GCP Policy
Operations
-
Enable cloudsql.enable_pgaudit Database Flag for PostgreSQL Instance
-
Enforce Separation of Duties while Assigning KMS Related Roles to Users
-
Enforce User Connections Database Flag for SQL Server Instance is Set to Non-limiting Value
-
Set log_min_error_statement Database Flag for Postgres Instance to Error or Stricter
-
Enable DNSSEC Security Feature for Google Cloud DNS-Managed Zones
-
Configure Production Cloud SQL Database Instances for High Availability
Security
-
Avoid Assigning Service Roles to IAM Users on a Project Level
-
Encrypt Cloud Storage Using Customer-Managed Encryption Keys
-
Deny Usage of Public IP Addresses for SQL Database Instances
-
Disable 3625 (trace flag) Database Flag for Cloud SQL Server Instance
-
Disable Contained Database Authentication Flag for SQL Server Database Instances
-
Disable External Scripts Enabled Flag for SQL Server Database Instances
-
Disable Log_min_duration_statement Database Flag for PostgreSQL Instance
-
Disable Database Remote Access Flag for SQL Server Database Instances
-
Encrypt Dataproc Clusters Using Customer-Managed Encryption Keys
-
Deny Usage of Service Accounts with Full Cloud API Access for VM Instances
-
Remove User Options Database Flag for Cloud SQL SERVER Instance
Tagging
Risk: Critical
Target: Virtual Machine
Description
Restrict firewall rule to maintain the principle of least privilege
Resolution:
Restrict firewall
Risk: Low
Target: Load Balancer
Description
This policy identifies Load Balancer HTTPS target proxies that are not configured with QUIC protocol. Enabling QUIC protocol in load balancer target https proxies adds advantage by establishing connections faster, stream-based multiplexing, improved loss recovery, and eliminates head-of-line blocking.
Resolution:
Enabling QUIC protocol in load balancer target https proxies adds advantage by establishing connections faster, stream-based multiplexing, improved loss recovery, and eliminates head-of-line blocking.
Risk: Medium
Target: VM Instances
Description
To improve reliability, ensure that Google Cloud Compute Engine service restarts automatically your virtual machine instances when they are terminated due to non-user initiated reasons such as maintenance events, hardware, and software failures.
Resolution:
Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute. In the navigation panel, select VM instances to access the list with all the Compute Engine instances provisioned for the selected project. Click on the name of the virtual machine (VM) instance that you want to reconfigure (see Audit section part I to identify the right instance). On the selected resource configuration page, click EDIT to enter the instance edit mode. In the Availability policies section, select On (recommended) from the Automatic restart dropdown list to enable automatic restart for the selected Google Cloud virtual machine instance. Click Save to apply the configuration changes. Repeat steps no. 5 – 8 to enable automatic restart for other production virtual machine (VM) instances available in the selected project.
Risk: Medium
Target: VM Instances
Description
Ensure that the Auto-Delete behavior rule is disabled for the persistent disks attached to your Google Cloud virtual machine (VM) instances in order to protect the VM data from being deleted and meet security and compliance requirements.
Resolution:
Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute. In the navigation panel, select VM instances to access the list with all the Compute Engine instances provisioned for the selected project. Click on the name of the virtual machine (VM) instance that you want to reconfigure. On the selected resource configuration page, click EDIT to enter the instance edit mode. In the Boot disk section, select Keep disk from When deleting instance dropdown list, to disable the Auto-Delete behavior rule and keep the boot disk when the VM instance is terminated. In the Additional disks section, if the selected instance has additional disks attached, click on the disk box header, select Keep disk under Deletion rule, and click Done to close the configuration box. Repeat this step to disable the Auto-Delete behavior for all the required data disks attached. Click Save to apply the configuration changes.
Risk: Medium
Target: Cloud Functions
Description
This policy identifies GCP Cloud Functions that are configured with overly permissive Ingress setting. With overly permissive Ingress setting, all inbound requests to the function are allowed, from both the public and resources within the same project. It is recommended to restrict the traffic from the public and other resources, to get better network-based access control and allow traffic from VPC networks in the same project or traffic through the Cloud Load Balancer.
Resolution:
- Login to GCP console\n2. Navigate to 'Cloud Functions' service (Left Panel)\n3. Click on the alerting function\n4. Click on 'EDIT'\n5. Click on 'Runtime, build, connections and security settings' drop-down to get the detailed view\n6. Click on the 'CONNECTIONS' tab\n7. In 'Ingress settings', select either 'Allow internal traffic only' or 'Allow internal traffic and traffic from Cloud Load Balancing'\n8. Click on 'NEXT'\n9. Click on 'DEPLOY'
Risk: Medium
Target: Cloud Functions
Description
This policy identifies GCP Cloud Functions for which the HTTP trigger is not secured. When you configure HTTP functions to be triggered only with HTTPS, user requests will be redirected to use the HTTPS protocol, which is more secure. It is recommended to set the 'Require HTTPS' for configuring HTTP triggers while deploying your function.
