How can we help?
Table of Contents
< All Topics
Print

GCP Policy

Security

  1. Avoid Assigning Service Roles to IAM Users on a Project Level
  2. Encrypt Cloud Storage Using Customer-Managed Encryption Keys
  3. Deny Public Access to Cloud Storage
  4. Ensure that Default Network does not Exist in a Project
  5. Deny Admin Privileges to Service Accounts
  6. Deny Access to GKE Cluster
  7. Enable Red Hat ACS On Kubernetes Cluster
  8. Disable Public IP for Cloud SQL Database Instance
  9. Deny Usage of Public IP Addresses for Cloud SQL Database Instances
  10. Deny Usage of Default Service Accounts for Instances
  11. Disable 3625 (trace flag) Database Flag for Cloud SQL Server Instance
  12. Disable Alpha Clusters for Production Workloads
  13. Disable Basic Authentication using Static Passwords
  14. Disable Contained Database Authentication Flag for SQL Server Database Instances
  15. Disable External Scripts Enabled Flag for SQL Server Database Instances
  16. Disable Kubernetes Web UI
  17. Disable Legacy Authorization for GKE Cluster
  18. Disable Local_infile DB Flag for Cloud SQL
  19. Disable Log_min_duration_statement Database Flag for PostgreSQL Instance
  20. Disable Database Remote Access Flag for SQL Server Database Instances
  21. Disable User-Managed Service Account Key Creation
  22. Disable Client Certificate Authentication for GKE Cluster
  23. Disable Connecting to Serial Ports for VM Instance
  24. Enable the log_hostname DB Flag for Postgres and Cloud SQL
  25. Encrypt Application Layer Secrets for GKE Cluster
  26. Encrypt GKE Cluster Node Using CMK
  27. Enforce Separate Service Account Duties for Users
  28. Secure GKE Clusters with Private Cluster Configuration
  29. Disable Cross DB Ownership Flag for SQL DB Server
  30. Encrypt Dataproc Clusters Using Customer-Managed Encryption Keys
  31. Encrypt Pub/Sub Topics Using CMK
  32. Deny Usage of Service Accounts with Full Cloud API Access for VM Instances
  33. Enable MFA on Google Cloud VM Instances for OS Login
  34. Encrypt VM Disk with Customer-Managed Encryption Keys
  35. Encrypt VM Disk with Customer-Supplied Encryption Keys
  36. Deny Public Access to VM Instance
  37. Deny Public Access to Big Query
  38. Encrypt Big Query Using Customer-Managed Encryption Keys
  39. Encrypt Cloud SQL Using CMEK
  40. Check for Publicly Accessible Cloud KMS Keys
  41. Disable IP Forwarding for Compute Instances
  42. Deny Legacy Subnet Mode for VPC
  43. Remove User Options Database Flag for Cloud SQL SERVER Instance
  44. Rotate Google Cloud API Keys
  45. Secure SSL Cipher Suites
  46. Deny Public Access to Uncommon Ports
  47. Deny Public Access to DNS Port 53
  48. Deny Public Access to FTP Ports 20 and 21
  49. Deny Public Access to ICMP
  50. Deny Public Access to MySQL Server Port 3306
  51. Deny Public Access to Oracle Port 1521
  52. Deny Public Access to Egress on all Ports
  53. Deny Public Access to PostgreSQL Server Port 5432
  54. Deny Public Access to RDP Port 3389
  55. Deny Public Access to RPC Port 135
  56. Deny Public Access to SMTP Port 25
  57. Deny Public Access to SQL Port 1433
  58. Rotate KMS Key Every N Days
  59. Deny Public Access to SSH Port 22
  60. Enable HTTPS for Google Cloud Load Balancers
  61. Enable Log_connections DB Flag for PostgreSQL
  62. Check Permission of Ingress Setting of GCP cloud Function
  63. Configure HTTPS Target Proxy with Quic Protocol for Google Cloud Load Balancers
  64. Enable HTTPS for Cloud Functions
  65. GCP Cloud Function not Enabled with VPC Connector
  66. Enable Automated Backups for Cloud SQL Database
  67. Enable Cloud Asset Inventory
  68. Enable Compute Engine Using Instance-level SSH Keys
  69. Enable Confidential Computing for Compute Instances
  70. Enable Log_disconnections DB Flag for PostgreSQL
  71. Enable Uniform Bucket Level Access
  72. Enable OS Login for a Project
  73. Enable cloudsql.enable_pgaudit Database Flag for PostgreSQL Instance
  74. Enable skip_show_database Flag for Cloud SQL
  75. Enforce Separation of Duties while Assigning KMS Related Roles to Users
  76. Enforce User Connections Database Flag for SQL Server Instance is Set to Non-limiting Value
  77. Enforce Cloud SQL Incoming Connections To Use SSL
  78. Set log_min_error_statement Database Flag for Postgres Instance to Error or Stricter
  79. Enable DNSSEC Security Feature for Google Cloud DNS-Managed Zones
  80. Enable Shielded VM for Compute Instance

Encrypt VM Disk with Customer-Managed Encryption Keys

Risk: Medium

Target: VM (GCP)

Compliance

Description
Use Customer-Managed Keys (CMKs) to encrypt persistent disks on Google Compute Engine instances to gain greater control over sensitive data encryption and decryption. Create and manage CMKs with Cloud KMS, which provides secure key management. Although Compute Engine encrypts data at rest by default, using your own CMKs allows independent control of disk encryption, especially in environments with strict compliance and security requirements.

Resolution:
Encrypt Virtual Machine Disks

Encrypt VM Disk with Customer-Supplied Encryption Keys

Risk: Medium

Target: VM (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
To completely control data-at-rest encryption and decryption and meet strict compliance requirements, use Customer-Supplied Encryption Keys (CSEKs) for disks attached to Google Compute Engine instances. While Compute Engine automatically encrypts data at rest, providing your own encryption keys allows for independent control and management of instance disk encryption.

Resolution:
Encrypt Virtual Machine Disks

Enable Shielded VM for Compute Instance

Risk: Critical

Target: VM (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling a Shielded VM for compute instances can improve security by protecting against malicious software, enhance compliance by providing advanced security measures, increase trustworthiness by ensuring the integrity of the boot process, and provide flexibility in deployment options.

Resolution:
Modifying Shielded VM options on a VM instance

Deny Public Access to RDP Port 3389

Risk: High

Target: VPC Firewall

Description
To secure your Google Cloud Virtual Private Cloud (VPC) and reduce the attack surface, it is important to set firewall rules that restrict access to the Remote Desktop Protocol (RDP) on TCP port 3389 to trusted IP addresses or ranges only. Ensure only authorized traffic is allowed by blocking unrestricted access to this port (i.e., 0.0.0.0/0).

