GCP Compute Engine
Overview
Critical: 0 | High: 20 | Medium: 28 | Low: 18 | Informational: 0
Security issues (66)
Severity | Non-Compliance | Region | Resource | Issue | Remediation | Read more | Action |
---|---|---|---|---|---|---|---|
High | CIS 4.3 | us-west4 | instance-1 | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
High | PCI DSS 4.2.1 | us-west4 | instance-1 | VM instance has no Two-Factor Authentication (2FA) enabled for OS Login. | To fulfill PCI compliance requirements for additional security features for any required service, ensure that VM instances have OS login feature enabled and configured with 2FA. | More info | |
Low | — | us-west4 | instance-1 | VM instance has no deletion protection. | To prevent accidental VM deletion, ensure that VM instances have deletion protection enabled. | More info | |
Low | CIS 4.9 PCI DSS 4.2.1 | us-west4 | instance-1 | VM instance has public access enabled. | In order to minimize exposure to the Internet, ensure your VM instances are not configured to have external IP addresses. | More info | |
Low | — | us-west4 | instance-1 | VM instance has Auto-Delete behavior rule enabled for the persistent disk: instance-1. | To protect the VM data from being deleted when the associated VM instance is deleted and to meet security and compliance requirements, ensure that Auto-Delete is disabled for all persistent disks associated with your VM instances. | More info | |
High | PCI DSS 3.5 HIPAA (Encryption) | us-west4 | instance-1 | VM instance has no persistent disks encrypted with Customer-Managed Keys (CMKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, ensure that the persistent disks attached to your VM instances are encrypted with CMKs. | More info | |
Medium | — | us-west4 | instance-2 | VM instance has Automatic Restart disabled. | To allow Compute Engine to restart the instance if it crashes or is stopped, ensure automatic restart is enabled for all VM instances. | More info | |
High | CIS 4.3 | us-west4 | instance-2 | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
High | PCI DSS 4.2.1 | us-west4 | instance-2 | VM instance has no Two-Factor Authentication (2FA) enabled for OS Login. | To fulfill PCI compliance requirements for additional security features for any required service, ensure that VM instances have OS login feature enabled and configured with 2FA. | More info | |
Low | — | us-west4 | instance-2 | VM instance has no deletion protection. | To prevent accidental VM deletion, ensure that VM instances have deletion protection enabled. | More info | |
Low | CIS 4.9 PCI DSS 4.2.1 | us-west4 | instance-2 | VM instance has public access enabled. | In order to minimize exposure to the Internet, ensure your VM instances are not configured to have external IP addresses. | More info | |
Low | — | us-west4 | instance-2 | VM instance has Auto-Delete behavior rule enabled for the persistent disk: instance-2. | To protect the VM data from being deleted when the associated VM instance is deleted and to meet security and compliance requirements, ensure that Auto-Delete is disabled for all persistent disks associated with your VM instances. | More info | |
High | PCI DSS 3.5 HIPAA (Encryption) | us-west4 | instance-2 | VM instance has no persistent disks encrypted with Customer-Managed Keys (CMKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, ensure that the persistent disks attached to your VM instances are encrypted with CMKs. | More info | |
Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-west4 | instance-1 | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
Medium | — | us-west4 | instance-1 | Disk has no snapshot schedule configured. | To periodically backup data from your persistent disks, ensure that Compute disks have scheduled snapshots configured. | More info | |
Medium | — | us-west4 | instance-1 | Disk has regional disk replication disabled. | For high availability in case of a zonal outage, ensure that Compute disks have regional disk replication feature enabled. | More info | |
Medium | — | us-west4 | instance-2 | Disk has no snapshot schedule configured. | To periodically backup data from your persistent disks, ensure that Compute disks have scheduled snapshots configured. | More info | |
Medium | — | us-west4 | instance-2 | Disk has regional disk replication disabled. | For high availability in case of a zonal outage, ensure that Compute disks have regional disk replication feature enabled. | More info | |
Medium | CIS 4.5 | us-central1 | instance-group-1-ptb0 | VM instance has serial port access enabled. | Due to security and compliance regulations, ensure the serial port access is disabled for all your VM instances. | More info | |
