
Managed Security Review for Google Cloud

Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains the managed security reviews for Google Cloud provided by Flatt Security. Note that Flatt Security may provide more policies than those described here, depending on your support plan.

To use managed security reviews

Once you apply the Shisho Cloud workflows to your organization, results for the review items listed below appear shortly afterwards.

All managed review items

| Title | Related Standards | Default Severity | ID in Shisho Cloud |
| --- | --- | --- | --- |
| Ensure App Engine applications enforce HTTPS connections | 4.10 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_appengine_http |
| Ensure Google Cloud assets and their changes are recorded | 2.13 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_asset_management |
| Ensure BigQuery dataset accessibility is restricted to a minimum level | 7.1 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_accessibility |
| Ensure BigQuery datasets have default Customer-Managed Encryption Keys (CMEK) | 7.3 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_encryption_cmek |
| Ensure BigQuery tables use Customer-Managed Encryption Keys (CMEK) | 7.2 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_bigquery_table_encryption_cmek |
| Ensure critical Compute Engine disks use Customer-Supplied Encryption Keys (CSEK) | 4.7 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_disk_encryption_key |
| Ensure IP forwarding is disabled for Compute Engine instances | 4.6 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_ip_forwarding |
| Ensure that Compute Engine instances use appropriate OAuth2 scopes for Google APIs | 4.2 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oauth2_scope |
| Ensure OS Login is enabled for a project | 4.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oslogin |
| Ensure Compute Engine instances block project-wide SSH keys | 4.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_project_wide_key_management |
| Ensure Compute Engine instances have only necessary public IP addresses | 4.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_public_ip |
| Ensure connections to serial ports are disabled for Compute Engine instances | 4.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_serial_port |
| Ensure that Compute Engine instances do not use default service accounts | 4.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_service_account |
| Ensure Compute Engine instances enable Shielded VM features | 4.8 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_shielded_vm |
| Ensure DNSSEC is enabled for Cloud DNS zones | 3.3 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec |
| Ensure the Key-Signing Key in Cloud DNS uses a secure algorithm | 3.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_ksk_algorithm |
| Ensure the Zone-Signing Key in Cloud DNS uses a secure algorithm | 3.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_zsk_algorithm |
| Ensure that Google Cloud permissions are granted only to principals in trusted identity sources | 1.1 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_iam_principal_source |
| Ensure that each service account has only the minimum number of keys required | 1.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key |
| Ensure Google Cloud service accounts have admin privileges only when truly required | 1.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_admin_role |
| Ensure a Cloud IAM principal can impersonate or attach only a limited set of service accounts | 1.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_impersonation_role |
| Ensure Cloud Audit Logging is configured to record API operations | 2.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_logging_api_audit |
| Ensure a Google Cloud project is monitoring audit configuration assignments/changes | 2.5 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_audit_configuration |
| Ensure a Google Cloud project is monitoring custom role changes | 2.6 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_custom_role |
| Ensure a Google Cloud project is monitoring firewall rule changes | 2.7 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_firewall_rule |
| Ensure a Google Cloud project is monitoring network changes | 2.9 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_network |
| Ensure a Google Cloud project is monitoring network route changes | 2.8 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_network_route |
| Ensure a Google Cloud project is monitoring project ownership assignments/changes | 2.4 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_monitoring_project_ownership |
| Ensure a Google Cloud project is monitoring Cloud SQL configuration changes | 2.11 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_sql_instance_configuration |
| Ensure a Google Cloud project is monitoring Cloud Storage IAM changes | 2.10 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_storage_iam |
| Ensure the default network does not exist in Google Cloud projects | 3.1 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_default_network |
| Ensure Cloud DNS Logging is enabled for all VPC networks | 2.12 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_dns_log |
| Ensure that Cloud Load Balancing uses TLS policies with strong cipher suites | 3.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_proxy_tls_policy |
| Ensure RDP access to Google Cloud resources is restricted from the Internet | 3.7 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_networking_rdp_access |
| Ensure SSH access to Google Cloud resources is restricted from the Internet | 3.6 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_networking_ssh_access |
| Ensure VPC Flow Logs feature is enabled for critical VPC networks and subnets | 3.8 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_vpc_flow_log |
| Ensure Cloud SQL instances are exposed only to specific IP addresses | 6.5 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_accessibility |
| Ensure Cloud SQL instances use automatic backups | 6.7 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_backup |
| Ensure Cloud SQL instances require TLS for all incoming connections | 6.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_connection |
| Ensure Cloud SQL instances have public IPs only when needed | 6.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_public_ip |
| Ensure Cloud Storage buckets are public only if intended | 5.1 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_accessibility |
| Ensure Cloud Storage buckets enable uniform bucket level access | 5.2 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_uniform_bucket_level_access |
| Ensure Access Approval is enabled | 2.15 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_approval |
| Ensure Access Transparency is enabled | 2.14 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_transparency |
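The Compute Engine rows above (CIS 4.1 through 4.9) all reduce to a handful of fields on the instance resource. The following evaluator is an added example, not Shisho Cloud's own implementation: it takes a dict shaped like the Compute Engine API's `instances.get` response (`canIpForward`, `metadata.items`, `serviceAccounts`, `shieldedInstanceConfig`, `networkInterfaces[].accessConfigs[]`), merges project-level metadata the way Compute Engine resolves `enable-oslogin` and `block-project-ssh-keys`, and reports which items fail. The two sample instances are constructed; the result keys reuse the suffixes from the ID column so you can map a failure back to the table.

```python
"""Local evaluator for the Compute Engine review items in the table above.

Added example, not Shisho Cloud's implementation. Input is a dict shaped like
the Compute Engine API's instances.get response; both sample instances below
are constructed for illustration.
"""

DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def _metadata(resource):
    """Flatten a metadata.items list of {key, value} into a dict of strings."""
    items = resource.get("metadata", {}).get("items", [])
    return {i["key"]: str(i.get("value", "")) for i in items}


def _truthy(value):
    """Compute Engine treats TRUE/true/1 as enabled for boolean metadata keys."""
    return value.strip().lower() in ("true", "1")


def evaluate_instance(instance, project_metadata=None):
    """Map each review-item suffix to True when the instance passes it.

    project_metadata is the project's common instance metadata as {key: value};
    instance metadata overrides it, which is how Compute Engine resolves
    enable-oslogin and block-project-ssh-keys.
    """
    md = dict(project_metadata or {})
    md.update(_metadata(instance))
    sas = instance.get("serviceAccounts", [])
    default_sas = [sa for sa in sas if sa.get("email", "").endswith(DEFAULT_SA_SUFFIX)]
    shielded = instance.get("shieldedInstanceConfig", {})
    external_ips = [
        ac.get("natIP")
        for nic in instance.get("networkInterfaces", [])
        for ac in nic.get("accessConfigs", [])
        if ac.get("natIP")
    ]
    return {
        # 4.1: the default Compute Engine service account is attached
        "compute_instance_service_account": not default_sas,
        # 4.2: the default service account carries the all-APIs scope
        "compute_instance_oauth2_scope": not any(
            CLOUD_PLATFORM_SCOPE in sa.get("scopes", []) for sa in default_sas
        ),
        # 4.3: project-wide SSH keys are not blocked on this instance
        "compute_instance_project_wide_key_management": _truthy(md.get("block-project-ssh-keys", "")),
        # 4.4: OS Login is not enabled after the project/instance metadata merge
        "compute_instance_oslogin": _truthy(md.get("enable-oslogin", "")),
        # 4.5: the interactive serial console is enabled
        "compute_instance_serial_port": not _truthy(md.get("serial-port-enable", "")),
        # 4.6: IP forwarding is enabled
        "compute_instance_ip_forwarding": not instance.get("canIpForward", False),
        # 4.8: any Shielded VM feature is switched off
        "compute_instance_shielded_vm": all(
            shielded.get(k, False)
            for k in ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")
        ),
        # 4.9: an external IP is attached; whether it is "necessary" is a human decision
        "compute_instance_public_ip": not external_ips,
    }


def failed_checks(instance, project_metadata=None):
    """Sorted list of review items the instance does not pass."""
    results = evaluate_instance(instance, project_metadata)
    return sorted(k for k, ok in results.items() if not ok)


# Constructed sample: every weak setting at once.
WEAK_INSTANCE = {
    "name": "web-1",
    "canIpForward": True,
    "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]},
    "serviceAccounts": [{
        "email": "123456789012-compute@developer.gserviceaccount.com",
        "scopes": [CLOUD_PLATFORM_SCOPE],
    }],
    "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True, "enableIntegrityMonitoring": True},
    "networkInterfaces": [{"accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}],
}

# Constructed sample: the same instance with the hardened settings.
HARDENED_INSTANCE = {
    "name": "web-2",
    "canIpForward": False,
    "metadata": {"items": [
        {"key": "enable-oslogin", "value": "TRUE"},
        {"key": "block-project-ssh-keys", "value": "TRUE"},
    ]},
    "serviceAccounts": [{
        "email": "web-sa@example-project.iam.gserviceaccount.com",
        "scopes": ["https://www.googleapis.com/auth/logging.write"],
    }],
    "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True, "enableIntegrityMonitoring": True},
    "networkInterfaces": [{"networkIP": "10.0.0.5"}],
}

if __name__ == "__main__":
    for inst in (WEAK_INSTANCE, HARDENED_INSTANCE):
        print(inst["name"], "fails:", failed_checks(inst))
```

The project-metadata merge matters for 4.4: an instance whose own metadata is silent on `enable-oslogin` still passes when the project sets it, so feed the project's common instance metadata in rather than judging the instance alone.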