Resolution:
- Login to GCP console\n2. Navigate to 'Cloud Functions' service (Left Panel)\n3. Click on the alerting function\n4. Click on 'EDIT'\n5. Under section 'Trigger', click on 'EDIT'\n6. Select the checkbox against the field 'Require HTTPS'\n7. Click on 'SAVE'\n8. Click on 'NEXT'\n9. Click on 'DEPLOY'
Risk: Medium
Target: Cloud Functions
Description
This policy identifies GCP Cloud Functions that are not configured with a VPC connector. VPC connector helps function to connect to a resource inside a VPC in the same project. Setting up the VPC connector allows you to set up a secure perimeter to guard against data exfiltration and prevent functions from accidentally sending any data to unwanted destinations. It is recommended to configure the GCP Cloud Function with a VPC connector.\n\nNote: For the Cloud Functions function to access the public traffic with Serverless VPC connector, you have to introduce Cloud NAT.\nLink: https://cloud.google.com/functions/docs/networking/network-settings#route-egress-to-vpc
Resolution:
- Login to GCP console\n2. Navigate to 'Cloud Functions' service (Left Panel)\n3. Click on the alerting function\n4. Click on 'EDIT'\n5. Click on 'Runtime, build, connections and security settings’ drop-down to get the detailed view\n6. Click on the 'CONNECTIONS' tab\n7. Under Section 'Egress settings', select a VPC connector from the dropdown\n8. In case VPC connector is not available, select 'Custom' and\n9. Click on 'Create a Serverless VPC Connector', follow the link to create a Serverless VPC connector: https://cloud.google.com/vpc/docs/configure-serverless-vpc-access\n10. Once the Serverless VPC connector is available, select it from the dropdown\n11. Click on 'NEXT'\n12. Click on 'DEPLOY'
Risk: Low
Target: Load Balancer
Description
Configure Custom SSL policy for https target proxy instead of default gcp policy
Resolution:
Configure Custom SSL policy for https target proxy instead of default gcp policy
Risk: High
Target: VM Instance
Compliance
Description Use Customer-Managed Keys (CMKs) to encrypt persistent disks on Google Compute Engine instances to gain greater control over sensitive data encryption and decryption. Create and manage CMKs with Cloud KMS, which provides secure key management. Although Compute Engine encrypts data at rest by default, using your own CMKs allows independent control of disk encryption, especially in environments with strict compliance and security requirements.
Resolution:
Encrypt Virtual Machine Disks
Risk: High
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
To completely control data-at-rest encryption and decryption and meet strict compliance requirements, use Customer-Supplied Encryption Keys (CSEKs) for disks attached to Google Compute Engine instances. While Compute Engine automatically encrypts data at rest, providing your own encryption keys allows for independent control and management of instance disk encryption.
Resolution:
Encrypt Virtual Machine Disks
Risk: Medium
Target: Virtual Machine
Description:
Google compute engines should be configured to use Shielded VM Security feature
Resolution:
- Select the VM instance you want to reconfigure
- Stop the VM
- Click Edit to enter the Edit mode
- Under "Shielded VM" : select "turn on vTPM" , "Turn on Integrity Monitoring" and "Turn on Secure Boot "
- Click on Save
- Click on Start
Reference: https://cloud.google.com/compute/shielded-vm/docs/modifying-shielded-vm
Risk: Critical
Target: VPC Firewall
Description: To secure your Google Cloud Virtual Private Cloud (VPC) and reduce the attack surface, it is important to set firewall rules that restrict access to the Remote Desktop Protocol (RDP) on TCP port 3389 to trusted IP addresses or ranges only. Ensure only authorized traffic is allowed by blocking unrestricted access to this port (i.e., 0.0.0.0/0).
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: To implement the principle of least privilege and reduce the attack surface, review the inbound rules of your Google Cloud Virtual Private Cloud (VPC) firewall for any rules that allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 22. If such rules are found, restrict them to only trusted IP addresses or IP ranges to ensure that only authorized traffic is allowed access.
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: Do not allow firewall rules that give unrestricted access (i.e., 0.0.0.0/0) on TCP and UDP port 53 to restrict Domain Name Server (DNS) traffic to reduce the attack surface.
Resolution:
Update Firewall
Risk: Critical
Target: Big Query Data
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: To ensure the security and privacy of sensitive data in Google Cloud Platform (GCP) BigQuery datasets, it is crucial to restrict access to authorized users or groups. Allowing public access may lead to data breaches, security threats, and compliance violations. To mitigate these risks, custom IAM roles should be created and granted to users or groups based on their roles and responsibilities, designed to provide the least privilege necessary for each user. Additionally, monitoring and auditing dataset access can detect unauthorized or suspicious activity, by enabling BigQuery audit logs and setting up alerting and monitoring systems. Following these security measures reduces the risk of unauthorized access or data breaches and maintains the security and privacy of BigQuery datasets.
Resolution:
Control Access to Data Set
Risk: High
Target: Big Query Table
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
For more granular control over data encryption and decryption, encrypt Google Cloud BigQuery dataset tables with Customer-Managed Keys (CMKs). Although BigQuery automatically encrypts content at rest, using CMKs allows you to independently manage encryption for sensitive or confidential data with Google Cloud Key Management Service (Cloud KMS).
Resolution:
Encrypt Data Set
Risk: Critical
Target: VPC Firewall
Description: To prevent malicious activities, such as brute-force attacks, FTP bounce attacks, spoofing, and packet capture attacks on virtual machines (VMs) hosted on Google Cloud, it's crucial to prevent unrestricted FTP access through VPC network firewall rules. Specifically, the firewall rules must not allow unrestricted access to TCP ports 20 and 21, which File Transfer Protocol (FTP) client-server applications use for data transfer and communication. By implementing this measure, potential attackers can be prevented from using brute-force methods to gain unauthorized access to VMs associated with the firewall rules.
