
Managed Security Review for Google Cloud

Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains the managed security reviews for Google Cloud provided by Flatt Security. Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

To use managed security reviews

Once you apply Shisho Cloud workflows to your organization, security review results appear shortly afterwards.

All managed review items

| Title | Related Standards | Default Severity | ID in Shisho Cloud |
| --- | --- | --- | --- |
| Ensure App Engine applications enforce HTTPS connections | 4.10 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_appengine_http |
| Ensure Google Cloud assets and their changes are recorded | 2.13 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_asset_management |
| Ensure BigQuery dataset accessibility is restricted to a minimum level | 7.1 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_accessibility |
| Ensure BigQuery tables use Customer-Managed Encryption Keys (CMEK) | 7.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_encryption_cmek |
| Ensure BigQuery datasets have default Customer-Managed Encryption Keys (CMEK) | 7.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_bigquery_table_encryption_cmek |
| Ensure critical Compute Engine disks use Customer-Supplied Encryption Keys (CSEK) | 4.7 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_disk_encryption_key |
| Ensure that Confidential VM for Compute Engine instances is enabled | 4.11 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_confidential_computing |
| Ensure IP forwarding is disabled for Compute Engine instances | 4.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_ip_forwarding |
| Ensure that Compute Engine instances use appropriate OAuth2 scopes for Google APIs | 4.2 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oauth2_scope |
| Ensure OS Login is enabled for a project | 4.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oslogin |
| Ensure Compute Engine instances block project-wide SSH keys | 4.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_project_wide_key_management |
| Ensure Compute Engine instances have only necessary public IP addresses | 4.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_public_ip |
| Ensure connections to serial ports are disabled for Compute Engine instances | 4.5 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_serial_port |
| Ensure that Compute Engine instances do not use default service accounts | 4.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_service_account |
| Ensure Compute Engine instances enable Shielded VM features | 4.8 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_shielded_vm |
| Ensure API keys are restricted to usage by only specified hosts and apps | 1.13 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_restriction |
| Ensure API keys are rotated within a reasonable number of days | 1.15 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_rotation |
| Ensure scopes for Google Cloud API keys are limited | 1.13 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_scope |
| Ensure API keys do not exist in Google Cloud projects | 1.12 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_usage |
| Ensure that Dataproc clusters are encrypted using a customer-managed encryption key | 1.17 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_dataproc_encryption_key |
| Ensure DNSSEC is enabled for Cloud DNS zones | 3.3 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec |
| Ensure the Key-Signing Key in Cloud DNS uses a secure algorithm | 3.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_ksk_algorithm |
| Ensure the Zone-Signing Key in Cloud DNS uses a secure algorithm | 3.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_zsk_algorithm |
| Ensure secrets are not stored in Cloud Functions environment variables | 1.18 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_functions_environment_variables |
| Ensure that Google Cloud permissions are granted only to principals in trusted identity sources | 1.1 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_iam_principal_source |
| Ensure that separation of duties is enforced for administration and usage of service accounts | 1.8 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_admin_separation |
| Ensure that each service account has only the minimum number of keys required | 1.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key |
| Ensure user-managed/external keys for service accounts are rotated every 90 days or fewer | 1.7 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key_rotation |
| Ensure Google Cloud service accounts have admin privileges only when truly required | 1.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_admin_role |
| Ensure a Cloud IAM principal can impersonate or attach only a limited set of service accounts | 1.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_impersonation_role |
| Ensure that separation of duties is enforced for administration and usage of Cloud KMS | 1.11 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_kms_admin_separation |
| Ensure that Cloud KMS cryptokeys are exposed only to trusted principals | 1.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_kms_key_accessibility |
| Ensure Cloud KMS encryption keys are rotated within a period of 90 days | 1.10 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_kms_key_rotation |
| Ensure Cloud Audit Logging is configured to record API operations | 2.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_logging_api_audit |
| Ensure that Cloud Storage buckets for storing logs are configured using bucket lock | 2.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_logging_bucket_retention_policy |
| Ensure that at least one sink is configured for all log entries | 2.2 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logging_full_export |
| Ensure that the log metric filter and alerts exist for audit configuration changes | 2.5 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_audit_config_changes |
| Ensure that the log metric filter and alerts exist for custom role changes | 2.6 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_custom_role_changes |
| Ensure that the log metric filter and alerts exist for VPC network firewall rule changes | 2.7 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_firewall_rule_changes |
