GCP Policy
View the new home for Paladin Cloud Documentation
View the new home for Operations
-
Enable VPC Flow Logs and Intranode Visibility for GKE Cluster
-
Enable cloudsql.enable_pgaudit Database Flag for PostgreSQL Instance
-
Enforce Separation of Duties while Assigning KMS Related Roles to Users
-
Enforce User Connections Database Flag for SQL Server Instance is Set to Non-limiting Value
-
Set log_min_error_statement Database Flag for Postgres Instance to Error or Stricter
-
Enable DNSSEC Security Feature for Google Cloud DNS-Managed Zones
-
Configure Production Cloud SQL Database Instances for High Availability
Security
-
Avoid Assigning Service Roles to IAM Users on a Project Level
-
Encrypt Cloud Storage Using Customer-Managed Encryption Keys
-
Deny Usage of Public IP Addresses for Cloud SQL Database Instances
-
Disable 3625 (trace flag) Database Flag for Cloud SQL Server Instance
-
Disable Basic Authentication with Static Passwords on GKE Cluster
-
Disable Contained Database Authentication Flag for SQL Server Database Instances
-
Disable External Scripts Enabled Flag for SQL Server Database Instances
-
Disable Log_min_duration_statement Database Flag for PostgreSQL Instance
-
Disable Database Remote Access Flag for SQL Server Database Instances
-
Encrypt Dataproc Clusters Using Customer-Managed Encryption Keys
-
Deny Usage of Service Accounts with Full Cloud API Access for VM Instances
-
Remove User Options Database Flag for Cloud SQL SERVER Instance
Tagging
Risk: High
Target: VM Instance
Compliance
Description Use Customer-Managed Keys (CMKs) to encrypt persistent disks on Google Compute Engine instances to gain greater control over sensitive data encryption and decryption. Create and manage CMKs with Cloud KMS, which provides secure key management. Although Compute Engine encrypts data at rest by default, using your own CMKs allows independent control of disk encryption, especially in environments with strict compliance and security requirements.
Resolution:
Encrypt Virtual Machine Disks
Risk: High
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
To completely control data-at-rest encryption and decryption and meet strict compliance requirements, use Customer-Supplied Encryption Keys (CSEKs) for disks attached to Google Compute Engine instances. While Compute Engine automatically encrypts data at rest, providing your own encryption keys allows for independent control and management of instance disk encryption.
Resolution:
Encrypt Virtual Machine Disks
Risk: Medium
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Enabling a Shielded VM for compute instances can improve security by protecting against malicious software, enhance compliance by providing advanced security measures, increase trustworthiness by ensuring the integrity of the boot process, and provide flexibility in deployment options.
Resolution:
Modifying Shielded VM options on a VM instance
Risk: Critical
Target: VPC Firewall
Description: To secure your Google Cloud Virtual Private Cloud (VPC) and reduce the attack surface, it is important to set firewall rules that restrict access to the Remote Desktop Protocol (RDP) on TCP port 3389 to trusted IP addresses or ranges only. Ensure only authorized traffic is allowed by blocking unrestricted access to this port (i.e., 0.0.0.0/0).
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: To implement the principle of least privilege and reduce the attack surface, review the inbound rules of your Google Cloud Virtual Private Cloud (VPC) firewall for any rules that allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 22. If such rules are found, restrict them to only trusted IP addresses or IP ranges to ensure that only authorized traffic is allowed access.
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: Allowing unrestricted DNS access to Google Cloud virtual machines (VMs) via VPC network firewall rules can increase the risk of malicious activities such as DoS and DDoS attacks. Instead, VPC firewall rules should be configured to restrict access to specific resources based on legitimate business requirements. To protect VM instances associated with these rules, Google Cloud VPC network firewall rules should not allow unrestricted access on TCP and UDP port 53, which the Domain Name System uses during DNS resolution.
Resolution:
Update Firewall
Risk: Critical
Target: Big Query Data
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: To ensure the security and privacy of sensitive data in Google Cloud Platform (GCP) BigQuery datasets, it is crucial to restrict access to authorized users or groups. Allowing public access may lead to data breaches, security threats, and compliance violations. To mitigate these risks, custom IAM roles should be created and granted to users or groups based on their roles and responsibilities, designed to provide the least privilege necessary for each user. Additionally, monitoring and auditing dataset access can detect unauthorized or suspicious activity, by enabling BigQuery audit logs and setting up alerting and monitoring systems. Following these security measures reduces the risk of unauthorized access or data breaches and maintains the security and privacy of BigQuery datasets.
Resolution:
Control Access to Data Set
Risk: High
Target: Big Query Table
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
For more granular control over data encryption and decryption, encrypt Google Cloud BigQuery dataset tables with Customer-Managed Keys (CMKs). Although BigQuery automatically encrypts content at rest, using CMKs allows you to independently manage encryption for sensitive or confidential data with Google Cloud Key Management Service (Cloud KMS).