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: A TCP/UDP port that is not included in the common service ports category is considered uncommon. A VPC network firewall rule that allows unrestricted access (0.0.0.0/0) to uncommon ports can increase the risk of hacking, data capture, and all kinds of attacks (brute-force attacks, man-in-the-middle attacks, and DDoS attacks). Configure your VPC network firewall rules to allow only trusted, authorized IP addresses or IP ranges to access uncommon TCP/UDP ports.
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: Enabling unrestricted access on TCP port 3306 can heighten the probability of malicious actions like brute-force, bypass authentication attacks, and SQL injection attacks. To prevent this, VPC firewall rules should be set up to limit access to specific resources solely for those hosts or networks with legitimate access needs. Google Cloud VPC network firewall rules should be set up to disallow unrestricted access on TCP port 3306 to minimize security threats and safeguard the virtual machine (VM) instances targeted by the firewall rules.
Resolution: Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: TCP port 1521 is utilized by the Oracle Database (Oracle RDBMS) for communication. Allowing unrestricted ingress access on TCP port 1521 through VPC network firewall rules can open up opportunities for malicious activities like denial-of-service attacks, brute-force, and man-in-the-middle (MITM) attacks, which can ultimately lead to data loss. To prevent this, it is recommended to configure VPC firewall rules that restrict access to specific resources only for those hosts or networks with a legitimate business need for access. To reduce the attack surface and protect the virtual machine (VM) instances that are targeted by the firewall rules, it is advised that Google Cloud VPC network firewall rules should not allow unrestricted access on TCP port 1521.
Resolution: Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description: To secure your Google Cloud Virtual Private Cloud (VPC) and reduce the attack surface, it is important to set firewall rules that restrict access to the PostgreSQL Server Port 5432 to trusted IP addresses or ranges only. Ensure only authorized traffic is allowed by blocking unrestricted access to this port (i.e., 0.0.0.0/0)
Resolution: Update Firewall
Risk: Critical
Target: Firewall
Compliance:
Description: To reduce the attack surface and implement the principle of least privilege, ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access to TCP port 135 (i.e., 0.0.0.0/0). MSMQ (Message Queuing Message Queue) and other Microsoft Windows/Windows Server software use RPC TCP port 135 for client-server communications.
Resolution: Update Firewall
Risk: Critical
Target: VPC Firewall
Compliance:
Description TCP port 25 is typically utilized by Simple Mail Transfer Protocol (SMTP) servers for email transmission. Enabling unrestricted inbound/ingress access on TCP port 25 (SMTP) through VPC network firewall rules can create opportunities for various malicious activities, including hacking, spamming, Shellshock, and Distributed Denial-of-Service (DDoS) attacks.
To reduce the risk of common security threats for the SMTP server instances associated with these firewall rules, Google Cloud VPC network firewall rules should not allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 25.
Resolution:
Update Firewall
Risk: Critical
Target: VPC Firewall
Description Enabling unrestricted inbound access on TCP port 1433 through VPC network firewall rules for Microsoft SQL Server can increase the risk of hacking, brute-force attacks, and SQL injection attacks. To reduce the attack surface for the virtual machine instances associated with these firewall rules, Google Cloud VPC network firewall rules should not permit unrestricted access (i.e., 0.0.0.0/0) on TCP port 1433.
Resolution:
Update Firewall
Risk: High
Target: Cloud SQL
Compliance:
Description:
For greater control over data encryption and decryption in Google Cloud SQL database instances, use Customer-Managed Keys (CMKs). Create and manage CMKs with Cloud Key Management Service (Cloud KMS). Although Google Cloud SQL encrypts data at rest by default, using your own CMKs allows for independent encryption management, particularly in environments with strict security and compliance requirements.
Resolution:
Encrypt Cloud SQL
Risk: Critical
Target: VM Instance
Description:
Two-Factor Authentication, also called Multi-Factor Authentication (MFA), offers an extra layer of security besides the existing login credentials. By implementing 2FA/MFA, you can effectively fortify your production and mission-critical applications against malicious actors. Configuring 2FA in conjunction with OS Login requires the user (such as the instance administrator) to provide two or more distinct forms of authorization before being granted access, significantly lowering the risk of attack.
To secure access to your Google Cloud VM instances, it is recommended to configure Two-Factor Authentication (2FA) with the OS Login feature enabled at the virtual machine instance level.
Resolution:
Setup MFA
Risk: High
Target: Pub/Sub
Compliance:
Description:
To fully control data encryption and decryption, use Customer-Managed Keys (CMKs) for Google Cloud Pub/Sub topics. Although Pub/Sub encrypts messages by default, using your own CMKs provides independent encryption management. The service utilizes envelope encryption with CMKs, where Cloud KMS encrypts Data Encryption Keys (DEKs) created by Pub/Sub for each topic.
Resolution:
Encrypt Data Set
Risk: High
Target: Cloud Storage
Compliance:
Description:
To protect your data stored in Google Cloud Storage, you can use Customer-Managed Keys (CMKs) with the Cloud Key Management Service (Cloud KMS). This way, you can have complete control over your data encryption/decryption process, create, rotate, manage, and destroy your own CMKs. Google Cloud Storage encrypts data by default with Google-managed encryption keys, but with CMKs you can have an extra layer of security for your sensitive and confidential data, which is particularly important in companies where compliance and security are paramount.
