# Managed Security Review for Google Cloud

This page describes the _managed_ security reviews for Google Cloud provided by Flatt Security.
Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

## To use managed security reviews

Apply the following Shisho Cloud workflows to your organization, and the security review results will appear shortly afterwards:

- [Workflows for CIS Google Cloud Platform Foundation Benchmark v1.3.0](https://github.com/flatt-security/shisho-cloud-managed-workflows/tree/main/workflows/cis-benchmark/googlecloud-v1.3.0)
- [More Workflows for Google Cloud by Flatt Security](https://github.com/flatt-security/shisho-cloud-managed-workflows/tree/main/workflows/flatt/googlecloud)

## All managed review items

| Title                                                                                                                             | Related Standards      | Default Severity | ID in Shisho Cloud                                                                              |
| --------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | ---------------- | ----------------------------------------------------------------------------------------------- |
| Ensure App Engine applications enforce HTTPS connections                                                                          | 4.10 (CIS GCP v1.3.0)  | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_appengine_http`                                     |
| Ensure Google Cloud assets and their changes are recorded                                                                         | 2.13 (CIS GCP v1.3.0)  | Info             | `decision.api.shisho.dev/v1beta:googlecloud_asset_management`                                   |
| Ensure BigQuery dataset accessibility is restricted to a minimum level                                                            | 7.1 (CIS GCP v1.3.0)   | Critical         | `decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_accessibility`                     |
| Ensure BigQuery tables use Customer-Managed Encryption Keys (CMEK)                                                                | 7.3 (CIS GCP v1.3.0)   | Low              | `decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_encryption_cmek`                   |
| Ensure BigQuery datasets have default Customer-Managed Encryption Keys (CMEK)                                                     | 7.2 (CIS GCP v1.3.0)   | Low              | `decision.api.shisho.dev/v1beta:googlecloud_bigquery_table_encryption_cmek`                     |
| Ensure critical Compute Engine disks use Customer-Supplied Encryption Keys (CSEK)                                                 | 4.7 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_compute_disk_encryption_key`                        |
| Ensure that Confidential VM for Compute Engine instances is enabled                                                               | 4.11 (CIS GCP v1.3.0)  | Low              | `decision.api.shisho.dev/v1beta:googlecloud_compute_instance_confidential_computing`            |
| Ensure IP forwarding is disabled for Compute Engine instances                                                                     | 4.6 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_compute_instance_ip_forwarding`                     |
| Ensure that Compute Engine instances use appropriate OAuth2 scopes for Google APIs                                                | 4.2 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oauth2_scope`                      |
| Ensure OS Login is enabled for a project                                                                                          | 4.4 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oslogin`                           |
| Ensure Compute Engine instances block project-wide SSH keys                                                                       | 4.3 (CIS GCP v1.3.0)   | Low              | `decision.api.shisho.dev/v1beta:googlecloud_compute_instance_project_wide_key_management`       |
| Ensure Compute Engine instances have only necessary public IP addresses                                                           | 4.9 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_compute_instance_public_ip`                         |
| Ensure connections to serial ports are disabled for Compute Engine instances                                                      | 4.5 (CIS GCP v1.3.0)   | Low              | `decision.api.shisho.dev/v1beta:googlecloud_compute_instance_serial_port`                       |
| Ensure that Compute Engine instances do not use default service accounts                                                          | 4.1 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_compute_instance_service_account`                   |
| Ensure Compute Engine instances enable Shielded VM features                                                                       | 4.8 (CIS GCP v1.3.0)   | Low              | `decision.api.shisho.dev/v1beta:googlecloud_compute_instance_shielded_vm`                       |
| Ensure API Keys are restricted to usage by only specified hosts and apps                                                          | 1.13 (CIS GCP v1.3.0)  | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_restriction`                    |
| Ensure API keys are rotated within a reasonable number of days                                                                    | 1.15 (CIS GCP v1.3.0)  | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_rotation`                       |
| Ensure scopes for Google Cloud API keys are limited                                                                               | 1.13 (CIS GCP v1.3.0)  | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_scope`                          |
| Ensure API keys do not exist in Google Cloud projects                                                                             | 1.12 (CIS GCP v1.3.0)  | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_usage`                          |
| Ensure that Dataproc cluster is encrypted using customer-managed encryption key                                                   | 1.17 (CIS GCP v1.3.0)  | Low              | `decision.api.shisho.dev/v1beta:googlecloud_dataproc_encryption_key`                            |
| Ensure DNSSEC is enabled for Cloud DNS zones                                                                                      | 3.3 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec`                                         |
| Ensure the Key-Signing Key in Cloud DNS uses a secure algorithm                                                                   | 3.4 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_ksk_algorithm`                           |
| Ensure the Zone-Signing Key in Cloud DNS uses a secure algorithm                                                                  | 3.5 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_zsk_algorithm`                           |
| Ensure allowing self-signup in Firebase Authentication is intentional, not an oversight                                           |                        | Low              | `decision.api.shisho.dev/v1beta:googlecloud_firebaseauth_account_creation`                      |