High | CIS 4.3 | us-central1 | instance-group-1-ptb0 | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
High | — | us-central1 | instance-group-1-ptb0 | VM instance maintenance behavior is not set to "Migrate". | To prevent your production applications from experiencing disruptions during maintenance events, ensure VM instances have "On Host Maintenance" configuration set to "Migrate". | More info | |
High | — | us-central1 | instance-group-1-ptb0 | VM instance is preemptible. | To prevent your instances from being terminated in case Compute Engine requires using their resources for other tasks, ensure VM instances are not preemptible. | More info | |
Medium | CIS 4.6 PCI DSS 4.2.1 | us-central1 | instance-group-1-ptb0 | VM instance has IP forwarding enabled. | For security and compliance reasons, as instances with IP Forwarding enabled act as routers/packet forwarders, delete the VM instances with IP forwarding enabled and redeploy them with IP forwarding disabled. | More info | |
Medium | CIS 4.8 | us-central1 | instance-group-1-ptb0 | VM instance has Shielded VM security feature disabled. | For protection against rootkits and bootkits, ensure that your VM instances are configured to use Shielded VM security feature. | More info | |
High | PCI DSS 4.2.1 | us-central1 | gke-cluster-1-default-pool-fc104738-2sxd | VM instance has no Two-Factor Authentication (2FA) enabled for OS Login. | To fulfill PCI compliance requirements for additional security features for any required service, ensure that VM instances have OS login feature enabled and configured with 2FA. | More info | |
Low | — | us-central1 | gke-cluster-1-default-pool-fc104738-2sxd | VM instance has no deletion protection. | To prevent accidental VM deletion, ensure that VM instances have deletion protection enabled. | More info | |
Low | — | us-central1 | gke-cluster-1-default-pool-fc104738-2sxd | VM instance has Auto-Delete behavior rule enabled for the persistent disk: persistent-disk-0. | To protect the VM data from being deleted when the associated VM instance is deleted and to meet security and compliance requirements, ensure that Auto-Delete is disabled for all persistent disks associated with your VM instances. | More info | |
High | PCI DSS 3.5 HIPAA (Encryption) | us-central1 | gke-cluster-1-default-pool-fc104738-2sxd | VM instance has no persistent disks encrypted with Customer-Managed Keys (CMKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, ensure that the persistent disks attached to your VM instances are encrypted with CMKs. | More info | |
High | CIS 4.3 | us-central1 | gke-cluster-1-default-pool-fc104738-427b | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
High | PCI DSS 4.2.1 | us-central1 | gke-cluster-1-default-pool-fc104738-427b | VM instance has no Two-Factor Authentication (2FA) enabled for OS Login. | To fulfill PCI compliance requirements for additional security features for any required service, ensure that VM instances have OS login feature enabled and configured with 2FA. | More info | |
Low | — | us-central1 | gke-cluster-1-default-pool-fc104738-427b | VM instance has no deletion protection. | To prevent accidental VM deletion, ensure that VM instances have deletion protection enabled. | More info | |
Low | — | us-central1 | gke-cluster-1-default-pool-fc104738-427b | VM instance has Auto-Delete behavior rule enabled for the persistent disk: persistent-disk-0. | To protect the VM data from being deleted when the associated VM instance is deleted and to meet security and compliance requirements, ensure that Auto-Delete is disabled for all persistent disks associated with your VM instances. | More info | |
High | PCI DSS 3.5 HIPAA (Encryption) | us-central1 | gke-cluster-1-default-pool-fc104738-427b | VM instance has no persistent disks encrypted with Customer-Managed Keys (CMKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, ensure that the persistent disks attached to your VM instances are encrypted with CMKs. | More info | |
High | CIS 4.3 | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
High | PCI DSS 4.2.1 | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | VM instance has no Two-Factor Authentication (2FA) enabled for OS Login. | To fulfill PCI compliance requirements for additional security features for any required service, ensure that VM instances have OS login feature enabled and configured with 2FA. | More info | |
Low | — | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | VM instance has no deletion protection. | To prevent accidental VM deletion, ensure that VM instances have deletion protection enabled. | More info | |