Resolution:
Encrypt with CMEK
Risk: Critical
Target: Cloud Storage
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description
Denying public access to your cloud storage buckets on GCP is an important security measure that can help protect your data from unauthorized access, ensure compliance with regulations, and avoid unexpected costs.
While public access is disabled by default, an IAM principal with appropriate permissions can enable public access at the bucket or object level. Therefore, it is recommended to regularly review and update access control settings to ensure that only authorized users and applications can access your cloud storage and objects.
Resolution:
Restrict IAM for Cloud Storage
Risk: Critical
Target: VPC Firewall
Compliance:
Description Allowing unrestricted outbound/egress access on all TCP/UDP ports can create opportunities for malicious activities such as Distributed Denial of Service (DDoS) attacks. Reviewing your Google Cloud VPC network firewall for any egress rules that allow unrestricted access (i.e., 0.0.0.0/0) to any TCP/UDP ports is recommended to minimize security risks. Access should be limited to IP addresses and/or IP ranges that require implementing the principle of least privilege and reducing the attack surface.
Resolution: Update Firewall
Risk: Medium
Target: Cloud SQL Server
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Disabling the contained database authentication flag for SQL Server database instances is an important security measure that can help reduce the attack surface, improve the security of your database, comply with security standards, and have better control over user access. Disabling this feature can help prevent unauthorized access and data breaches and ensure all user accounts are centrally managed and audited.
Resolution:
Configure database flags
Risk: Medium
Target: Cloud SQL Server
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Disabling the database remote access flag for SQL Server database instances is an important security measure that can help improve the security of your database server, achieve compliance with security standards, have better control over database access, and reduce the attack surface. Enabling database remote access can increase the risk of unauthorized access and data breaches, potentially compromising the security of your database server. Disabling this feature can limit access to only authorized personnel and reduce the number of entry points that an attacker can use to access your database server.
Resolution:
Configure database flags
Risk: Medium
Target: Cloud SQL Server
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: Disabling the 3625 (trace flag) database flag for a Cloud SQL Server instance is an important security measure that can help improve the security of your database. This can help you achieve compliance with security standards, have better control over administrative access, and reduce the attack surface. Disabling this flag can prevent remote administrative connections to your SQL Server instance, limiting the potential for unauthorized access and data breaches.
Resolution:
Configure database flags
Risk: Low
Target: MySQL SERVER
Description: Ensure that the "local_infile" database flag is disabled for your Google Cloud MySQL database instances, in order to follow data security best practices
Resolution:
1.Navigate cloud sql instances at https://console.cloud.google.com/sql/instances
2.Click Filter tree box, select Type and MySQL
3.Click the database you want to reconfigure
4.In the navigation panel, select Overview
5.Click on Edit button
6.In the Configuration options, click on Flags
7.Find the local_infile flag and turn it off by selecting off from the flag configuration dropdown list
8.Click Save to apply the configuration changes.
Reference: https://cloud.google.com/sql/docs/mysql/flags
Risk: Low
Target: Postgres SERVER
Description: Ensure that the "log_hostname" database flag is disabled for your Google Cloud Postgres database instances, in order to follow data security best practices
Resolution:
1.Navigate cloud sql instances at https://console.cloud.google.com/sql/instances
2.Click Filter tree box, select Type and Postgres
3.Click the database you want to reconfigure
4.In the navigation panel, select Overview
5.Click on Edit button
6.In the Configuration options, click on Flags
7.Find the log_hostname flag and turn it on by selecting on from the flag configuration dropdown list
8.Click Save to apply the configuration changes.
Reference: https://cloud.google.com/sql/docs/postgres/flags
Risk: Low
Target: Postgres SERVER
Description: Ensure that "log_connections" database flag is enabled for your Google Cloud PostgreSQL database instances. The "log_connections" flag causes each attempted connection to the database instance to be logged, including successful client authentication request
Resolution:
1.Navigate cloud sql instances at https://console.cloud.google.com/sql/instancess
2.Click Filter tree box, select Type and PostGres
3.Click the database you want to reconfigure
4.In the navigation panel, select Overview
5.Click on Edit button
6.In the Configuration options, click on Flags
7.Find the Log_connections flag and turn it off by selecting off from the flag configuration dropdown list
8.Click Save to apply the configuration changes.
Reference: https://cloud.google.com/sql/docs/postgres/flags
Risk: Medium
Target: Cloud SQL
Description: Enforce all incoming connections to your Cloud SQL database instances to use SSL/TLS only. If the SSL/TLS protocol is not enforced for all Cloud SQL connections, clients without a valid certificate are not allowed to connect to the database.
Resolution:
1.Go to GCP portal
2.navigate to Cloud SQL Instances
3.select database instance that you want to examine
4.In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.
5.In the SSL section, under SSL connections, check the configuration status of the SSL Connections feature. If the feature status is set to "Unsecured connections are allowed to connect to this instance.", the selected Cloud SQL database instance is not configured to require all incoming connections to use SSL/TLS.
Reference: https://cloud.google.com/sql/docs/mysql/configure-ssl-instance
Risk: Medium
Target: Networks
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description: It is recommended to disable or delete the default network in a GCP project for security reasons. The default network has firewall rules that may expose your resources to external attacks. By disabling or deleting the default network, you can have greater control over the network security of your project and prevent the accidental creation of new resources in the default network. This can help you reduce the risk of unauthorized access and data breaches and simplify your network management tasks.
