The Center for Internet Security (CIS) is a nonprofit that publishes a benchmark — a set of security configuration best practices for Google Cloud Computing Platform.
To read more about CIS GCP Foundations Benchmark, please visit CIS Google Cloud Computing Platform home page .
CIS GCP v1.5.0 non-compliance issues (97)
| Severity | Non-Compliance | Region | Resource | Issue | Remediation | Read more | Action | |
|---|---|---|---|---|---|---|---|---|
| IAM & Admin | Medium | CIS 1.1 | global | Service accounts | Non-corporate login credentials are in use: prevasio@gmail.com, peter@hotmail.com. | To follow cloud security best practices, make sure only corporate login credentials are used to access Google Cloud Platform (GCP) resources. | More info | |
| IAM & Admin | Medium | CIS 1.11 | global | Service accounts | User account prevasio@gmail.com has KMS admin role and a CryptoKey role at the same time. | Ensure that separation of duties is enforced for all service account roles. | More info | |
| IAM & Admin | Medium | CIS 1.11 | global | service-853160546542@gcp-sa-firestore.iam.gserviceaccount.com | Service account has KMS admin role and a CryptoKey role at the same time. | Ensure that separation of duties is enforced for all service account roles. | More info | |
| IAM & Admin | Medium | CIS 1.11 | global | service-853160546542@gcp-sa-firestore.iam.gserviceaccount.com | User account has both Service Account User and Service Account Admin roles attached. | Ensure that separation of duties is enforced for all service account roles. | More info | |
| IAM & Admin | Low | CIS 1.6 | global | service-853160546542@gcp-sa-firestore.iam.gserviceaccount.com | User account has a Service Account Token Creator role. | For best security practices, ensure that no IAM users have Service Account Token Creator role | More info | |
| IAM & Admin | Low | CIS 1.7 PCI DSS (Networking) HIPAA (Networking) | global | d7cdf0e28512f79b6b5ac175bea7285a266e984b | User-managed key has not been rotated in 224 days. | Ensure that the user-managed keys associated with your service accounts are rotated every 90 days or less. | More info | |
| IAM & Admin | Medium | CIS 1.4 | global | d7cdf0e28512f79b6b5ac175bea7285a266e984b | Service account key is not managed and rotated by Google. | Check the restrictions to the accessibility of the service account keys, and make sure they are managed and rotated by Google. | More info | |
| Network Services | Medium | global | my-dns-zone | Managed zone uses RSASHA1 algorithm for zone signing. | To prevent DNS hijacking or man in the middle attacks, ensure that your DNS managed zones have DNSSEC security feature enabled and are not using the RSASHA1 algorithm for zone signing. | More info | ||
| Compute Engine | High | CIS 4.3 | us-west4 | instance-1 | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
| Compute Engine | Low | CIS 4.9 PCI DSS 4.2.1 | us-west4 | instance-1 | VM instance has public access enabled. | In order to minimize exposure to the Internet, ensure your VM instances are not configured to have external IP addresses. | More info | |
| Compute Engine | High | CIS 4.3 | us-west4 | instance-2 | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
| Compute Engine | Low | CIS 4.9 PCI DSS 4.2.1 | us-west4 | instance-2 | VM instance has public access enabled. | In order to minimize exposure to the Internet, ensure your VM instances are not configured to have external IP addresses. | More info | |
| Compute Engine | Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-west4 | instance-1 | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
| Compute Engine | Medium | CIS 4.5 | us-central1 | instance-group-1-ptb0 | VM instance has serial port access enabled. | Due to security and compliance regulations, ensure the serial port access is disabled for all your VM instances. | More info | |
| Compute Engine | High | CIS 4.3 | us-central1 | instance-group-1-ptb0 | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
| Compute Engine | Medium | CIS 4.6 PCI DSS 4.2.1 | us-central1 | instance-group-1-ptb0 | VM instance has IP forwarding enabled. | For security and compliance reasons, as instances with IP Forwarding enabled act as routers/packet forwarders, delete the VM instances with IP forwarding enabled and redeploy them with IP forwarding disabled. | More info | |
| Compute Engine | Medium | CIS 4.8 | us-central1 | instance-group-1-ptb0 | VM instance has Shielded VM security feature disabled. | For protection against rootkits and bootkits, ensure that your VM instances are configured to use Shielded VM security feature. | More info | |
| Compute Engine | High | CIS 4.3 | us-central1 | gke-cluster-1-default-pool-fc104738-427b | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
| Compute Engine | High | CIS 4.3 | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
| Compute Engine | High | CIS 4.3 | us-central1 | mysql-5-7-secured-by-sg-1-vm | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
