AlgoSec Best Practices for Google Cloud Platform (GCP) provide a baseline for your cloud network configuration and security policy across all your GCP projects, assets, and security controls.
To read more about AlgoSec Best Practices, please visit the AlgoSec home page.

AlgoSec Best Practices requirements (68)
Severity Requirement Title Description Remediation
O01-I-GCP Critical AlgoSec O01-I-GCP Outbound "To Any allow Any service" rules to Public IPs Outbound rules of the form "to Any with service Any" are usually more open than is necessary. Allowing all services allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access to all destinations may allow exfiltration of information. Restrict the rules to refer to the destination IPs you really use, and to the the services your applications rely on by deploying a stateful firewall for outbound traffic.
O02-I-GCP Critical AlgoSec O02-I-GCP Outbound "To Any allow all TCP" rules to Public IPs Outbound rules of the form "to Any with all TCP" are usually more open than is necessary. Allowing all TCP allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access to all destinations may allow exfiltration of information. Restrict the rules to refer to the destination IPs you really use, and to the the services your applications rely on by deploying a stateful firewall for outbound traffic.
O03-I-GCP Critical AlgoSec O03-I-GCP Outbound "To Any allow all UDP" rules to Public IPs Outbound rules of the form "to Any with all UDP" are usually more open than is necessary. Allowing all UDP allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access to all destinations may allow exfiltration of information. Restrict the rules to refer to the destination IPs you really use, and to the the services your applications rely on by deploying a stateful firewall for outbound traffic.
O04-I-GCP High AlgoSec O04-I-GCP TCP on all ports can exit your network to Public IPs Allowing TCP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with TCP on all ports, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O05-I-GCP High AlgoSec O05-I-GCP "Any" service can exit your network to Public IPs Allowing "Any" service to exit your network is extremely risky since the "Any" service includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with the service "Any" service, and limit them to those services you actually require.
O06-I-GCP High AlgoSec O06-I-GCP UDP on all ports can exit your network to Public IPs Allowing UDP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with UDP on all ports, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O07-I-GCP High AlgoSec O07-I-GCP Internal Data can be exposed from your network using Public IPs via FTP Letting FTP (File Transfer Protocol) exit your network is risky as it is not encrypted. It is only authenticated by simple passwords, that are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. Eliminate rules which allow access to this port to Public IPs. For file upload- use secure alternatives such as SFTP.
O08-I-GCP Medium AlgoSec O08-I-GCP Risky TCP Microsoft services can exit your network to Public IPs Allowing Microsoft's NetBIOS services (TCP/135, TCP/139, TCP/445, TCP/593) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to this port to public IPs.
O09-I-GCP Medium AlgoSec O09-I-GCP Risky UDP Microsoft services can exit your network to Public IPs Allowing Microsoft's NetBIOS services (UDP/137, UDP/138) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to this port to public IPs.
O10-I-GCP Medium AlgoSec O10-I-GCP SMTP can exit your network to more than 256 Public IPs Allowing outbound SMTP access on TCP port 25/465/587 from many internal machines is risky. Outbound SMTP (E-mail) should only originate from your public mail servers. E-mail is a vector for many viruses and worms. Computers that can send E-mail directly (not through your organization's designated mail servers) can bypass your network's E-mail filters, and spread viruses and worms to other networks. Therefore, outbound SMTP access should be limited to your properly hardened public mail servers. Restrict the rules to refer to only the destination IPs you really use, and limit the number of public IP addresses that can be reached on this port.
I01-I-GCP Critical AlgoSec I01-I-GCP Inbound "From Any allow Any service" rules from Public IPs Inbound rules of the form "From Any with service Any : PASS" are usually more open than is necessary. Allowing all services allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access from all sources may allow access to from risky locations. This subnet is connected from internet, elevating the level of risk. Restrict the rules to refer to only the source IPs and services you really use.
I02-I-GCP Critical AlgoSec I02-I-GCP Inbound "From Any allow all TCP" rules from Public IPs Inbound rules of the form "From Any with all TCP : PASS" are usually more open than is necessary. Allowing all TCP allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access from all sources may allow access to from risky locations. This subnet is connected to the Internet, elevating the level of risk. Restrict the rules to refer to only the source IPs and services you really use.
I03-I-GCP Critical AlgoSec I03-I-GCP Inbound "From Any allow all UDP" rules from Public IPs Inbound rules of the form "From Any with all UDP : PASS" are usually more open than is necessary. Allowing all UDP allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access from all sources may allow access to from risky locations. This subnet is connected to the Internet, elevating the level of risk. Restrict the rules to refer to only the source IPs and services you really use.
I04-I-GCP High AlgoSec I04-I-GCP "Any" service can enter your network from Public IPs Allowing the "Any" service to enter your network is extremely risky since the "Any" service includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs. Review all the rules that allow inbound traffic with "Any" service, and limit them to those services you actually require.
I05-I-GCP High AlgoSec I05-I-GCP TCP on all ports can enter your network from Public IPs Allowing TCP on all ports to enter your network is extremely riskysince this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with TCP on all ports, and limit them to those services you actually require.
I06-I-GCP High AlgoSec I06-I-GCP UDP on all ports can enter your network from Public IPs Allowing UDP on all ports to enter your network is extremely risky since this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with UDP on all ports, and limit them to those services you actually require.