Resolution:
Create and Modify VPC networks
Risk: Medium
Target: cloudstorage
Description: Ensure that uniform bucket-level access is enabled for all your Google Cloud Storage buckets. With this level of access, object access is controlled entirely through bucket-level permissions (IAM) to ensure uniform access to all the objects within a storage bucket.
Resolution:
1.Go to Google Cloud Management Console.
2.Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar and navigate to Cloud Storage dashboard at https://console.cloud.google.com/storage.
3.In the navigation panel, select Browser to access the list with all the Cloud Storage buckets provisioned for the selected project and Click on the name of the storage bucket that you want to reconfigure.
4.Select the Permissions tab to access the permissions available for selected bucket.
5.On the Permissions panel, click on the Edit button inside the box with the following description: "This bucket uses fine-grained access control, allowing you to specify access to individual objects. To control access uniformly at the bucket level, switch to uniform access control", to enter the edit access control mode.
6.Inside the Edit access control configuration box, -
a)Select Uniform to enable uniform access to all objects available in the selected bucket by using only bucket-level permissions (IAM).
b)Select the Add project role ACLs to the bucket IAM policy checkbox to ensure that the users who rely on project owner, editor, and viewer roles can still access the bucket's objects.
c)Click SAVE to apply the changes and enable uniform bucket-level access for the selected Google Cloud Storage bucket.
Reference: https://cloud.google.com/storage/docs/uniform-bucket-level-access
Risk: Medium
Target: networks
Description: Ensure Legacy Networks Do Not Exist for Older Projects
Resolution:
- Create a new VPC with subnet mode as CUSTOM
- Migrate the old VPC to this newly created VPC
Reference: https://cloud.google.com/vpc/docs/using-legacy
Risk: Medium
Target: VM Instance
Compliance:
Description: Enabling Compute Engine using instance-level SSH keys is important for securing access to your virtual machines (VMs) running on the Google Cloud Platform (GCP). Using instance-level SSH keys provides fine-grained access control, reduces the risk of privilege escalation, and allows you to enforce key rotation policies per-VM. This is a best practice for ensuring the security of your VMs on GCP.
Resolution:
Add SSH keys to VMs
Risk: Medium
Target: GCP Tagging
Description: Ensure that the OS Login feature is enabled at the Google Cloud Platform project level in order to provide you with centralized and automated SSH key pair management.
Resolution:
1.Go to GCP portal
2.Navigate to Google Compute Engine
3.In navigation panel under setting select Metadata for selected project
4. click on edit and if enable-oslogin key exists and value is set to false change the value to true.if the enable-oslogin key is not addded click on Add item and add enable-oslogin key with value set to true
5.save the changes.
Reference: OS LogIn
Risk: Medium
Target: Service accounts
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Disabling user-managed service account key creation is an important security measure that can help improve the security of your cloud resources, achieve compliance with security standards, have better control over access to cloud resources, and protect against insider threats. User-managed service account keys can provide access to your cloud resources without requiring a password or other form of authentication, potentially compromising the security of your cloud environment. Disabling this feature can enforce more secure authentication and access control mechanisms, ensure all access is granted through secure authentication mechanisms, and reduce the risk of unauthorized access and data breaches.
Resolution:
Restricting service account usage
Risk: Medium
Target: kmsKeys
Description:
Ensure that all your Cloud Key Management Service (KMS) keys are rotated within a period of 90 days in order to meet security and compliance requirements.
Resolution:
1.Log in to the GCP Console at https://console.cloud.google.com/.
2.Navigate to Cryptographic Keys.
3.Select the specific key ring.
4.From the list of keys, select the specific key and Click on the blade (3 dots) on the right side of the pop up.
5.Click Edit rotation period.
6.On the pop-up window, Select a new rotation period in days; this should be less than 90 days. Then select a Starting on date; this is when the rotation period begins.
Risk: Medium
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Disabling the ability to connect to serial ports for VM instances is an important security measure that can help improve the security of your cloud resources, achieve compliance with security standards, have better control over access to cloud resources, and reduce the attack surface. Allowing users to connect to serial ports on VM instances can provide unauthorized access to your cloud resources, potentially compromising the security of your cloud environment. Disabling this feature can limit access to only authorized personnel, enforce strong authentication mechanisms, and reduce the risk of unauthorized access and data breaches.
Resolution:
Troubleshooting using the serial console
Risk: Medium
Target: Service Account
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Denying administrative privileges to service accounts in GCP is a critical security measure that can help reduce the risk of unauthorized access, data breaches, and other security incidents. Service accounts often provide applications and other services with the credentials to access cloud resources, but granting them administrative privileges can pose a security risk. Removing unnecessary administrative privileges from service accounts can help achieve better security posture and compliance with regulatory requirements. It is generally recommended to follow the principle of least privilege, which means granting the minimum necessary permissions to service accounts to perform their intended functions.
