Managed Security Review for Google Cloud
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains managed security reviews for Google Cloud provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
To use managed security reviews
By applying Shisho Cloud workflows to your organization, you'll see security review results soon:
All managed review items
| Title | Related Standards | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure App Engine applications enforce HTTPS connections | 4.10 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_appengine_http |
| Ensure Google Cloud assets and their changes are recorded | 2.13 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_asset_management |
| Ensure BigQuery dataset accessibility is restricted to a minimum level | 7.1 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_accessibility |
| Ensure BigQuery tables use Customer-Managed Encryption Keys (CMEK) | 7.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_encryption_cmek |
| Ensure BigQuery datasets have default Customer-Managed Encryption Keys (CMEK) | 7.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_bigquery_table_encryption_cmek |
| Ensure critical Compute Engine disks use Customer-Supplied Encryption Keys (CSEK) | 4.7 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_disk_encryption_key |
| Ensure that Confidential VM for Compute Engine instances is enabled | 4.11 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_confidential_computing |
| Ensure IP forwarding is disabled for Compute Engine instances | 4.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_ip_forwarding |
| Ensure that Compute Engine instances use appropriate OAuth2 scopes for Google APIs | 4.2 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oauth2_scope |
| Ensure OS Login is enabled for a project | 4.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oslogin |
| Ensure Compute Engine instances block project-wide SSH keys | 4.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_project_wide_key_management |
| Ensure Compute Engine instances have only necessary public IP addresses | 4.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_public_ip |
| Ensure connections to serial ports are disabled for Compute Engine instances | 4.5 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_serial_port |
| Ensure that Compute Engine instances do not use default service accounts | 4.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_service_account |
| Ensure Compute Engine instances enable Shielded VM features | 4.8 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_shielded_vm |
| Ensure API Keys are restricted to usage by only specified hosts and apps | 1.13 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_restriction |
| Ensure API keys are rotated within reasonable days | 1.15 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_rotation |
| Ensure scopes for Google Cloud API keys are limited | 1.13 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_scope |
| Ensure API keys do not exist in Google Cloud projects | 1.12 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_usage |
| Ensure that Dataproc cluster is encrypted using customer-managed encryption key | 1.17 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_dataproc_encryption_key |
| Ensure DNSSEC is enabled for Cloud DNS zones | 3.3 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec |
| Ensure the Key-Signing Key in Cloud DNS uses a secure algorithm | 3.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_ksk_algorithm |
| Ensure the Zone-Signing Key in Cloud DNS uses a secure algorithm | 3.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_zsk_algorithm |
| Ensure secrets are not stored in Cloud Functions environment variables | 1.18 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_functions_environment_variables |
| Ensure that Google Cloud permissions are granted only to principals in trusted identity sources | 1.1 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_iam_principal_source |
| Ensure that separation of duties is enforced for administration and usage of service accounts | 1.8 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_admin_separation |
| Ensure that each service account has only the minimum number of keys required | 1.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key |
| Ensure user-managed/external keys for service accounts are rotated every 90 days or fewer | 1.7 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key_rotation |
| Ensure Google Cloud service accounts have admin privileges only when truly required | 1.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_admin_role |
| Ensure a Cloud IAM principal can impersonate or attach only a limited set of service accounts | 1.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_impersonation_role |
| Ensure that separation of duties is enforced for administration and usage of Cloud KMS | 1.11 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_kms_admin_separation |
| Ensure that Cloud KMS cryptokeys are exposed only to trusted principals | 1.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_kms_key_accessibility |
| Ensure Cloud KMS encryption keys are rotated within a period of 90 days | 1.10 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_kms_key_rotation |
| Ensure Cloud Audit Logging is configured to record API operations | 2.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_logging_api_audit |
| Ensure that Cloud Storage buckets for storing logs are configured using bucket lock | 2.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_logging_bucket_retention_policy |
| Ensure that at least one sink is configured for all log entries | 2.2 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logging_full_export |
| Ensure that the log metric filter and alerts exist for audit configuration changes | 2.5 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_audit_config_changes |
| Ensure that the log metric filter and alerts exist for custom role changes | 2.6 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_custom_role_changes |
| Ensure that the log metric filter and alerts exist for VPC network firewall rule changes | 2.7 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_firewall_rule_changes |
