
Managed Security Review for CIS Google Cloud Platform Foundation Benchmark v1.3.0

Info: The English user guide is currently in beta preview. Most of its documents have been machine-translated from the Japanese version. If you find any inaccuracies, please contact Flatt Security.

This page describes the managed security review for the CIS Google Cloud Platform Foundation Benchmark v1.3.0 provided by Flatt Security. Depending on your support plan, Flatt Security may provide more policies than the ones listed here.

To use managed security reviews

Once you apply the Shisho Cloud workflows to your organization, the results for the review items listed below become available shortly afterwards.

All managed review items

| Title | CIS item | Default severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure that Google Cloud permissions are granted only to principals in trusted identity sources | 1.1 | High | decision.api.shisho.dev/v1beta:googlecloud_iam_principal_source |
| Ensure that each service account has only the minimum number of keys required | 1.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_key |
| Ensure Google Cloud service accounts have admin privileges only when truly required | 1.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_admin_role |
| Ensure a Cloud IAM principal can impersonate or attach only a limited set of service accounts | 1.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_iam_service_account_project_impersonation_role |
| Ensure Cloud Audit Logging is configured to record API operations | 2.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_logging_api_audit |
| Ensure a Google Cloud project is monitoring project ownership assignments/changes | 2.4 | Info | decision.api.shisho.dev/v1beta:googlecloud_monitoring_project_ownership |
| Ensure a Google Cloud project is monitoring audit configuration assignments/changes | 2.5 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_audit_configuration |
| Ensure a Google Cloud project is monitoring custom role changes | 2.6 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_custom_role |
| Ensure a Google Cloud project is monitoring firewall rule changes | 2.7 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_firewall_rule |
| Ensure a Google Cloud project is monitoring network route changes | 2.8 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_network_route |
| Ensure a Google Cloud project is monitoring network changes | 2.9 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_network |
| Ensure a Google Cloud project is monitoring Cloud Storage IAM changes | 2.10 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_storage_iam |
| Ensure a Google Cloud project is monitoring Cloud SQL configuration changes | 2.11 | Low | decision.api.shisho.dev/v1beta:googlecloud_monitoring_sql_instance_configuration |
| Ensure Cloud DNS logging is enabled for all VPC networks | 2.12 | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_dns_log |
| Ensure Google Cloud assets and their changes are recorded | 2.13 | Info | decision.api.shisho.dev/v1beta:googlecloud_asset_management |
| Ensure Access Transparency is enabled | 2.14 | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_transparency |
| Ensure Access Approval is enabled | 2.15 | Info | decision.api.shisho.dev/v1beta:googlecloud_support_access_approval |
| Ensure the default network does not exist in Google Cloud projects | 3.1 | Info | decision.api.shisho.dev/v1beta:googlecloud_networking_default_network |
| Ensure DNSSEC is enabled for Cloud DNS zones | 3.3 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec |
| Ensure the key-signing key in Cloud DNS uses a secure algorithm | 3.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_ksk_algorithm |
| Ensure the zone-signing key in Cloud DNS uses a secure algorithm | 3.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_dns_dnssec_zsk_algorithm |
| Ensure SSH access to Google Cloud resources is not open to the Internet | 3.6 | High | decision.api.shisho.dev/v1beta:googlecloud_networking_ssh_access |
| Ensure RDP access to Google Cloud resources is not open to the Internet | 3.7 | High | decision.api.shisho.dev/v1beta:googlecloud_networking_rdp_access |
| Ensure VPC Flow Logs are enabled for critical VPC networks and subnets | 3.8 | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_vpc_flow_log |
| Ensure that Cloud Load Balancing uses TLS policies with strong cipher suites | 3.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_networking_proxy_tls_policy |
| Ensure that Compute Engine instances do not use default service accounts | 4.1 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_service_account |
| Ensure that Compute Engine instances use appropriate OAuth2 scopes for Google APIs | 4.2 | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oauth2_scope |
| Ensure Compute Engine instances block project-wide SSH keys | 4.3 | Low | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_project_wide_key_management |
| Ensure OS Login is enabled for a project | 4.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_oslogin |
| Ensure connections to serial ports are disabled for Compute Engine instances | 4.5 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_serial_port |
| Ensure IP forwarding is disabled for Compute Engine instances | 4.6 | High | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_ip_forwarding |
| Ensure critical Compute Engine disks use Customer-Supplied Encryption Keys (CSEK) | 4.7 | Info | decision.api.shisho.dev/v1beta:googlecloud_compute_disk_encryption_key |
| Ensure Compute Engine instances enable Shielded VM features | 4.8 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_shielded_vm |
| Ensure Compute Engine instances have only the public IP addresses they need | 4.9 | Medium | decision.api.shisho.dev/v1beta:googlecloud_compute_instance_public_ip |
| Ensure App Engine applications enforce HTTPS connections | 4.10 | Medium | decision.api.shisho.dev/v1beta:googlecloud_appengine_http |
| Ensure Cloud Storage buckets are public only if intended | 5.1 | Critical | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_accessibility |
| Ensure Cloud Storage buckets enable uniform bucket-level access | 5.2 | Medium | decision.api.shisho.dev/v1beta:googlecloud_storage_bucket_uniform_bucket_level_access |
| Ensure Cloud SQL instances require TLS for all incoming connections | 6.4 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_connection |
| Ensure Cloud SQL instances are exposed only to specific IP addresses | 6.5 | Critical | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_accessibility |
| Ensure Cloud SQL instances have public IPs only when they need them | 6.6 | Medium | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_public_ip |
| Ensure Cloud SQL instances use automatic backups | 6.7 | High | decision.api.shisho.dev/v1beta:googlecloud_sql_instance_backup |
| Ensure BigQuery dataset accessibility is restricted to a minimum level | 7.1 | Critical | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_accessibility |
| Ensure BigQuery tables use Customer-Managed Encryption Keys (CMEK) | 7.2 | Info | decision.api.shisho.dev/v1beta:googlecloud_bigquery_table_encryption_cmek |
| Ensure BigQuery datasets have a default Customer-Managed Encryption Key (CMEK) | 7.3 | Info | decision.api.shisho.dev/v1beta:googlecloud_bigquery_dataset_encryption_cmek |
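To make concrete what a review item such as 3.6/3.7 (SSH/RDP open to the Internet) actually evaluates, here is an added, stand-alone example of the same decision logic written in Python. It is not Shisho Cloud's own policy code and is not how the managed review is implemented; it assumes VPC firewall rules in the JSON shape returned by the Compute Engine `compute.firewalls.list` API (`direction`, `sourceRanges`, `allowed[].IPProtocol`, `allowed[].ports`, `disabled`), and the sample rules at the bottom are constructed for the example, not real project data.

```python
"""Re-implementation of the check behind CIS GCP 3.6 (SSH) and 3.7 (RDP):
flag enabled INGRESS firewall rules that allow TCP/22 or TCP/3389 from
0.0.0.0/0 or ::/0. Added example; not Shisho Cloud's policy code."""

from typing import Iterable

# Source ranges that mean "anyone on the Internet".
WORLD_RANGES = {"0.0.0.0/0", "::/0"}

# Ports the two benchmark items care about, with the finding label to emit.
CHECKED_PORTS = {22: "SSH (CIS 3.6)", 3389: "RDP (CIS 3.7)"}


def _ports_include(port_spec: str, port: int) -> bool:
    """True if a Compute Engine port spec ("22" or "20-30") covers `port`."""
    if "-" in port_spec:
        lo, hi = (int(p) for p in port_spec.split("-", 1))
        return lo <= port <= hi
    return int(port_spec) == port


def rule_exposes_port(rule: dict, port: int) -> bool:
    """Does this rule allow `port` over TCP from the whole Internet?

    Disabled rules and EGRESS rules never match; a rule with source tags or
    service accounts but no sourceRanges also never matches, because only
    sourceRanges can contain a world-wide CIDR."""
    if rule.get("disabled", False):
        return False
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if not WORLD_RANGES & set(rule.get("sourceRanges", [])):
        return False
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = allowed.get("ports")
        # A missing or empty port list means every port of that protocol.
        if not ports or any(_ports_include(p, port) for p in ports):
            return True
    return False


def find_violations(rules: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule name, finding label) pairs for every 3.6/3.7 violation."""
    findings = []
    for rule in rules:
        for port, label in CHECKED_PORTS.items():
            if rule_exposes_port(rule, port):
                findings.append((rule["name"], label))
    return findings


# Constructed sample rules for this example, not real project data.
SAMPLE_RULES = [
    {"name": "allow-ssh-world", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # A port range that happens to contain 3389 is still a violation.
    {"name": "allow-rdp-range", "direction": "INGRESS",
     "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    # TCP with no port list means all TCP ports, so both items fire.
    {"name": "allow-tcp-any-port", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp"}]},
    # Restricted source range: compliant.
    {"name": "allow-all-from-office", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "all"}]},
    # Disabled rule: not enforced, so not flagged.
    {"name": "allow-ssh-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # Egress rules are out of scope for these items.
    {"name": "egress-any", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, label in find_violations(SAMPLE_RULES):
        print(f"{name}: {label} reachable from the Internet")
```

The disabled-rule, port-range and "no port list" cases are the ones that a naive string match on `"22"` gets wrong; a real review also has to consider rule priority and deny rules that shadow an allow, which this example deliberately leaves out.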