Resolution:
Manage access to service accounts
Risk: medium
Target: Virtual Machine
Description
Enforce the principle of least privilege to prevent privilege escalation, ensure that compute engine instances are not configured to use default service account with the cloud api access scope set to "Allow full acess to all cloud Apis"
Resolution:
To ensure the principle of least privilege execute one of the two options:
1.replace default service account with a secure and compliant service account
2.change the access scope for default service account
Risk: Medium
Target: Project
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Enabling Cloud Asset Inventory is important for maintaining visibility and control over your Google Cloud Platform (GCP) resources. It provides a unified view of all your resources, enables easy search and filtering, and allows you to monitor resource changes over time. Cloud Asset Inventory can help ensure compliance, detect security issues, and optimize your cloud resources. This is a best practice for maintaining a secure and efficient cloud environment.
Resolution:
Export asset metadata by using Cloud Asset Inventory
Risk: Medium
Target: VM Instance
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description:
Denying the usage of default service accounts for instances in GCP is an important security measure that can help protect your cloud resources from unauthorized access and malicious activities. This can reduce the attack surface, give you better control over permissions, comply with security requirements, and avoid accidental privilege escalation. Custom service accounts with the minimum necessary permissions can help achieve the principle of least privilege and improve the overall security of your cloud environment.
Resolution:
Service accounts
Risk: Medium
Risk: Medium
Risk: Medium
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Disabling legacy authorization for GKE clusters is an important security measure that can help improve the security of your Kubernetes workloads, achieve compliance with security standards, have better control over user access, and protect against insider threats. Enabling legacy authorization can increase the risk of unauthorized access and data breaches, compromising your cloud environment's security. Proper authentication and authorization mechanisms can help enforce security policies and reduce the risk of unauthorized access and data breaches.
Resolution Harden your cluster's security
Risk: Critical
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0
Description:
Enable private cluster when creating Kubernetes clusters. A private cluster prevents workloads from being accessible to the public internet by providing the nodes with reserved IP addresses.
Resolution:Creating Private Cluster
Risk: Critical
Target: VM Instance
Compliance:
Description A newly created VM instance in Google Cloud Platform (GCP) is assigned a public IP address by default, which allows it to be accessed from anywhere on the internet. However, this also increases the risk of unauthorized access, data breaches, and security threats. To mitigate these risks, denying public access to the VM instance is highly recommended. By doing so, you can limit access to only authorized users or networks, gain greater control over who can access the instance, and reduce the attack surface of your infrastructure. You can use a VPN connection or a bastion host to securely access the VM instance remotely. These methods provide a secure channel for remote access, further reducing the risk of unauthorized access and enhancing the security of your infrastructure.
Resolution: [Securely Connecting to VM Instances](Securely connecting to VM instances)
Risk: High
Target: VPC Firewall
Compliance:
Description Assigning mandatory tags to VPC Firewall can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Use Tags for firewalls
Risk: Critical
Target: VPC Firewall
Compliance:
Description To follow the principle of least privilege (POLP) and reduce the attack surface, it is recommended to review your Google Cloud VPC network firewall rules for inbound rules that grant unrestricted access (0.0.0.0/0) to any hosts using ICMP. Instead, access via ICMP should be restricted to trusted IP addresses/IP ranges only. Although ICMP is not a transport protocol, it is an error-reporting protocol commonly used for troubleshooting TCP/IP networks by generating error messages for IP packet delivery issues. However, it can also be used to exploit network vulnerabilities.
Resolution: Update Firewall Rules
Risk: Medium
Risk: High
Target: Pub/Sub
Compliance:
Description Assigning mandatory tags to PubSub Topics can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Create and manage topics
Risk: Medium
Target: Cloud SQL
Compliance:
Description Denying the usage of public IP addresses for SQL database instances is an important security measure that can help protect your database from unauthorized access and malicious activities. This can reduce the attack surface, give you better control over network traffic, help you comply with security requirements, and save on costs. By using private IP addresses and virtual private cloud (VPC) peering, you can enforce stricter security policies and protect your data from unauthorized access and data breaches.
Resolution Configure public IP
Risk: Medium
Risk: High
Target: Cloud SQL
Compliance:
Description Assigning mandatory tags to CloudSQL resources can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Attach and Manage Tags on CloudSQL instances
Risk: Medium
Target: Cloud Storage
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Enabling automated backups for Google Cloud SQL databases is important for ensuring the availability and durability of your data and minimizing the risk of data loss. Automated backups allow you to schedule regular database backups, customize backup frequency and retention, and enable point-in-time recovery. This is a best practice for ensuring your data is always available and recoverable when needed.
Resolution Create and manage on-demand and automatic backups
Risk: High
Target: Dataproc
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Ensure your Google Cloud Dataproc clusters on Compute Engine use Customer-Managed Keys (CMKs) for controlling encryption/decryption processes. Cloud KMS enables the creation and management of CMKs, providing secure encryption key management. While Dataproc encrypts data at rest by default, using your own CMKs offers an additional security layer, particularly in environments with strict compliance and security controls.
Resolution Use customer-managed encryption keys
Risk: High
Target: VM Instance
Compliance:
Description Compute Engine service performs maintenance events that may require moving virtual machine (VM) instances to a different host, which can cause disruptions to production applications. To prevent this, set the VM instance's availability policy to use live migration instead of instance termination, which ensures uninterrupted application availability. Periodic infrastructure maintenance can also migrate VM instances to new hardware. To ensure VM instances are migrated instead of terminated during maintenance events, set the "On Host Maintenance" configuration setting to "Migrate".