I07-I-GCP High AlgoSec I07-I-GCP LDAP Port TCP/389, UDP/389 open from Public IPs Your cloud LDAP server is accessible using the LDAP port (UDP/389, TCP/389). LDAP (Lightweight Directory Access Protocol) is a directory service for controling access to network capable devices. Allowing access to these ports from public IP addresses is risky. Eliminate rules which allow access to this port from the Internet.
I08-I-GCP High AlgoSec I08-I-GCP Applications using Public IPs can access your network via port 3020 Your cloud estate is accessible using file sharing Protocol CIFS over port 3020. Allowing file sharing access from public IP addresses is risky. Eliminate rules which allow access to this port from the Internet.
I09-I-GCP High AlgoSec I09-I-GCP Applications using Public IPs can access your network via Database port TCP/9000 Your cloud Hadoop database is accessible using administrative port TCP/9000. Hadoop is a framework for distributed data processing that allows access to the data and may act as database. Opening Hadoop port for public IPs is risky Eliminate rules which allow access to this port from the Internet.
I10-I-GCP High AlgoSec I10-I-GCP Administrative port TCP/1434 can enter your network from Public IPs Your cloud database managment system is accessible using the MSSQL administrative port TCP/1434. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I11-I-GCP High AlgoSec I11-I-GCP MSSQL(UDP/1434) can enter your network from Public IPs Your cloud database managment system is accessible using the MSSQL port UDP/1434. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I12-I-GCP High AlgoSec I12-I-GCP Database port TCP/27017-27019 can enter your network from Public IPs Your cloud database managment system is accessible using the Mongo Web Portal port with TCP/27018. Mongo Web Portal is a "mongodb" named protocol that allows access to MongoDB API. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I13-I-GCP High AlgoSec I13-I-GCP Database port TCP/3306 can enter your network from Public IPs Your cloud database managment system is accessible using the MySQL debug port TCP/3306. MySQL is a database managment system (RDBMS). Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I14-I-GCP High AlgoSec I14-I-GCP Administrative port UDP/161 can enter your network from Public IPs Your cloud estate is accessible using the SNMP service (UDP/161). SNMP (Simple Network Management Protocol) is a protocol used to manage networking and edge devices. Allowing SNMP from public IP addresses is risky. Eliminate rules which allow access to this port from the Internet.
I15-I-GCP High AlgoSec I15-I-GCP Telnet can enter your network from Public IPs Telnet is a remote-login service that is not encrypted. It is only authenticated by simple passwords, that are transmitted in the clear. Eliminate rules which allow access to this port from the Internet.
I16-I-GCP High AlgoSec I16-I-GCP Risky TCP Microsoft services can enter your network from Public IPs Allowing Microsoft's NetBIOS services (TCP/135, TCP/139, TCP/445, TCP/593) to cross into your network is extremely risky. These services provide file sharing Protocol SMB and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to this port from the Internet.
I17-I-GCP High AlgoSec I17-I-GCP Database port TCP/1433 can enter your network from Public IPs Your cloud database managment system is accessible using the MSSQL port TCP/1433. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I18-I-GCP High AlgoSec I18-I-GCP Database port TCP/5432 can enter your network from Public IPs Allowing inbound access using database-access protocol PostgreSQL (TCP/5432) may expose your most critical databases to attack. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I19-I-GCP High AlgoSec I19-I-GCP Database port TCP/523 can enter your network from Public IPs Allowing inbound access using database-access protocol IBM DB2 (TCP/523) may expose your most critical databases to attack. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I20-I-GCP High AlgoSec I20-I-GCP Database port TCP/1521 can enter your network from Public IPs Allowing inbound access using database-access protocol Oracle's sqlnet (TCP/1521) may expose your most critical databases to attack. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I21-I-GCP Medium AlgoSec I21-I-GCP RPC can enter your network from Public IPs The Sunrpc service(TCP/UDP port 111) is used by the Unix "portmapper" daemon to support services like NFS. Allowing such traffic in could expose your data if you have Unix file servers. Eliminate rules which allow access to this port from the Internet.
I22-I-GCP High AlgoSec I22-I-GCP Internal Data can be exposed from your network using Public IPs via FTP Letting FTP (File Transfer Protocol) reach internal servers is risky as it is not encrypted. It is only authenticated by simple passwords, that are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. Eliminate rules which allow access to this port from the Internet. For file upload from the Internet - use secure alternatives such as SFTP.
I23-I-GCP Low AlgoSec I23-I-GCP Version control services can enter your network from Public IPs Allowing inbound access to version control systems like CVS (TCP/2401) or Subversion (TCP/3690) may be risky if you use these systems. Version control systems provide tools to manage different versions of documents or source code and facilitate multiple users to concurrently work on the same set of files. These systems have serious known vulnerabilities. If you use either the CVS or the Subversion version control systems, eliminate rules which allow access to this port from the Internet.
I24-I-GCP High AlgoSec I24-I-GCP Administrative port 22 (ssh) can enter your network from more than 256 Public IPs Allowing access from more than 256 Public IP addresses using the SSH service (TCP/22) is risky. SSH is a remote-login service that allows command-line access to Linux/Unix-based servers and is generally used for server administration. Allowing administrative access from too many public IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of public IP addresses that have this administrative access.