| Ensure that the log metric filter and alerts exist for VPC network route changes | 2.8 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_network_route_changes |
| Ensure that the log metric filter and alerts exist for project ownership assignments/changes | 2.4 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_project_ownership_changes |
| Ensure that the log metric filter and alerts exist for SQL instance configuration changes | 2.11 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_sql_config_changes |
| Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes | 2.10 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_storage_iam_changes |
| Ensure that the log metric filter and alerts exist for VPC network changes | 2.9 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_vpc_network_changes |
| Ensure the default network does not exist in Google Cloud projects | 3.1 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_default_network |
| Ensure Cloud DNS Logging is enabled for all VPC networks | 2.12 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_networking_dns_log |
| Ensure that VPC networks allow only traffic from Google IP addresses with Identity Aware Proxy (IAP) | 3.10 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_fw_rule_iap |
| Ensure legacy networks do not exist for older Google Cloud projects | 3.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_networking_legacy_network |
| Ensure that Cloud Load Balancing uses TLS policies with strong cipher suites | 3.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_proxy_tls_policy |
| Ensure RDP access to Google Cloud resources is restricted from the Internet | 3.7 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_networking_rdp_access |
| Ensure SSH access to Google Cloud resources is restricted from the Internet | 3.6 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_networking_ssh_access |
| Ensure VPC Flow Logs feature is enabled for critical VPC networks and subnets | 3.8 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_vpc_flow_log |
| Ensure Cloud SQL instances are exposed only to specific IP addresses | 6.5 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_accessibility |
| Ensure Cloud SQL instances use automatic backups | 6.7 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_backup |
| Ensure Cloud SQL instances require TLS for all incoming connections | 6.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_connection |
| Ensure that the local_infile database flag for a Cloud SQL for MySQL instance is set to off | 6.1.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_local_infile |
| Ensure that the skip_show_database database flag for Cloud SQL for MySQL instance is set to on | 6.1.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_show_database |
| Ensure that cloudsql.enable_pgaudit database flag for each Cloud SQL for PostgreSQL instance is set to on for centralized logging | 6.2.9 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_centralized_logging |
| Ensure that the log_connections database flag for Cloud SQL for PostgreSQL instance is set to On | 6.2.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_connections |
| Ensure that the log_disconnections database flag for Cloud SQL for PostgreSQL instance is set to On | 6.2.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_disconnections |
| Ensure log_error_verbosity database flag for Cloud SQL for PostgreSQL instance is set to DEFAULT or stricter | 6.2.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_error_verbosity |
| Ensure that the log_hostname database flag for Cloud SQL for PostgreSQL instance is set to on | 6.2.5 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_hostname |
| Ensure that the log_min_duration_statement database flag for Cloud SQL for PostgreSQL instance is set to -1 | 6.2.8 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_duration_statement |
| Ensure that the log_min_error_statement database flag for Cloud SQL for PostgreSQL instance is set to error or stricter | 6.2.7 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_error_statement |
| Ensure that the log_min_messages database flag for Cloud SQL for PostgreSQL instance is set to at least warning | 6.2.6 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_messages |
| Ensure that the log_statement database flag for Cloud SQL for PostgreSQL instance is set appropriately | 6.2.4 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_statement |
| Ensure Cloud SQL instances have public IPs only if they need | 6.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_public_ip |
| Ensure that the 3625 (trace flag) database flag for all Cloud SQL for SQL Server instances is set to off | 6.3.6 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_3625_trace_flag |
| Ensure that the contained_db_authentication_state database flag a Cloud SQL for SQL Server instance is set to off | 6.3.7 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_contained_db_authentication |
| Ensure that the cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.2 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_cross_db_ownership_chaining |
| Ensure cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.1 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_external_scripts |
| Ensure that the remote_access_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.5 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_remote_access |
| Ensure maximum_user_connections database flag for a Cloud SQL for SQL Server instance is set to a non-limiting value | 6.3.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_connections |
| Ensure user_options_configured database flag for a Cloud SQL for SQL Server instance is not configured | 6.3.4 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_options |
| Ensure Cloud Storage buckets are public only if intended | 5.1 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_accessibility |
| Ensure Cloud Storage buckets enable uniform bucket level access | 5.2 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_uniform_bucket_level_access |
| Ensure Access Approval is enabled | 2.15 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_approval |
| Ensure Access Transparency is enabled | 2.14 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_transparency |