Resolution:
Encrypt Data Set
Risk: Critical
Target: VPC Firewall
Description: To prevent malicious activities, such as brute-force attacks, FTP bounce attacks, spoofing, and packet capture attacks on virtual machines (VMs) hosted on Google Cloud, it's crucial to prevent unrestricted FTP access through VPC network firewall rules. Specifically, the firewall rules must not allow unrestricted access to TCP ports 20 and 21, which File Transfer Protocol (FTP) client-server applications use for data transfer and communication. By implementing this measure, potential attackers can be prevented from using brute-force methods to gain unauthorized access to VMs associated with the firewall rules.
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: A TCP/UDP port that is not included in the common service ports category is considered uncommon. A VPC network firewall rule that allows unrestricted access (0.0.0.0/0) to uncommon ports can increase the risk of hacking, data capture, and all kinds of attacks (brute-force attacks, man-in-the-middle attacks, and DDoS attacks). Configure your VPC network firewall rules to allow only trusted, authorized IP addresses or IP ranges to access uncommon TCP/UDP ports.
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: Enabling unrestricted access on TCP port 3306 can heighten the probability of malicious actions like brute-force, bypass authentication attacks, and SQL injection attacks. To prevent this, VPC firewall rules should be set up to limit access to specific resources solely for those hosts or networks with legitimate access needs. Google Cloud VPC network firewall rules should be set up to disallow unrestricted access on TCP port 3306 to minimize security threats and safeguard the virtual machine (VM) instances targeted by the firewall rules.
Resolution: Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: TCP port 1521 is utilized by the Oracle Database (Oracle RDBMS) for communication. Allowing unrestricted ingress access on TCP port 1521 through VPC network firewall rules can open up opportunities for malicious activities like denial-of-service attacks, brute-force, and man-in-the-middle (MITM) attacks, which can ultimately lead to data loss. To prevent this, it is recommended to configure VPC firewall rules that restrict access to specific resources only for those hosts or networks with a legitimate business need for access. To reduce the attack surface and protect the virtual machine (VM) instances that are targeted by the firewall rules, it is advised that Google Cloud VPC network firewall rules should not allow unrestricted access on TCP port 1521.
Resolution: Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: To secure your Google Cloud Virtual Private Cloud (VPC) and reduce the attack surface, it is important to set firewall rules that restrict access to the PostgreSQL Server Port 5432 to trusted IP addresses or ranges only. Ensure only authorized traffic is allowed by blocking unrestricted access to this port (i.e., 0.0.0.0/0)
Resolution: Update Firewall
Risk: Critical
Target: Firewall
Compliance:
Description: To reduce the attack surface and implement the principle of least privilege, ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access to TCP port 135 (i.e., 0.0.0.0/0). MSMQ (Message Queuing Message Queue) and other Microsoft Windows/Windows Server software use RPC TCP port 135 for client-server communications.
Resolution: Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description TCP port 25 is typically utilized by Simple Mail Transfer Protocol (SMTP) servers for email transmission. Enabling unrestricted inbound/ingress access on TCP port 25 (SMTP) through VPC network firewall rules can create opportunities for various malicious activities, including hacking, spamming, Shellshock, and Distributed Denial-of-Service (DDoS) attacks.
To reduce the risk of common security threats for the SMTP server instances associated with these firewall rules, Google Cloud VPC network firewall rules should not allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 25.
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Description Enabling unrestricted inbound access on TCP port 1433 through VPC network firewall rules for Microsoft SQL Server can increase the risk of hacking, brute-force attacks, and SQL injection attacks. To reduce the attack surface for the virtual machine instances associated with these firewall rules, Google Cloud VPC network firewall rules should not permit unrestricted access (i.e., 0.0.0.0/0) on TCP port 1433.
Resolution:
Update Firewall
Risk: High
Target: Cloud SQL
Compliance:
Description:
For greater control over data encryption and decryption in Google Cloud SQL database instances, use Customer-Managed Keys (CMKs). Create and manage CMKs with Cloud Key Management Service (Cloud KMS). Although Google Cloud SQL encrypts data at rest by default, using your own CMKs allows for independent encryption management, particularly in environments with strict security and compliance requirements.
Resolution:
Encrypt Cloud SQL
Risk: Critical
Target: VM Instance
Description:
Two-Factor Authentication, also called Multi-Factor Authentication (MFA), offers an extra layer of security besides the existing login credentials. By implementing 2FA/MFA, you can effectively fortify your production and mission-critical applications against malicious actors. Configuring 2FA in conjunction with OS Login requires the user (such as the instance administrator) to provide two or more distinct forms of authorization before being granted access, significantly lowering the risk of attack.
To secure access to your Google Cloud VM instances, it is recommended to configure Two-Factor Authentication (2FA) with the OS Login feature enabled at the virtual machine instance level.
Resolution:
Setup MFA
Risk: High
Target: Pub/Sub
Compliance:
Description:
To fully control data encryption and decryption, use Customer-Managed Keys (CMKs) for Google Cloud Pub/Sub topics. Although Pub/Sub encrypts messages by default, using your own CMKs provides independent encryption management. The service utilizes envelope encryption with CMKs, where Cloud KMS encrypts Data Encryption Keys (DEKs) created by Pub/Sub for each topic.