I25-I-GCP High AlgoSec I25-I-GCP Administrative port 3389(RDP) can enter your network from more than 256 Public IPs Allowing access from more than 256 Public IP addresses using the Microsoft RDP protocol over port 3389 is risky. RDP stands for Remote-Desktop and is a Windows service that allows remote-login to windows machines. RDP is used for Windows-based server administration. Allowing administrative access from too many public IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of public IP addresses that have this administrative access.
I26-I-GCP High AlgoSec I26-I-GCP Risky UDP Microsoft services can enter your network from Public IPs Allowing Microsoft's NetBIOS services (UDP/137, UDP/138) to cross into your network is extremely risky. These services provide file sharing Protocol SMB and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to this port from the Internet.
I27-I-GCP High AlgoSec I27-I-GCP Inbound "From Any allow HTTP" rules from Public IPs HTTP traffic is unencrypted and therefore insecure. All inbound web traffic should use HTTPS. Restrict the rules to refer to only the source IPs you really use and change the application to use HTTPS.
I28-I-GCP Medium AlgoSec I28-I-GCP Inbound "From Any allow HTTPS" rules from Public IPs Allowing HTTPS from anywhere is risky unless it is to a public facing website. Restrict the rules to refer to only the source IPs that need access to the protected site.
O01-NI-GCP Medium AlgoSec O01-NI-GCP TCP on all ports can exit your network to Private IPs Allowing TCP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with TCP on all ports, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O02-NI-GCP Medium AlgoSec O02-NI-GCP Internal Data can be exposed from your network using Public IPs via "Any" service Allowing "Any" service to exit your network is extremely risky since the "Any" service includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with the service "Any" service, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O03-NI-GCP Medium AlgoSec O03-NI-GCP UDP on all ports can exit your network to Private IPs Allowing UDP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with UDP on all ports, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O04-NI-GCP Medium AlgoSec O04-NI-GCP Risky TCP Microsoft services can exit your network to Private IPs Allowing Microsoft's NetBIOS services (TCP/135, TCP/139, TCP/445, TCP/593) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to this port to Private IPs.
O05-NI-GCP Medium AlgoSec O05-NI-GCP Internal Data can be exposed from your network using Private IPs via FTP Letting FTP (File Transfer Protocol) exit your network is risky as it is not encrypted. It is only authenticated by simple passwords, that are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. Eliminate rules which allow access to this port to Private IPs. For file upload- use secure alternatives such as SFTP.
O06-NI-GCP Low AlgoSec O06-NI-GCP SMTP can exit your network to more than 256 Private IPs Allowing outbound SMTP access on TCP port 25/465/587 from many internal machines is risky. Outbound SMTP (E-mail) should only originate from your public mail servers. E-mail is a vector for many viruses and worms. Computers that can send E-mail directly (not through your organization's designated mail servers) can bypass your network's E-mail filters, and spread viruses and worms to other networks. Therefore, outbound SMTP access should be limited to your properly hardened public mail servers. Restrict the rules to refer to only the destination IPs you really use, and limit the number of public IP addresses that can be reached on this port.
O07-NI-GCP Medium AlgoSec O07-NI-GCP Risky UDP Microsoft services can exit your network to Private IPs Allowing Microsoft's NetBIOS services (UDP/137, UDP/138) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to this port to Private IPs.
I01-NI-GCP Medium AlgoSec I01-NI-GCP "Any" service can enter your network from Private IPs Allowing the "Any" service to enter your network is extremely risky since the "Any" service includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs. Review all the rules that allow inbound traffic with "Any" service, and limit them to those services you actually require.
I02-NI-GCP Medium AlgoSec I02-NI-GCP TCP on all ports can enter your network from Private IPs Allowing TCP on all ports to enter your network is extremely riskysince this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with TCP on all ports, and limit them to those services you actually require.
I03-NI-GCP Medium AlgoSec I03-NI-GCP UDP on all ports can enter your network from Private IPs Allowing UDP on all ports to enter your network is extremely risky since this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with UDP on all ports, and limit them to those services you actually require.
I04-NI-GCP Medium AlgoSec I04-NI-GCP LDAP Port TCP/389, UDP/389 open from Private IPs Your cloud LDAP server is accessible using the LDAP port (UDP/389, TCP/389). LDAP (Lightweight Directory Access Protocol) is a directory service for controling access to network capable devices. Allowing access to these ports is risky. Eliminate rules which allow access to this port from private IPs.
I05-NI-GCP Medium AlgoSec I05-NI-GCP Applications using Private IPs can access your network via port 3020 Your cloud estate is accessible using file sharing Protocol CIFS over port 3020. Allowing file sharing accesson this port is risky. Eliminate rules which allow access to this port from private IPs.
I06-NI-GCP Medium AlgoSec I06-NI-GCP Applications using Private IPs can access your network via Database port TCP/9000 Your cloud Hadoop database is accessible using administrative port TCP/9000. Hadoop is a framework for distributed data processing that allows access to the data and may act as database. Opening Hadoop port is risky Eliminate rules which allow access to this port private IPs.
