Best practice rules for GCP Cloud Functions
Trend Cloud One™ – Conformity monitors GCP Cloud Functions with the following rules:
- Check for Unrestricted Outbound Network Access
Ensure no Google Cloud functions allow unrestricted outbound network access.
- Cloud Logging Permissions for Google Cloud Functions
Ensure that the Cloud Logging API has the permissions it needs to write function logs.
- Configure Dead Lettering for Pub/Sub-Triggered Functions
Ensure that Dead-Letter Topics (DLTs) are configured for Pub/Sub-triggered functions.
- Configure Maximum Instances for Cloud Functions
Ensure that a maximum instance count is configured for your Google Cloud functions; a function with no upper bound can scale without limit and drive up costs.
- Configure Minimum Instances for Cloud Functions
To reduce cold-start latency, ensure that the minimum number of function instances is greater than 0 (zero).
- Enable Automatic Runtime Security Updates
Ensure that automatic runtime security updates are enabled for your Google Cloud functions.
- Enable Serverless VPC Access for Google Cloud Functions
Ensure that Serverless VPC Access is enabled for your Google Cloud functions.
- Functions with Inactive Service Accounts
Ensure that your Google Cloud functions are using active service accounts (not disabled or deleted ones).
- GCP Execution Runtime Environment Version
Ensure that your Google Cloud functions use the 2nd gen execution environment (or a newer one).
- GCP Function Runtime Version
Ensure that your GCP functions are using the latest language runtime version available.
- GCP Function using Default Service Account
Ensure that your Google Cloud functions are not using the default service account (the App Engine default service account for 1st gen functions, the Compute Engine default service account for 2nd gen).
- GCP Function using Service Account with Basic Roles
Ensure that your Google Cloud functions are not using basic (primitive) roles such as Owner, Editor, or Viewer for permissions.
- GCP Functions with Admin Privileges
Ensure that your Google Cloud functions are not configured with admin privileges.
- Publicly Accessible Functions
Ensure that no Google Cloud functions within your GCP projects are publicly accessible (for example, invokable by allUsers or allAuthenticatedUsers).
- Use Customer-Managed Encryption Keys for Functions Encryption
Use Customer-Managed Encryption Keys (CMEKs) to protect Google Cloud functions and related data at rest.
- Use Labels for Resource Management
Ensure that all Google Cloud functions are labeled for better resource management.
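The following script is an added example, not Conformity's own code, showing how a subset of the rules above can be evaluated offline against function metadata. The record shapes follow the Cloud Functions v2 API Function resource (as returned by `gcloud functions describe NAME --gen2 --format=json`) and the IAM policy shape returned by `gcloud functions get-iam-policy` and `gcloud projects get-iam-policy`; the field names are assumptions to verify against your own output, and the two sample functions, their IAM policies, and the project policy are constructed. The "unrestricted outbound" check interprets the rule as requiring a VPC connector with `ALL_TRAFFIC` egress, so that VPC firewall rules and NAT apply to every outbound connection.

```python
"""Added example (not Conformity's code): audit Cloud Functions metadata
against a subset of the rules listed above. Field names are assumptions
based on the Cloud Functions v2 API; sample records are constructed."""
import re

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# 1st gen default SA (PROJECT_ID@appspot...) and the Compute Engine default
# SA (PROJECT_NUMBER-compute@developer...) that 2nd gen functions use.
DEFAULT_SA = re.compile(r"^(\S+@appspot|\d+-compute@developer)\.gserviceaccount\.com$")


def audit_function(fn, fn_policy, project_policy):
    """Return the rule names the function violates, in check order."""
    findings = []
    svc = fn.get("serviceConfig", {})
    sa = svc.get("serviceAccountEmail", "")

    if fn.get("environment") != "GEN_2":
        findings.append("GCP Execution Runtime Environment Version")
    if not svc.get("maxInstanceCount"):  # missing or 0 means unbounded scaling
        findings.append("Configure Maximum Instances for Cloud Functions")
    if not svc.get("minInstanceCount"):
        findings.append("Configure Minimum Instances for Cloud Functions")
    if not svc.get("vpcConnector"):
        findings.append("Enable Serverless VPC Access for Google Cloud Functions")
    # Without a connector, or with PRIVATE_RANGES_ONLY egress, traffic to
    # public IPs leaves Google's edge directly and bypasses VPC egress policy.
    if not (svc.get("vpcConnector") and svc.get("vpcConnectorEgressSettings") == "ALL_TRAFFIC"):
        findings.append("Check for Unrestricted Outbound Network Access")
    if not sa or DEFAULT_SA.match(sa):
        findings.append("GCP Function using Default Service Account")

    # Roles granted to the runtime service account at project level.
    roles = {b["role"] for b in project_policy.get("bindings", [])
             if f"serviceAccount:{sa}" in b.get("members", [])}
    if roles & BASIC_ROLES:
        findings.append("GCP Function using Service Account with Basic Roles")
    if any(r == "roles/owner" or r.lower().endswith("admin") for r in roles):
        findings.append("GCP Functions with Admin Privileges")

    # Public if any binding on the function itself grants a public principal.
    if any(PUBLIC_MEMBERS & set(b.get("members", [])) for b in fn_policy.get("bindings", [])):
        findings.append("Publicly Accessible Functions")
    if not fn.get("kmsKeyName"):
        findings.append("Use Customer-Managed Encryption Keys for Functions Encryption")
    if not fn.get("labels"):
        findings.append("Use Labels for Resource Management")
    return findings


# --- constructed sample data (not real project data) ---
WEAK_FN = {
    "name": "projects/example-project/locations/us-central1/functions/img-resize",
    "environment": "GEN_1",
    "buildConfig": {"runtime": "python39"},
    "serviceConfig": {
        "serviceAccountEmail": "example-project@appspot.gserviceaccount.com",
        "ingressSettings": "ALLOW_ALL",
    },
}
WEAK_FN_POLICY = {"bindings": [
    {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]},
]}

HARDENED_FN = {
    "name": "projects/example-project/locations/us-central1/functions/img-resize",
    "environment": "GEN_2",
    "buildConfig": {"runtime": "python312"},
    "labels": {"team": "media", "env": "prod"},
    "kmsKeyName": "projects/example-project/locations/us-central1/keyRings/fn/cryptoKeys/fn-key",
    "serviceConfig": {
        "serviceAccountEmail": "img-resize@example-project.iam.gserviceaccount.com",
        "minInstanceCount": 1,
        "maxInstanceCount": 20,
        "vpcConnector": "projects/example-project/locations/us-central1/connectors/fn-connector",
        "vpcConnectorEgressSettings": "ALL_TRAFFIC",
        "ingressSettings": "ALLOW_INTERNAL_ONLY",
    },
}
HARDENED_FN_POLICY = {"bindings": [
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:api-gw@example-project.iam.gserviceaccount.com"]},
]}

# Project-level IAM: the default SA still carries Editor plus an admin role,
# the dedicated SA has only the object-read permission the function needs.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:img-resize@example-project.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    for label, fn, pol in (("weak", WEAK_FN, WEAK_FN_POLICY),
                           ("hardened", HARDENED_FN, HARDENED_FN_POLICY)):
        print(f"{label}: {audit_function(fn, pol, PROJECT_POLICY) or 'no findings'}")
```

In practice the three inputs come from `gcloud functions describe`, `gcloud functions get-iam-policy`, and `gcloud projects get-iam-policy` with `--format=json`; the runtime-version, dead-letter, and inactive-service-account rules need additional lookups (supported runtimes, the Pub/Sub subscription's dead-letter policy, and the service account's `disabled` flag) and are not covered here.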