| Compute Engine | Low | CIS 4.9 PCI DSS 4.2.1 | us-central1 | mysql-5-7-secured-by-sg-1-vm | VM instance has public access enabled. | In order to minimize exposure to the Internet, ensure your VM instances are not configured to have external IP addresses. | More info | |
| Compute Engine | Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | disk-1 | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
| Compute Engine | Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | gke-cluster-1-default-pool-fc104738-2sxd | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
| Compute Engine | Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | gke-cluster-1-default-pool-fc104738-427b | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
| Compute Engine | Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
| Compute Engine | Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | mysql-5-7-secured-by-sg-1-vm | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
| Compute Engine | Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | mysql-5-7-secured-by-sg-1-vm-disk1 | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
| Key Management | Critical | CIS 1.10 PCI DSS 3.7.4 HIPAA (Encryption) | global | my-keyring3-name | KMS cryptographic key has no rotation period set. | To fulfill HIPAA and PCI DSS key rotation requirements, ensure all cryptographic keys are set to rotate periodically. | More info | |
| Cloud Storage | Medium | CIS 2.3 | global | gcf-sources-853160546542-us-central1 | Storage bucket has no retention policy. | For security and compliance purposes, ensure that the objects stored within your storage buckets have a sufficient data retention period. | More info | |
| Cloud Storage | Medium | CIS 2.3 | global | prevasio-test-bucket | Storage bucket has no retention policy. | For security and compliance purposes, ensure that the objects stored within your storage buckets have a sufficient data retention period. | More info | |
| Cloud Storage | Medium | CIS 2.3 | global | staging.sylvan-surf-339107.appspot.com | Storage bucket has no retention policy. | For security and compliance purposes, ensure that the objects stored within your storage buckets have a sufficient data retention period. | More info | |
| Cloud Storage | Medium | CIS 5.2 | global | staging.sylvan-surf-339107.appspot.com | Storage bucket does not have uniform bucket-level access enabled. | To ensure uniform access to all the objects within a storage bucket. ensure that uniform bucket-level access is enabled for all your storage buckets. | More info | |
| Cloud Storage | Medium | CIS 2.3 | global | sylvan-surf-339107.appspot.com | Storage bucket has no retention policy. | For security and compliance purposes, ensure that the objects stored within your storage buckets have a sufficient data retention period. | More info | |
| Cloud Storage | Medium | CIS 5.2 | global | sylvan-surf-339107.appspot.com | Storage bucket does not have uniform bucket-level access enabled. | To ensure uniform access to all the objects within a storage bucket. ensure that uniform bucket-level access is enabled for all your storage buckets. | More info | |
| Cloud Storage | Medium | CIS 5.1 | global | us.artifacts.sylvan-surf-339107.appspot.com | Storage bucket has anonymous and/or public access. | To prevent access from anonymous and/or public users, make sure the allUsers and allAuthenticatedUsers are removed from IAM policy for all storage bucket. | More info | |
| Cloud Storage | Medium | CIS 2.3 | global | us.artifacts.sylvan-surf-339107.appspot.com | Storage bucket retention has expired 50 days ago. | For security and compliance purposes, ensure that the objects stored within your storage buckets have a sufficient data retention period. | More info | |
| Cloud Storage | Medium | CIS 5.2 | global | us.artifacts.sylvan-surf-339107.appspot.com | Storage bucket does not have uniform bucket-level access enabled. | To ensure uniform access to all the objects within a storage bucket. ensure that uniform bucket-level access is enabled for all your storage buckets. | More info | |
| SQL | Medium | CIS 6.1.1 | global | my-sql-instance | SQL database instance can be accessed by the root user from any host. | To ensure secure access, limit root access to SQL instances to allowed IPs only. | More info | |
| SQL | Medium | CIS 6.7 | global | my-sql-instance | SQL database instance does not have an automated backup enabled. | Ensure that automated backups are enabled for all SQL database instances. | More info | |
| SQL | Medium | CIS 6.4 PCI DSS 4.2 HIPAA (Encryption) | global | my-sql-instance | SQL database instance has SSL/TLS disabled. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, enforce all incoming connections to your SQL database instances to use SSL/TLS only. | More info | |
| SQL | Medium | CIS 6.1.3 | global | my-sql-instance | MySQL database instance has "local_infile" flag enabled. | To follow best practices on data security, ensure all your MySQL database instances have the "local_infile" flag disabled. | More info | |