I07-NI-GCP Medium AlgoSec I07-NI-GCP Administrative port TCP/1434 can enter your network from Private IPs Your cloud database managment system is accessible using the MSSQL administrative port TCP/1434. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port private IPs.
I08-NI-GCP Medium AlgoSec I08-NI-GCP MSSQL(UDP/1434) can enter your network from Private IPs Your cloud database managment system is accessible using the MSSQL port UDP/1434. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I09-NI-GCP Medium AlgoSec I09-NI-GCP Database port TCP/27017-27019 can enter your network from Private IPs Your cloud database managment system is accessible using the Mongo Web Portal port with TCP/27018. Mongo Web Portal is a "mongodb" named protocol that allows access to MongoDB API. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port private IPs.
I10-NI-GCP Medium AlgoSec I10-NI-GCP Database port TCP/3306 can enter your network from Private IPs Your cloud database managment system is accessible using the MySQL debug port TCP/3306. MySQL is a database managment system (RDBMS). Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port private IPs.
I11-NI-GCP Medium AlgoSec I11-NI-GCP Administrative port UDP/161 can enter your network from Private IPs Your cloud estate is accessible using the SNMP service (UDP/161). SNMP (Simple Network Management Protocol) is a protocol used to manage networking and edge devices. Allowing SNMP port UDP/161 is risky. Eliminate rules which allow access to this port from private IPs.
I12-NI-GCP Medium AlgoSec I12-NI-GCP Telnet can enter your network from Private IPs Telnet is a remote-login service that is not encrypted. It is only authenticated by simple passwords that are transmitted in the clear. Eliminate rules which allow access to this port from private IPs.
I13-NI-GCP Medium AlgoSec I13-NI-GCP Risky TCP Microsoft services can enter your network from Private IPs Allowing Microsoft's NetBIOS services (TCP/135, TCP/139, TCP/445, TCP/593) to cross into your network is extremely risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to these ports from private IPs.
I14-NI-GCP Medium AlgoSec I14-NI-GCP Database port TCP/1433 can enter your network from Private IPs Your cloud database management system is accessible using the MSSQL port TCP/1433. MSSQL is the Microsoft SQL Server database management system. Databases are core elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) systems, and contain critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to configure and secure correctly. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I15-NI-GCP Medium AlgoSec I15-NI-GCP Database port TCP/5432 can enter your network from Private IPs Allowing inbound access using the database-access protocol PostgreSQL (TCP/5432) may expose your most critical databases to attack. Databases are core elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) systems, and contain critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to configure and secure correctly. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I16-NI-GCP Medium AlgoSec I16-NI-GCP Database port TCP/523 can enter your network from Private IPs Allowing inbound access using the database-access protocol IBM DB2 (TCP/523) may expose your most critical databases to attack. Databases are core elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) systems, and contain critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to configure and secure correctly. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I17-NI-GCP Medium AlgoSec I17-NI-GCP Database port TCP/1521 can enter your network from Private IPs Allowing inbound access using the database-access protocol Oracle SQL*Net (TCP/1521) may expose your most critical databases to attack. Databases are core elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) systems, and contain critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to configure and secure correctly. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I18-NI-GCP Low AlgoSec I18-NI-GCP RPC can enter your network from Private IPs The Sunrpc service (TCP/UDP port 111) is used by the Unix "portmapper" daemon to support services like NFS. Allowing such traffic in could expose your data if you have Unix file servers. Eliminate rules which allow access to this port from private IPs.
I19-NI-GCP Medium AlgoSec I19-NI-GCP Internal Data can be exposed from your network using Private IPs via FTP Letting FTP (File Transfer Protocol) reach internal servers is risky as it is not encrypted. It is only authenticated by simple passwords that are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. Eliminate rules which allow access to this port from private IPs. For file uploads, use secure alternatives such as SFTP.
I20-NI-GCP Low AlgoSec I20-NI-GCP Version control services can enter your network from Private IPs Allowing inbound access to Unix version control systems like CVS (TCP/2401) or Subversion (TCP/3690) may be risky if you use these systems. Version control systems provide tools to manage different versions of documents or source code and allow multiple users to work concurrently on the same set of files. These systems have serious known vulnerabilities. If you use either the CVS or the Subversion version control system, eliminate rules which allow access to these ports from private IPs.
I21-NI-GCP Medium AlgoSec I21-NI-GCP Administrative port 22 (ssh) can enter your network from more than 256 Private IPs Allowing access from more than 256 Private IP addresses using the SSH service (TCP/22) is risky. SSH is a remote-login service that allows command-line access to Linux/Unix-based servers and is generally used for server administration. Allowing administrative access from too many public IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of public IP addresses that have this administrative access.
I22-NI-GCP Medium AlgoSec I22-NI-GCP Administrative port 3389(RDP) can enter your network from more than 256 Private IPs Allowing access from more than 256 Private IP addresses using the Microsoft RDP protocol over port 3389 is risky. RDP stands for Remote-Desktop and is a Windows service that allows remote login to Windows machines. RDP is used for Windows-based server administration. Allowing administrative access from too many public IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of public IP addresses that have this administrative access.