Resolution:
Encrypt Data Set
Risk: High
Target: Cloud Storage
Compliance:
Description:
To protect your data stored in Google Cloud Storage, you can use Customer-Managed Keys (CMKs) with the Cloud Key Management Service (Cloud KMS). This way, you can have complete control over your data encryption/decryption process, create, rotate, manage, and destroy your own CMKs. Google Cloud Storage encrypts data by default with Google-managed encryption keys, but with CMKs you can have an extra layer of security for your sensitive and confidential data, which is particularly important in companies where compliance and security are paramount.
Resolution:
Encrypt with CMEK
Risk: Critical
Target: Cloud Storage
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description
Denying public access to your cloud storage buckets on GCP is an important security measure that can help protect your data from unauthorized access, ensure compliance with regulations, and avoid unexpected costs.
While public access is disabled by default, an IAM principal with appropriate permissions can enable public access at the bucket or object level. Therefore, it is recommended to regularly review and update access control settings to ensure that only authorized users and applications can access your cloud storage and objects.
Resolution:
Restrict IAM for Cloud Storage
Risk: Critical
Target: VPC Firewall
Compliance:
Description Allowing unrestricted outbound/egress access on all TCP/UDP ports can create opportunities for malicious activities such as Distributed Denial of Service (DDoS) attacks. Reviewing your Google Cloud VPC network firewall for any egress rules that allow unrestricted access (i.e., 0.0.0.0/0) to any TCP/UDP ports is recommended to minimize security risks. Access should be limited to IP addresses and/or IP ranges that require implementing the principle of least privilege and reducing the attack surface.
Resolution: Update Firewall
Risk: Medium
Target: Cloud SQL Server
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Disabling the contained database authentication flag for SQL Server database instances is an important security measure that can help reduce the attack surface, improve the security of your database, comply with security standards, and have better control over user access. Disabling this feature can help prevent unauthorized access and data breaches and ensure all user accounts are centrally managed and audited.
Resolution:
Configure database flags
Risk: Medium
Target: Cloud SQL Server
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Disabling the database remote access flag for SQL Server database instances is an important security measure that can help improve the security of your database server, achieve compliance with security standards, have better control over database access, and reduce the attack surface. Enabling database remote access can increase the risk of unauthorized access and data breaches, potentially compromising the security of your database server. Disabling this feature can limit access to only authorized personnel and reduce the number of entry points that an attacker can use to access your database server.
Resolution:
Configure database flags
Risk: Medium
Target: Cloud SQL Server
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Disabling the 3625 (trace flag) database flag for a Cloud SQL Server instance is an important security measure that can help improve the security of your database. This can help you achieve compliance with security standards, have better control over administrative access, and reduce the attack surface. Disabling this flag can prevent remote administrative connections to your SQL Server instance, limiting the potential for unauthorized access and data breaches.
Resolution:
Configure database flags
Risk: Low
Target: CloudSQL MySQL Server
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Disabling the local_infile database flag for Cloud SQL is a security best practice that can help prevent SQL injection attacks, comply with regulatory requirements, mitigate the risk of data loss or modification, and is a recommended best practice by Google and the MySQL community.
Resolution:
Configure database flags
Risk: Low
Target: CloudSQL Postgres
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Enabling the log_hostname flag for Postgres and Cloud SQL can improve logging by providing additional context, enhance security by identifying unauthorized connections, aid in performance tuning, and provide additional benefits such as cost optimization in Cloud SQL by tracking which applications are accessing the database.
Resolution:
Configure database flags
Risk: Low
Target: CloudSQL Postgres
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Enabling the log_connections flag in PostgreSQL can improve troubleshooting, security, performance tuning, and compliance by providing a record of connections made to the database, helping to identify issues related to the number of connections, and providing an audit trail for regulatory compliance.
Resolution:
Configure database flags
Risk: Medium
Target: Cloud SQL
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Enforcing SSL for incoming connections to Cloud SQL can improve security by encrypting data in transit, meeting compliance requirements, providing authentication and adhering to best practices for database security.
Resolution:
Configure SSL/TLS certificates
Risk: Medium
Target: Networks
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: It is recommended to disable or delete the default network in a GCP project for security reasons. The default network has firewall rules that may expose your resources to external attacks. By disabling or deleting the default network, you can have greater control over the network security of your project and prevent the accidental creation of new resources in the default network. This can help you reduce the risk of unauthorized access and data breaches and simplify your network management tasks.
Resolution:
Create and Modify VPC networks
Risk: Medium
Target: Cloud Storage
Compliance:
Description Enabling uniform bucket-level access in Google Cloud Storage simplifies access control management, ensures consistent access, helps comply with security requirements, provides better security, and makes migration easier. With uniform bucket-level access, all objects in a bucket are subject to the same access controls, eliminating the need for object-level IAM policies.
