1 Identity and Access Management
  1.1 Ensure that corporate login credentials are used instead of Gmail accounts
  1.2 Ensure that multi-factor authentication is enabled for all non-service accounts
  1.3 Ensure that there are only GCP-managed service account keys for each service account
  1.4 Ensure that ServiceAccount has no Admin privileges
  1.5 Ensure that IAM users are not assigned Service Account User role at project level
  1.6 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
  1.7 Ensure that Separation of duties is enforced while assigning service account related roles to users
  1.8 Ensure Encryption keys are rotated within a period of 365 days
  1.9 Ensure that Separation of duties is enforced while assigning KMS related roles to users
  1.10 Ensure API keys are not created for a project
  1.11 Ensure API keys are restricted to use by only specified Hosts and Apps
  1.12 Ensure API keys are restricted to only APIs that application needs access
  1.13 Ensure API keys are rotated every 90 days

2 Logging and Monitoring
  2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
  2.2 Ensure that sinks are configured for all Log entries
  2.3 Ensure that object versioning is enabled on log-buckets
  2.4 Ensure log metric filter and alerts exists for Project Ownership assignments/changes
  2.5 Ensure log metric filter and alerts exists for Audit Configuration Changes
  2.6 Ensure log metric filter and alerts exists for Custom Role changes
  2.7 Ensure log metric filter and alerts exists for VPC Network Firewall rule changes
  2.8 Ensure log metric filter and alerts exists for VPC network route changes
  2.9 Ensure log metric filter and alerts exists for VPC network changes
  2.10 Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes
  2.11 Ensure log metric filter and alerts exists for SQL instance configuration changes

3 Networking
  3.1 Ensure the default network does not exist in a project
  3.2 Ensure legacy networks does not exists for a project
  3.3 Ensure that DNSSEC is enabled for Cloud DNS
  3.4 Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC
  3.5 Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC
  3.6 Ensure that SSH access is restricted from the internet
  3.7 Ensure that RDP access is restricted from the internet
  3.8 Ensure Private Google Access is enabled for all subnetwork in VPC Network
  3.9 Ensure VPC Flow logs is enabled for every subnet in VPC Network

4 Virtual Machines
  4.1 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
  4.2 Ensure “Block Project-wide SSH keys” enabled for VM instances
  4.3 Ensure oslogin is enabled for a Project
  4.4 Ensure ‘Enable connecting to serial ports’ is not enabled for VM Instance
  4.5 Ensure that IP forwarding is not enabled on Instances
  4.6 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)

5 Storage
  5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible
  5.2 Ensure that there are no publicly accessible objects in storage buckets
  5.3 Ensure that logging is enabled for Cloud storage buckets

6 Cloud SQL Database Services
  6.1 Ensure that Cloud SQL database instance requires all incoming connections to use SSL
  6.2 Ensure that Cloud SQL database Instances are not open to the world
  6.3 Ensure that MySql database instance does not allow anyone to connect with administrative privileges
  6.4 Ensure that MySQL Database Instance does not allows root login from any Host

7 Kubernetes Engine
  7.1 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
  7.2 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
  7.3 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
  7.4 Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
  7.5 Ensure Kubernetes Clusters are configured with Labels
  7.6 Ensure Kubernetes web UI / Dashboard is disabled
  7.7 Ensure `Automatic node repair` is enabled for Kubernetes Clusters
  7.8 Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
  7.9 Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
  7.10 Ensure Basic Authentication is disabled on Kubernetes Engine Clusters
  7.11 Ensure Network policy is enabled on Kubernetes Engine Clusters
  7.12 Ensure Kubernetes Cluster is created with Client Certificate enabled
  7.13 Ensure Kubernetes Cluster is created with Alias IP ranges enabled
  7.14 Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
  7.15 Ensure Kubernetes Cluster is created with Private cluster enabled
  7.16 Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
  7.17 Ensure default Service account is not used for Project access in Kubernetes Clusters
  7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access