I23-NI-GCP Medium AlgoSec I23-NI-GCP Risky UDP Microsoft services can enter your network from Private IPs Allowing Microsoft's NetBIOS services (UDP/137, UDP/138) to cross into your network is extremely risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to these ports from private IPs.

The Center for Internet Security (CIS) is a nonprofit that publishes a benchmark: a set of security configuration best practices for the Google Cloud Computing Platform.
To read more about the CIS GCP Foundations Benchmark, please visit the CIS Google Cloud Computing Platform home page.

CIS GCP v1.5.0 requirements (75)
Requirement Title Description
CIS_GCP_IAM_CORPORATE_LOGIN CIS 1.1 1.1 Ensure that Corporate Login Credentials are Used Use corporate login credentials instead of personal accounts, such as Gmail accounts.
CIS_GCP_IAM_SERVICE_ACCOUNT_USER_MANAGED_KEYS CIS 1.4 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account User managed service accounts should not have user-managed keys.
CIS_GCP_IAM_SERVICE_ACCOUNT_NO_ADMIN_PRIVILEGES CIS 1.5 1.5 Ensure That Service Account Has No Admin Privileges A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user. The application uses the service account to call the service's Google API so that users aren't directly involved. It's recommended not to use admin access for ServiceAccount.
CIS_GCP_IAM_SERVICE_ACCOUNT_TOKEN_CREATOR CIS 1.6 1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.
CIS_GCP_IAM_SERVICE_ACCOUNT_KEYS_ROTATION CIS 1.7 1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account. It is recommended that all Service Account keys are regularly rotated.
CIS_GCP_IAM_SERVICE_ACCOUNT_RELATED_ROLES CIS 1.8 1.8 Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
CIS_GCP_SECURITY_KEY_ANONYMOUSLY_OR_PUBLICLY_ACCESSIBLE CIS 1.9 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.
CIS_GCP_KMS_ROTATE CIS 1.10 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).
CIS_GCP_IAM_KMS_USER_SEPARATION CIS 1.11 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
CIS_GCP_SECURITY_PROJECT_HAS_API_KEY CIS 1.12 1.12 Ensure API Keys Are Not Created for a Project Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.
CIS_GCP_SECURITY_PROJECT_HAS_API_KEY_NO_RESTRICTIONS CIS 1.13 1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.
CIS_GCP_SECURITY_PROJECT_OLD_API_KEY CIS 1.15 1.15 Ensure API Keys Are Rotated Every 90 Days It is recommended to rotate API keys every 90 days.
CIS_GCP_IAM_ORG_NO_ESSENTIAL_CONTACT CIS 1.16 1.16 Ensure Essential Contacts is Configured for Organization It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.
CIS_GCP_DATAPROC_CLUSTER_NOT_ENCRYPTED CIS 1.17 1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).
CIS_GCP_IAM_NO_AUDIT_LOGS CIS 2.1 2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.
CIS_GCP_LOGGING_NO_LOG_SINK CIS 2.2 2.2 Ensure That Sinks Are Configured for All Log Entries It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).
CIS_GCP_STORAGE_BUCKET_NO_RETENTION CIS 2.3 2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
CIS_GCP_LOGGING_METRIC_NO_LOG_ALERT_PROJ_OWNERSHIP CIS 2.4 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all roles/Owner assignments should be monitored.
CIS_GCP_LOGGING_METRIC_NO_LOG_ALERT_AUDIT_CONF_CHANGE CIS 2.5 2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the question "who did what, where, and when?" within GCP projects. The information recorded by Cloud Audit Logging includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud Audit Logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.
CIS_GCP_LOGGING_METRIC_NO_LOG_ALERT_CUSTOM_ROLE CIS 2.6 2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
CIS_GCP_LOGGING_METRIC_NO_LOG_ALERT_FW_CONF_CHANGE CIS 2.7 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
CIS_GCP_LOGGING_METRIC_NO_LOG_ALERT_VPC_NETWORK_ROUTE_CONF_CHANGE CIS 2.8 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network route changes.
CIS_GCP_LOGGING_METRIC_NO_LOG_ALERT_VPC_NETWORK_CONF_CHANGE CIS 2.9 2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network changes.
CIS_GCP_LOGGING_METRIC_NO_LOG_ALERT_STORAGE_CONF_CHANGE CIS 2.10 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
CIS_GCP_LOGGING_METRIC_NO_LOG_ALERT_SQL_CONF_CHANGE CIS 2.11 2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
CIS_GCP_VPC_NETWORK_DNS_LOGGING CIS 2.12 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
CIS_GCP_LOGGING_NO_ASSET_INVENTORY CIS 2.13 2.13 Ensure Cloud Asset Inventory Is Enabled GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.
CIS_GCP_LOGGING_NO_ASSET_APPROVAL CIS 2.15 2.15 Ensure 'Access Approval' is 'Enabled' GCP Access Approval enables you to require your organization's explicit approval whenever Google Support tries to access your projects. You can then select users within your organization who can approve these requests by giving them a security role in IAM. All access requests display which Google employee requested them in an email or Pub/Sub message that you can choose to approve. This adds an additional control and a log of who in your organization approved or denied these requests.
CIS_GCP_NETWORK_NO_DEFAULT_NETWORK CIS 3.1 3.1 Ensure That the Default Network Does Not Exist in a Project To prevent use of default network, a project should not have a default network.