Resolution:
Uniform bucket-level access
Risk: Medium
Target: Networks
Compliance:
Description: Denying the use of legacy subnet mode for Virtual Private Clouds (VPCs) can improve security by reducing the attack surface, meeting compliance requirements, providing better network segmentation and improving scalability.
Resolution:
Manage legacy networks
Risk: Medium
Target: VM Instance
Compliance:
Description: Enabling Compute Engine using instance-level SSH keys is important for securing access to your virtual machines (VMs) running on the Google Cloud Platform (GCP). Using instance-level SSH keys provides fine-grained access control, reduces the risk of privilege escalation, and allows you to enforce key rotation policies per-VM. This is a best practice for ensuring the security of your VMs on GCP.
Resolution:
Add SSH keys to VMs
Risk: Medium
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Enabling OS Login for GCP projects can improve security by allowing you to manage access to VM instances using IAM roles and permissions, simplify user management by centralizing SSH access, provide detailed logging and audit trails for SSH access, and streamline SSH access using gcloud or the Google Cloud Console.
Resolution:
Set up OS Login
Risk: Medium
Target: Service accounts
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Disabling user-managed service account key creation is an important security measure that can help improve the security of your cloud resources, achieve compliance with security standards, have better control over access to cloud resources, and protect against insider threats. User-managed service account keys can provide access to your cloud resources without requiring a password or other form of authentication, potentially compromising the security of your cloud environment. Disabling this feature can enforce more secure authentication and access control mechanisms, ensure all access is granted through secure authentication mechanisms, and reduce the risk of unauthorized access and data breaches.
Resolution:
Restricting service account usage
Risk: Medium
Target: KMS
Compliance:
Description:
Rotating Key Management Service (KMS) encryption keys every 90 days can improve security by reducing the risk of unauthorized access or data breaches, meeting compliance requirements, following best practices in security, and providing better control over access to sensitive data.
Resolution:
Key rotation
Risk: Medium
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Disabling the ability to connect to serial ports for VM instances is an important security measure that can help improve the security of your cloud resources, achieve compliance with security standards, have better control over access to cloud resources, and reduce the attack surface. Allowing users to connect to serial ports on VM instances can provide unauthorized access to your cloud resources, potentially compromising the security of your cloud environment. Disabling this feature can limit access to only authorized personnel, enforce strong authentication mechanisms, and reduce the risk of unauthorized access and data breaches.
Resolution:
Troubleshooting using the serial console
Risk: Medium
Target: Service Account
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Denying administrative privileges to service accounts in GCP is a critical security measure that can help reduce the risk of unauthorized access, data breaches, and other security incidents. Service accounts often provide applications and other services with the credentials to access cloud resources, but granting them administrative privileges can pose a security risk. Removing unnecessary administrative privileges from service accounts can help achieve better security posture and compliance with regulatory requirements. It is generally recommended to follow the principle of least privilege, which means granting the minimum necessary permissions to service accounts to perform their intended functions.
Resolution:
Manage access to service accounts
Risk: Medium
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description
Denying the usage of service accounts with full Cloud API access for VM instances can improve security by reducing the risk of unauthorized access or data breaches, meeting compliance requirements, following the principle of least privilege, and improving audibility by providing a clearer audit trail.
Resolution:
Authenticate workloads using service accounts
Risk: Medium
Target: Project
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Enabling Cloud Asset Inventory is important for maintaining visibility and control over your Google Cloud Platform (GCP) resources. It provides a unified view of all your resources, enables easy search and filtering, and allows you to monitor resource changes over time. Cloud Asset Inventory can help ensure compliance, detect security issues, and optimize your cloud resources. This is a best practice for maintaining a secure and efficient cloud environment.
Resolution:
Export asset metadata by using Cloud Asset Inventory
Risk: Medium
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Denying the usage of default service accounts for instances in GCP is an important security measure that can help protect your cloud resources from unauthorized access and malicious activities. This can reduce the attack surface, give you better control over permissions, comply with security requirements, and avoid accidental privilege escalation. Custom service accounts with the minimum necessary permissions can help achieve the principle of least privilege and improve the overall security of your cloud environment.
Resolution:
Service accounts
Risk: Medium
Target: Cloud SQL Postgres
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Enabling the cloudsql.enable_pgaudit database flag for a PostgreSQL instance in Google Cloud Platform (GCP) can help improve security by enabling the PostgreSQL Audit Extension to log all SQL statements and other activities on the database. It can also help meet compliance requirements, improve performance tuning, and provide valuable information for debugging issues with the application or database.
Resolution Audit for PostgreSQL using pgAudit
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Enabling VPC flow logs and intranode visibility for the GKE cluster provides benefits such as enhanced security, compliance with regulatory requirements, improved troubleshooting capabilities, and performance tuning. It lets you detect security threats, troubleshoot issues, optimize performance, and comply with security requirements.
Resolution Setting up intranode visibility
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Disabling legacy authorization for GKE clusters is an important security measure that can help improve the security of your Kubernetes workloads, achieve compliance with security standards, have better control over user access, and protect against insider threats. Enabling legacy authorization can increase the risk of unauthorized access and data breaches, compromising your cloud environment's security. Proper authentication and authorization mechanisms can help enforce security policies and reduce the risk of unauthorized access and data breaches.