Resolution Virtual machine instances
Risk: High
Target: Cloud SQL
Compliance:
Description Enabling High Availability (HA) configuration in Google Cloud SQL service provides data redundancy and reduces downtime during outages or planned maintenance disruptions. A regional instance with a primary and standby instance is created when configuring a Cloud SQL database instance for high availability. All writes are synchronously replicated to each zone's persistent disk, ensuring data availability to client applications in case of instance, network, or zone failure. To ensure the availability and automatic failover support of production and mission-critical Google Cloud SQL database instances, configure them for High Availability (HA).
Resolution Enable and disable high availability
Risk: High
Target: Big Query Dataset
Compliance
Description Assigning mandatory tags to BigQuery datasets provides several benefits, including improved visibility and organization, enhanced security and compliance, simplified billing and cost management, and streamlined operations and automation. Mandatory tags can help categorize and manage datasets, enforce access controls and audit policies, track and manage costs, and automate specific tasks.
Resolution Tag datasets
Risk: High
Target: Big Query Table
Compliance
Description Assigning mandatory tags with BigQuery tables can provide several benefits, including improved data governance, better resource allocation, enhanced data visibility, improved security, and streamlined operations. These tags help to correctly classify and label data, track resource usage, restrict access to sensitive data, automate routine tasks, and optimize resource allocation.
Resolution Tag datasets
Risk: High
Target: Cloud Storage
Compliance
Description Assigning mandatory tags to Cloud Storage can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution Creating and managing tags
Risk: Medium
Target: IAM Users
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Avoiding assigning service roles to IAM users at the project level in GCP helps adhere to the principle of least privilege, enhances role-based access control, reduces the risk of unauthorized access, simplifies management, and maintains compliance. Instead, assign roles at more granular levels, such as the resource or service level, to create a more secure environment.
Resolution Manage access to projects, folders, and organizations
Risk: Critical
Target: GKE Cluster
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Alpha clusters are temporary clusters that run stable Kubernetes releases with all Kubernetes APIs and features enabled. However, they are not recommended for production workloads as they are not covered by a Service level agreement (SLA), do not receive security updates, automatic upgrades, or repairs, expire in 30 days, and GKE does not automatically save data stored on alpha clusters.
Resolution Alpha Clusters
Risk: Critical
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description
It is recommended to disable Basic Authentication as it uses static passwords without any encryption. This security threat can lead to attacks like brute force and credential stuffing. OpenID Connect and other authentication methods can still be used to authenticate on the cluster.
Resolution Harden your Cluster Security
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Disabling client certificate authentication for GKE clusters is an important security measure that can help improve the security of your Kubernetes workloads, achieve compliance with security standards, have better control over user access, and simplify authentication management. Client certificate authentication can increase the attack surface and risk of unauthorized access to your cluster, potentially compromising the security of your cloud environment. Disabling this feature can enforce proper authentication mechanisms, ensure all user accounts are properly authenticated, simplify authentication management, and improve the overall security of your GKE cluster.
Resolution Authenticating to the Kubernetes API server
Risk: Low
Risk: Medium
Target: GKE Cluster
Compliance:
Description Enabling Cloud Logging and Monitoring for Google Kubernetes Engine (GKE) clusters is important for monitoring and troubleshooting applications running on Kubernetes and ensuring their performance and reliability. Cloud Logging allows capturing and analyzing logs, while Cloud Monitoring allows monitoring performance and availability. Both features help identify and respond to issues in a timely manner, optimize resource usage, and ensure that applications are running smoothly. This is a best practice for maintaining the reliability and performance of applications running on GKE clusters.
Resolution Configuring Cloud Operations for GKE
Risk: Medium
Risk: Medium
Risk: High
Target: IAM Users
Compliance:
Description Ensure that the principle of separation of duties (SoD) is applied to all Google Cloud Platform (GCP) service-account related roles. SoD, aimed at preventing fraud and human error, distributes tasks and associated privileges for a specific business process among multiple users/members. Adhering to security best practices, GCP service accounts should not concurrently have the Service Account Admin and Service Account User roles assigned. Enforcing SoD helps eliminate the need for high-privileged IAM members, reducing the risk of malicious or unwanted actions.
Resolution [Best practices for using service accounts])https://cloud.google.com/iam/docs/best-practices-service-accounts)
Risk: Medium
Risk: Critical
Target: GKE Cluster
Compliance:
Description To enhance the security of your Google Kubernetes Engine (GKE) clusters and minimize their exposure to the internet, it's essential to configure them with master authorized networks. This feature allows you to add specific IP addresses and/or IP address ranges to an allowlist, which authorizes them to access your cluster master endpoint using HTTPS.
By adding master authorized networks to your GKE cluster, you can enjoy improved network-level protection and security. Authorized networks provide access only to a limited set of trusted IP addresses, such as those originating from a secure network. This ensures that your GKE cluster is accessible only to authorized users, which can be crucial in case of a vulnerability in the cluster's authentication or authorization mechanism. Overall, it's highly recommended to use master authorized networks to help secure your GKE clusters and prevent unauthorized access.
Resolution: Harden GKE Cluster's Security
Risk: Medium
Target: Cloud SQL Server
Compliance:
Description Disabling the External Scripts Enabled flag for SQL Server database instances is an important security measure that can help reduce the attack surface, improve the security of your database, comply with security standards, and have better control over code execution. This can help prevent unauthorized access and data breaches and ensure that only trusted code is executed on your database server.