CIS_GCP_VPC_NETWORK_NETWORK_LEGACY CIS 3.2 3.2 Ensure Legacy Networks Do Not Exist for Older Projects In order to prevent use of legacy networks, a project should not have a legacy network configured. As of now, Legacy Networks are gradually being phased out, and you can no longer create projects with them. This recommendation is to check older projects to ensure that they are not using Legacy Networks.
CIS_GCP_NETWORK_DNSSEC_ENABLED CIS 3.3 3.3 Ensure That DNSSEC Is Enabled for Cloud DNS Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
CIS_GCP_NETWORK_SERVICES_MANAGED_ZONE_RSASHA1_FOR_KEY CIS 3.4 3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.
CIS_GCP_NETWORK_SERVICES_MANAGED_ZONE_RSASHA1_FOR_ZONE CIS 3.5 3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.
CIS_GCP_VPC_NETWORK_FIREWALL_UNRESTRICTED_SSH CIS 3.6 3.6 Ensure That SSH Access Is Restricted From the Internet GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.
CIS_GCP_VPC_NETWORK_FIREWALL_UNRESTRICTED_RDP CIS 3.7 3.7 Ensure That RDP Access Is Restricted From the Internet Generic (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.
CIS_GCP_VPC_NETWORK_SUBNET_FLOWLOGS CIS 3.8 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
CIS_GCP_NETWORK_SERVICES_INSECURE_PROXY CIS 3.9 3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites Secure Sockets Layer (SSL) policies determine which port and Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers. To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile; or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or (c) a CUSTOM profile that does not support any of the following features: TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA.
CIS_GCP_VM_INSTANCE_NO_DEFAULT_SERVICE_ACCOUNT CIS 4.1 4.1 Ensure That Instances Are Not Configured To Use the Default Service Account It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
CIS_GCP_VM_INSTANCE_SERVICE_ACCOUNT_NO_FULL_ACCESS CIS 4.2 4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope "Allow full access to all Cloud APIs".
CIS_GCP_VM_INSTANCE_BLOCK_PROJECT_SSH_KEYS CIS 4.3 4.3 Ensure “Block Project-Wide SSH Keys” Is Enabled for VM Instances It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
CIS_GCP_INSTANCE_NO_OSLOGIN CIS 4.4 4.4 Ensure Oslogin Is Enabled for a Project Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
CIS_GCP_COMPUTE_INSTANCE_SERIAL_PORT_ENABLED CIS 4.5 4.5 Ensure ‘Enable Connecting to Serial Ports’ Is Not Enabled for VM Instance Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
CIS_GCP_COMPUTE_INSTANCE_CAN_IP_FORWARD CIS 4.6 4.6 Ensure That IP Forwarding Is Not Enabled on Instances A Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different from the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure.
CIS_GCP_VM_INSTANCE_DISKS_CSEK_ENCRYPTED CIS 4.7 4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
CIS_GCP_VM_INSTANCE_SHIELDED_VM CIS 4.8 4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
CIS_GCP_COMPUTE_INSTANCE_HAS_PUBLIC_ACCESS CIS 4.9 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses Compute instances should not be configured to have external IP addresses.
CIS_GCP_COMPUTE_INSTANCE_CONFIDENTIAL_COMPUTING_DISABLED CIS 4.11 4.11 Ensure That Compute Instances Have Confidential Computing Enabled Google Cloud encrypts data at rest and in transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in use, while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
CIS_GCP_STORAGE_NOT_ANON_PUBLIC_ACCESS CIS 5.1 5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access.
CIS_GCP_STORAGE_UNIFORM CIS 5.2 5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
CIS_GCP_SQL_INSTANCE_ANY_HOST_ROOT_ACCESS CIS 6.1.1 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances. This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.
CIS_GCP_SQL_INSTANCE_MYSQL_DOES_NOT_HAVE_SKIP_SHOW_DB_FLAG CIS 6.1.2 6.1.2 Ensure ‘Skip_show_database’ Database Flag for Cloud SQL MySQL Instance Is Set to ‘On’ It is recommended to set the skip_show_database database flag for a Cloud SQL MySQL instance to on.
CIS_GCP_MYSQL_DATABASE_INSTANCE_LOCAL_INFILE CIS 6.1.3 6.1.3 Ensure That the ‘Local_infile’ Database Flag for a Cloud SQL MySQL Instance Is Set to ‘Off’ It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.
CIS_GCP_SQL_INSTANCE_POSTGRES_NO_LOG_ERROR_VERBOSITY CIS 6.2.1 6.2.1 Ensure ‘Log_error_verbosity’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘DEFAULT’ or Stricter The log_error_verbosity flag controls the verbosity/details of messages logged. Valid values are: TERSE, DEFAULT, VERBOSE.
CIS_GCP_POSTGRESQL_LOG_CONNECTIONS_FLAG_ON CIS 6.2.2 6.2.2 Ensure That the ‘Log_connections’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘On’ Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
CIS_GCP_POSTGRESQL_LOG_DISCONNECTIONS_FLAG_ON CIS 6.2.3 6.2.3 Ensure That the ‘Log_disconnections’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘On’ Enabling the log_disconnections setting logs the end of each session, including the session duration.