Resolution Harden your cluster's security
Risk: Critical
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0
Description:
Enable private cluster when creating Kubernetes clusters. A private cluster prevents workloads from being accessible to the public internet by providing the nodes with reserved IP addresses.
Resolution:Creating Private Cluster
Risk: Critical
Target: VM Instance
Compliance:
Description A newly created VM instance in Google Cloud Platform (GCP) is assigned a public IP address by default, which allows it to be accessed from anywhere on the internet. However, this also increases the risk of unauthorized access, data breaches, and security threats. Denying public access to the VM instance is highly recommended to mitigate these risks. By doing so, you can limit access to only authorized users or networks, gain greater control over who can access the instance, and reduce the attack surface of your infrastructure. You can use a VPN connection or a bastion host to access the VM instance remotely and securely. These methods provide a secure channel for remote access, further reducing the risk of unauthorized access and enhancing the security of your infrastructure.
Resolution: Backend services overview
Risk: High
Target: VPC Firewall
Compliance:
Description Assigning mandatory tags to VPC Firewall can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Use Tags for firewalls
Risk: Critical
Target: VPC Firewall
Compliance:
Description To follow the principle of least privilege (POLP) and reduce the attack surface, it is recommended to review your Google Cloud VPC network firewall rules for inbound rules that grant unrestricted access (0.0.0.0/0) to any hosts using ICMP. Instead, access via ICMP should be restricted to trusted IP addresses/IP ranges only. Although ICMP is not a transport protocol, it is an error-reporting protocol commonly used for troubleshooting TCP/IP networks by generating error messages for IP packet delivery issues. However, it can also be used to exploit network vulnerabilities.
Resolution: Update Firewall Rules
Risk: Medium
Target: GKE Cluster
Compliance:
Description Enabling secure boot for Shielded GKE nodes provides protection against rootkits, boot kits, and firmware tampering and ensures the verification of the OS image. It helps comply with security requirements and provides an additional layer of security that protects against firmware and operating system attacks, ensuring that only trusted images are used.
Resolution Using Shielded GKE Nodes
Risk: High
Target: Pub/Sub
Compliance:
Description Assigning mandatory tags to PubSub Topics can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Create and manage topics
Risk: Medium
Target: Cloud SQL
Compliance:
Description Denying the usage of public IP addresses for SQL database instances is an important security measure that can help protect your database from unauthorized access and malicious activities. This can reduce the attack surface, give you better control over network traffic, help you comply with security requirements, and save on costs. By using private IP addresses and virtual private cloud (VPC) peering, you can enforce stricter security policies and protect your data from unauthorized access and data breaches.
Resolution Configure public IP
Risk: Medium
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Disabling IP forwarding for compute instances can improve security by preventing IP spoofing attacks, meeting compliance requirements, reducing network traffic, and simplifying network management.
Resolution Create and start a VM instance
Risk: High
Target: Cloud SQL
Compliance:
Description Assigning mandatory tags to CloudSQL resources can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Attach and Manage Tags on CloudSQL instances
Risk: Medium
Target: Cloud Storage
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Enabling automated backups for Google Cloud SQL databases is important for ensuring the availability and durability of your data and minimizing the risk of data loss. Automated backups allow you to schedule regular database backups, customize backup frequency and retention, and enable point-in-time recovery. This is a best practice for ensuring your data is always available and recoverable when needed.
Resolution Create and manage on-demand and automatic backups
Risk: High
Target: Dataproc
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Ensure your Google Cloud Dataproc clusters on Compute Engine use Customer-Managed Keys (CMKs) for controlling encryption/decryption processes. Cloud KMS enables the creation and management of CMKs, providing secure encryption key management. While Dataproc encrypts data at rest by default, using your own CMKs offers an additional security layer, particularly in environments with strict compliance and security controls.
Resolution Use customer-managed encryption keys
Risk: High
Target: VM Instance
Compliance:
Description Compute Engine service performs maintenance events that may require moving virtual machine (VM) instances to a different host, which can cause disruptions to production applications. To prevent this, set the VM instance's availability policy to use live migration instead of instance termination, which ensures uninterrupted application availability. Periodic infrastructure maintenance can also migrate VM instances to new hardware. To ensure VM instances are migrated instead of terminated during maintenance events, set the "On Host Maintenance" configuration setting to "Migrate".
Resolution Virtual machine instances
Risk: High
Target: Cloud SQL
Compliance:
Description Enabling High Availability (HA) configuration in Google Cloud SQL service provides data redundancy and reduces downtime during outages or planned maintenance disruptions. A regional instance with a primary and standby instance is created when configuring a Cloud SQL database instance for high availability. All writes are synchronously replicated to each zone's persistent disk, ensuring data availability to client applications in case of instance, network, or zone failure. To ensure the availability and automatic failover support of production and mission-critical Google Cloud SQL database instances, configure them for High Availability (HA).
