Managed Security Review for CIS Google Cloud Platform Foundation Benchmark v1.3.0
This page explains managed security reviews on CIS Google Cloud Platform Foundation Benchmark v1.3.0 provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
To use managed security reviews
By applying Shisho Cloud workflows to your organization, you'll see security review results soon:
All managed review items
| Title | Item in Standard | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure that Google Cloud permissions are granted only to principals in trusted identity sources | 1.1 | High | decision.api.shisho.dev/v1beta:googlecloud_iam_principal_source |
| Ensure that each service account has only the minimum number of keys required | 1.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key |
| Ensure Google Cloud service accounts have admin privileges only when truly required | 1.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_admin_role |
| Ensure a Cloud IAM principal can impersonate or attach only a limited set of service accounts | 1.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_impersonation_role |
| Ensure user-managed/external keys for service accounts are rotated every 90 days or fewer | 1.7 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key_rotation |
| Ensure that separation of duties is enforced for administration and usage of service accounts | 1.8 | Info | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_admin_separation |
| Ensure that Cloud KMS cryptokeys are exposed only to trusted principals | 1.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_kms_key_accessibility |
| Ensure Cloud KMS encryption keys are rotated within a period of 90 days | 1.10 | Low | decision.api.shisho.dev/v1beta:googlecloud_kms_key_rotation |
| Ensure that separation of duties is enforced for administration and usage of Cloud KMS | 1.11 | Info | decision.api.shisho.dev/v1beta:googlecloud_kms_admin_separation |
| Ensure API keys do not exist in Google Cloud projects | 1.12 | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_usage |
| Ensure API Keys are restricted to usage by only specified hosts and apps | 1.13 | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_restriction |
| Ensure scopes for Google Cloud API keys are limited | 1.13 | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_scope |
| Ensure API keys are rotated within reasonable days | 1.15 | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_rotation |
| Ensure that Dataproc cluster is encrypted using customer-managed encryption key | 1.17 | Low | decision.api.shisho.dev/v1beta:googlecloud_dataproc_encryption_key |
| Ensure secrets are not stored in Cloud Functions environment variables | 1.18 | Low | decision.api.shisho.dev/v1beta:googlecloud_functions_environment_variables |
| Ensure Cloud Audit Logging is configured to record API operations | 2.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_logging_api_audit |
| Ensure that at least one sink is configured for all log entries | 2.2 | Info | decision.api.shisho.dev/v1beta:googlecloud_logging_full_export |
| Ensure that Cloud Storage buckets for storing logs are configured using bucket lock | 2.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_logging_bucket_retention_policy |
| Ensure that the log metric filter and alerts exist for project ownership assignments/changes | 2.4 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_project_ownership_changes |
| Ensure that the log metric filter and alerts exist for audit configuration changes | 2.5 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_audit_config_changes |
| Ensure that the log metric filter and alerts exist for custom role changes | 2.6 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_custom_role_changes |
| Ensure that the log metric filter and alerts exist for VPC network firewall rule changes | 2.7 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_firewall_rule_changes |
| Ensure that the log metric filter and alerts exist for VPC network route changes | 2.8 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_network_route_changes |
| Ensure that the log metric filter and alerts exist for VPC network changes | 2.9 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_vpc_network_changes |
| Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes | 2.10 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_storage_iam_changes |
| Ensure that the log metric filter and alerts exist for SQL instance configuration changes | 2.11 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_sql_config_changes |
| Ensure Cloud DNS Logging is enabled for all VPC networks | 2.12 | Low | decision.api.shisho.dev/v1beta:googlecloud_networking_dns_log |
| Ensure Google Cloud assets and their changes are recorded | 2.13 | Info | decision.api.shisho.dev/v1beta:googlecloud_asset_management |
| Ensure Access Transparency is enabled | 2.14 | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_transparency |
| Ensure Access Approval is enabled | 2.15 | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_approval |
| Ensure the default network does not exist in Google Cloud projects | 3.1 | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_default_network |
| Ensure legacy networks do not exist for older Google Cloud projects | 3.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_networking_legacy_network |
| Ensure DNSSEC is enabled for Cloud DNS zones | 3.3 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec |
| Ensure the Key-Signing Key in Cloud DNS uses a secure algorithm | 3.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_ksk_algorithm |
| Ensure the Zone-Signing Key in Cloud DNS uses a secure algorithm | 3.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_zsk_algorithm |
| Ensure SSH access to Google Cloud resources is restricted from the Internet | 3.6 | High | decision.api.shisho.dev/v1beta:googlecloud_networking_ssh_access |
| Ensure RDP access to Google Cloud resources is restricted from the Internet | 3.7 | High | decision.api.shisho.dev/v1beta:googlecloud_networking_rdp_access |
| Ensure VPC Flow Logs feature is enabled for critical VPC networks and subnets | 3.8 | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_vpc_flow_log |
| Ensure that Cloud Load Balancing uses TLS policies with strong cipher suites | 3.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_proxy_tls_policy |