| SQL | Medium | CIS 6.6 | global | my-sql-instance | SQL database instance has public IPs. | To reduce the application's attack surface, ensure your SQL database instances are configured to use private IP addresses instead of public IPs. | More info | |
| SQL | Medium | CIS 6.7 | global | my-sql-instance3 | SQL database instance does not have an automated backup enabled. | Ensure that automated backups are enabled for all SQL database instances. | More info | |
| SQL | Medium | CIS 6.4 PCI DSS 4.2 HIPAA (Encryption) | global | my-sql-instance3 | SQL database instance has SSL/TLS disabled. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, enforce all incoming connections to your SQL database instances to use SSL/TLS only. | More info | |
| SQL | Medium | CIS 6.2.2 | global | my-sql-instance3 | PostgreSQL database instance has "log_connections" flag disabled. | To ensure each attempted connection to the database instance to be logged, ensure all your PostgreSQL database instances have the "log_connections" flag enabled. | More info | |
| SQL | Medium | CIS 6.2.3 | global | my-sql-instance3 | PostgreSQL database instance has "log_disconnections" flag disabled. | To ensure the database logs the end of each session, ensure all your PostgreSQL database instances have the "log_disconnections" flag enabled. | More info | |
| SQL | Medium | CIS 6.2.8 | global | my-sql-instance3 | PostgreSQL database instance has "log_min_duration_statement" flag enabled. | To avoid logging statements with sensitive information, ensure all your PostgreSQL database instances have the "log_min_duration_statement" flag set to -1 (i.e. disabled). | More info | |
| SQL | Medium | CIS 6.2.7 | global | my-sql-instance3 | PostgreSQL database instance does not have "log_min_error_statement" flag set to Error. | As the best practice setting, ensure all your PostgreSQL database instances have the "log_min_error_statement" flag (the minimum message severity level considered an error statement) to be set to Error (or stricter). | More info | |
| SQL | Medium | CIS 6.6 | global | my-sql-instance3 | SQL database instance has public IPs. | To reduce the application's attack surface, ensure your SQL database instances are configured to use private IP addresses instead of public IPs. | More info | |
| SQL | Medium | CIS 6.7 | global | my-sql-instance4 | SQL database instance does not have an automated backup enabled. | Ensure that automated backups are enabled for all SQL database instances. | More info | |
| SQL | Medium | CIS 6.4 PCI DSS 4.2 HIPAA (Encryption) | global | my-sql-instance4 | SQL database instance has SSL/TLS disabled. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, enforce all incoming connections to your SQL database instances to use SSL/TLS only. | More info | |
| SQL | Medium | CIS 6.3.7 | global | my-sql-instance4 | SQL server database instance has "contained database authentication" flag enabled. | To prevent any databases on the server from being contained, ensure the "contained database authentication" SQL Server engine flag is set to Off. | More info | |
| SQL | Medium | CIS 6.3.2 | global | my-sql-instance4 | SQL server database instance has "cross db ownership chaining" flag enabled. | Unless all of the databases hosted by the SQL Server need to participate in cross-database ownership chaining, ensure the "cross db ownership chaining" SQL Server engine flag is disabled. | More info | |
| SQL | Medium | CIS 6.6 | global | my-sql-instance4 | SQL database instance has public IPs. | To reduce the application's attack surface, ensure your SQL database instances are configured to use private IP addresses instead of public IPs. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | us-east1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | us-east4 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | us-west1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | us-west2 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | us-west3 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | us-west4 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | us-central1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | northamerica-northeast1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | northamerica-northeast2 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | southamerica-east1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | southamerica-west1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | europe-west1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | europe-west2 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | europe-west3 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | europe-west4 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | europe-west6 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | europe-north1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | europe-central2 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | asia-south1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | asia-south2 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | asia-southeast1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | asia-southeast2 