CIS_GCP_SQL_INSTANCE_POSTGRES_NO_LOG_STATEMENT CIS 6.2.4 6.2.4 Ensure ‘Log_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately The value of the log_statement flag determines which SQL statements are logged. Valid values are: none, ddl, mod, all.
CIS_GCP_SQL_INSTANCE_POSTGRES_NO_LOG_HOSTNAME CIS 6.2.5 6.2.5 Ensure ‘Log_hostname’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on' PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line.
CIS_GCP_SQL_INSTANCE_POSTGRES_NO_LOG_MIN_MESSAGES CIS 6.2.6 6.2.6 Ensure That the ‘Log_min_messages’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning' The log_min_messages flag defines the minimum message severity level that is considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
CIS_GCP_POSTGRESQL_LOG_MIN_ERROR CIS 6.2.7 6.2.7 Ensure ‘Log_min_error_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘Error’ or Stricter The log_min_error_statement flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. Ensure a value of ERROR or stricter is set.
CIS_GCP_POSTGRESQL_LOG_MIN_DURATION_OFF CIS 6.2.8 6.2.8 Ensure That the ‘Log_min_duration_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘-1’ (Disabled) The log_min_duration_statement flag defines the minimum execution time of a statement, in milliseconds, above which the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.
CIS_GCP_SQL_INSTANCE_POSTGRES_PGAUDIT_FLAG_DISABLED CIS 6.2.9 6.2.9 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging Ensure cloudsql.enable_pgaudit database flag for Cloud SQL PostgreSQL instance is set to on to allow for centralized logging.
CIS_GCP_SQL_INSTANCE_HAS_EXTERNAL_SCRIPTS CIS 6.3.1 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' It is recommended to set the external scripts enabled database flag for a Cloud SQL SQL Server instance to off.
CIS_GCP_SQL_SERVER_INSTANCE_CROSS_DB_OWNERSHIP_OFF CIS 6.3.2 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.
CIS_GCP_SQL_INSTANCE_USER_CONNECTION_LIMIT_NOT_CONFIGURED CIS 6.3.3 6.3.3 Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value It is recommended to check the user connections for a Cloud SQL SQL Server instance to ensure that it is not artificially limiting connections.
CIS_GCP_SQL_INSTANCE_HAS_USER_OPTIONS CIS 6.3.4 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured It is recommended that the user options database flag for a Cloud SQL SQL Server instance is not configured.
CIS_GCP_SQL_INSTANCE_HAS_REMOTE_ACCESS CIS 6.3.5 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.
CIS_GCP_SQL_INSTANCE_HAS_3625_TRACE_FLAG CIS 6.3.6 6.3.6 Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'off' It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off.
CIS_GCP_SQL_SERVER_INSTANCE_CONTAINED_DB_AUTH_OFF CIS 6.3.7 6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' It is recommended to set the 'contained database authentication' database flag for Cloud SQL SQL Server instances to 'off'.
CIS_GCP_SQL_SERVER_INSTANCE_SSL CIS 6.4 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL It is recommended to enforce all incoming connections to SQL database instance to use SSL.
CIS_GCP_SQL_SERVER_INSTANCE_NO_PUBLIC_ACCESS CIS 6.5 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.
CIS_GCP_SQL_SERVER_INSTANCE_NO_PUBLIC_IP CIS 6.6 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs It is recommended to configure Second Generation SQL instances to use private IPs instead of public IPs.
CIS_GCP_SQL_SERVER_INSTANCE_BACKUP CIS 6.7 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups It is recommended to have all SQL database instances set to enable automated backups.
CIS_GCP_BIGQUERY_ALL_USER_ACCESS CIS 7.1 7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
CIS_GCP_BIGQUERY_TABLE_NO_CMEK CIS 7.2 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) BigQuery by default encrypts data at rest using envelope encryption with Google-managed cryptographic keys. The data is encrypted using data encryption keys, and the data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want greater control, customer-managed encryption keys (CMEK) can be used as the encryption key management solution for BigQuery data sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of Google-managed encryption keys.
CIS_GCP_BIGQUERY_DATASET_CMEK CIS 7.3 7.3 Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data.
To read more about PCI DSS Requirements, please visit the PCI home page.

PCI DSS v4.0 requirements (12)
Requirement Title Description
PCI_ENCR_AT_REST PCI DSS 3.5 3.5 Primary account number (PAN) is secured wherever it is stored. If an intruder circumvents other security controls and gains access to encrypted account data, the data is unreadable without the proper cryptographic keys and is unusable to that intruder. This requirement applies to PANs stored in primary storage (databases, or flat files such as text files and spreadsheets) as well as in non-primary storage (backups, audit logs, exception or troubleshooting logs); all of these must be protected.
PCI_PASS_ROTATE PCI DSS 3.7.4 3.7.4 Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod. Changing encryption keys when they reach the end of their cryptoperiod is imperative to minimize the risk of someone obtaining the encryption keys and using them to decrypt data.
