GCP BigQuery Anonymous Or Publicly Accessible | gcp-bq-anon-or-public | Ensure that BigQuery datasets are not anonymously or publicly accessible
GCP GCE Default Service Account | gcp-gce-default-svcacct | Ensure that instances are not configured to use the default service account
GCP GCE Firewall Unrestricted RDP Access | gcp-gce-fw-public-rdp | Ensure Google compute firewall ingress does not allow unrestricted RDP access
GCP GCE Firewall Public SSH Access | gcp-gce-fw-public-ssh | Ensure Google compute firewall ingress does not allow unrestricted SSH access
GCP GCE IP Forwarding On | gcp-gce-ip-fwd-on | Ensure that IP forwarding is not enabled on instances
GCP GCE Instance Public IP | gcp-gce-public-ip | Ensure that Compute instances do not have public IP addresses
GCP GCE Serialport On | gcp-gce-serialport-on | Ensure 'Enable connecting to serial ports' is not enabled for VM instances
GCP GCS Anon Or Public Access | gcp-gcs-anon-or-public | Ensure that Cloud Storage buckets are not anonymously or publicly accessible
GCP GCS Access Logs Off | gcp-gcs-logs-off | Bucket should log access
GCP IAM Service Account Admin Role | gcp-iam-svcacct-admin-role | Ensure that Service Accounts have no Admin privileges
GCP IAM Service Account Allow Sudo | gcp-iam-svcacct-allo-sudo | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
GCP K8S Basic Auth On | gcp-k8s-basic-auth-on | Ensure GKE basic auth is disabled
GCP K8S Legacy Instance Metadata On | gcp-k8s-legacy-instance-metadata-on | Ensure legacy Compute Engine instance metadata APIs are disabled
GCP K8S Legacy RBAC On | gcp-k8s-legacy-rbac-on | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
GCP K8S Metadata Server Off | gcp-k8s-metadata-server-off | Ensure the GKE Metadata Server is enabled
GCP K8S Stackdriver Monitor Off | gcp-k8s-stackdriver-monitor-off | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
GCP K8S Strackdriver Logs Off | gcp-k8s-strackdriver-logs-off | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
GCP KMS Bad Key Rotation | gcp-kms-bad-key-rotation | Ensure KMS encryption keys are rotated within a period of 90 days
GCP Load Balancer Weak SSL Ciphers | gcp-lb-ssl-weak-ciphers | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
GCP Default Service Account in Project | gcp-res-man-default-svcacct | Ensure the default service account is not used at a project level
GCP Cloud SQL Backup Disabled | gcp-sql-backup-off | Ensure all Cloud SQL database instances have backup configuration enabled
GCP MySQL Local_Infile On | gcp-sql-mysql-local_infile-on | Ensure MySQL database 'local_infile' flag is set to 'off'
GCP Cloud SQL Public Access | gcp-sql-public-access | Ensure that Cloud SQL database instances are not open to the world
GCP Cloud SQL Public IP | gcp-sql-public-ip | Ensure SQL databases do not have a public IP
GCP SQL SSL Disabled | gcp-sql-ssl-off | Ensure all Cloud SQL database instances require all incoming connections to use SSL