Resolution:
Update Firewall

Deny Public Access to SSH Port 22

Risk: High

Target: VPC Firewall

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
To implement the principle of least privilege and reduce the attack surface, review the inbound rules of your Google Cloud Virtual Private Cloud (VPC) firewall for any rules that allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 22. If such rules are found, restrict them to only trusted IP addresses or IP ranges to ensure that only authorized traffic is allowed access.

Resolution:
Update Firewall

Deny Public Access to DNS Port 53

Risk: Critical

Target: VPC Firewall

Compliance:

Description
Allowing unrestricted DNS access to Google Cloud virtual machines (VMs) via VPC network firewall rules can increase the risk of malicious activities such as DoS and DDoS attacks. Instead, VPC firewall rules should be configured to restrict access to specific resources based on legitimate business requirements. To protect VM instances associated with these rules, Google Cloud VPC network firewall rules should not allow unrestricted access on TCP and UDP port 53, which the Domain Name System uses during DNS resolution.

Resolution:
Update Firewall

Deny Public Access to Big Query

Risk: Critical

Target: Big Query Dataset

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
To ensure the security and privacy of sensitive data in Google Cloud Platform (GCP) BigQuery datasets, it is crucial to restrict access to authorized users or groups. Allowing public access may lead to data breaches, security threats, and compliance violations. To mitigate these risks, custom IAM roles should be created and granted to users or groups based on their roles and responsibilities, designed to provide the least privilege necessary for each user. Additionally, monitoring and auditing dataset access can detect unauthorized or suspicious activity, by enabling BigQuery audit logs and setting up alerting and monitoring systems. Following these security measures reduces the risk of unauthorized access or data breaches and maintains the security and privacy of BigQuery datasets.

Resolution:
Control Access to Data Set

Encrypt Big Query Using Customer-Managed Encryption Keys

Risk: Medium

Target: Big Query Table

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
For more granular control over data encryption and decryption, encrypt Google Cloud BigQuery dataset tables with Customer-Managed Keys (CMKs). Although BigQuery automatically encrypts content at rest, using CMKs allows you to independently manage encryption for sensitive or confidential data with Google Cloud Key Management Service (Cloud KMS).

Resolution:
Encrypt Data Set

Deny Public Access to FTP Ports 20 and 21

Risk: Critical

Target: VPC Firewall

Compliance:

Description
To prevent malicious activities, such as brute-force attacks, FTP bounce attacks, spoofing, and packet capture attacks on virtual machines (VMs) hosted on Google Cloud, it’s crucial to prevent unrestricted FTP access through VPC network firewall rules. Specifically, the firewall rules must not allow unrestricted access to TCP ports 20 and 21, which File Transfer Protocol (FTP) client-server applications use for data transfer and communication. By implementing this measure, potential attackers can be prevented from using brute-force methods to gain unauthorized access to VMs associated with the firewall rules.

Resolution:
Update Firewall

Deny Public Access to Uncommon Ports

Risk: Critical

Target: VPC Firewall

Compliance:

Description
A TCP/UDP port that is not included in the common service ports category is considered uncommon. A VPC network firewall rule that allows unrestricted access (0.0.0.0/0) to uncommon ports can increase the risk of hacking, data capture, and all kinds of attacks (brute-force attacks, man-in-the-middle attacks, and DDoS attacks). Configure your VPC network firewall rules to allow only trusted, authorized IP addresses or IP ranges to access uncommon TCP/UDP ports.

Resolution:
Update Firewall

Deny Public Access to MySQL Server Port 3306

Risk: Critical

Target: VPC Firewall

Compliance:

Description
Enabling unrestricted access on TCP port 3306 can heighten the probability of malicious actions like brute-force, bypass authentication attacks, and SQL injection attacks. To prevent this, VPC firewall rules should be set up to limit access to specific resources solely for those hosts or networks with legitimate access needs. Google Cloud VPC network firewall rules should be set up to disallow unrestricted access on TCP port 3306 to minimize security threats and safeguard the virtual machine (VM) instances targeted by the firewall rules.

Resolution: Update Firewall

Deny Public Access to Oracle Port 1521

Risk: Critical

Target: VPC Firewall

Compliance:

Description
TCP port 1521 is utilized by the Oracle Database (Oracle RDBMS) for communication. Allowing unrestricted ingress access on TCP port 1521 through VPC network firewall rules can open up opportunities for malicious activities like denial-of-service attacks, brute-force, and man-in-the-middle (MITM) attacks, which can ultimately lead to data loss. To prevent this, it is recommended to configure VPC firewall rules that restrict access to specific resources only for those hosts or networks with a legitimate business need for access. To reduce the attack surface and protect the virtual machine (VM) instances that are targeted by the firewall rules, it is advised that Google Cloud VPC network firewall rules should not allow unrestricted access on TCP port 1521.

Resolution: Update Firewall

Deny Public Access to PostgreSQL Server Port 5432

Risk: Critical

Target: VPC Firewall

Compliance:

Description
To secure your Google Cloud Virtual Private Cloud (VPC) and reduce the attack surface, it is important to set firewall rules that restrict access to the PostgreSQL Server Port 5432 to trusted IP addresses or ranges only. Ensure only authorized traffic is allowed by blocking unrestricted access to this port (i.e., 0.0.0.0/0)

Resolution: Update Firewall

Deny Public Access to RPC Port 135

Risk: Critical

Target: Firewall

Compliance:

Description
To reduce the attack surface and implement the principle of least privilege, ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access to TCP port 135 (i.e., 0.0.0.0/0). MSMQ (Message Queuing Message Queue) and other Microsoft Windows/Windows Server software use RPC TCP port 135 for client-server communications.

Resolution: Update Firewall

Deny Public Access to SMTP Port 25

Risk: Critical

Target: VPC Firewall

Compliance:

Description
TCP port 25 is typically utilized by Simple Mail Transfer Protocol (SMTP) servers for email transmission. Enabling unrestricted inbound/ingress access on TCP port 25 (SMTP) through VPC network firewall rules can create opportunities for various malicious activities, including hacking, spamming, Shellshock, and Distributed Denial-of-Service (DDoS) attacks.

To reduce the risk of common security threats for the SMTP server instances associated with these firewall rules, Google Cloud VPC network firewall rules should not allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 25.