| Ensure Firebase Authentication self-account deletion permission is intentional and not a mistake                                  |                        | Info             | `decision.api.shisho.dev/v1beta:googlecloud_firebaseauth_account_deletion`                      |
| Ensure Firebase Authentication anonymous sign-in is intentional and not accidental                                                |                        | Info             | `decision.api.shisho.dev/v1beta:googlecloud_firebaseauth_anonymous_login`                       |
| Ensure email enumeration protection is enabled for Firebase Authentication                                                        |                        | Low              | `decision.api.shisho.dev/v1beta:googlecloud_firebaseauth_email_listing_protection`              |
| Ensure the Firebase Authentication password policy is enabled                                                                     |                        | Low              | `decision.api.shisho.dev/v1beta:googlecloud_firebaseauth_password_policy`                       |
| Ensure the minimum Firebase Authentication password length is adequate                                                            |                        | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_firebaseauth_password_strength`                     |
| Ensure Firebase Authentication user activities are logged                                                                         |                        | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_firebaseauth_user_activity_logging`                 |
| Ensure secrets are not stored in Cloud Functions environment variables                                                            | 1.18 (CIS GCP v1.3.0)  | Low              | `decision.api.shisho.dev/v1beta:googlecloud_functions_environment_variables`                    |
| Ensure that Google Cloud permissions are granted only to principals in trusted identity sources                                   | 1.1 (CIS GCP v1.3.0)   | High             | `decision.api.shisho.dev/v1beta:googlecloud_iam_principal_source`                               |
| Ensure that separation of duties is enforced for administration and usage of service accounts                                     | 1.8 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_admin_separation`               |
| Ensure that each service account has only the minimum number of keys required                                                     | 1.4 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key`                            |
| Ensure user-managed/external keys for service accounts are rotated every 90 days or fewer                                         | 1.7 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key_rotation`                   |
| Ensure Google Cloud service accounts have admin privileges only when truly required                                               | 1.5 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_admin_role`             |
| Ensure a Cloud IAM principal can impersonate or attach only a limited set of service accounts                                     | 1.6 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_impersonation_role`     |
| Ensure that separation of duties is enforced for administration and usage of Cloud KMS                                            | 1.11 (CIS GCP v1.3.0)  | Info             | `decision.api.shisho.dev/v1beta:googlecloud_kms_admin_separation`                               |
| Ensure that Cloud KMS cryptokeys are exposed only to trusted principals                                                           | 1.9 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_kms_key_accessibility`                              |
| Ensure Cloud KMS encryption keys are rotated within a period of 90 days                                                           | 1.10 (CIS GCP v1.3.0)  | Low              | `decision.api.shisho.dev/v1beta:googlecloud_kms_key_rotation`                                   |
| Ensure Cloud Audit Logging is configured to record API operations                                                                 | 2.1 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_logging_api_audit`                                  |
| Ensure that Cloud Storage buckets for storing logs are configured using bucket lock                                               | 2.3 (CIS GCP v1.3.0)   | Low              | `decision.api.shisho.dev/v1beta:googlecloud_logging_bucket_retention_policy`                    |
| Ensure that at least one sink is configured for all log entries                                                                   | 2.2 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_logging_full_export`                                |
| Ensure that the log metric filter and alerts exist for audit configuration changes                                                | 2.5 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_logmetric_audit_config_changes`                     |
| Ensure that the log metric filter and alerts exist for custom role changes                                                        | 2.6 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_logmetric_custom_role_changes`                      |
| Ensure that the log metric filter and alerts exist for VPC network firewall rule changes                                          | 2.7 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_logmetric_firewall_rule_changes`                    |
| Ensure that the log metric filter and alerts exist for VPC network route changes                                                  | 2.8 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_logmetric_network_route_changes`                    |
| Ensure that the log metric filter and alerts exist for project ownership assignments/changes                                      | 2.4 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_logmetric_project_ownership_changes`                |
| Ensure that the log metric filter and alerts exist for SQL instance configuration changes                                         | 2.11 (CIS GCP v1.3.0)  | Info             | `decision.api.shisho.dev/v1beta:googlecloud_logmetric_sql_config_changes`                       |
| Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes                                       | 2.10 (CIS GCP v1.3.0)  | Info             | `decision.api.shisho.dev/v1beta:googlecloud_logmetric_storage_iam_changes`                      |
| Ensure that the log metric filter and alerts exist for VPC network changes                                                        | 2.9 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_logmetric_vpc_network_changes`                      |
| Ensure the default network does not exist in Google Cloud projects                                                                | 3.1 (CIS GCP v1.3.0)   | Info             | `decision.api.shisho.dev/v1beta:googlecloud_networking_default_network`                         |
| Ensure Cloud DNS Logging is enabled for all VPC networks                                                                          | 2.12 (CIS GCP v1.3.0)  | Low              | `decision.api.shisho.dev/v1beta:googlecloud_networking_dns_log`                                 |
| Ensure that VPC networks allow only traffic from Google IP addresses with Identity Aware Proxy (IAP)                              | 3.10 (CIS GCP v1.3.0)  | Info             | `decision.api.shisho.dev/v1beta:googlecloud_networking_fw_rule_iap`                             |
