud SQL instances
Ensure that "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at GCP organization level.
- Restrict Default Google-Managed Encryption for Cloud SQL Instances
Ensure that "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy is enforced at the GCP organization level.
- Restrict Load Balancer Creation Based on Load Balancer Types
Ensure that "Restrict Load Balancer Creation Based on Load Balancer Types" policy is enforced at the GCP organization level.
- Restrict Public IP Access for Cloud SQL Instances at Organization Level
Ensure that "Restrict Public IP access on Cloud SQL instances" policy is enabled at the GCP organization level.
- Restrict Shared VPC Subnetworks
Ensure that "Restrict Shared VPC Subnetworks" policy is enforced for your GCP organizations.
- Restrict VPC Peering Usage
Ensure that "Restrict VPC Peering Usage" policy is enforced for your GCP organizations.
- Restrict VPN Peer IPs
Ensure that "Restrict VPN Peer IPs" constraint policy is enabled for your GCP organizations.
- Restrict Virtual Machine IP Forwarding
Ensure that "Restrict VM IP Forwarding" policy is enforced at the GCP organization level.
- Restrict the Creation of Cloud Resources to Specific Locations
Ensure that "Google Cloud Platform - Resource Location Restriction" constraint policy is enforced for your GCP organizations.
- Restricting the Use of Images
Ensure that "Define Trusted Image Projects" policy is enforced for your GCP organizations.
- Skip Default VPC Network Creation
Ensure that the creation of the default VPC network is disabled at the GCP organization level.