Resolution:
Update Firewall

Deny Public Access to SQL Port 1433

Risk: Critical

Target: VPC Firewall

Compliance:

Description
Enabling unrestricted inbound access on TCP port 1433 through VPC network firewall rules for Microsoft SQL Server can increase the risk of hacking, brute-force attacks, and SQL injection attacks. To reduce the attack surface for the virtual machine instances associated with these firewall rules, Google Cloud VPC network firewall rules should not permit unrestricted access (i.e., 0.0.0.0/0) on TCP port 1433.

Resolution:
Update Firewall

Encrypt Cloud SQL Using CMEK

Risk: High

Target: Cloud SQL

Compliance:

Description
For greater control over data encryption and decryption in Google Cloud SQL database instances, use Customer-Managed Keys (CMKs). Create and manage CMKs with Cloud Key Management Service (Cloud KMS). Although Google Cloud SQL encrypts data at rest by default, using your own CMKs allows for independent encryption management, particularly in environments with strict security and compliance requirements.

Resolution:
Encrypt Cloud SQL

Enable MFA on Google Cloud VM Instances for OS Login

Risk: Critical

Target: VM (GCP)

Compliance:

Description
Two-Factor Authentication, also called Multi-Factor Authentication (MFA), offers an extra layer of security besides the existing login credentials. By implementing 2FA/MFA, you can effectively fortify your production and mission-critical applications against malicious actors. Configuring 2FA in conjunction with OS Login requires the user (such as the instance administrator) to provide two or more distinct forms of authorization before being granted access, significantly lowering the risk of attack.

To secure access to your Google Cloud VM instances, it is recommended to configure Two-Factor Authentication (2FA) with the OS Login feature enabled at the virtual machine instance level.

Resolution:
Setup MFA

Encrypt Pub/Sub Topics Using CMK

Risk: Medium

Target: Pub/Sub

Compliance:

Description
To fully control data encryption and decryption, use Customer-Managed Keys (CMKs) for Google Cloud Pub/Sub topics. Although Pub/Sub encrypts messages by default, using your own CMKs provides independent encryption management. The service utilizes envelope encryption with CMKs, where Cloud KMS encrypts Data Encryption Keys (DEKs) created by Pub/Sub for each topic.

Resolution:
Encrypt Data Set

Encrypt Cloud Storage Using Customer-Managed Encryption Keys

Risk: Medium

Target: Cloud Storage

Compliance:

Description
To protect your data stored in Google Cloud Storage, you can use Customer-Managed Keys (CMKs) with the Cloud Key Management Service (Cloud KMS). This way, you can have complete control over your data encryption/decryption process, create, rotate, manage, and destroy your own CMKs. Google Cloud Storage encrypts data by default with Google-managed encryption keys, but with CMKs you can have an extra layer of security for your sensitive and confidential data, which is particularly important in companies where compliance and security are paramount.

Resolution:
Encrypt with CMEK

Deny Public Access to Cloud Storage

Risk: Critical

Target: Cloud Storage

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Denying public access to your cloud storage buckets on GCP is an important security measure that can help protect your data from unauthorized access, ensure compliance with regulations, and avoid unexpected costs.

While public access is disabled by default, an IAM principal with appropriate permissions can enable public access at the bucket or object level. Therefore, it is recommended to regularly review and update access control settings to ensure that only authorized users and applications can access your cloud storage and objects.

Resolution:
Restrict IAM for Cloud Storage

Deny Public Access to Egress on All Ports

Risk: Critical

Target: VPC Firewall

Compliance:

Description
Allowing unrestricted outbound/egress access on all TCP/UDP ports can create opportunities for malicious activities such as Distributed Denial of Service (DDoS) attacks. Reviewing your Google Cloud VPC network firewall for any egress rules that allow unrestricted access (i.e., 0.0.0.0/0) to any TCP/UDP ports is recommended to minimize security risks. Access should be limited to IP addresses and/or IP ranges that require implementing the principle of least privilege and reducing the attack surface.

Resolution: Update Firewall

Disable Contained Database Authentication Flag for SQL Server Database Instances

Risk: High

Target: SQL Server (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Disabling the contained database authentication flag for SQL Server database instances is an important security measure that can help reduce the attack surface, improve the security of your database, comply with security standards, and have better control over user access. Disabling this feature can help prevent unauthorized access and data breaches and ensure all user accounts are centrally managed and audited.

Resolution:
Configure database flags

Disable Database Remote Access Flag for SQL Server Database Instances

Risk: High

Target: SQL Server (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Disabling the database remote access flag for SQL Server database instances is an important security measure that can help improve the security of your database server, achieve compliance with security standards, have better control over database access, and reduce the attack surface. Enabling database remote access can increase the risk of unauthorized access and data breaches, potentially compromising the security of your database server. Disabling this feature can limit access to only authorized personnel and reduce the number of entry points that an attacker can use to access your database server.

Resolution:
Configure database flags

Disable 3625 (Trace Flag) Database Flag for Cloud SQL Server Instance

Risk: High

Target: SQL Server (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Disabling the 3625 (trace flag) database flag for a Cloud SQL Server instance is an important security measure that can help improve the security of your database. This can help you achieve compliance with security standards, have better control over administrative access, and reduce the attack surface. Disabling this flag can prevent remote administrative connections to your SQL Server instance, limiting the potential for unauthorized access and data breaches.

Resolution:
Configure database flags

Disable Local_infile DB Flag for Cloud SQL

Risk: High

Target: MySQL Server (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Disabling the local_infile database flag for Cloud SQL is a security best practice that can help prevent SQL injection attacks, comply with regulatory requirements, mitigate the risk of data loss or modification, and is a recommended best practice by Google and the MySQL community.

Resolution:
Configure database flags

Enable the log_hostname DB Flag for Postgres and Cloud SQL

Risk: High

Target: PostgreSQL 

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling the log_hostname flag for Postgres and Cloud SQL can improve logging by providing additional context, enhance security by identifying unauthorized connections, aid in performance tuning, and provide additional benefits such as cost optimization in Cloud SQL by tracking which applications are accessing the database.

Resolution:
Configure database flags

Enable Log_connections DB Flag for PostgreSQL

Risk: High

Target: PostgreSQL 

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling the log_connections flag in PostgreSQL can improve troubleshooting, security, performance tuning, and compliance by providing a record of connections made to the database, helping to identify issues related to the number of connections, and providing an audit trail for regulatory compliance.

Resolution:
Configure database flags

Enforce Cloud SQL Incoming Connections To Use SSL

Risk: High

Target: Cloud SQL

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enforcing SSL for incoming connections to Cloud SQL can improve security by encrypting data in transit, meeting compliance requirements, providing authentication and adhering to best practices for database security.

