CIS Google Cloud Platform v1.3.0 L2

Audit Details

Name: CIS Google Cloud Platform v1.3.0 L2

Updated: 1/4/2023

Authority: CIS

Plugin: GCP

Revision: 1.0

Estimated Item Count: 23

File Details

Filename: CIS_Google_Cloud_Platform_v1.3.0_L2.audit

Size: 80.7 kB

MD5: 24defa131f9199b6c9ae1465c816e3d5
SHA256: 27583f30526fc5635d0f23dd658820c1a3919942a77130e121fabf6267c0b5e1

Audit Items

Description / Categories
1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts

IDENTIFICATION AND AUTHENTICATION

1.8 Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users

ACCESS CONTROL, MEDIA PROTECTION

1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users

ACCESS CONTROL, MEDIA PROTECTION

1.12 Ensure API Keys Are Not Created for a Project

ACCESS CONTROL

1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock

ACCESS CONTROL, MEDIA PROTECTION

2.13 Ensure Cloud Asset Inventory Is Enabled

CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT

2.15 Ensure 'Access Approval' is 'Enabled'

ACCESS CONTROL, MEDIA PROTECTION

3.1 Ensure That the Default Network Does Not Exist in a Project

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.6 Ensure That SSH Access Is Restricted From the Internet

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.7 Ensure That RDP Access Is Restricted From the Internet

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'

ACCESS CONTROL

4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled

CONFIGURATION MANAGEMENT

4.9 Ensure That Compute Instances Do Not Have Public IP Addresses

ACCESS CONTROL, MEDIA PROTECTION

4.10 Ensure That App Engine Applications Enforce HTTPS Connections

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

4.11 Ensure That Compute Instances Have Confidential Computing Enabled

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects

SYSTEM AND SERVICES ACQUISITION

5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled

ACCESS CONTROL, MEDIA PROTECTION

6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter

AUDIT AND ACCOUNTABILITY

6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs

ACCESS CONTROL, MEDIA PROTECTION

7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.3 Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
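Items 3.6 and 3.7 above are checks on VPC firewall rules: an ingress allow rule whose source range is the whole internet (0.0.0.0/0 or ::/0) and whose allowed protocol/port set covers tcp/22 or tcp/3389 fails the item. The evaluator below is an added example written for this page; it is not code from the .audit file or from Tenable or CIS. It assumes input shaped like the JSON that `gcloud compute firewall-rules list --format=json` prints (only the fields `name`, `direction`, `disabled`, `sourceRanges` and `allowed[].IPProtocol/ports` are read); the rule names, networks and addresses in the embedded sample are constructed. It goes slightly beyond the two titles by also treating `IPProtocol: "all"`, a rule with no `ports` list (every port of that protocol) and a port range that contains the target port as exposures, since all three open the port in practice.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# Names, networks and addresses are made up for this example.
SAMPLE_RULES_JSON = r'''
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "network": "global/networks/default",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-rdp-range", "direction": "INGRESS", "disabled": false,
   "network": "global/networks/default",
   "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
  {"name": "allow-all-protocols", "direction": "INGRESS", "disabled": false,
   "network": "global/networks/prod",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-ssh-corp", "direction": "INGRESS", "disabled": false,
   "network": "global/networks/prod",
   "sourceRanges": ["203.0.113.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-ssh-disabled", "direction": "INGRESS", "disabled": true,
   "network": "global/networks/prod",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "egress-anything", "direction": "EGRESS",
   "network": "global/networks/prod",
   "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp"}]},
  {"name": "allow-udp-22", "direction": "INGRESS",
   "network": "global/networks/prod",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "udp", "ports": ["22"]}]}
]
'''

# CIS item id -> (protocol, port) that must not be reachable from the internet.
CHECKS = {"3.6": ("tcp", 22), "3.7": ("tcp", 3389)}


def _is_internet_range(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _port_in_spec(port, ports):
    """ports is the firewall 'ports' list: single values or 'lo-hi' ranges.
    A missing/empty list means every port of the protocol is allowed."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = str(spec).partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if low <= port <= high:
            return True
    return False


def rule_allows(rule, proto, port):
    """True if this rule, on its own, admits proto/port from the whole internet."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return False
    if not any(_is_internet_range(r) for r in rule.get("sourceRanges", [])):
        return False
    for allow in rule.get("allowed", []):
        ip_proto = str(allow.get("IPProtocol", "")).lower()
        if ip_proto == "all":
            return True
        if ip_proto == proto and _port_in_spec(port, allow.get("ports")):
            return True
    return False


def evaluate(rules):
    """Return sorted (check_id, rule_name) findings for CIS 3.6 and 3.7."""
    findings = []
    for rule in rules:
        for check_id, (proto, port) in CHECKS.items():
            if rule_allows(rule, proto, port):
                findings.append((check_id, rule["name"]))
    return sorted(findings)


def run_sample():
    """Evaluate the constructed sample above."""
    return evaluate(json.loads(SAMPLE_RULES_JSON))


if __name__ == "__main__":
    for check_id, name in run_sample():
        print(f"FAIL CIS {check_id}: firewall rule {name} exposes the port to the internet")
```

Two caveats match how the benchmark audits these items: the check looks at each allow rule in isolation, so it does not resolve priority against a higher-priority deny rule, and it ignores `targetTags` / `targetServiceAccounts`, so a flagged rule may apply to no instance. Both are reasons to treat the output as a finding to review rather than proof of an exposed host.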