CIS Google Cloud Platform v1.1.0 L1

Audit Details

Name: CIS Google Cloud Platform v1.1.0 L1

Updated: 4/25/2022

Authority: CIS

Plugin: GCP

Revision: 1.2

Estimated Item Count: 72

File Details

Filename: CIS_Google_Cloud_Platform_v1.2.0_L1.audit

Size: 234 kB

MD5: 2c595013fc9c22ba38f65160660197fd
SHA256: 16feb2db334984cbbd457c40fc71138bb23fffce2d61fd6be42ac43c4751de36

Audit Items

Description | Categories
1.1 Ensure that corporate login credentials are used

IDENTIFICATION AND AUTHENTICATION

1.2 Ensure that multi-factor authentication is enabled for all non-service accounts
1.4 Ensure that there are only GCP-managed service account keys for each service account

ACCESS CONTROL

1.5 Ensure that Service Account has no Admin privileges

ACCESS CONTROL

1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level

ACCESS CONTROL

1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less

ACCESS CONTROL

1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible

ACCESS CONTROL

1.10 Ensure KMS encryption keys are rotated within a period of 90 days

ACCESS CONTROL

1.13 Ensure API keys are restricted to use by only specified Hosts and Apps

ACCESS CONTROL

1.14 Ensure API keys are restricted to only APIs that application needs access

ACCESS CONTROL

1.15 Ensure API keys are rotated every 90 days

ACCESS CONTROL

2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project - allServices

AUDIT AND ACCOUNTABILITY

2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project - exemptedMembers

AUDIT AND ACCOUNTABILITY

2.2 Ensure that sinks are configured for all log entries

AUDIT AND ACCOUNTABILITY

2.3 Ensure that retention policies on log buckets are configured using Bucket Lock

AUDIT AND ACCOUNTABILITY

2.4 Ensure log metric filter and alerts exist for project ownership assignments/changes - alert

AUDIT AND ACCOUNTABILITY

2.4 Ensure log metric filter and alerts exist for project ownership assignments/changes - metric

AUDIT AND ACCOUNTABILITY

2.5 Ensure that the log metric filter and alerts exist for Audit Configuration changes - alert

AUDIT AND ACCOUNTABILITY

2.5 Ensure that the log metric filter and alerts exist for Audit Configuration changes - metric

AUDIT AND ACCOUNTABILITY

2.6 Ensure that the log metric filter and alerts exist for Custom Role changes - alert

AUDIT AND ACCOUNTABILITY

2.6 Ensure that the log metric filter and alerts exist for Custom Role changes - metric

AUDIT AND ACCOUNTABILITY

2.7 Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes - alert

AUDIT AND ACCOUNTABILITY

2.7 Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes - metric

AUDIT AND ACCOUNTABILITY

2.8 Ensure that the log metric filter and alerts exist for VPC network route changes - alert

AUDIT AND ACCOUNTABILITY

2.8 Ensure that the log metric filter and alerts exist for VPC network route changes - metric

AUDIT AND ACCOUNTABILITY

2.9 Ensure that the log metric filter and alerts exist for VPC network changes - alert

AUDIT AND ACCOUNTABILITY

2.9 Ensure that the log metric filter and alerts exist for VPC network changes - metric

AUDIT AND ACCOUNTABILITY

2.10 Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes - alert

AUDIT AND ACCOUNTABILITY

2.10 Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes - metric

AUDIT AND ACCOUNTABILITY

2.11 Ensure that the log metric filter and alerts exist for SQL instance configuration changes - alert

AUDIT AND ACCOUNTABILITY

2.11 Ensure that the log metric filter and alerts exist for SQL instance configuration changes - metric

AUDIT AND ACCOUNTABILITY

2.12 Ensure that Cloud DNS logging is enabled for all VPC networks - dns policies

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

2.12 Ensure that Cloud DNS logging is enabled for all VPC networks - vpc networks

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.2 Ensure legacy networks do not exist for a project

CONFIGURATION MANAGEMENT

3.3 Ensure that DNSSEC is enabled for Cloud DNS

CONFIGURATION MANAGEMENT

3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC

CONFIGURATION MANAGEMENT

3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC

CONFIGURATION MANAGEMENT

3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.9 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

SYSTEM AND COMMUNICATIONS PROTECTION

4.1 Ensure that instances are not configured to use the default service account

ACCESS CONTROL

4.2 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs

ACCESS CONTROL

4.3 Ensure 'Block Project-wide SSH keys' is enabled for VM instances - Block Project-wide SSH keys is enabled for VM instances

ACCESS CONTROL

4.4 Ensure oslogin is enabled for a Project - instances

ACCESS CONTROL

4.4 Ensure oslogin is enabled for a Project - project

ACCESS CONTROL

4.5 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance

SYSTEM AND INFORMATION INTEGRITY

4.6 Ensure that IP forwarding is not enabled on Instances

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges

IDENTIFICATION AND AUTHENTICATION

6.1.2 Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'

ACCESS CONTROL

6.1.3 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'

SYSTEM AND COMMUNICATIONS PROTECTION