Resolution:
Configure SSL/TLS certificates

Ensure that Default Network does not Exist in a Project

Risk: Critical

Target: Cloud VPC

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
It is recommended to disable or delete the default network in a GCP project for security reasons. The default network has firewall rules that may expose your resources to external attacks. By disabling or deleting the default network, you can have greater control over the network security of your project and prevent the accidental creation of new resources in the default network. This can help you reduce the risk of unauthorized access and data breaches and simplify your network management tasks.

Resolution:
Create and Modify VPC networks

Enable Uniform Bucket Level Access

Risk: Critical

Target: Cloud Storage

Compliance:

Description
Enabling uniform bucket-level access in Google Cloud Storage simplifies access control management, ensures consistent access, helps comply with security requirements, provides better security, and makes migration easier. With uniform bucket-level access, all objects in a bucket are subject to the same access controls, eliminating the need for object-level IAM policies.

Resolution:
Uniform bucket-level access

Deny Legacy Subnet Mode for VPC

Risk: High

Target: Cloud VPC

Compliance:

Description
Denying the use of legacy subnet mode for Virtual Private Clouds (VPCs) can improve security by reducing the attack surface, meeting compliance requirements, providing better network segmentation and improving scalability.

Resolution:
Manage legacy networks

Enable Compute Engine Using Instance-level SSH Keys

Risk: High

Target: VM (GCP)

Compliance:

Description
Enabling Compute Engine using instance-level SSH keys is important for securing access to your virtual machines (VMs) running on the Google Cloud Platform (GCP). Using instance-level SSH keys provides fine-grained access control, reduces the risk of privilege escalation, and allows you to enforce key rotation policies per-VM. This is a best practice for ensuring the security of your VMs on GCP.

Resolution:
Add SSH keys to VMs

Enable OS Login for a Project

Risk: Medium

Target: VM (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling OS Login for GCP projects can improve security by allowing you to manage access to VM instances using IAM roles and permissions, simplify user management by centralizing SSH access, provide detailed logging and audit trails for SSH access, and streamline SSH access using gcloud or the Google Cloud Console.

Resolution:
Set up OS Login

Disable User-Managed Service Account Key Creation

Risk: Medium

Target: Service accounts

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Disabling user-managed service account key creation is an important security measure that can help improve the security of your cloud resources, achieve compliance with security standards, have better control over access to cloud resources, and protect against insider threats. User-managed service account keys can provide access to your cloud resources without requiring a password or other form of authentication, potentially compromising the security of your cloud environment. Disabling this feature can enforce more secure authentication and access control mechanisms, ensure all access is granted through secure authentication mechanisms, and reduce the risk of unauthorized access and data breaches.

Resolution:
Restricting service account usage

Rotate KMS Key Every N Days

Risk: High

Target: KMS Key (GCP)

Compliance:

Description
Rotating Key Management Service (KMS) encryption keys every 90 days can improve security by reducing the risk of unauthorized access or data breaches, meeting compliance requirements, following best practices in security, and providing better control over access to sensitive data.

Resolution:
Key rotation

Disable Connecting to Serial Ports for VM Instance

Risk: Medium

Target: VM Instance

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Disabling the ability to connect to serial ports for VM instances is an important security measure that can help improve the security of your cloud resources, achieve compliance with security standards, have better control over access to cloud resources, and reduce the attack surface. Allowing users to connect to serial ports on VM instances can provide unauthorized access to your cloud resources, potentially compromising the security of your cloud environment. Disabling this feature can limit access to only authorized personnel, enforce strong authentication mechanisms, and reduce the risk of unauthorized access and data breaches.

Resolution:
Troubleshooting using the serial console

Deny Admin Privileges to Service Accounts

Risk: High

Target: Service Accounts

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Denying administrative privileges to service accounts in GCP is a critical security measure that can help reduce the risk of unauthorized access, data breaches, and other security incidents. Service accounts often provide applications and other services with the credentials to access cloud resources, but granting them administrative privileges can pose a security risk. Removing unnecessary administrative privileges from service accounts can help achieve better security posture and compliance with regulatory requirements. It is generally recommended to follow the principle of least privilege, which means granting the minimum necessary permissions to service accounts to perform their intended functions.

Resolution:
Manage access to service accounts

Deny Usage of Service Accounts with Full Cloud API Access for VM Instances

Risk: High

Target: VM (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Denying the usage of service accounts with full Cloud API access for VM instances can improve security by reducing the risk of unauthorized access or data breaches, meeting compliance requirements, following the principle of least privilege, and improving audibility by providing a clearer audit trail.

Resolution:
Authenticate workloads using service accounts

Enable Cloud Asset Inventory

Risk: Critical

Target: Project

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling Cloud Asset Inventory is important for maintaining visibility and control over your Google Cloud Platform (GCP) resources. It provides a unified view of all your resources, enables easy search and filtering, and allows you to monitor resource changes over time. Cloud Asset Inventory can help ensure compliance, detect security issues, and optimize your cloud resources. This is a best practice for maintaining a secure and efficient cloud environment.

Resolution:
Export asset metadata by using Cloud Asset Inventory

Deny Usage of Default Service Accounts for Instances

Risk: High

Target: VM (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Denying the usage of default service accounts for instances in GCP is an important security measure that can help protect your cloud resources from unauthorized access and malicious activities. This can reduce the attack surface, give you better control over permissions, comply with security requirements, and avoid accidental privilege escalation. Custom service accounts with the minimum necessary permissions can help achieve the principle of least privilege and improve the overall security of your cloud environment.

Resolution:
Service accounts

Enable cloudsql.enable_pgaudit Database Flag for PostgreSQL Instance

Risk: High

Target: PostgreSQL 

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling the cloudsql.enable_pgaudit database flag for a PostgreSQL instance in Google Cloud Platform (GCP) can help improve security by enabling the PostgreSQL Audit Extension to log all SQL statements and other activities on the database. It can also help meet compliance requirements, improve performance tuning, and provide valuable information for debugging issues with the application or database.

Resolution
Audit for PostgreSQL using pgAudit

Enable VPC Flow Logs and Intranode Visibility for GKE Cluster

Risk: Medium

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description
Enabling VPC flow logs and intranode visibility for the GKE cluster provides benefits such as enhanced security, compliance with regulatory requirements, improved troubleshooting capabilities, and performance tuning. It lets you detect security threats, troubleshoot issues, optimize performance, and comply with security requirements.

Resolution
Setting up intranode visibility

Disable Legacy Authorization for GKE Cluster

Risk: Medium

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description
Disabling legacy authorization for GKE clusters is an important security measure that can help improve the security of your Kubernetes workloads, achieve compliance with security standards, have better control over user access, and protect against insider threats. Enabling legacy authorization can increase the risk of unauthorized access and data breaches, compromising your cloud environment’s security. Proper authentication and authorization mechanisms can help enforce security policies and reduce the risk of unauthorized access and data breaches.

