CIS Google Cloud Platform v2.0.0 L2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS Google Cloud Platform v2.0.0 L2

Updated: 6/17/2024

Authority: CIS

Plugin: GCP

Revision: 1.2

Estimated Item Count: 41

File Details

Filename: CIS_Google_Cloud_Platform_v2.0.0_L2.audit

Size: 127 kB

MD5: de1eba5304fade46cbb4fe1065a7d397
SHA256: 8a2f99d96e6b24ee93cbe649ec32b6a3fb8d52197dacbf508e08d06fca60c6f6

Audit Items

Description | Categories
1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts
1.8 Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - Decrypter
1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - Encrypter
1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - Encrypter/Decrypter
1.12 Ensure API Keys Only Exist for Active Services
1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps
1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs Access
1.15 Ensure API Keys Are Rotated Every 90 Days
1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - alert
2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - metric
2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - alert
2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - metric
2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - alert
2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - metric
2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - alert
2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - metric
2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - alert
2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - metric
2.14 Ensure 'Access Transparency' is 'Enabled'
2.15 Ensure 'Access Approval' is 'Enabled'
2.16 Ensure Logging is enabled for HTTP(S) Load Balancer
3.1 Ensure That the Default Network Does Not Exist in a Project
3.6 Ensure That SSH Access Is Restricted From the Internet
3.7 Ensure That RDP Access Is Restricted From the Internet
3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled
4.9 Ensure That Compute Instances Do Not Have Public IP Addresses
4.10 Ensure That App Engine Applications Enforce HTTPS Connections
4.11 Ensure That Compute Instances Have Confidential Computing Enabled
4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
6.2.4 Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs
7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
7.3 Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets