Managed Security Review for CIS Google Cloud Platform Foundation Benchmark v1.3.0
Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains the managed security reviews for CIS Google Cloud Platform Foundation Benchmark v1.3.0 provided by Flatt Security. Note that Flatt Security may provide more policies than those described here, depending on your support plan.
To use managed security reviews
Once you apply the Shisho Cloud workflows to your organization, the security review results for the items listed below will appear shortly afterwards.
All managed review items
Title | Item in Standard | Default Severity | ID in Shisho Cloud |
---|---|---|---|
Ensure that Google Cloud permissions are granted only to principals in trusted identity sources | 1.1 | High | decision.api.shisho.dev/v1beta:googlecloud_iam_principal_source |
Ensure that each service account has only the minimum number of keys required | 1.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key |
Ensure Google Cloud service accounts have admin privileges only when truly required | 1.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_admin_role |
Ensure a Cloud IAM principal can impersonate or attach only a limited set of service accounts | 1.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_impersonation_role |
Ensure Cloud Audit Logging is configured to record API operations | 2.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_logging_api_audit |
Ensure a Google Cloud project is monitoring project ownership assignments/changes | 2.4 | Info | decision.api.shisho.dev/v1beta:googlecloud_monitoring_project_ownership |
Ensure a Google Cloud project is monitoring audit configuration assignments/changes | 2.5 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_audit_configuration |
Ensure a Google Cloud project is monitoring custom role changes | 2.6 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_custom_role |
Ensure a Google Cloud project is monitoring firewall rule changes | 2.7 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_firewall_rule |
Ensure a Google Cloud project is monitoring network route changes | 2.8 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_network_route |
Ensure a Google Cloud project is monitoring network changes | 2.9 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_network |
Ensure a Google Cloud project is monitoring Cloud Storage IAM changes | 2.10 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_storage_iam |
Ensure a Google Cloud project is monitoring Cloud SQL configuration changes | 2.11 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_sql_instance_configuration |
Ensure Cloud DNS Logging is enabled for all VPC networks | 2.12 | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_dns_log |
Ensure Google Cloud assets and their changes are recorded | 2.13 | Info | decision.api.shisho.dev/v1beta:googlecloud_asset_management |
Ensure Access Transparency is enabled | 2.14 | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_transparency |
Ensure Access Approval is enabled | 2.15 | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_approval |
Ensure the default network does not exist in Google Cloud projects | 3.1 | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_default_network |
Ensure DNSSEC is enabled for Cloud DNS zones | 3.3 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec |
Ensure the Key-Signing Key in Cloud DNS uses a secure algorithm | 3.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_ksk_algorithm |
Ensure the Zone-Signing Key in Cloud DNS uses a secure algorithm | 3.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_zsk_algorithm |
Ensure SSH access to Google Cloud resources is restricted from the Internet | 3.6 | High | decision.api.shisho.dev/v1beta:googlecloud_networking_ssh_access |
Ensure RDP access to Google Cloud resources is restricted from the Internet | 3.7 | High | decision.api.shisho.dev/v1beta:googlecloud_networking_rdp_access |
Ensure VPC Flow Logs feature is enabled for critical VPC networks and subnets | 3.8 | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_vpc_flow_log |
Ensure that Cloud Load Balancing uses TLS policies with strong cipher suites | 3.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_proxy_tls_policy |
Ensure that Compute Engine instances do not use default service accounts | 4.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_service_account |
Ensure that Compute Engine instances use appropriate OAuth2 scopes for Google APIs | 4.2 | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oauth2_scope |
Ensure Compute Engine instances block project-wide SSH keys | 4.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_project_wide_key_management |
Ensure OS Login is enabled for a project | 4.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oslogin |
Ensure connections to serial ports are disabled for Compute Engine instances | 4.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_serial_port |
Ensure IP forwarding is disabled for Compute Engine instances | 4.6 | High | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_ip_forwarding |
Ensure critical Compute Engine disks use Customer-Supplied Encryption Keys (CSEK) | 4.7 | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_disk_encryption_key |
Ensure Compute Engine instances enable Shielded VM features | 4.8 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_shielded_vm |
Ensure Compute Engine instances have only necessary public IP addresses | 4.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_public_ip |
Ensure App Engine applications enforce HTTPS connections | 4.10 | Medium | decision.api.shisho.dev/v1beta:googlecloud_appengine_http |
Ensure Cloud Storage buckets are public only if intended | 5.1 | Critical | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_accessibility |
Ensure Cloud Storage buckets enable uniform bucket level access | 5.2 | Medium | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_uniform_bucket_level_access |
Ensure Cloud SQL instances require TLS for all incoming connections | 6.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_connection |
Ensure Cloud SQL instances are exposed only to specific IP addresses | 6.5 | Critical | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_accessibility |
Ensure Cloud SQL instances have public IPs only if they need them | 6.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_public_ip |
Ensure Cloud SQL instances use automatic backups | 6.7 | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_backup |
Ensure BigQuery dataset accessibility is restricted to a minimum level | 7.1 | Critical | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_accessibility |
Ensure BigQuery datasets have default Customer-Managed Encryption Keys (CMEK) | 7.2 | Info | decision.api.shisho.dev/v1beta:googlecloud_bigquery_table_encryption_cmek |
Ensure BigQuery tables use Customer-Managed Encryption Keys (CMEK) | 7.3 | Info | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_encryption_cmek |