Resolution
Harden your cluster’s security

Secure GKE Clusters with Private Cluster Configuration

Risk: Critical

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0

Description
Enable private cluster when creating Kubernetes clusters. A private cluster prevents workloads from being accessible to the public internet by providing the nodes with reserved IP addresses.

Resolution:Creating Private Cluster

Deny Public Access to VM Instance

Risk: Critical

Target: VM (GCP)

Compliance:

Description
A newly created VM instance in Google Cloud Platform (GCP) is assigned a public IP address by default, which allows it to be accessed from anywhere on the internet. However, this also increases the risk of unauthorized access, data breaches, and security threats. Denying public access to the VM instance is highly recommended to mitigate these risks. By doing so, you can limit access to only authorized users or networks, gain greater control over who can access the instance, and reduce the attack surface of your infrastructure. You can use a VPN connection or a bastion host to access the VM instance remotely and securely. These methods provide a secure channel for remote access, further reducing the risk of unauthorized access and enhancing the security of your infrastructure.

Resolution: Backend services overview

Assign Mandatory Tags to VPC Firewall

Risk: High

Target: VPC Firewall

Compliance:

Description
Assigning mandatory tags to VPC Firewall can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Use Tags for firewalls

Deny Public Access to ICMP

Risk: Critical

Target: VPC Firewall

Compliance:

Description
To follow the principle of least privilege (POLP) and reduce the attack surface, it is recommended to review your Google Cloud VPC network firewall rules for inbound rules that grant unrestricted access (0.0.0.0/0) to any hosts using ICMP. Instead, access via ICMP should be restricted to trusted IP addresses/IP ranges only. Although ICMP is not a transport protocol, it is an error-reporting protocol commonly used for troubleshooting TCP/IP networks by generating error messages for IP packet delivery issues. However, it can also be used to exploit network vulnerabilities.

Resolution: Update Firewall Rules

Enable Secure Boot for Shielded GKE Nodes

Risk: Medium

Target: GKE Cluster

Compliance:

Description
Enabling secure boot for Shielded GKE nodes provides protection against rootkits, boot kits, and firmware tampering and ensures the verification of the OS image. It helps comply with security requirements and provides an additional layer of security that protects against firmware and operating system attacks, ensuring that only trusted images are used.

Resolution
Using Shielded GKE Nodes

Assign Mandatory Tags to PubSub Topics

Risk: High

Target: Pub/Sub

Compliance:

Description
Assigning mandatory tags to PubSub Topics can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Create and manage topics

Deny Usage of Public IP Addresses for Cloud SQL Database Instances

Risk: Critical

Target: Cloud SQL

Compliance:

Description
Denying the usage of public IP addresses for SQL database instances is an important security measure that can help protect your database from unauthorized access and malicious activities. This can reduce the attack surface, give you better control over network traffic, help you comply with security requirements, and save on costs. By using private IP addresses and virtual private cloud (VPC) peering, you can enforce stricter security policies and protect your data from unauthorized access and data breaches.

Resolution
Configure public IP

Disable IP Forwarding for Compute Instances

Risk: High

Target: VM (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Disabling IP forwarding for compute instances can improve security by preventing IP spoofing attacks, meeting compliance requirements, reducing network traffic, and simplifying network management.

Resolution
Create and start a VM instance

Assign Mandatory Tags to CloudSQL

Risk: High

Target: Cloud SQL

Compliance:

Description
Assigning mandatory tags to CloudSQL resources can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Attach and Manage Tags on CloudSQL instances

Enable Automated Backups for Cloud SQL Database

Risk: Medium

Target: Cloud Storage

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling automated backups for Google Cloud SQL databases is important for ensuring the availability and durability of your data and minimizing the risk of data loss. Automated backups allow you to schedule regular database backups, customize backup frequency and retention, and enable point-in-time recovery. This is a best practice for ensuring your data is always available and recoverable when needed.

Resolution
Create and manage on-demand and automatic backups

Encrypt Dataproc Clusters Using Customer-Managed Encryption Keys

Risk: Medium

Target: Dataproc Cluster

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Ensure your Google Cloud Dataproc clusters on Compute Engine use Customer-Managed Keys (CMKs) for controlling encryption/decryption processes. Cloud KMS enables the creation and management of CMKs, providing secure encryption key management. While Dataproc encrypts data at rest by default, using your own CMKs offers an additional security layer, particularly in environments with strict compliance and security controls.

Resolution
Use customer-managed encryption keys

Migrate VM Instance During Maintenance

Risk: High

Target: VM(GCP)

Compliance:

Description
Compute Engine service performs maintenance events that may require moving virtual machine (VM) instances to a different host, which can cause disruptions to production applications. To prevent this, set the VM instance’s availability policy to use live migration instead of instance termination, which ensures uninterrupted application availability. Periodic infrastructure maintenance can also migrate VM instances to new hardware. To ensure VM instances are migrated instead of terminated during maintenance events, set the “On Host Maintenance” configuration setting to “Migrate”.

Resolution
Virtual machine instances

Configure Production Cloud SQL Database Instances for High Availability

Risk: High

Target: Cloud SQL

Compliance:

Description
Enabling High Availability (HA) configuration in Google Cloud SQL service provides data redundancy and reduces downtime during outages or planned maintenance disruptions. A regional instance with a primary and standby instance is created when configuring a Cloud SQL database instance for high availability. All writes are synchronously replicated to each zone’s persistent disk, ensuring data availability to client applications in case of instance, network, or zone failure. To ensure the availability and automatic failover support of production and mission-critical Google Cloud SQL database instances, configure them for High Availability (HA).

Resolution
Enable and disable high availability

Assign Mandatory Tags to BigQueryDataset

Risk: High

Target: BigQuery Dataset

Compliance

Description
Assigning mandatory tags to BigQuery datasets provides several benefits, including improved visibility and organization, enhanced security and compliance, simplified billing and cost management, and streamlined operations and automation. Mandatory tags can help categorize and manage datasets, enforce access controls and audit policies, track and manage costs, and automate specific tasks.

Resolution
Tag datasets

Assign Mandatory Tags with BigQueryTable

Risk: High

Target: BigQuery Table

Compliance

Description
Assigning mandatory tags with BigQuery tables can provide several benefits, including improved data governance, better resource allocation, enhanced data visibility, improved security, and streamlined operations. These tags help to correctly classify and label data, track resource usage, restrict access to sensitive data, automate routine tasks, and optimize resource allocation.

