Managed Security Review for CIS Google Cloud Platform Foundation Benchmark v1.3.0

This page explains the managed security reviews for the CIS Google Cloud Platform Foundation Benchmark v1.3.0 provided by Flatt Security. Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

To use managed security reviews

Once you apply the Shisho Cloud workflows to your organization, the security review results for the items below will appear shortly afterwards.

All managed review items

| Title | Item in Standard | Default Severity | ID in Shisho Cloud |
| --- | --- | --- | --- |
| Ensure that Google Cloud permissions are granted only to principals in trusted identity sources | 1.1 | High | decision.api.shisho.dev/v1beta:googlecloud_iam_principal_source |
| Ensure that each service account has only the minimum number of keys required | 1.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key |
| Ensure Google Cloud service accounts have admin privileges only when truly required | 1.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_admin_role |
| Ensure a Cloud IAM principal can impersonate or attach only a limited set of service accounts | 1.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_impersonation_role |
| Ensure user-managed/external keys for service accounts are rotated every 90 days or fewer | 1.7 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key_rotation |
| Ensure that separation of duties is enforced for administration and usage of service accounts | 1.8 | Info | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_admin_separation |
| Ensure that Cloud KMS cryptokeys are exposed only to trusted principals | 1.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_kms_key_accessibility |
| Ensure Cloud KMS encryption keys are rotated within a period of 90 days | 1.10 | Low | decision.api.shisho.dev/v1beta:googlecloud_kms_key_rotation |
| Ensure that separation of duties is enforced for administration and usage of Cloud KMS | 1.11 | Info | decision.api.shisho.dev/v1beta:googlecloud_kms_admin_separation |
| Ensure API keys do not exist in Google Cloud projects | 1.12 | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_usage |
| Ensure scopes for Google Cloud API keys are limited | 1.13 | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_scope |
| Ensure API keys are restricted to usage by only specified hosts and apps | 1.13 | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_restriction |
| Ensure API keys are rotated within a reasonable number of days | 1.15 | Medium | decision.api.shisho.dev/v1beta:googlecloud_credential_api_keys_rotation |
| Ensure that Dataproc clusters are encrypted using a customer-managed encryption key | 1.17 | Low | decision.api.shisho.dev/v1beta:googlecloud_dataproc_encryption_key |
| Ensure secrets are not stored in Cloud Functions environment variables | 1.18 | Low | decision.api.shisho.dev/v1beta:googlecloud_functions_environment_variables |
| Ensure Cloud Audit Logging is configured to record API operations | 2.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_logging_api_audit |
| Ensure that at least one sink is configured for all log entries | 2.2 | Info | decision.api.shisho.dev/v1beta:googlecloud_logging_full_export |
| Ensure that Cloud Storage buckets for storing logs are configured using bucket lock | 2.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_logging_bucket_retention_policy |
| Ensure that the log metric filter and alerts exist for project ownership assignments/changes | 2.4 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_project_ownership_changes |
| Ensure that the log metric filter and alerts exist for audit configuration changes | 2.5 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_audit_config_changes |
| Ensure that the log metric filter and alerts exist for custom role changes | 2.6 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_custom_role_changes |
| Ensure that the log metric filter and alerts exist for VPC network firewall rule changes | 2.7 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_firewall_rule_changes |
| Ensure that the log metric filter and alerts exist for VPC network route changes | 2.8 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_network_route_changes |
| Ensure that the log metric filter and alerts exist for VPC network changes | 2.9 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_vpc_network_changes |
| Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes | 2.10 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_storage_iam_changes |
| Ensure that the log metric filter and alerts exist for SQL instance configuration changes | 2.11 | Info | decision.api.shisho.dev/v1beta:googlecloud_logmetric_sql_config_changes |
| Ensure Cloud DNS Logging is enabled for all VPC networks | 2.12 | Low | decision.api.shisho.dev/v1beta:googlecloud_networking_dns_log |
| Ensure Google Cloud assets and their changes are recorded | 2.13 | Info | decision.api.shisho.dev/v1beta:googlecloud_asset_management |
| Ensure Access Transparency is enabled | 2.14 | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_transparency |
| Ensure Access Approval is enabled | 2.15 | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_approval |
| Ensure the default network does not exist in Google Cloud projects | 3.1 | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_default_network |
| Ensure legacy networks do not exist for older Google Cloud projects | 3.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_networking_legacy_network |
| Ensure DNSSEC is enabled for Cloud DNS zones | 3.3 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec |
| Ensure the Key-Signing Key in Cloud DNS uses a secure algorithm | 3.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_ksk_algorithm |
| Ensure the Zone-Signing Key in Cloud DNS uses a secure algorithm | 3.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_zsk_algorithm |
| Ensure SSH access to Google Cloud resources is restricted from the Internet | 3.6 | High | decision.api.shisho.dev/v1beta:googlecloud_networking_ssh_access |
| Ensure RDP access to Google Cloud resources is restricted from the Internet | 3.7 | High | decision.api.shisho.dev/v1beta:googlecloud_networking_rdp_access |
| Ensure the VPC Flow Logs feature is enabled for critical VPC networks and subnets | 3.8 | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_vpc_flow_log |
