Managed Security Review for Google Cloud
Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains the managed security reviews for Google Cloud provided by Flatt Security. Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.
To use managed security reviews
Once you apply Shisho Cloud workflows to your organization, security review results will appear shortly afterwards.
All managed review items
Title | Related Standards | Default Severity | ID in Shisho Cloud |
---|---|---|---|
Ensure App Engine applications enforce HTTPS connections | 4.10 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_appengine_http |
Ensure Google Cloud assets and their changes are recorded | 2.13 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_asset_management |
Ensure BigQuery dataset accessibility is restricted to a minimum level | 7.1 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_accessibility |
Ensure BigQuery tables use Customer-Managed Encryption Keys (CMEK) | 7.3 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_encryption_cmek |
Ensure BigQuery datasets have default Customer-Managed Encryption Keys (CMEK) | 7.2 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_bigquery_table_encryption_cmek |
Ensure critical Compute Engine disks use Customer-Supplied Encryption Keys (CSEK) | 4.7 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_disk_encryption_key |
Ensure IP forwarding is disabled for Compute Engine instances | 4.6 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_ip_forwarding |
Ensure that Compute Engine instances use appropriate OAuth2 scopes for Google APIs | 4.2 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oauth2_scope |
Ensure OS Login is enabled for a project | 4.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oslogin |
Ensure Compute Engine instances block project-wide SSH keys | 4.3 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_project_wide_key_management |
Ensure Compute Engine instances have only necessary public IP addresses | 4.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_public_ip |
Ensure connections to serial ports are disabled for Compute Engine instances | 4.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_serial_port |
Ensure that Compute Engine instances do not use default service accounts | 4.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_service_account |
Ensure Compute Engine instances enable Shielded VM features | 4.8 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_shielded_vm |
Ensure DNSSEC is enabled for Cloud DNS zones | 3.3 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec |
Ensure the Key-Signing Key in Cloud DNS uses a secure algorithm | 3.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_ksk_algorithm |
Ensure the Zone-Signing Key in Cloud DNS uses a secure algorithm | 3.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_zsk_algorithm |
Ensure that Google Cloud permissions are granted only to principals in trusted identity sources | 1.1 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_iam_principal_source |
Ensure that each service account has only the minimum number of keys required | 1.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key |
Ensure Google Cloud service accounts have admin privileges only when truly required | 1.5 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_admin_role |
Ensure a Cloud IAM principal can impersonate or attach only a limited set of service accounts | 1.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_impersonation_role |
Ensure Cloud Audit Logging is configured to record API operations | 2.1 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_logging_api_audit |
Ensure a Google Cloud project is monitoring audit configuration assignments/changes | 2.5 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_audit_configuration |
Ensure a Google Cloud project is monitoring custom role changes | 2.6 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_custom_role |
Ensure a Google Cloud project is monitoring firewall rule changes | 2.7 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_firewall_rule |
Ensure a Google Cloud project is monitoring network changes | 2.9 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_network |
Ensure a Google Cloud project is monitoring network route changes | 2.8 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_network_route |
Ensure a Google Cloud project is monitoring project ownership assignments/changes | 2.4 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_monitoring_project_ownership |
Ensure a Google Cloud project is monitoring Cloud SQL configuration changes | 2.11 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_sql_instance_configuration |
Ensure a Google Cloud project is monitoring Cloud Storage IAM changes | 2.10 (CIS GCP v1.3.0) | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_storage_iam |
Ensure the default network does not exist in Google Cloud projects | 3.1 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_default_network |
Ensure Cloud DNS Logging is enabled for all VPC networks | 2.12 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_dns_log |
Ensure that Cloud Load Balancing uses TLS policies with strong cipher suites | 3.9 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_proxy_tls_policy |
Ensure RDP access to Google Cloud resources is restricted from the Internet | 3.7 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_networking_rdp_access |
Ensure SSH access to Google Cloud resources is restricted from the Internet | 3.6 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_networking_ssh_access |
Ensure VPC Flow Logs feature is enabled for critical VPC networks and subnets | 3.8 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_vpc_flow_log |
Ensure Cloud SQL instances are exposed only to specific IP addresses | 6.5 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_accessibility |
Ensure Cloud SQL instances use automatic backups | 6.7 (CIS GCP v1.3.0) | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_backup |
Ensure Cloud SQL instances require TLS for all incoming connections | 6.4 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_connection |
Ensure Cloud SQL instances have public IPs only if they are needed | 6.6 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_public_ip |
Ensure Cloud Storage buckets are public only if intended | 5.1 (CIS GCP v1.3.0) | Critical | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_accessibility |
Ensure Cloud Storage buckets enable uniform bucket level access | 5.2 (CIS GCP v1.3.0) | Medium | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_uniform_bucket_level_access |
Ensure Access Approval is enabled | 2.15 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_approval |
Ensure Access Transparency is enabled | 2.14 (CIS GCP v1.3.0) | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_transparency |