GCP Cloud Misconfiguration

| Name | Id | Description |
| --- | --- | --- |
| GCP BigQuery Anonymous Or Publicly Accessible | gcp-bq-anon-or-public | Ensure that BigQuery datasets are not anonymously or publicly accessible |
| GCP GCE Default Service Account | gcp-gce-default-svcacct | Ensure that instances are not configured to use the default service account |
| GCP GCE Firewall Unrestricted RDP Access | gcp-gce-fw-public-rdp | Ensure Google compute firewall ingress does not allow unrestricted RDP access |
| GCP GCE Firewall Public SSH Access | gcp-gce-fw-public-ssh | Ensure Google compute firewall ingress does not allow unrestricted SSH access |
| GCP GCE IP Forwarding On | gcp-gce-ip-fwd-on | Ensure that IP forwarding is not enabled on Instances |
| GCP GCE Instance Public IP | gcp-gce-public-ip | Ensure that Compute instances do not have public IP addresses |
| GCP GCE Serialport On | gcp-gce-serialport-on | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
| GCP GCS Anon Or Public Access | gcp-gcs-anon-or-public | Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
| GCP GCS Access Logs Off | gcp-gcs-logs-off | Bucket should log access |
| GCP IAM Service Account Admin Role | gcp-iam-svcacct-admin-role | Ensure that Service Account has no Admin privileges |
| GCP IAM Service Account Allow Sudo | gcp-iam-svcacct-allo-sudo | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level |
| GCP K8S Basic Auth On | gcp-k8s-basic-auth-on | Ensure GKE basic auth is disabled |
| GCP K8S Legacy Instance Metadata On | gcp-k8s-legacy-instance-metadata-on | Ensure legacy Compute Engine instance metadata APIs are Disabled |
| GCP K8S Legacy RBAC On | gcp-k8s-legacy-rbac-on | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
| GCP K8S Metadata Server Off | gcp-k8s-metadata-server-off | Ensure the GKE Metadata Server is Enabled |
| GCP K8S Stackdriver Monitor Off | gcp-k8s-stackdriver-monitor-off | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
| GCP K8S Stackdriver Logs Off | gcp-k8s-strackdriver-logs-off | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
| GCP KMS Bad Key Rotation | gcp-kms-bad-key-rotation | Ensure KMS encryption keys are rotated within a period of 90 days |
| GCP Load Balancer Weak SSL Ciphers | gcp-lb-ssl-weak-ciphers | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites |
| GCP Default Service Account in Project | gcp-res-man-default-svcacct | Ensure Default Service account is not used at a project level |
| GCP Cloud SQL Backup Disabled | gcp-sql-backup-off | Ensure all Cloud SQL database instances have backup configuration enabled |
| GCP MySQL Local_Infile On | gcp-sql-mysql-local_infile-on | Ensure MySQL database 'local_infile' flag is set to 'off' |
| GCP Cloud SQL Public Access | gcp-sql-public-access | Ensure that Cloud SQL database Instances are not open to the world |
| GCP Cloud SQL Public IP | gcp-sql-public-ip | Ensure SQL databases do not have a public IP |
| GCP SQL SSL Disabled | gcp-sql-ssl-off | Ensure all Cloud SQL database instances require all incoming connections to use SSL |