Resolution Configure database flags
Risk: Medium
Risk: Critical
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0
Description Google Kubernetes Engine (GKE) automatically encrypts all customer content, including Secrets, when it's at rest without requiring additional input. Application-layer secrets encryption is another security measure for sensitive data kept in etcd by allowing data encryption at the application level with a Cloud KMS key. This provides added protection against offline attacks. To use this encryption method, it is necessary to first create a Cloud KMS key and give GKE service account access. The Cloud KMS key should be situated in the same location as the cluster to decrease latency and prevent problems with multiple failure domains. When the encryption feature is enabled, both new and existing Secrets are encrypted utilizing the designated encryption key.
Resolution:Encrypt Secrets at the Application Layer
Risk: High
Target: GKE Cluster
Compliance:
Description To gain finer control over your GKE data encryption/decryption process, use Customer-Managed Keys (CMKs) to encrypt cluster nodes. Cloud KMS allows you to create and manage your own CMKs, offering secure encryption key management. Although GKE automatically encrypts data at rest, using your own CMKs is recommended to meet strict compliance requirements and protect sensitive GKE data.
Resolution Use customer-managed encryption keys (CMEK)
Risk: Medium
Risk: Medium
Risk: High
Target: Cloud SQL
Compliance:
Description Ensure the "cross db ownership chaining" flag is disabled for Google Cloud SQL Server database instances, as enabling it may have security implications. Only activate this flag if all hosted databases must participate in cross-database ownership chaining and you understand the potential risks.
Resolution Configure database flags
Risk: Critical
Target: KMS Key
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description To ensure the security of your Cloud Key Management Service (KMS) keys, it is crucial to configure the associated Cloud Identity and Access Management (IAM) policies to restrict access by anonymous and public users. To achieve this, it is recommended that you remove the "allUsers" and "allAuthenticatedUsers" members from the KMS key's IAM policy bindings. This is because allowing access permissions to these members can pose a significant security risk to your KMS keys and encrypted data, making them susceptible to unauthorized access. Therefore, taking this step is essential in preventing data loss and leakage.
Resolution: Access Control with IAM
Risk: Medium
Target: Cloud SQL Postgres
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Disabling the log_min_duration_statement database flag for PostgreSQL instances is an important security measure that can help reduce the exposure of sensitive data, improve performance, achieve compliance with security standards, and have better control over logging policies. Logging all SQL statements that take longer than a certain duration to execute can impact the performance of your database and expose sensitive data to unauthorized access or disclosure. Disabling this flag can help protect your database from potential vulnerabilities and security threats.
Resolution Configure database flags
Risk: Medium
Risk: Low
Risk: High
Risk: High
Risk: Medium
Risk: Medium
Target: API Keys
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Configuring API restrictions for API keys is important for securing your APIs and protecting your resources from unauthorized access or misuse. By limiting the usage of your API key to specific APIs or API methods, you can ensure that only authorized requests are allowed and prevent potential security breaches or financial loss. This is a best practice for ensuring the security of your APIs and preventing unauthorized access to your resources.
Resolution API security best practices
Risk: Medium
Risk: Medium
Target: API Keys
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Configuring application restrictions for a Google Cloud API key is important for securing your resources and protecting your applications from unauthorized access and malicious attacks. By limiting the usage of your API key to specific applications or APIs, you can ensure that only authorized requests are allowed and prevent potential security breaches, data loss, or financial loss.
Resolution Adding restrictions to API keys
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Enabling auto-upgrade for Google Kubernetes Engine (GKE) nodes is important for ensuring the security and reliability of your Kubernetes cluster. Auto-upgrade automatically upgrades the nodes in your cluster to the latest version, ensuring that your cluster is always up-to-date with the latest security patches and improvements. This is a best practice for ensuring the security and reliability of your Kubernetes cluster while reducing the burden of manual upgrades and maintenance.
Resolution Auto-upgrading nodes
Risk: Medium
Risk: Medium
Risk: Medium
Risk: Medium
Risk: Medium
Target: Cloud SQL
Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0
Description Disabling the public IP for a Cloud SQL database instance is an important security measure that can help protect your database from unauthorized access and malicious activities. This can reduce the attack surface, give you better control over network traffic, help you comply with security requirements, and save on costs. By using private IP addresses and virtual private cloud (VPC) peering, you can enforce stricter security policies and protect your data from unauthorized access and data breaches.
Resolution Configure public IP
Risk: High
Target: GCP Load Balancer
Compliance:
Description Enforcing HTTPS for your Google Cloud load balancers is crucial to protect the communication between clients and load balancers from eavesdropping and MITM attacks. This is especially important when sensitive data is involved. Configuring valid SSL/TLS certificates on GCP load balancers is essential to ensure encrypted web traffic between clients and load balancers.
Resolution Set up a global external HTTP(S) load balancer (classic) with a managed instance group backend
Risk: High
Target: VM Instance
Compliance:
Description Assigning mandatory tags to VMs can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.
Resolution (https://cloud.google.com/vpc/docs/add-remove-network-tags)
Risk: Medium
Risk: Medium
Risk: Medium
Target: GKE Cluster
Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF
Description Enabling auto-repair for Google Kubernetes Engine (GKE) nodes is important for ensuring the availability and reliability of your applications running on the Kubernetes cluster. Auto-repair detects and repairs or replaces unhealthy nodes automatically, helping to prevent downtime or other issues caused by unhealthy nodes. This is a best practice for ensuring the availability and reliability of your applications running on GKE.
Resolution Auto-repair nodes
