CIS Google Cloud Platform v2.0.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS Google Cloud Platform v2.0.0 L1

Updated: 6/17/2024

Authority: CIS

Plugin: GCP

Revision: 1.2

Estimated Item Count: 56

File Details

Filename: CIS_Google_Cloud_Platform_v2.0.0_L1.audit

Size: 175 kB

MD5: aad4d11165d0c647d4710bb0d6f9e1de
SHA256: 9335f31549c791fbfd4396b898e11f1a4221464dd5668d4005e505fb67df508d

Audit Items

Description    Categories
1.1 Ensure that Corporate Login Credentials are Used
1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
1.5 Ensure That Service Account Has No Admin Privileges
1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
1.16 Ensure Essential Contacts is Configured for Organization
1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
2.1 Ensure That Cloud Audit Logging Is Configured Properly - allServices
2.1 Ensure That Cloud Audit Logging Is Configured Properly - exemptedMembers
2.2 Ensure That Sinks Are Configured for All Log Entries
2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - alert
2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - metric
2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - alert
2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - metric
2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - alert
2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - metric
2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - dns policies
2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - vpc networks
2.13 Ensure Cloud Asset Inventory Is Enabled
3.2 Ensure Legacy Networks Do Not Exist for Older Projects
3.3 Ensure That DNSSEC Is Enabled for Cloud DNS
3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
4.1 Ensure That Instances Are Not Configured To Use the Default Service Account
4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
4.3 Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances
4.4 Ensure Oslogin Is Enabled for a Project - instances
4.4 Ensure Oslogin Is Enabled for a Project - project
4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
4.6 Ensure That IP Forwarding Is Not Enabled on Instances
5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
6.1.2 Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
6.1.3 Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
6.2.2 Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
6.2.3 Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
6.2.5 Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
6.2.6 Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
6.2.7 Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled)
6.2.8 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
6.2.9 Ensure Instance IP assignment is set to private
6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
6.3.3 Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
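Several of the items above reduce to the same two machine-checkable questions: does a service account carry user-managed keys, and how old are they (1.4, 1.7), and does an IAM policy grant anything to allUsers or allAuthenticatedUsers (1.9 for KMS keys, 5.1 for Cloud Storage buckets). The Python below is an added example of evaluating those conditions the way a practitioner would script them against gcloud output; it is not the Tenable audit file's own check logic. The two JSON inputs are constructed samples shaped like `gcloud iam service-accounts keys list --format=json` and `gsutil iam get` output (an IAM policy from `gcloud kms keys get-iam-policy` has the same shape); the project, account, bucket, key IDs and e-mail addresses are made up.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)                        # CIS 1.7 rotation threshold
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # CIS 1.9 / 5.1 principals

# Constructed sample, shaped like:
#   gcloud iam service-accounts keys list \
#       --iam-account=app@example-proj.iam.gserviceaccount.com --format=json
# Project, account and key IDs are invented for this example.
SAMPLE_KEYS = """[
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/1111",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-05-01T00:00:00Z"},
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/2222",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-01-10T00:00:00Z"},
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/3333",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-06-01T00:00:00Z"}
]"""

# Constructed sample, shaped like `gsutil iam get gs://example-bucket`.
# A KMS key policy from `gcloud kms keys get-iam-policy` has the same bindings
# structure, so the same check covers control 1.9.
SAMPLE_POLICY = """{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allAuthenticatedUsers", "group:devs@example.com"]}
  ],
  "etag": "CAE="
}"""


def _parse_gcloud_time(value: str) -> datetime:
    """gcloud prints RFC 3339 UTC timestamps with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def service_account_key_findings(keys_json: str, now: datetime) -> list[tuple[str, str]]:
    """Return (key name, control) pairs for keys failing CIS 1.4 or 1.7.

    1.4: any USER_MANAGED key is a finding; only GCP-managed keys should exist.
    1.7: a USER_MANAGED key older than 90 days is additionally a rotation finding.
    SYSTEM_MANAGED keys are rotated by Google and are out of scope for both.
    """
    findings = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        findings.append((key["name"], "1.4"))
        if now - _parse_gcloud_time(key["validAfterTime"]) > MAX_KEY_AGE:
            findings.append((key["name"], "1.7"))
    return findings


def public_bindings(policy_json: str) -> list[tuple[str, str]]:
    """Return (role, member) pairs that grant access to allUsers/allAuthenticatedUsers.

    Every binding is examined rather than stopping at the first hit, so a report
    lists all offending grants; one public binding is enough to fail 5.1 or 1.9.
    """
    policy = json.loads(policy_json)
    return [(binding["role"], member)
            for binding in policy.get("bindings", [])
            for member in binding.get("members", [])
            if member in PUBLIC_MEMBERS]


def run_sample() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Evaluate the constructed samples at a fixed 'now' so results are reproducible."""
    now = datetime(2024, 6, 17, tzinfo=timezone.utc)  # this audit file's update date
    return service_account_key_findings(SAMPLE_KEYS, now), public_bindings(SAMPLE_POLICY)


if __name__ == "__main__":
    key_findings, public = run_sample()
    for name, control in key_findings:
        print(f"FAIL {control}: {name}")
    for role, member in public:
        print(f"FAIL 5.1/1.9: {member} granted {role}")
```

With the fixed date, key 2222 (created 2024-01-10) fails both 1.4 and 1.7, key 3333 (created 2024-06-01) fails only 1.4, and the system-managed key 1111 is ignored; the policy yields two public grants, both on roles/storage.objectViewer. To run this against a real project, replace the two sample strings with the captured gcloud/gsutil output and pass `datetime.now(timezone.utc)` as `now`.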