| Ensure that Cloud Load Balancing uses TLS policies with strong cipher suites | 3.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_proxy_tls_policy |
| Ensure that VPC networks allow only traffic from Google IP addresses with Identity-Aware Proxy (IAP) | 3.10 | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_fw_rule_iap |
| Ensure that Compute Engine instances do not use default service accounts | 4.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_service_account |
| Ensure that Compute Engine instances use appropriate OAuth2 scopes for Google APIs | 4.2 | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oauth2_scope |
| Ensure Compute Engine instances block project-wide SSH keys | 4.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_project_wide_key_management |
| Ensure OS Login is enabled for a project | 4.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oslogin |
| Ensure connections to serial ports are disabled for Compute Engine instances | 4.5 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_serial_port |
| Ensure IP forwarding is disabled for Compute Engine instances | 4.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_ip_forwarding |
| Ensure critical Compute Engine disks use Customer-Supplied Encryption Keys (CSEK) | 4.7 | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_disk_encryption_key |
| Ensure Compute Engine instances enable Shielded VM features | 4.8 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_shielded_vm |
| Ensure Compute Engine instances have only necessary public IP addresses | 4.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_public_ip |
| Ensure App Engine applications enforce HTTPS connections | 4.10 | Medium | decision.api.shisho.dev/v1beta:googlecloud_appengine_http |
| Ensure that Confidential VM is enabled for Compute Engine instances | 4.11 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_confidential_computing |
| Ensure Cloud Storage buckets are public only if intended | 5.1 | Critical | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_accessibility |
| Ensure Cloud Storage buckets enable uniform bucket-level access | 5.2 | Medium | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_uniform_bucket_level_access |
| Ensure that the skip_show_database database flag for a Cloud SQL for MySQL instance is set to on | 6.1.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_show_database |
| Ensure that the local_infile database flag for a Cloud SQL for MySQL instance is set to off | 6.1.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_mysql_local_infile |
| Ensure the log_error_verbosity database flag for a Cloud SQL for PostgreSQL instance is set to DEFAULT or stricter | 6.2.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_error_verbosity |
| Ensure that the log_connections database flag for a Cloud SQL for PostgreSQL instance is set to on | 6.2.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_connections |
| Ensure that the log_disconnections database flag for a Cloud SQL for PostgreSQL instance is set to on | 6.2.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_disconnections |
| Ensure that the log_statement database flag for a Cloud SQL for PostgreSQL instance is set appropriately | 6.2.4 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_statement |
| Ensure that the log_hostname database flag for a Cloud SQL for PostgreSQL instance is set to on | 6.2.5 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_hostname |
| Ensure that the log_min_messages database flag for a Cloud SQL for PostgreSQL instance is set to at least warning | 6.2.6 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_messages |
| Ensure that the log_min_error_statement database flag for a Cloud SQL for PostgreSQL instance is set to error or stricter | 6.2.7 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_error_statement |
| Ensure that the log_min_duration_statement database flag for a Cloud SQL for PostgreSQL instance is set to -1 | 6.2.8 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_log_min_duration_statement |
| Ensure that the cloudsql.enable_pgaudit database flag for each Cloud SQL for PostgreSQL instance is set to on for centralized logging | 6.2.9 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_postgresql_centralized_logging |
| Ensure the cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.1 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_external_scripts |
| Ensure that the cross_db_ownership_chaining_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_cross_db_ownership_chaining |
| Ensure the maximum_user_connections database flag for a Cloud SQL for SQL Server instance is set to a non-limiting value | 6.3.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_connections |
| Ensure the user_options_configured database flag for a Cloud SQL for SQL Server instance is not configured | 6.3.4 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_user_options |
| Ensure that the remote_access_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.5 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_remote_access |
| Ensure that the 3625 (trace flag) database flag for all Cloud SQL for SQL Server instances is set to off | 6.3.6 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_3625_trace_flag |
| Ensure that the contained_db_authentication_state database flag for a Cloud SQL for SQL Server instance is set to off | 6.3.7 | Low | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_sqlserver_contained_db_authentication |
| Ensure Cloud SQL instances require TLS for all incoming connections | 6.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_connection |
| Ensure Cloud SQL instances are exposed only to specific IP addresses | 6.5 | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_accessibility |
| Ensure Cloud SQL instances have public IPs only if they are needed | 6.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_public_ip |
| Ensure Cloud SQL instances use automatic backups | 6.7 | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_backup |
| Ensure BigQuery dataset accessibility is restricted to a minimum level | 7.1 | Critical | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_accessibility |
| Ensure BigQuery datasets have default Customer-Managed Encryption Keys (CMEK) | 7.2 | Low | decision.api.shisho.dev/v1beta:googlecloud_bigquery_table_encryption_cmek |
| Ensure BigQuery tables use Customer-Managed Encryption Keys (CMEK) | 7.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_encryption_cmek |