| Ensure legacy networks do not exist for older Google Cloud projects                                                               | 3.2 (CIS GCP v1.3.0)   | Low              | `decision.api.shisho.dev/v1beta:googlecloud_networking_legacy_network`                          |
| Ensure that Cloud Load Balancing uses TLS policies with strong cipher suites                                                      | 3.9 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_networking_proxy_tls_policy`                        |
| Ensure RDP access to Google Cloud resources is restricted from the Internet                                                       | 3.7 (CIS GCP v1.3.0)   | High             | `decision.api.shisho.dev/v1beta:googlecloud_networking_rdp_access`                              |
| Ensure SSH access to Google Cloud resources is restricted from the Internet                                                       | 3.6 (CIS GCP v1.3.0)   | High             | `decision.api.shisho.dev/v1beta:googlecloud_networking_ssh_access`                              |
| Ensure VPC Flow Logs feature is enabled for critical VPC networks and subnets                                                     | 3.8 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_networking_vpc_flow_log`                            |
| Ensure Cloud SQL instances are exposed only to specific IP addresses                                                              | 6.5 (CIS GCP v1.3.0)   | High             | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_accessibility`                         |
| Ensure Cloud SQL instances use automatic backups                                                                                  | 6.7 (CIS GCP v1.3.0)   | High             | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_backup`                                |
| Ensure Cloud SQL instances require TLS for all incoming connections                                                               | 6.4 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_connection`                            |
| Ensure that the local_infile database flag for a Cloud SQL for MySQL instance is set to off                                       | 6.1.3 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_local_infile`                    |
| Ensure that the skip_show_database database flag for Cloud SQL for MySQL instance is set to on                                    | 6.1.2 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_show_database`                   |
| Ensure that cloudsql.enable_pgaudit database flag for each Cloud SQL for PostgreSQL instance is set to on for centralized logging | 6.2.9 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_centralized_logging`        |
| Ensure that the log_connections database flag for Cloud SQL for PostgreSQL instance is set to On                                  | 6.2.2 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_connections`            |
| Ensure that the log_disconnections database flag for Cloud SQL for PostgreSQL instance is set to On                               | 6.2.3 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_disconnections`         |
| Ensure log_error_verbosity database flag for Cloud SQL for PostgreSQL instance is set to DEFAULT or stricter                      | 6.2.1 (CIS GCP v1.3.0) | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_error_verbosity`        |
| Ensure that the log_hostname database flag for Cloud SQL for PostgreSQL instance is set to on                                     | 6.2.5 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_hostname`               |
| Ensure that the log_min_duration_statement database flag for Cloud SQL for PostgreSQL instance is set to -1                       | 6.2.8 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_duration_statement` |
| Ensure that the log_min_error_statement database flag for Cloud SQL for PostgreSQL instance is set to error or stricter           | 6.2.7 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_error_statement`    |
| Ensure that the log_min_messages database flag for Cloud SQL for PostgreSQL instance is set to at least warning                   | 6.2.6 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_messages`           |
| Ensure that the log_statement database flag for Cloud SQL for PostgreSQL instance is set appropriately                            | 6.2.4 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_statement`              |
| Ensure Cloud SQL instances have public IPs only if they need them                                                                 | 6.6 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_public_ip`                             |
| Ensure that the 3625 (trace flag) database flag for all Cloud SQL for SQL Server instances is set to off                          | 6.3.6 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_3625_trace_flag`             |
| Ensure that the contained_db_authentication_state database flag for a Cloud SQL for SQL Server instance is set to off             | 6.3.7 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_contained_db_authentication` |
| Ensure that the cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off             | 6.3.2 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_cross_db_ownership_chaining` |
| Ensure cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off                      | 6.3.1 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_external_scripts`            |
| Ensure that the remote_access_state database flag for a Cloud SQL for SQL Server instance is set to off                           | 6.3.5 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_remote_access`               |
| Ensure the maximum_user_connections database flag for a Cloud SQL for SQL Server instance is set to a non-limiting value          | 6.3.3 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_connections`            |
| Ensure the user_options_configured database flag for a Cloud SQL for SQL Server instance is not configured                        | 6.3.4 (CIS GCP v1.3.0) | Low              | `decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_options`                |
| Ensure Cloud Storage buckets are public only if intended                                                                          | 5.1 (CIS GCP v1.3.0)   | Critical         | `decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_accessibility`                       |
| Ensure Cloud Storage buckets enable uniform bucket level access                                                                   | 5.2 (CIS GCP v1.3.0)   | Medium           | `decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_uniform_bucket_level_access`         |
| Ensure Access Approval is enabled                                                                                                 | 2.15 (CIS GCP v1.3.0)  | Info             | `decision.api.shisho.dev/v1beta:googlecloud_support_access_approval`                            |
| Ensure Access Transparency is enabled                                                                                             | 2.14 (CIS GCP v1.3.0)  | Info             | `decision.api.shisho.dev/v1beta:googlecloud_support_access_transparency`                        |
