Open DNS | Determines if TCP or UDP port 53 for DNS is open to the public |
Open SSH | Determines if TCP port 22 for SSH is open to the public |
Open CIFS | Determines if UDP port 445 for CIFS is open to the public |
Open FTP | Determines if TCP port 20 or 21 for FTP is open to the public |
Open Hadoop HDFS NameNode Metadata Service | Determines if TCP port 8020 for HDFS NameNode metadata service is open to the public. |
Open Hadoop HDFS NameNode WebUI | Determines if TCP ports 50070 and 50470 for the Hadoop/HDFS NameNode WebUI service are open to the public |
Open Kibana | Determines if TCP port 5601 for Kibana is open to the public |
Open MySQL | Determines if TCP port 4333 or 3306 for MySQL is open to the public |
Open NetBIOS | Determines if UDP port 137 or 138 for NetBIOS is open to the public |
Open Oracle | Determines if TCP port 1521 for Oracle is open to the public |
Open PostgreSQL | Determines if TCP port 5432 for PostgreSQL is open to the public |
Open RDP | Determines if TCP port 3389 for RDP is open to the public |
Open RPC | Determines if TCP port 135 for RPC is open to the public |
Open SMBoTCP | Determines if TCP port 445 for Windows SMB over TCP is open to the public |
Open SMTP | Determines if TCP port 25 for SMTP is open to the public |
Open SQLServer | Determines if TCP port 1433 or UDP port 1434 for SQL Server is open to the public |
Open Telnet | Determines if TCP port 23 for Telnet is open to the public |
Open VNC Client | Determines if TCP port 5500 for VNC Client is open to the public |
Open VNC Server | Determines if TCP port 5900 for VNC Server is open to the public |
Open Oracle Auto Data Warehouse | Determines if TCP port 1522 for Oracle Auto Data Warehouse is open to the public |
Multiple Subnets | Ensures that VPCs have multiple networks to provide a layered architecture |
Default VPC In Use | Determines whether the default VPC is being used for launching VM instances |
VM Max Instances | Ensures the total number of VM instances does not exceed a set threshold |
Instances Multi AZ | Ensures managed instances are regional for availability purposes. |
Key Rotation | Ensures cryptographic keys are set to rotate on a regular schedule |
DB Restorable | Ensures SQL instances can be restored to a recent point |
DB Automated Backups | Ensures automated backups are enabled for SQL instances |
DB Multiple AZ | Ensures that SQL instances have a cross-AZ failover replica for high availability |
DB Publicly Accessible | Ensures that SQL instances are not publicly accessible. |
Bucket Versioning | Ensures object versioning is enabled on storage buckets |
Bucket Logging | Ensures object logging is enabled on storage buckets |
CLB HTTPS Only | Ensures CLBs are configured to only accept connections on HTTPS ports |
Excessive Firewall Rules | Determines if there are an excessive number of firewall rules in the account |
Open All Ports | Determines if all ports are open to the public |
CLB No Instances | Detects CLBs that have no backend instances attached |
Flow Logs Enabled | Ensures VPC flow logs are enabled for traffic logging |
Autoscale Enabled | Ensures instance groups have autoscale enabled for high availability |
Service Limits | Determines if the number of resources is close to the per-account limit. |
Private Endpoint | Ensures the private endpoint setting is enabled for Kubernetes clusters |
Monitoring Enabled | Ensures all Kubernetes clusters have monitoring enabled |
Private Access Enabled | Ensures Private Google Access is enabled for all Subnets |
Instance Level SSH Only | Ensures that instances are not configured to allow project-wide SSH keys |
VM Instances Least Privilege | Ensures that instances are not configured to use the default service account with full access to all cloud APIs |
IP Forwarding Disabled | Ensures that IP forwarding is disabled on all instances |
Connect Serial Ports Disabled | Ensures connecting to serial ports is not enabled for VM instances |
CSEK Encryption Enabled | Ensures Customer-Supplied Encryption Key (CSEK) encryption is enabled on disks |
Storage Bucket All Users Policy | Ensures Storage bucket policies do not allow global write, delete, or read permissions |
Security Policy Enabled | Ensures all backend services have an attached security policy |
CLB CDN Enabled | Ensures that Cloud CDN is enabled on all load balancers |
DNS Security Enabled | Ensures that DNS Security is enabled on all managed zones |
DNS Security Signing Algorithm | Ensures that DNS Security is not using the RSASHA1 algorithm for key or zone signing |
OS Login Enabled | Ensures OS Login is enabled for the project |
Database SSL Enabled | Ensures SQL databases have SSL enabled |
Service Account Key Rotation | Ensures that service account keys are rotated within 90 days of creation. |
Service Account Managed Keys | Ensures that service account keys are being managed by Google. |
Cluster Least Privilege | Ensures Kubernetes clusters are created with limited service account access scopes |
Project Ownership Logging | Ensures that logging and log alerts exist for project ownership assignments and changes |
Storage Permissions Logging | Ensures that logging and log alerts exist for storage permission changes |
SQL Configuration Logging | Ensures that logging and log alerts exist for SQL configuration changes |
Audit Configuration Logging | Ensures that logging and log alerts exist for audit configuration changes. |
Custom Role Logging | Ensures that logging and log alerts exist for custom role creation and changes |
VPC Firewall Rule Logging | Ensures that logging and log alerts exist for firewall rule changes |
VPC Network Route Logging | Ensures that logging and log alerts exist for VPC network route changes |
VPC Network Logging | Ensures that logging and log alerts exist for VPC network changes |
Alias IP Ranges Enabled | Ensures all Kubernetes clusters have alias IP ranges enabled |
Legacy Authorization Disabled | Ensures legacy authorization is disabled on Kubernetes clusters |
Master Authorized Network | Ensures master authorized networks are enabled on Kubernetes clusters |
Cluster Labels Added | Ensures all Kubernetes clusters have labels added |
Web Dashboard Disabled | Ensures all Kubernetes clusters have the web dashboard disabled. |
Default Service Account | Ensures all Kubernetes cluster nodes are not using the default service account. |
COS Image Enabled | Ensures all Kubernetes cluster nodes have Container-Optimized OS enabled |
Automatic Node Repair Enabled | Ensures all Kubernetes cluster nodes have automatic repair enabled |
Automatic Node Upgrades Enabled | Ensures all Kubernetes cluster nodes have automatic upgrades enabled |
Network Policy Enabled | Ensures all Kubernetes clusters have network policy enabled |
Pod Security Policy Enabled | Ensures pod security policy is enabled for all Kubernetes clusters |
Any Host Root Access | Ensures the SQL instance root user cannot be accessed from any host |
Service Account Admin | Ensures that user-managed service accounts do not have any admin, owner, or write privileges. |
Service Account User | Ensures that no users have the Service Account User role. |
Service Account Separation | Ensures that no users have both the Service Account User and Service Account Admin role. |
KMS User Separation | Ensures that no users have the KMS admin role and any one of the CryptoKey roles. |
Audit Logging Enabled | Ensures that default audit logging is enabled on the project. |
Log Sinks Enabled | Ensures a log sink is enabled to export all logs |
Private Cluster Enabled | Ensures private cluster is enabled for all Kubernetes clusters |
Logging Enabled | Ensures all Kubernetes clusters have logging enabled |
Corporate Emails Only | Ensures that no users are using their Gmail accounts for access to GCP. |
Basic Authentication Disabled | Ensures basic authentication is disabled on Kubernetes clusters. |