Best practice rules for GCP Compute Engine
- Approved Virtual Machine Image in Use
Ensure that all your virtual machine instances are launched from approved images only.
- Check for Desired Machine Type(s)
Ensure that your virtual machine (VM) instances are of a given type (e.g. c2-standard-4).
- Check for Instance-Associated Service Accounts with Full API Access
Ensure that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.
- Check for Instances Associated with Default Service Accounts
Ensure that your VM instances are not associated with the default GCP service account.
- Check for Publicly Shared Disk Images
Ensure that your virtual machine disk images are not accessible to all GCP accounts.
- Check for Virtual Machine Instances with Public IP Addresses
Ensure that Google Cloud VM instances are not using public IP addresses.
- Compute Instances with Multiple Network Interfaces
Ensure that virtual machine (VM) instances are not using multiple network interfaces.
- Configure Maintenance Behavior for VM Instances
Ensure that the "On Host Maintenance" configuration setting is set to "Migrate" for all VM instances.
- Configure load balancers for Managed Instance Groups
Ensure that Managed Instance Groups (MIGs) are associated with load balancers.
- Configure multiple zones for Managed Instance Groups
Ensure that Managed Instance Groups are configured to run instances across multiple zones.
- Detect GCP Compute Engine Configuration Changes
Compute Engine configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Disable Auto-Delete for VM Instance Persistent Disks
Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances.
- Disable IP Forwarding for Virtual Machine Instances
Ensure that IP Forwarding is not enabled for your Google Cloud virtual machine (VM) instances.
- Disable Interactive Serial Console Support
Ensure that interactive serial console support is not enabled for your Google Cloud instances.
- Disable Preemptibility for VM Instances
Ensure that your production Google Cloud virtual machine instances are not preemptible.
- Enable "Block Project-Wide SSH Keys" Security Feature
Ensure that project-wide SSH keys are not used to access your Google Cloud VM instances.
- Enable "Shielded VM" Security Feature
Ensure that the Shielded VM feature is enabled for your virtual machine (VM) instances.
- Enable Automatic Restart for VM Instances
Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances.
- Enable Confidential Computing for Virtual Machine Instances
Ensure that Confidential Computing is enabled for virtual machine (VM) instances.
- Enable Deletion Protection for VM Instances
Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances.
- Enable Instance Group Autohealing
Ensure that your Google Cloud instance groups are using autohealing to proactively replace failing instances.
- Enable OS Login for GCP Projects
Ensure that the OS Login feature is enabled for your Google Cloud projects.
- Enable VM Disk Encryption with Customer-Supplied Encryption Keys
Ensure that your virtual machine (VM) instance disks are encrypted with CSEKs.
- Enable Virtual Machine Disk Encryption with Customer-Managed Keys
Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs).
- Enforce HTTPS Connections for App Engine Applications
Ensure that Google App Engine applications enforce HTTPS connections.
- Persistent Disks Attached to Suspended Virtual Machines
Identify persistent disks attached to suspended VM instances (i.e. unused persistent disks).
- Remove Old Persistent Disk Snapshots
Remove old virtual machine disk snapshots in order to optimize Google Cloud monthly costs.
- Use OS Login with 2FA Authentication for VM Instances
Ensure that OS Login is configured with Two-Factor Authentication (2FA) for production VM instances.