| Ensure that VPC networks allow only traffic from Google IP addresses with Identity Aware Proxy (IAP) | 3.10 | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_fw_rule_iap |
| Ensure that Compute Engine instances do not use default service accounts | 4.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_service_account |
| Ensure that Compute Engine instances use appropriate OAuth2 scopes for Google APIs | 4.2 | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oauth2_scope |
| Ensure Compute Engine instances block project-wide SSH keys | 4.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_project_wide_key_management |
| Ensure OS Login is enabled for a project | 4.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oslogin |
| Ensure connections to serial ports are disabled for Compute Engine instances | 4.5 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_serial_port |
| Ensure IP forwarding is disabled for Compute Engine instances | 4.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_ip_forwarding |
| Ensure critical Compute Engine disks use Customer-Supplied Encryption Keys (CSEK) | 4.7 | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_disk_encryption_key |
| Ensure Compute Engine instances enable Shielded VM features | 4.8 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_shielded_vm |
| Ensure Compute Engine instances have only necessary public IP addresses | 4.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_public_ip |
| Ensure App Engine applications enforce HTTPS connections | 4.10 | Medium | decision.api.shisho.dev/v1beta:googlecloud_appengine_http |
| Ensure that Confidential VM for Compute Engine instances is enabled | 4.11 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_confidential_computing |
| Ensure Cloud Storage buckets are public only if intended | 5.1 | Critical | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_accessibility |
| Ensure Cloud Storage buckets enable uniform bucket level access | 5.2 | Medium | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_uniform_bucket_level_access |
| Ensure that the skip_show_database database flag for Cloud SQL for MySQL instance is set to on | 6.1.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_show_database |
| Ensure that the local_infile database flag for a Cloud SQL for MySQL instance is set to off | 6.1.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_local_infile |
| Ensure log_error_verbosity database flag for Cloud SQL for PostgreSQL instance is set to DEFAULT or stricter | 6.2.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_error_verbosity |
| Ensure that the log_connections database flag for Cloud SQL for PostgreSQL instance is set to On | 6.2.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_connections |
| Ensure that the log_disconnections database flag for Cloud SQL for PostgreSQL instance is set to On | 6.2.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_disconnections |
| Ensure that the log_statement database flag for Cloud SQL for PostgreSQL instance is set appropriately | 6.2.4 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_statement |
| Ensure that the log_hostname database flag for Cloud SQL for PostgreSQL instance is set to on | 6.2.5 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_hostname |
| Ensure that the log_min_messages database flag for Cloud SQL for PostgreSQL instance is set to at least warning | 6.2.6 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_messages |
| Ensure that the log_min_error_statement database flag for Cloud SQL for PostgreSQL instance is set to error or stricter | 6.2.7 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_error_statement |
| Ensure that the log_min_duration_statement database flag for Cloud SQL for PostgreSQL instance is set to -1 | 6.2.8 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_duration_statement |
| Ensure that cloudsql.enable_pgaudit database flag for each Cloud SQL for PostgreSQL instance is set to on for centralized logging | 6.2.9 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_centralized_logging |
| Ensure cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.1 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_external_scripts |
| Ensure that the cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_cross_db_ownership_chaining |
| Ensure maximum_user_connections database flag for a Cloud SQL for SQL Server instance is set to a non-limiting value | 6.3.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_connections |
| Ensure user_options_configured database flag for a Cloud SQL for SQL Server instance is not configured | 6.3.4 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_options |
| Ensure that the remote_access_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.5 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_remote_access |
| Ensure that the 3625 (trace flag) database flag for all Cloud SQL for SQL Server instances is set to off | 6.3.6 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_3625_trace_flag |
| Ensure that the contained_db_authentication_state database flag a Cloud SQL for SQL Server instance is set to off | 6.3.7 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_contained_db_authentication |
| Ensure Cloud SQL instances require TLS for all incoming connections | 6.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_connection |
| Ensure Cloud SQL instances are exposed only to specific IP addresses | 6.5 | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_accessibility |
| Ensure Cloud SQL instances have public IPs only if they need | 6.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_public_ip |
| Ensure Cloud SQL instances use automatic backups | 6.7 | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_backup |
| Ensure BigQuery dataset accessibility is restricted to a minimum level | 7.1 | Critical | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_accessibility |
| Ensure BigQuery datasets have default Customer-Managed Encryption Keys (CMEK) | 7.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_bigquery_table_encryption_cmek |
| Ensure BigQuery tables use Customer-Managed Encryption Keys (CMEK) | 7.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_encryption_cmek |