Resolution Enable and disable high availability
Risk: High
Target: Big Query Dataset
Compliance
Description Assigning mandatory tags to BigQuery datasets provides several benefits, including improved visibility and organization, enhanced security and compliance, simplified billing and cost management, and streamlined operations and automation. Mandatory tags can help categorize and manage datasets, enforce access controls and audit policies, track and manage costs, and automate specific tasks.
Resolution Tag datasets
Risk: High
Target: Big Query Table
Compliance
Description Assigning mandatory tags with BigQuery tables can provide several benefits, including improved data governance, better resource allocation, enhanced data visibility, improved security, and streamlined operations. These tags help to correctly classify and label data, track resource usage, restrict access to sensitive data, automate routine tasks, and optimize resource allocation.
Resolution Tag datasets
Risk: High
Target: Cloud Storage
Compliance
Description Assigning mandatory tags to Cloud Storage can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Creating and managing tags
Risk: Medium
Target: IAM Users
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Avoiding assigning service roles to IAM users at the project level in GCP helps adhere to the principle of least privilege, enhances role-based access control, reduces the risk of unauthorized access, simplifies management, and maintains compliance. Instead, assign roles at more granular levels, such as the resource or service level, to create a more secure environment.
Resolution Manage access to projects, folders, and organizations
Risk: Critical
Target: GKE Cluster
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Alpha clusters are temporary clusters that run stable Kubernetes releases with all Kubernetes APIs and features enabled. However, they are not recommended for production workloads as they are not covered by a Service level agreement (SLA), do not receive security updates, automatic upgrades, or repairs, expire in 30 days, and GKE does not automatically save data stored on alpha clusters.
Resolution Alpha Clusters
Risk: Critical
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description
It is recommended to disable Basic Authentication as it uses static passwords without any encryption. This security threat can lead to attacks like brute force and credential stuffing. OpenID Connect and other authentication methods can still be used to authenticate on the cluster.
Resolution Harden your Cluster Security
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Disabling client certificate authentication for GKE clusters is an important security measure that can help improve the security of your Kubernetes workloads, achieve compliance with security standards, have better control over user access, and simplify authentication management. Client certificate authentication can increase the attack surface and risk of unauthorized access to your cluster, potentially compromising the security of your cloud environment. Disabling this feature can enforce proper authentication mechanisms, ensure all user accounts are properly authenticated, simplify authentication management, and improve the overall security of your GKE cluster.
Resolution Authenticating to the Kubernetes API server
Risk: Low
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Disabling the Kubernetes Web UI (Dashboard) is a security best practice that can help control access, reduce the attack surface, and optimize the resource utilization of a Kubernetes cluster. It is also a recommended best practice by the Kubernetes community.
Resolution Harden your cluster's security
Risk: Medium
Target: GKE Cluster
Compliance:
Description Enabling Cloud Logging and Monitoring for Google Kubernetes Engine (GKE) clusters is important for monitoring and troubleshooting applications running on Kubernetes and ensuring their performance and reliability. Cloud Logging allows capturing and analyzing logs, while Cloud Monitoring allows monitoring performance and availability. Both features help identify and respond to issues in a timely manner, optimize resource usage, and ensure that applications are running smoothly. This is a best practice for maintaining the reliability and performance of applications running on GKE clusters.
Resolution Configuring Cloud Operations for GKE
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Configuring VPC-native for clusters in GKE provides benefits such as improved performance, security, compatibility with other Google Cloud services, compliance with security requirements, and simplified networking configuration. It allows for faster communication between pods and services, improved security and isolation, easier integration with other services, compliance with security requirements, and simplified networking.
Resolution VPC-native clusters
Risk: High
Target: IAM Users
Compliance:
Description Ensure that the principle of separation of duties (SoD) is applied to all Google Cloud Platform (GCP) service-account related roles. SoD, aimed at preventing fraud and human error, distributes tasks and associated privileges for a specific business process among multiple users/members. Adhering to security best practices, GCP service accounts should not concurrently have the Service Account Admin and Service Account User roles assigned. Enforcing SoD helps eliminate the need for high-privileged IAM members, reducing the risk of malicious or unwanted actions.
Resolution Best practices for using service accounts
Risk: Medium
Target: IAM Users
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Enforcing separation of duties while assigning Key Management Service (KMS) related roles to users can provide benefits such as reduced risk of unauthorized access, compliance with regulatory standards, improved accountability, and better resource management.\
Resolution Separation of duties
Risk: Critical
Target: GKE Cluster
Compliance:
Description To enhance the security of your Google Kubernetes Engine (GKE) clusters and minimize their exposure to the internet, it's essential to configure them with master authorized networks. This feature allows you to add specific IP addresses and/or IP address ranges to an allowlist, which authorizes them to access your cluster master endpoint using HTTPS.