Resolution
Tag datasets

Assign Mandatory Tags to CloudStorage

Risk: High

Target: Cloud Storage

Compliance

Description
Assigning mandatory tags to Cloud Storage can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Creating and managing tags

Avoid Assigning Service Roles to IAM Users on a Project Level

Risk: Medium

Target: IAM User (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Avoiding assigning service roles to IAM users at the project level in GCP helps adhere to the principle of least privilege, enhances role-based access control, reduces the risk of unauthorized access, simplifies management, and maintains compliance. Instead, assign roles at more granular levels, such as the resource or service level, to create a more secure environment.

Resolution
Manage access to projects, folders, and organizations

Disable Alpha Clusters for Production Workloads

Risk: Critical

Target: GKE Cluster

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Alpha clusters are temporary clusters that run stable Kubernetes releases with all Kubernetes APIs and features enabled. However, they are not recommended for production workloads as they are not covered by a Service level agreement (SLA), do not receive security updates, automatic upgrades, or repairs, expire in 30 days, and GKE does not automatically save data stored on alpha clusters.

Resolution
Alpha Clusters

Disable Basic Authentication Using Static Passwords 

Risk: Critical

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description

It is recommended to disable Basic Authentication as it uses static passwords without any encryption. This security threat can lead to attacks like brute force and credential stuffing. OpenID Connect and other authentication methods can still be used to authenticate on the cluster.

Resolution
Harden your Cluster Security

Disable Client Certificate Authentication for GKE Cluster

Risk: Medium

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description
Disabling client certificate authentication for GKE clusters is an important security measure that can help improve the security of your Kubernetes workloads, achieve compliance with security standards, have better control over user access, and simplify authentication management. Client certificate authentication can increase the attack surface and risk of unauthorized access to your cluster, potentially compromising the security of your cloud environment. Disabling this feature can enforce proper authentication mechanisms, ensure all user accounts are properly authenticated, simplify authentication management, and improve the overall security of your GKE cluster.

Resolution
Authenticating to the Kubernetes API server

Disable Kubernetes Web UI

Risk: Low

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description
Disabling the Kubernetes Web UI (Dashboard) is a security best practice that can help control access, reduce the attack surface, and optimize the resource utilization of a Kubernetes cluster. It is also a recommended best practice by the Kubernetes community.

Resolution
Harden your cluster’s security

Enable Cloud Logging and Monitoring for GKE Cluster

Risk: Medium

Target: GKE Cluster

Compliance:

Description
Enabling Cloud Logging and Monitoring for Google Kubernetes Engine (GKE) clusters is important for monitoring and troubleshooting applications running on Kubernetes and ensuring their performance and reliability. Cloud Logging allows capturing and analyzing logs, while Cloud Monitoring allows monitoring performance and availability. Both features help identify and respond to issues in a timely manner, optimize resource usage, and ensure that applications are running smoothly. This is a best practice for maintaining the reliability and performance of applications running on GKE clusters.

Resolution
Configuring Cloud Operations for GKE

Configure VPC-Native for Clusters in GKE

Risk: Medium

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description
Configuring VPC-native for clusters in GKE provides benefits such as improved performance, security, compatibility with other Google Cloud services, compliance with security requirements, and simplified networking configuration. It allows for faster communication between pods and services, improved security and isolation, easier integration with other services, compliance with security requirements, and simplified networking.

Resolution
VPC-native clusters

Enforce Separate Service Account Duties for Users

Risk: Critical

Target: IAM User (GCP)

Compliance:

Description
Ensure that the principle of separation of duties (SoD) is applied to all Google Cloud Platform (GCP) service-account related roles. SoD, aimed at preventing fraud and human error, distributes tasks and associated privileges for a specific business process among multiple users/members. Adhering to security best practices, GCP service accounts should not concurrently have the Service Account Admin and Service Account User roles assigned. Enforcing SoD helps eliminate the need for high-privileged IAM members, reducing the risk of malicious or unwanted actions.

Resolution
Best practices for using service accounts

Risk: Critical

Target: IAM User (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enforcing separation of duties while assigning Key Management Service (KMS) related roles to users can provide benefits such as reduced risk of unauthorized access, compliance with regulatory standards, improved accountability, and better resource management.

Resolution
Separation of duties

Deny Access to GKE Cluster

Risk: Critical

Target: GKE Cluster

Compliance:

Description
To enhance the security of your Google Kubernetes Engine (GKE) clusters and minimize their exposure to the internet, it’s essential to configure them with master authorized networks. This feature allows you to add specific IP addresses and/or IP address ranges to an allowlist, which authorizes them to access your cluster master endpoint using HTTPS.

By adding master authorized networks to your GKE cluster, you can enjoy improved network-level protection and security. Authorized networks provide access only to a limited set of trusted IP addresses, such as those originating from a secure network. This ensures that your GKE cluster is accessible only to authorized users, which can be crucial in case of a vulnerability in the cluster’s authentication or authorization mechanism. Overall, it’s highly recommended to use master authorized networks to help secure your GKE clusters and prevent unauthorized access.

Resolution:
Harden GKE Cluster’s Security

Enable Red Hat ACS On Kubernetes Cluster

Risk: Critical

Target: GKE Cluster

Compliance:

Description
The policy aims to validate and enforce the adherence of Kubernetes clusters to the requirement of being scanned by Red Hat security tools, specifically Red Hat Advanced Cluster Security. It ensures that all Kubernetes clusters within the organization’s infrastructure have undergone the necessary security scanning provided by Red Hat to mitigate vulnerabilities, threats, and compliance risks.

Resolution:
Installing ACS on GKE

Disable External Scripts Enabled Flag for SQL Server Database Instances

Risk: High

Target: SQL Server (GCP)

Compliance:

Description
Disabling the External Scripts Enabled flag for SQL Server database instances is an important security measure that can help reduce the attack surface, improve the security of your database, comply with security standards, and have better control over code execution. This can help prevent unauthorized access and data breaches and ensure that only trusted code is executed on your database server.

Resolution
Configure database flags

Enable skip_show_database Flag for Cloud SQL

Risk: High

Target: MySQLServer (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling the skip_show_database flag for Cloud SQL can hide the names of databases from users who do not have the necessary privileges to view them, which can provide some additional security benefits. However, it may not be appropriate for all use cases, such as multi-tenant applications or cases where specific users or groups require access to specific databases. It’s important to carefully consider whether this flag is appropriate for your specific use case and to use other methods to restrict access to specific databases if needed.