PCI_ENCR_IN_TRANSIT PCI DSS 4.2 4.2 Primary account number (PAN) is protected with strong cryptography during transmission. Sensitive information must be encrypted during transmission over public networks because it is easy and common for a malicious individual to intercept and/or divert data while in transit. It is considered a good practice for entities to also encrypt PAN over their internal networks, and for entities to establish any new network implementations with encrypted communications.
PCI_CERT_EXPIRY PCI DSS 4.2.1 4.2.1 Certificates used to safeguard primary account number (PAN) during transmission over open, public networks are confirmed as valid and are not expired or revoked. Confirming that certificates used to safeguard PAN during transmission over open, public networks are valid and are not expired or revoked is a best practice until 31 March 2025, after which it will be required as part of Requirement 4.2.1 and must be fully considered during a PCI DSS assessment.
PCI_INACTIVE_ACCOUNT PCI DSS 8.2.6 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity. Examine user accounts and last logon information, and interview personnel to verify that any inactive user accounts are removed or disabled within 90 days of inactivity.
PCI_PASS_COMPLEX PCI DSS 8.3.6 8.3.6 Passwords/passphrases used as authentication factors must meet the following minimum level of complexity: a minimum length of 12 characters (if the system does not support 12 characters, a minimum length of eight characters), and contain both numeric and alphabetic characters. Examine system configuration settings to verify that user password/passphrase complexity parameters are set in accordance with all elements specified in this requirement.
PCI_PASS_CHANGE PCI DSS 8.3.9 8.3.9 If passwords/passphrases are used as the only authentication factor for user access, then passwords/passphrases are changed at least once every 90 days. If passwords/passphrases are used as the only authentication factor for user access, inspect system configuration settings to verify that passwords/passphrases are managed in accordance with the specified requirement.
PCI_PASS_NOREUSE PCI DSS 8.3.7 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. Examine system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases.
PCI_MFA PCI DSS 8.4 8.4 Multi-factor authentication (MFA) is implemented to secure access into the cardholder data environment (CDE). Examine network and/or system configurations to verify MFA is implemented for all access into the CDE.
PCI_AUDIT_LOGS PCI DSS 10.2 10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. Audit logs must exist for all system components. Audit logs send alerts to the system administrator, provide data to other monitoring mechanisms, such as intrusion-detection systems (IDS) and security information and event monitoring (SIEM) tools, and provide a history trail for post-incident investigation. Logging and analyzing security-relevant events enable an organization to identify and trace potentially malicious activities.
PCI_NET_SEGMENT PCI DSS (Networking) Guidance for PCI DSS Scoping and Network Segmentation. Segmentation (or isolation) of the cardholder data environment (CDE) from the remainder of an entity's network is strongly recommended as a method that may reduce the risk to an organization relative to payment card account data.
PCI_NO_TLS1 PCI DSS (Old Protocols) Guidance on PCI DSS Requirement 4.2: SSL and TLS 1.0 are not permitted. Some protocol implementations (such as SSL, SSH v1.0, and TLS 1.0) have known vulnerabilities that an attacker can use to gain access to the cleartext data. It is critical that entities maintain awareness of industry-defined deprecation dates for the cipher suites they are using and are prepared to migrate to newer versions or protocols when older ones are no longer deemed secure.

The HIPAA Security Rule ensures that patients and their electronic Protected Health Information (ePHI) are protected, as well as healthcare facilities and health insurance providers.
To read more about the HIPAA Security Rule, please visit the HIPAA home page.

HIPAA requirements (4)
Requirement Title Description
HIPAA_ENCRYPT HIPAA (Encryption) Access Control (§ 164.312(a)(1)(iv)) — Encryption of Data In Transit or At Rest HIPAA Security Rule requires encryption of electronic Protected Health Information (ePHI) of patients when the data is in transit or at rest. 'At rest' includes the cloud storage service where ePHI has been saved (storage bucket, database, file system), and 'in transit' relates to any electronic communication of that information. The security of ePHI in transit or at rest should be established by the use of data encryption. ePHI should be rendered 'unreadable, undecipherable or unusable' so any 'acquired' healthcare or payment information is of no use to an unauthorized third party.
HIPAA_NETWORK HIPAA (Networking) Access Control (§ 164.312(a)(1)) — Network Segmentation Firewalls, network segmentation, and network access control solutions can be effective means of limiting access to electronic information systems containing electronic Protected Health Information (ePHI). Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization's network or impede the ability of a hacker already in the network from accessing other information systems — especially systems containing sensitive data. By building and implementing a network segmentation strategy, networks can be broken down into multiple segments and made safer against potential breaches by dangerous cybercriminals and hackers.
HIPAA_AUDIT HIPAA (Audit) Audit Controls (§ 164.312(b)) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic Protected Health Information (ePHI). Audit logs and trails assist companies with reducing risk associated with reviewing inappropriate access, tracking unauthorized disclosures of ePHI, detecting performance problems and flaws in applications, detecting potential intrusions and other malicious activity, and providing forensic evidence during investigation of security incidents and breaches.
HIPAA_BACKUP HIPAA (Backup) Contingency Plan 164.308(a)(7) — Data Backup Plan A contingency plan is the only way to protect the availability, integrity, and security of data during unexpected negative events. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. The data backup plan should define exactly what information is needed to be retrievable to allow the entity to continue business 'as usual' in the face of damage or destruction of data, hardware, or software.