Reference ID | Description | Cloud Provider | Category | Severity |
--- | --- | --- | --- | --- |
AC_GCP_0001 | Ensure that Cloud SQL database instances are configured with automated backups | GCP | Resilience | MEDIUM |
AC_GCP_0002 | Ensure that the Cloud SQL database instance requires all incoming connections to use SSL | GCP | Infrastructure Security | HIGH |
AC_GCP_0003 | Ensure that Cloud SQL database instances are not open to the world | GCP | Infrastructure Security | HIGH |
AC_GCP_0004 | Ensure that there are only GCP-managed service account keys for each service account | GCP | Identity and Access Management | LOW |
AC_GCP_0005 | Ensure that Service Account has no Admin privileges | GCP | Identity and Access Management | HIGH |
AC_GCP_0006 | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | GCP | Identity and Access Management | HIGH |
AC_GCP_0007 | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | GCP | Identity and Access Management | HIGH |
AC_GCP_0008 | Ensure that corporate login credentials are used | GCP | Identity and Access Management | LOW |
AC_GCP_0009 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | GCP | Logging and Monitoring | LOW |
AC_GCP_0010 | Ensure that the default network does not exist in a project | GCP | Infrastructure Security | LOW |
AC_GCP_0011 | Ensure KMS encryption keys are rotated within a period of 90 days | GCP | Security Best Practices | LOW |
AC_GCP_0012 | Ensure a key rotation mechanism within a 365 day period is implemented for Google KMS Crypto Key | GCP | Security Best Practices | LOW |
AC_GCP_0013 | Ensure '3625 (trace flag)' database flag for Cloud SQL Server instance is set to 'off' | GCP | Compliance Validation | LOW |
AC_GCP_0014 | Ensure that DNSSEC is enabled for Cloud DNS | GCP | Infrastructure Security | MEDIUM |
AC_GCP_0015 | Ensure Node Auto-Upgrade is enabled for GKE nodes | GCP | Security Best Practices | LOW |
AC_GCP_0016 | Ensure container-optimized OS (COS) is used for Google Container Node Pool | GCP | Compliance Validation | LOW |
AC_GCP_0017 | Ensure Node Auto-Upgrade is enabled for GKE nodes | GCP | Security Best Practices | LOW |
AC_GCP_0018 | Ensure that Alpha clusters are not used for production workloads | GCP | Security Best Practices | LOW |
AC_GCP_0019 | Ensure labels are configured for Google Container Cluster | GCP | Compliance Validation | LOW |
AC_GCP_0020 | Ensure private cluster is enabled for Google Container Cluster | GCP | Infrastructure Security | HIGH |
AC_GCP_0021 | Ensure basic authentication is disabled on Google Container Cluster | GCP | Identity and Access Management | HIGH |
AC_GCP_0022 | Ensure PodSecurityPolicy controller is enabled on Google Container Cluster | GCP | Compliance Validation | HIGH |
AC_GCP_0023 | Ensure control plane is not public for Google Container Cluster | GCP | Infrastructure Security | HIGH |
AC_GCP_0024 | Ensure authentication using Client Certificates is Disabled | GCP | Identity and Access Management | MEDIUM |
AC_GCP_0025 | Ensure use of VPC-native clusters | GCP | Compliance Validation | HIGH |
AC_GCP_0026 | Ensure network policy is enabled on Google Container Cluster | GCP | Infrastructure Security | HIGH |
AC_GCP_0027 | Ensure Master Authorized Networks is Enabled | GCP | Infrastructure Security | HIGH |
AC_GCP_0028 | Ensure Legacy Authorization (ABAC) is Disabled | GCP | Identity and Access Management | HIGH |
AC_GCP_0029 | Ensure Stackdriver monitoring is enabled on Google Container Cluster | GCP | Logging and Monitoring | HIGH |
AC_GCP_0030 | Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled | GCP | Logging and Monitoring | HIGH |
AC_GCP_0031 | Ensure Private Google Access is enabled for Google Compute Subnetwork | GCP | Infrastructure Security | MEDIUM |
AC_GCP_0032 | Ensure legacy networks do not exist for a project | GCP | Infrastructure Security | LOW |
AC_GCP_0033 | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0034 | Ensure latest TLS version is used for Google Compute SSL Policy | GCP | Infrastructure Security | MEDIUM |
AC_GCP_0035 | Ensure Compute instances are launched with Shielded VM enabled | GCP | Infrastructure Security | LOW |
AC_GCP_0036 | Ensure encryption with Customer Supplied Encryption Keys (CSEK) is enabled for Google Compute Instance | GCP | Data Protection | MEDIUM |
AC_GCP_0037 | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | GCP | Infrastructure Security | MEDIUM |
AC_GCP_0038 | Ensure default setting for OSLogin is not overridden by Google Compute Instance | GCP | Identity and Access Management | LOW |
AC_GCP_0039 | Ensure "Block Project-wide SSH keys" is enabled for VM instances | GCP | Infrastructure Security | LOW |
AC_GCP_0040 | Ensure that instances are not configured to use the default service account | GCP | Identity and Access Management | HIGH |
AC_GCP_0041 | Ensure default service accounts having complete cloud access are not used by Google Compute Instance | GCP | Infrastructure Security | HIGH |
AC_GCP_0042 | Ensure Cassandra OpsCenter agent (TCP:61621) is not exposed to more than 32 private hosts for Google Compute Firewall | GCP | Infrastructure Security | LOW |
AC_GCP_0043 | Ensure Cassandra OpsCenter agent (TCP:61621) is not exposed to public for Google Compute Firewall | GCP | Infrastructure Security | MEDIUM |
AC_GCP_0044 | Ensure Cassandra OpsCenter agent (TCP:61621) is not exposed to entire internet for Google Compute Firewall | GCP | Infrastructure Security | HIGH |
AC_GCP_0045 | Ensure Mongo Web Portal (TCP:27018) is not exposed to more than 32 private hosts for Google Compute Firewall | GCP | Infrastructure Security | LOW |
AC_GCP_0046 | Ensure Mongo Web Portal (TCP:27018) is not exposed to public for Google Compute Firewall | GCP | Infrastructure Security | MEDIUM |
AC_GCP_0047 | Ensure Mongo Web Portal (TCP:27018) is not exposed to entire internet for Google Compute Firewall | GCP | Infrastructure Security | HIGH |
AC_GCP_0048 | Ensure Puppet Master (TCP:8140) is not exposed to more than 32 private hosts for Google Compute Firewall | GCP | Infrastructure Security | LOW |
AC_GCP_0049 | Ensure Puppet Master (TCP:8140) is not exposed to public for Google Compute Firewall | GCP | Infrastructure Security | MEDIUM |
AC_GCP_0050 | Ensure Puppet Master (TCP:8140) is not exposed to entire internet for Google Compute Firewall | GCP | Infrastructure Security | HIGH |
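The firewall rows above (AC_GCP_0042 through AC_GCP_0050) grade a single service port into three exposure tiers: reachable from more than 32 private hosts, from any public range, or from the entire internet. The following is an added example, not code from the original page or from the policy catalog's own implementation, that applies that grading to firewall rules shaped like the `google_compute_firewall` Terraform attributes (`allow`, `source_ranges`, `source_tags`, `direction`, `disabled`). The sample rules, the rule names and the `classify_exposure`/`findings` helper names are constructed for this example; the private-address definition (RFC 1918 only) and the 32-host threshold are assumptions taken from the rule titles.

```python
"""Grade a GCP firewall rule's exposure of one TCP port into the catalog's tiers.

Added example (not the policy catalog's own code). Tiers, highest first:
  "entire internet"   -> a 0.0.0.0/0 or ::/0 source range
  "public"            -> any source range outside RFC 1918 space
  "private >32 hosts" -> RFC 1918 ranges covering more than 32 addresses in total
  "ok"                -> private ranges of at most 32 addresses, or tag-scoped sources
  None                -> the rule does not allow this port (deny rule, other port,
                         egress, or disabled), so it creates no exposure
"""
import ipaddress

# Assumption: "private" means RFC 1918; CGNAT (100.64.0.0/10) and link-local are treated as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_HOST_LIMIT = 32  # threshold named in the rule titles; addresses are counted, not usable hosts


def port_allowed(allow_blocks, protocol, port):
    """True if any allow block permits `port` for `protocol` (ports may be single or 'lo-hi' ranges)."""
    for block in allow_blocks:
        proto = block.get("protocol", "").lower()
        if proto not in (protocol, "all"):
            continue
        ports = block.get("ports")
        if not ports:  # an allow block with no ports covers every port of that protocol
            return True
        for spec in ports:
            lo, _, hi = str(spec).partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def classify_exposure(rule, port, protocol="tcp"):
    """Return the exposure tier of `rule` for `port`, or None if the rule does not allow it."""
    if rule.get("direction", "INGRESS").upper() != "INGRESS" or rule.get("disabled"):
        return None
    if not port_allowed(rule.get("allow", []), protocol, port):
        return None

    sources = list(rule.get("source_ranges") or [])
    # Compute API behaviour: an ingress rule with no source ranges, tags or service
    # accounts applies to all sources, so grade it as if it listed 0.0.0.0/0.
    if not sources and not rule.get("source_tags") and not rule.get("source_service_accounts"):
        sources = ["0.0.0.0/0"]

    tier = "ok"
    private_addresses = 0
    for cidr in sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            return "entire internet"  # nothing outranks this, stop early
        if any(p.version == net.version and net.subnet_of(p) for p in PRIVATE_NETS):
            private_addresses += net.num_addresses
        else:
            tier = "public"
    if tier == "ok" and private_addresses > PRIVATE_HOST_LIMIT:
        tier = "private >32 hosts"
    return tier


def findings(rules, port, protocol="tcp"):
    """(name, tier) for every rule that exposes `port` beyond the 'ok' tier."""
    out = []
    for rule in rules:
        tier = classify_exposure(rule, port, protocol)
        if tier not in (None, "ok"):
            out.append((rule["name"], tier))
    return out


# Constructed sample rules (not real project data) covering each tier.
SAMPLE_RULES = [
    {"name": "opscenter-open", "allow": [{"protocol": "tcp", "ports": ["61621"]}], "source_ranges": ["0.0.0.0/0"]},
    {"name": "mongo-office", "allow": [{"protocol": "tcp", "ports": ["27017-27019"]}], "source_ranges": ["203.0.113.0/24"]},
    {"name": "puppet-wide-private", "allow": [{"protocol": "tcp", "ports": ["8140"]}], "source_ranges": ["10.0.0.0/24"]},
    {"name": "puppet-small-private", "allow": [{"protocol": "tcp", "ports": ["8140"]}], "source_ranges": ["10.1.0.0/27"]},
    {"name": "ssh-only", "allow": [{"protocol": "tcp", "ports": ["22"]}], "source_ranges": ["0.0.0.0/0"]},
    {"name": "deny-all", "deny": [{"protocol": "all"}], "source_ranges": ["0.0.0.0/0"]},
    {"name": "no-sources-given", "allow": [{"protocol": "all"}]},  # defaults to all sources
]

if __name__ == "__main__":
    for service_port in (61621, 27018, 8140):
        print(service_port, findings(SAMPLE_RULES, service_port))
```

Two details matter when turning the catalog rows into a real check: the port test has to handle `lo-hi` port ranges and allow blocks with no `ports` key (which cover the whole protocol), and a rule that lists no `source_ranges`, `source_tags` or `source_service_accounts` must be graded as open to all sources rather than as having no sources. A `/27` is exactly 32 addresses and therefore passes the "more than 32" test; a `/24` does not.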