| Ensure that the log metric filter and alerts exist for VPC network route changes | 2.8 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_network_route_changes |
| Ensure that the log metric filter and alerts exist for project ownership assignments/changes | 2.4 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_project_ownership_changes |
| Ensure that the log metric filter and alerts exist for SQL instance configuration changes | 2.11 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_sql_config_changes |
| Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes | 2.10 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_storage_iam_changes |
| Ensure that the log metric filter and alerts exist for VPC network changes | 2.9 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_vpc_network_changes |
| Ensure the default network does not exist in Google Cloud projects | 3.1 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_default_network |
| Ensure Cloud DNS Logging is enabled for all VPC networks | 2.12 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_networking_dns_log |
| Ensure that VPC networks allow only traffic from Google IP addresses with Identity-Aware Proxy (IAP) | 3.10 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_fw_rule_iap |
| Ensure legacy networks do not exist for older Google Cloud projects | 3.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_networking_legacy_network |
| Ensure that Cloud Load Balancing uses TLS policies with strong cipher suites | 3.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_proxy_tls_policy |
| Ensure RDP access to Google Cloud resources is restricted from the Internet | 3.7 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_networking_rdp_access |
| Ensure SSH access to Google Cloud resources is restricted from the Internet | 3.6 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_networking_ssh_access |
| Ensure the VPC Flow Logs feature is enabled for critical VPC networks and subnets | 3.8 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_vpc_flow_log |
| Ensure Cloud SQL instances are exposed only to specific IP addresses | 6.5 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_accessibility |
| Ensure Cloud SQL instances use automatic backups | 6.7 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_backup |
| Ensure Cloud SQL instances require TLS for all incoming connections | 6.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_connection |
| Ensure that the local_infile database flag for a Cloud SQL for MySQL instance is set to off | 6.1.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_local_infile |
| Ensure that the skip_show_database database flag for a Cloud SQL for MySQL instance is set to on | 6.1.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_show_database |
| Ensure that the cloudsql.enable_pgaudit database flag for each Cloud SQL for PostgreSQL instance is set to on for centralized logging | 6.2.9 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_centralized_logging |
| Ensure that the log_connections database flag for a Cloud SQL for PostgreSQL instance is set to on | 6.2.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_connections |
| Ensure that the log_disconnections database flag for a Cloud SQL for PostgreSQL instance is set to on | 6.2.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_disconnections |
| Ensure that the log_error_verbosity database flag for a Cloud SQL for PostgreSQL instance is set to DEFAULT or stricter | 6.2.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_error_verbosity |
| Ensure that the log_hostname database flag for a Cloud SQL for PostgreSQL instance is set to on | 6.2.5 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_hostname |
| Ensure that the log_min_duration_statement database flag for a Cloud SQL for PostgreSQL instance is set to -1 | 6.2.8 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_duration_statement |
| Ensure that the log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is set to error or stricter | 6.2.7 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_error_statement |
| Ensure that the log_min_messages database flag for a Cloud SQL for PostgreSQL instance is set to at least warning | 6.2.6 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_messages |
| Ensure that the log_statement database flag for a Cloud SQL for PostgreSQL instance is set appropriately | 6.2.4 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_statement |
| Ensure Cloud SQL instances have public IPs only if they need them | 6.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_public_ip |
| Ensure that the 3625 (trace flag) database flag for all Cloud SQL for SQL Server instances is set to off | 6.3.6 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_3625_trace_flag |
| Ensure that the contained_db_authentication_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.7 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_contained_db_authentication |
| Ensure that the cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_cross_db_ownership_chaining |
| Ensure the cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.1 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_external_scripts |
| Ensure that the remote_access_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.5 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_remote_access |
| Ensure the maximum_user_connections database flag for a Cloud SQL for SQL Server instance is set to a non-limiting value | 6.3.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_connections |
| Ensure the user_options_configured database flag for a Cloud SQL for SQL Server instance is not configured | 6.3.4 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_options |
| Ensure Cloud Storage buckets are public only if intended | 5.1 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_accessibility |
| Ensure Cloud Storage buckets enable uniform bucket-level access | 5.2 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_uniform_bucket_level_access |
| Ensure Access Approval is enabled | 2.15 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_approval |
| Ensure Access Transparency is enabled | 2.14 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_transparency |