Resolution
Configure database flags

Encrypt Application Layer Secrets for GKE Cluster

Risk: Critical

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0

Description
Google Kubernetes Engine (GKE) automatically encrypts all customer content, including Secrets, when it’s at rest without requiring additional input. Application-layer secrets encryption is another security measure for sensitive data kept in etcd by allowing data encryption at the application level with a Cloud KMS key. This provides added protection against offline attacks. To use this encryption method, it is necessary to first create a Cloud KMS key and give GKE service account access. The Cloud KMS key should be situated in the same location as the cluster to decrease latency and prevent problems with multiple failure domains. When the encryption feature is enabled, both new and existing Secrets are encrypted utilizing the designated encryption key.

Resolution:Encrypt Secrets at the Application Layer

Encrypt GKE Cluster Node Using CMK

Risk: Medium

Target: GKE Cluster

Compliance:

Description
To gain finer control over your GKE data encryption/decryption process, use Customer-Managed Keys (CMKs) to encrypt cluster nodes. Cloud KMS allows you to create and manage your own CMKs, offering secure encryption key management. Although GKE automatically encrypts data at rest, using your own CMKs is recommended to meet strict compliance requirements and protect sensitive GKE data.

Resolution
Use customer-managed encryption keys (CMEK)

Set log_min_error_statement Database Flag for Postgres Instance to Error or Stricter

Risk: High

Target: PostGreSQL

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Setting the log_min_error_statement database flag for a PostgreSQL instance to “error” or a stricter level can improve error tracking, enhance performance by reducing disk usage, help identify potential security issues, and meet compliance requirements for auditing and reporting.

Resolution
Configure database flags

Enable DNSSEC Security Feature for Google Cloud DNS-Managed Zones

Risk: High

Target: Cloud DNS

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling DNSSEC security feature for Google Cloud DNS-managed zones can improve security by preventing DNS spoofing and other attacks, provide authentication, meet compliance requirements, and improve reputation management by ensuring trustworthy DNS data.

Resolution
Manage DNSSEC configuration

Disable Cross DB Ownership Flag for SQL DB Server

Risk: High

Target: Cloud SQL

Compliance:

Description
Ensure the “cross db ownership chaining” flag is disabled for Google Cloud SQL Server database instances, as enabling it may have security implications. Only activate this flag if all hosted databases must participate in cross-database ownership chaining and you understand the potential risks.

Resolution
Configure database flags

Check for Publicly Accessible Cloud KMS Keys

Risk: Critical

Target: KMS Key (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
To ensure the security of your Cloud Key Management Service (KMS) keys, it is crucial to configure the associated Cloud Identity and Access Management (IAM) policies to restrict access by anonymous and public users. To achieve this, it is recommended that you remove the “allUsers” and “allAuthenticatedUsers” members from the KMS key’s IAM policy bindings. This is because allowing access permissions to these members can pose a significant security risk to your KMS keys and encrypted data, making them susceptible to unauthorized access. Therefore, taking this step is essential in preventing data loss and leakage.

Resolution: Access Control with IAM

Disable Log_min_duration_statement Database Flag for PostgreSQL Instance

Risk: High

Target: PostgreSQL 

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Disabling the log_min_duration_statement database flag for PostgreSQL instances is an important security measure that can help reduce the exposure of sensitive data, improve performance, achieve compliance with security standards, and have better control over logging policies. Logging all SQL statements that take longer than a certain duration to execute can impact the performance of your database and expose sensitive data to unauthorized access or disclosure. Disabling this flag can help protect your database from potential vulnerabilities and security threats.

Resolution
Configure database flags

Enable Integrity Monitoring for Shielded GKE Nodes

Risk: Medium

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description
Enabling integrity monitoring for Shielded Google Kubernetes Engine (GKE) nodes is important for ensuring the security and integrity of your Kubernetes clusters. Shielded GKE nodes use advanced security features to protect the nodes from potential attacks or tampering, and integrity monitoring ensures that the nodes have not been modified in an unauthorized way. Enabling integrity monitoring can help detect potential security breaches, configure alerts and notifications, and respond to potential threats in a timely manner. This is a best practice for maintaining the security and integrity of your Kubernetes clusters.

Resolution
Monitoring integrity on Shielded VMs

Remove User Options Database Flag for Cloud SQL SERVER Instance

Risk: High

Target: SQL Server (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Removing the user options database flag for Cloud SQL SERVER instance can improve security by preventing unauthorized changes, improve stability by avoiding changes that can cause issues, help with compliance by ensuring all options and settings are monitored by the database administrator, and promote standardization of the database environment.

Resolution
Configure database flags

Enhance Security with Specific API Restrictions for Google Cloud API Keys

Risk: Medium

Target: API Keys

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enhance security by restricting Google Cloud API keys to specific APIs like Cloud Key Management Service (KMS), Cloud Storage, Cloud Monitoring, and Cloud Logging. Applying API restrictions for production applications is essential to follow cloud security best practices and minimize potential risks. By doing so, you protect your application and data from unauthorized access and potential attacks.

Resolution
API security best practices

Rotate Google Cloud API Keys

Risk: Medium

Target: API Keys

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Rotating Google Cloud API keys can improve security by reducing the risk of unauthorized access or data breaches, meeting compliance requirements, following best practices in security, and providing better control over access to resources.

Resolution
API security best practices

 

 

Secure Google Cloud API Keys with Application Restrictions

Risk: Medium

Target: API Keys

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Secure Google Cloud API keys with application restrictions to limit access to trusted hosts, HTTP referrers, and specific Android/iOS applications. This prevents unauthorized usage and reduces the risk of compromising sensitive data. Implementing these restrictions is essential for following cloud security best practices and protecting your applications effectively.

Resolution
Adding restrictions to API keys

Enable Auto-Upgrade for GKE Nodes

Risk: Medium

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description
Enabling auto-upgrade for Google Kubernetes Engine (GKE) nodes is important for ensuring the security and reliability of your Kubernetes cluster. Auto-upgrade automatically upgrades the nodes in your cluster to the latest version, ensuring that your cluster is always up-to-date with the latest security patches and improvements. This is a best practice for ensuring the security and reliability of your Kubernetes cluster while reducing the burden of manual upgrades and maintenance.

Resolution
Auto-upgrading nodes

Enable Confidential Computing for Compute Instances

Risk: Critical

Target: VM (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling confidential computing for compute instances protects sensitive data and workloads from potential attacks or unauthorized access. It uses hardware-based Trusted Execution Environments (TEEs) to create secure enclaves that isolate the data and code being processed from the rest of the system. Enabling confidential computing can help meet compliance requirements and protect reputation in case of a security breach. This is a best practice for securing sensitive data and workloads and maintaining trust with customers and stakeholders.