By adding master authorized networks to your GKE cluster, you can enjoy improved network-level protection and security. Authorized networks provide access only to a limited set of trusted IP addresses, such as those originating from a secure network. This ensures that your GKE cluster is accessible only to authorized users, which can be crucial in case of a vulnerability in the cluster's authentication or authorization mechanism. Overall, it's highly recommended to use master authorized networks to help secure your GKE clusters and prevent unauthorized access.
Resolution: Harden GKE Cluster's Security
Risk: Medium
Target: Cloud SQL Server
Compliance:
Description Disabling the External Scripts Enabled flag for SQL Server database instances is an important security measure that can help reduce the attack surface, improve the security of your database, comply with security standards, and have better control over code execution. This can help prevent unauthorized access and data breaches and ensure that only trusted code is executed on your database server.
Resolution Configure database flags
Risk: Medium
Target: CloudSQL MySQLServer
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Enabling the skip_show_database flag for Cloud SQL can hide the names of databases from users who do not have the necessary privileges to view them, which can provide some additional security benefits. However, it may not be appropriate for all use cases, such as multi-tenant applications or cases where specific users or groups require access to specific databases. It's important to carefully consider whether this flag is appropriate for your specific use case and to use other methods to restrict access to specific databases if needed.
Resolution Configure database flags
Risk: Critical
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0
Description Google Kubernetes Engine (GKE) automatically encrypts all customer content, including Secrets, when it's at rest without requiring additional input. Application-layer secrets encryption is another security measure for sensitive data kept in etcd by allowing data encryption at the application level with a Cloud KMS key. This provides added protection against offline attacks. To use this encryption method, it is necessary to first create a Cloud KMS key and give GKE service account access. The Cloud KMS key should be situated in the same location as the cluster to decrease latency and prevent problems with multiple failure domains. When the encryption feature is enabled, both new and existing Secrets are encrypted utilizing the designated encryption key.
Resolution:Encrypt Secrets at the Application Layer
Risk: High
Target: GKE Cluster
Compliance:
Description To gain finer control over your GKE data encryption/decryption process, use Customer-Managed Keys (CMKs) to encrypt cluster nodes. Cloud KMS allows you to create and manage your own CMKs, offering secure encryption key management. Although GKE automatically encrypts data at rest, using your own CMKs is recommended to meet strict compliance requirements and protect sensitive GKE data.
Resolution Use customer-managed encryption keys (CMEK)
Risk: Medium
Target: CloudSQL PostGres
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Setting the log_min_error_statement database flag for a PostgreSQL instance to "error" or a stricter level can improve error tracking, enhance performance by reducing disk usage, help identify potential security issues, and meet compliance requirements for auditing and reporting.
Resolution Configure database flags
Risk: Medium
Target: Cloud DNS
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Enabling DNSSEC security feature for Google Cloud DNS-managed zones can improve security by preventing DNS spoofing and other attacks, provide authentication, meet compliance requirements, and improve reputation management by ensuring trustworthy DNS data.
Resolution Manage DNSSEC configuration
Risk: High
Target: Cloud SQL
Compliance:
Description Ensure the "cross db ownership chaining" flag is disabled for Google Cloud SQL Server database instances, as enabling it may have security implications. Only activate this flag if all hosted databases must participate in cross-database ownership chaining and you understand the potential risks.
Resolution Configure database flags
Risk: Critical
Target: KMS Key
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description To ensure the security of your Cloud Key Management Service (KMS) keys, it is crucial to configure the associated Cloud Identity and Access Management (IAM) policies to restrict access by anonymous and public users. To achieve this, it is recommended that you remove the "allUsers" and "allAuthenticatedUsers" members from the KMS key's IAM policy bindings. This is because allowing access permissions to these members can pose a significant security risk to your KMS keys and encrypted data, making them susceptible to unauthorized access. Therefore, taking this step is essential in preventing data loss and leakage.
Resolution: Access Control with IAM
Risk: Medium
Target: Cloud SQL Postgres
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Disabling the log_min_duration_statement database flag for PostgreSQL instances is an important security measure that can help reduce the exposure of sensitive data, improve performance, achieve compliance with security standards, and have better control over logging policies. Logging all SQL statements that take longer than a certain duration to execute can impact the performance of your database and expose sensitive data to unauthorized access or disclosure. Disabling this flag can help protect your database from potential vulnerabilities and security threats.
Resolution Configure database flags
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Enabling integrity monitoring for Shielded Google Kubernetes Engine (GKE) nodes is important for ensuring the security and integrity of your Kubernetes clusters. Shielded GKE nodes use advanced security features to protect the nodes from potential attacks or tampering, and integrity monitoring ensures that the nodes have not been modified in an unauthorized way. Enabling integrity monitoring can help detect potential security breaches, configure alerts and notifications, and respond to potential threats in a timely manner. This is a best practice for maintaining the security and integrity of your Kubernetes clusters.
Resolution Monitoring integrity on Shielded VMs
Risk: Low
Target: CloudSQL SQL Server
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Removing the user options database flag for Cloud SQL SERVER instance can improve security by preventing unauthorized changes, improve stability by avoiding changes that can cause issues, help with compliance by ensuring all options and settings are monitored by the database administrator, and promote standardization of the database environment.
