CIS Google Cloud Platform v1.3.0 L1

Audit Details

Name: CIS Google Cloud Platform v1.3.0 L1

Updated: 1/4/2023

Authority: CIS

Plugin: GCP

Revision: 1.0

Estimated Item Count: 72

File Details

Filename: CIS_Google_Cloud_Platform_v1.3.0_L1.audit

Size: 261 kB

MD5: 355015893e9aec41138873f48cf5f8f6
SHA256: 4d9381fedec258a1e7faeec677e44defd75ea482563332d4ff90f92df5894e94

Audit Items

| Description | Categories |
|---|---|
| 1.1 Ensure that Corporate Login Credentials are Used | ACCESS CONTROL |
| 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | IDENTIFICATION AND AUTHENTICATION |
| 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account | IDENTIFICATION AND AUTHENTICATION |
| 1.5 Ensure That Service Account Has No Admin Privileges | ACCESS CONTROL |
| 1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | ACCESS CONTROL, MEDIA PROTECTION |
| 1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | IDENTIFICATION AND AUTHENTICATION |
| 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | ACCESS CONTROL, MEDIA PROTECTION |
| 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | ACCESS CONTROL |
| 1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs Access | ACCESS CONTROL |
| 1.15 Ensure API Keys Are Rotated Every 90 Days | ACCESS CONTROL |
| 1.16 Ensure Essential Contacts is Configured for Organization | INCIDENT RESPONSE |
| 1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project - allServices | AUDIT AND ACCOUNTABILITY |
| 2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project - exemptedMembers | AUDIT AND ACCOUNTABILITY |
| 2.2 Ensure That Sinks Are Configured for All Log Entries | AUDIT AND ACCOUNTABILITY |
| 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - dns policies | AUDIT AND ACCOUNTABILITY |
| 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - vpc networks | AUDIT AND ACCOUNTABILITY |
| 2.13 Ensure Cloud Asset Inventory Is Enabled | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 2.14 Ensure 'Access Transparency' is 'Enabled' | AUDIT AND ACCOUNTABILITY |
| 3.2 Ensure Legacy Networks Do Not Exist for Older Projects | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.3 Ensure That DNSSEC Is Enabled for Cloud DNS | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1 Ensure That Instances Are Not Configured To Use the Default Service Account | IDENTIFICATION AND AUTHENTICATION |
| 4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4 Ensure Oslogin Is Enabled for a Project - instances | ACCESS CONTROL |
| 4.4 Ensure Oslogin Is Enabled for a Project - project | ACCESS CONTROL |
| 4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance | CONFIGURATION MANAGEMENT |
| 4.6 Ensure That IP Forwarding Is Not Enabled on Instances | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | ACCESS CONTROL, MEDIA PROTECTION |