Resolution
Creating a Confidential VM instance

Enable HTTPS Logging for Load Balancing Backend Services

Risk: Medium

Target: Load Balancer (GCP)

Compliance:

Description
Enabling HTTPS logging for load-balancing backend services provides benefits such as enhanced security, compliance with regulatory requirements, improved troubleshooting capabilities, and performance tuning. It allows you to identify suspicious activity, troubleshoot issues, and optimize performance, contributing to your application’s overall security, compliance, and performance.

Resolution
Global external HTTP(S) load balancer logging and monitoring

Secure SSL Cipher Suites

Risk: Medium

Target: Load Balancer (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Securing SSL cipher suites can improve security by providing stronger encryption algorithms and key exchange protocols, meeting compliance requirements, improving reputation, and ensuring compatibility with modern browsers and operating systems.

Resolution
SSL policies for SSL and TLS protocols

Disable Public IP for Cloud SQL Database Instance

Risk: Medium

Target: Cloud SQL

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Disabling the public IP for a Cloud SQL database instance is an important security measure that can help protect your database from unauthorized access and malicious activities. This can reduce the attack surface, give you better control over network traffic, help you comply with security requirements, and save on costs. By using private IP addresses and virtual private cloud (VPC) peering, you can enforce stricter security policies and protect your data from unauthorized access and data breaches.

Resolution
Configure public IP

Enable HTTPS for Google Cloud Load Balancers

Risk: High

Target: Load Balancer (GCP)

Compliance:

Description
Enforcing HTTPS for your Google Cloud load balancers is crucial to protect the communication between clients and load balancers from eavesdropping and MITM attacks. This is especially important when sensitive data is involved. Configuring valid SSL/TLS certificates on GCP load balancers is essential to ensure encrypted web traffic between clients and load balancers.

Resolution
Set up a global external HTTP(S) load balancer (classic) with a managed instance group backend

Assign Mandatory Tags to VM

Risk: High

Target: VM (GCP)

Compliance:

Description
Assigning mandatory tags to VMs can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Add/Remove Tags

Enable Log_disconnections DB Flag for PostgreSQL

Risk: Medium

Target: Cloud SQL Postgres

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling the log_disconnections flag in PostgreSQL allows the database server to log all client disconnections. This can help with debugging, security monitoring, and performance tuning. It provides useful information to identify unusual behavior, detect suspicious activity, and optimize performance.

Resolution
Configure database flags

Enforce User Connections Database Flag for SQL Server Instance is Set to Non-limiting Value

Risk: High

Target: SQLServer (GCP)

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enforcing a non-limiting value for a SQL Server instance’s “user connections” database flag can improve stability, optimize resource usage, improve security, and ensure compliance with license restrictions. Limiting the number of concurrent connections can prevent overloading, optimize system resources, reduce the attack surface, and ensure compliance with licensing restrictions.

Resolution
Configure database flags

Enable Auto-Repair for GKE Nodes

Risk: Medium

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description
Enabling auto-repair for Google Kubernetes Engine (GKE) nodes is important for ensuring the availability and reliability of your applications running on the Kubernetes cluster. Auto-repair detects and repairs or replaces unhealthy nodes automatically, helping to prevent downtime or other issues caused by unhealthy nodes. This is a best practice for ensuring the availability and reliability of your applications running on GKE.

Resolution
Auto-repair nodes

Create Clusters with Private Nodes

Risk: Medium

Target: GKE Cluster

Compliance: CIS Google Kubernetes Engine (GKE) Benchmark v1.3.0 DRAFT PDF

Description
Creating clusters with private nodes can improve security by reducing the attack surface and preventing unauthorized access, reducing exposure to the public internet, meeting compliance requirements for protecting sensitive data, enhancing performance by reducing network latency, and reducing costs associated with network egress.

Resolution
Private clusters in GKE

 

Check Permission of Ingress Setting of GCP cloud Function

Risk: Medium

Target: Cloud Functions

Compliance: 

Description

Checking the permissions of Ingress settings for a Google Cloud Function is a vital practice to protect your function and its resources. Properly configuring these settings prevents unauthorized access, safeguards sensitive data, and ensures resource efficiency. It also defends against DDoS attacks, aids compliance, follows the principle of least privilege, and facilitates auditing and monitoring.

Resolution

Restricting ingress for Cloud Run

Configure HTTPS Target Proxy with Quic Protocol for Google Cloud Load Balancers

Risk: Medium

Target: Load Balancer (GCP)

Compliance: 

Description

Configuring QUIC (Quick UDP Internet Connections) protocol with HTTPS Target Proxy for Google Cloud Load Balancers offers faster performance, enhanced security, and improved user experience. It reduces latency, ensures encrypted data transmission, and adapts to network changes gracefully. With support from modern browsers and Google Cloud’s integration, QUIC optimizes connections, minimizes delays, and prepares your services for future networking advancements.

Resolution

QUIC Support for HTTPS Load Balancing

Enable HTTPS for Cloud Functions

Risk: Medium

Target: GCP Cloud Functions Generation 1

Compliance: 

Description

Enabling HTTPS for Cloud Functions in GCP is vital for data security, user trust, and regulation compliance. It encrypts data, verifies authenticity, improves search engine ranking, and ensures compatibility with modern browsers. This fosters trust, protects sensitive information, and prepares your functions for future security standards and technological advancements.

Resolution

HTTP triggers

 

GCP Cloud Function not Enabled with VPC Connector

Risk: Medium

Target: GCP Cloud Functions

Compliance: 

Description

Enabling a VPC connector for GCP Cloud Functions is not always necessary or beneficial. If your use case involves simplicity, public-facing services, limited VPC resources, cost considerations, event-driven nature, or compatibility issues, it might be better to avoid using a VPC connector. Carefully evaluate whether the benefits of VPC connectivity align with your function’s requirements before making a decision.

Resolution

Connect to a VPC network

 

Delete Unused VM Disk

Risk: High

Target: Managed Disk (GCP)

Compliance: 

Description

Deleting unused VM disks in GCP is essential for cost savings, resource management, security, and performance optimization. It streamlines your cloud environment, reduces expenses, and ensures compliance with data protection regulations.

Resolution

Delete a VM

Delete Unused Load Balancer

Risk: High

Target: Load Balancer (GCP)

Compliance: 

Description

Deleting unused Load Balancers in GCP is crucial for cost savings, resource efficiency, security, simplified management, and compliance adherence. It helps streamline your infrastructure, reduce expenses, and mitigate potential security risks.

Resolution

Clean up a Load Balancing Setup