Resolution Configure database flags
Risk: Medium
Target: API Keys
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Configuring API restrictions for API keys is important for securing your APIs and protecting your resources from unauthorized access or misuse. By limiting the usage of your API key to specific APIs or API methods, you can ensure that only authorized requests are allowed and prevent potential security breaches or financial loss. This is a best practice for ensuring the security of your APIs and preventing unauthorized access to your resources.
Resolution API security best practices
Risk: Medium
Target: API Keys
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Rotating Google Cloud API keys can improve security by reducing the risk of unauthorized access or data breaches, meeting compliance requirements, following best practices in security, and providing better control over access to resources.
Resolution API security best practices
Risk: Medium
Target: API Keys
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Configuring application restrictions for a Google Cloud API key is important for securing your resources and protecting your applications from unauthorized access and malicious attacks. By limiting the usage of your API key to specific applications or APIs, you can ensure that only authorized requests are allowed and prevent potential security breaches, data loss, or financial loss.
Resolution Adding restrictions to API keys
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Enabling auto-upgrade for Google Kubernetes Engine (GKE) nodes is important for ensuring the security and reliability of your Kubernetes cluster. Auto-upgrade automatically upgrades the nodes in your cluster to the latest version, ensuring that your cluster is always up-to-date with the latest security patches and improvements. This is a best practice for ensuring the security and reliability of your Kubernetes cluster while reducing the burden of manual upgrades and maintenance.
Resolution Auto-upgrading nodes
Risk: Medium
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Enabling confidential computing for compute instances protects sensitive data and workloads from potential attacks or unauthorized access. It uses hardware-based Trusted Execution Environments (TEEs) to create secure enclaves that isolate the data and code being processed from the rest of the system. Enabling confidential computing can help meet compliance requirements and protect reputation in case of a security breach. This is a best practice for securing sensitive data and workloads and maintaining trust with customers and stakeholders.
Resolution Creating a Confidential VM instance
Risk: Medium
Target: GCP Load Balancer
Compliance:
Description Enabling HTTPS logging for load-balancing backend services provides benefits such as enhanced security, compliance with regulatory requirements, improved troubleshooting capabilities, and performance tuning. It allows you to identify suspicious activity, troubleshoot issues, and optimize performance, contributing to your application's overall security, compliance, and performance.
Resolution Global external HTTP(S) load balancer logging and monitoring
Risk: Medium
Target: GCP
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Securing SSL cipher suites can improve security by providing stronger encryption algorithms and key exchange protocols, meeting compliance requirements, improving reputation, and ensuring compatibility with modern browsers and operating systems.
Resolution SSL policies for SSL and TLS protocols
Risk: Medium
Target: Cloud SQL
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Disabling the public IP for a Cloud SQL database instance is an important security measure that can help protect your database from unauthorized access and malicious activities. This can reduce the attack surface, give you better control over network traffic, help you comply with security requirements, and save on costs. By using private IP addresses and virtual private cloud (VPC) peering, you can enforce stricter security policies and protect your data from unauthorized access and data breaches.
Resolution Configure public IP
Risk: High
Target: GCP Load Balancer
Compliance:
Description Enforcing HTTPS for your Google Cloud load balancers is crucial to protect the communication between clients and load balancers from eavesdropping and MITM attacks. This is especially important when sensitive data is involved. Configuring valid SSL/TLS certificates on GCP load balancers is essential to ensure encrypted web traffic between clients and load balancers.
Resolution Set up a global external HTTP(S) load balancer (classic) with a managed instance group backend
Risk: High
Target: VM Instance
Compliance:
Description Assigning mandatory tags to VMs can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Add/Remove Tags
Risk: Medium
Target: Cloud SQL Postgres
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Enabling the log_disconnections flag in PostgreSQL allows the database server to log all client disconnections. This can help with debugging, security monitoring, and performance tuning. It provides useful information to identify unusual behavior, detect suspicious activity, and optimize performance.
Resolution Configure database flags
Risk: Medium
Target: CloudSQL SQLServer
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Enforcing a non-limiting value for a SQL Server instance's "user connections" database flag can improve stability, optimize resource usage, improve security, and ensure compliance with license restrictions. Limiting the number of concurrent connections can prevent overloading, optimize system resources, reduce the attack surface, and ensure compliance with licensing restrictions.
Resolution Configure database flags
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Enabling auto-repair for Google Kubernetes Engine (GKE) nodes is important for ensuring the availability and reliability of your applications running on the Kubernetes cluster. Auto-repair detects and repairs or replaces unhealthy nodes automatically, helping to prevent downtime or other issues caused by unhealthy nodes. This is a best practice for ensuring the availability and reliability of your applications running on GKE.
Resolution Auto-repair nodes
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Creating clusters with private nodes can improve security by reducing the attack surface and preventing unauthorized access, reducing exposure to the public internet, meeting compliance requirements for protecting sensitive data, enhancing performance by reducing network latency, and reducing costs associated with network egress.
Resolution Private clusters in GKE