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | asia-east1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | asia-east2 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | asia-northeast1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | asia-northeast2 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | asia-northeast3 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | australia-southeast1 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.8 PCI DSS 10.2 HIPAA (Audit) | australia-southeast2 | default | VPC subnet has VPC flow logs disabled. | To fulfill HIPAA and PCI DSS compliance requirements for logging of all network access to environments containing sensitive data, ensure that VPC Flow Logs is enabled for every subnet created within your VPC network. | More info | |
| VPC Network | Medium | CIS 3.1 | global | default | Default VPC network is in use by 7 compute VM instances. | To follow best security practices and networking requirements, make sure your projects are not using the default Virtual Private Cloud (VPC) network. | More info | |
| VPC Network | Low | CIS 2.12 | global | default | VPC network does not have DNS logging enabled. | To follow best security practices and networking requirements, make sure your VPC Networks use DNS Server Policy with logging enabled. | More info | |
| VPC Network | Low | CIS 2.12 | global | vpc-network-test | VPC network does not have DNS logging enabled. | To follow best security practices and networking requirements, make sure your VPC Networks use DNS Server Policy with logging enabled. | More info | |
| VPC Network | High | CIS 3.7 | global | default-allow-rdp | VPC firewall rules allow unrestricted inbound/ingress access on TCP port 3389 (RDP). | To reduce the attack surface for the VM instances associated with the firewall rules, ensure that your VPC network firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 (RDP). | More info | |
| VPC Network | High | CIS 3.6 | global | default-allow-ssh | VPC firewall rules allow unrestricted inbound/ingress access on TCP port 22 (SSH). | To reduce the attack surface for the VM instances associated with the firewall rules, ensure that your VPC network firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 22 (SSH). | More info | |
| VPC Network | Critical | CIS 3.6 CIS 3.7 | global | gke-cluster-1-9c94fdab-vms | VPC firewall rules define all ports open to the public. | To protect VM instances against DoS or brute-force attacks, ensure that your VPC network firewall rules don't have all ports open to the public. | More info | |
| VPC Network | Critical | CIS 3.6 CIS 3.7 | global | gke-cluster-1-9c94fdab-vms | VPC firewall rules define all ports open to the public. | To protect VM instances against DoS or brute-force attacks, ensure that your VPC network firewall rules don't have all ports open to the public. | More info | |
| VPC Network | High | CIS 3.6 | global | vpc-network-test-allow-ssh | VPC firewall rules allow unrestricted inbound/ingress access on TCP port 22 (SSH). | To reduce the attack surface for the VM instances associated with the firewall rules, ensure that your VPC network firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 22 (SSH). | More info | |
| VPC Network | Critical | CIS 3.6 CIS 3.7 | global | vpc-network-open | VPC firewall rules define all ports open to the public. | To protect VM instances against DoS or brute-force attacks, ensure that your VPC network firewall rules don't have all ports open to the public. | More info | |
| VPC Network | Critical | CIS 3.6 CIS 3.7 | global | vpc-network-open | VPC firewall rules define all ports open to the public. | To protect VM instances against DoS or brute-force attacks, ensure that your VPC network firewall rules don't have all ports open to the public. | More info | |
| Logging | Low | CIS 2.2 | global | my-test-7 | Log bucket "prevasio-test-bucket" versioning is disabled. | Ensure the log sink is configured properly; in case of using a storage bucket, make sure it has a destination and an empty filter. | More info | |
| BigQuery | High | CIS 7.3 PCI DSS 3.5 HIPAA (Encryption) | global | sylvan-surf-339107:my_dataset | BigQuery dataset is not encrypted using Customer-Managed Keys (CMK). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, make sure your BigQuery datasets are encrypted using CMK. | More info | |
| BigQuery | High | CIS 7.1 | global | sylvan-surf-339107:my_dataset2 | BigQuery dataset has Writer access granted to allUsers, Reader access granted to allAuthenticatedUsers. | To prevent access from anonymous and/or public users, make sure the allUsers and allAuthenticatedUsers are removed from IAM policy for all datasets. | More info | |
| BigQuery | High | CIS 7.3 PCI DSS 3.5 HIPAA (Encryption) | global | sylvan-surf-339107:my_dataset2 | BigQuery dataset is not encrypted using Customer-Managed Keys (CMK). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, make sure your BigQuery datasets are encrypted using CMK. | More info |