Low | — | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | VM instance has Auto-Delete behavior rule enabled for the persistent disk: persistent-disk-0. | To protect the VM data from being deleted when the associated VM instance is deleted and to meet security and compliance requirements, ensure that Auto-Delete is disabled for all persistent disks associated with your VM instances. | More info | |
High | PCI DSS 3.5 HIPAA (Encryption) | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | VM instance has no persistent disks encrypted with Customer-Managed Keys (CMKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, ensure that the persistent disks attached to your VM instances are encrypted with CMKs. | More info | |
High | CIS 4.3 | us-central1 | mysql-5-7-secured-by-sg-1-vm | VM instance does not block project-wide SSH keys. | To maintain the principle of least privilege and prevent potential privilege escalation, ensure VM instances are not configured to allow project-wide SSH keys and use instance-level SSH keys instead. | More info | |
High | PCI DSS 4.2.1 | us-central1 | mysql-5-7-secured-by-sg-1-vm | VM instance has no Two-Factor Authentication (2FA) enabled for OS Login. | To fulfill PCI compliance requirements for additional security features for any required service, ensure that VM instances have OS login feature enabled and configured with 2FA. | More info | |
Low | — | us-central1 | mysql-5-7-secured-by-sg-1-vm | VM instance has no deletion protection. | To prevent accidental VM deletion, ensure that VM instances have deletion protection enabled. | More info | |
Low | CIS 4.9 PCI DSS 4.2.1 | us-central1 | mysql-5-7-secured-by-sg-1-vm | VM instance has public access enabled. | In order to minimize exposure to the Internet, ensure your VM instances are not configured to have external IP addresses. | More info | |
Low | — | us-central1 | mysql-5-7-secured-by-sg-1-vm | VM instance has Auto-Delete behavior rule enabled for the persistent disks: mysql-5-7-secured-by-sg-1-vm-disk1, sg-tde-mysql-shielded-vm-tmpl-boot-disk. | To protect the VM data from being deleted when the associated VM instance is deleted and to meet security and compliance requirements, ensure that Auto-Delete is disabled for all persistent disks associated with your VM instances. | More info | |
High | PCI DSS 3.5 HIPAA (Encryption) | us-central1 | mysql-5-7-secured-by-sg-1-vm | VM instance has no persistent disks encrypted with Customer-Managed Keys (CMKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, ensure that the persistent disks attached to your VM instances are encrypted with CMKs. | More info | |
Low | — | us-central1 | gke-cluster-1-default-pool-fc104738-grp | Instance group does not have autoscale enabled. | To increase efficiency and improve cost management for resources, ensure instance groups have autoscale enabled. | More info | |
Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | disk-1 | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
Medium | — | us-central1 | disk-1 | Disk is not in use. | To avoid unnecessary billing, ensure there are no unused Compute disks. | More info | |
Medium | — | us-central1 | instance-group-1-ptb0 | Disk has no snapshot schedule configured. | To periodically backup data from your persistent disks, ensure that Compute disks have scheduled snapshots configured. | More info | |
Medium | — | us-central1 | instance-group-1-ptb0 | Disk has regional disk replication disabled. | For high availability in case of a zonal outage, ensure that Compute disks have regional disk replication feature enabled. | More info | |
Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | gke-cluster-1-default-pool-fc104738-2sxd | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
Medium | — | us-central1 | gke-cluster-1-default-pool-fc104738-2sxd | Disk has no snapshot schedule configured. | To periodically backup data from your persistent disks, ensure that Compute disks have scheduled snapshots configured. | More info | |
Medium | — | us-central1 | gke-cluster-1-default-pool-fc104738-2sxd | Disk has regional disk replication disabled. | For high availability in case of a zonal outage, ensure that Compute disks have regional disk replication feature enabled. | More info | |
Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | gke-cluster-1-default-pool-fc104738-427b | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
Medium | — | us-central1 | gke-cluster-1-default-pool-fc104738-427b | Disk has no snapshot schedule configured. | To periodically backup data from your persistent disks, ensure that Compute disks have scheduled snapshots configured. | More info | |
Medium | — | us-central1 | gke-cluster-1-default-pool-fc104738-427b | Disk has regional disk replication disabled. | For high availability in case of a zonal outage, ensure that Compute disks have regional disk replication feature enabled. | More info | |
Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
Medium | — | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | Disk has no snapshot schedule configured. | To periodically backup data from your persistent disks, ensure that Compute disks have scheduled snapshots configured. | More info | |
Medium | — | us-central1 | gke-cluster-1-default-pool-fc104738-dlsn | Disk has regional disk replication disabled. | For high availability in case of a zonal outage, ensure that Compute disks have regional disk replication feature enabled. | More info | |
Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | mysql-5-7-secured-by-sg-1-vm | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
Medium | — | us-central1 | mysql-5-7-secured-by-sg-1-vm | Disk has no snapshot schedule configured. | To periodically backup data from your persistent disks, ensure that Compute disks have scheduled snapshots configured. | More info | |
Medium | — | us-central1 | mysql-5-7-secured-by-sg-1-vm | Disk has regional disk replication disabled. | For high availability in case of a zonal outage, ensure that Compute disks have regional disk replication feature enabled. | More info | |
Medium | CIS 4.7 PCI DSS 3.5 HIPAA (Encryption) | us-central1 | mysql-5-7-secured-by-sg-1-vm-disk1 | Disk is not encrypted with Customer-Supplied Encryption Keys (CSEKs). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, re-deploy a new Compute disk with CSEKs enabled, then delete the old non-encrypted disk. | More info | |
Medium | — | us-central1 | mysql-5-7-secured-by-sg-1-vm-disk1 | Disk has no snapshot schedule configured. | To periodically backup data from your persistent disks, ensure that Compute disks have scheduled snapshots configured. | More info | |
Medium | — | us-central1 | mysql-5-7-secured-by-sg-1-vm-disk1 | Disk has regional disk replication disabled. | For high availability in case of a zonal outage, ensure that Compute disks have regional disk replication feature enabled. | More info | |
Low | — | global | disk-1-us-central1-20220214160418-0t1dqh9c | Disk snapshot is more than 59 days old. | In order to optimize storage costs, identify and remove old VM persistent disk snapshots. | More info | |
Low | — | global | snapshot-1 | Disk snapshot is more than 33 days old. | In order to optimize storage costs, identify and remove old VM persistent disk snapshots. | More info | |
VM Instances (7)
VM Instance | Zone | Status | In use by | Internal IPs | External IPs | Security issues |
---|---|---|---|---|---|---|
instance-1 | us-west4-b | Running | — | 10.182.0.3 | 34.125.121.173 | 3 High + 3 others (details) |
instance-2 | us-west4-b | Running | — | 10.182.0.5 | 34.125.174.162 | 3 High + 4 others (details) |
instance-group-1-ptb0 | us-central1-a | Running | instance-group-1 | 10.128.0.5 | — | 3 High + 3 others (details) |
gke-cluster-1-default-pool-fc104738-2sxd | us-central1-c | Running | gke-cluster-1-default-pool-fc104738-grp | 10.128.0.20 | 34.133.212.100 | 2 High + 2 others (details) |
gke-cluster-1-default-pool-fc104738-427b | us-central1-c | Running | gke-cluster-1-default-pool-fc104738-grp | 10.128.0.19 | 34.132.115.236 | 3 High + 2 others (details) |
gke-cluster-1-default-pool-fc104738-dlsn | us-central1-c | Running | gke-cluster-1-default-pool-fc104738-grp | 10.128.0.18 | 34.123.164.160 | 3 High + 2 others (details) |
mysql-5-7-secured-by-sg-1-vm | us-central1-f | Running | — | 10.128.0.17 | 34.134.155.250 | 3 High + 3 others (details) |
Disks (9)
Disk | Zone | Status | Size | Disk type | In use by | Snapshot schedule | Security issues |
---|---|---|---|---|---|---|---|
instance-1 | us-west4-b | Ready | 10 GB | Balanced persistent disk | instance-1 | — | 3 Medium (details) |
instance-2 | us-west4-b | Ready | 10 GB | Balanced persistent disk | instance-2 | — | 2 Medium (details) |
disk-1 | — | Ready | 10 GB | Balanced persistent disk | — | schedule-1 | 2 Medium (details) |
instance-group-1-ptb0 | us-central1-a | Ready | 10 GB | Balanced persistent disk | instance-group-1-ptb0 | — | 2 Medium (details) |
gke-cluster-1-default-pool-fc104738-2sxd | us-central1-c | Ready | 100 GB | Standard persistent disk | gke-cluster-1-default-pool-fc104738-2sxd | — | 3 Medium (details) |
gke-cluster-1-default-pool-fc104738-427b | us-central1-c | Ready | 100 GB | Standard persistent disk | gke-cluster-1-default-pool-fc104738-427b | — | 3 Medium (details) |
gke-cluster-1-default-pool-fc104738-dlsn | us-central1-c | Ready | 100 GB | Standard persistent disk | gke-cluster-1-default-pool-fc104738-dlsn | — | 3 Medium (details) |
mysql-5-7-secured-by-sg-1-vm | us-central1-f | Ready | 10 GB | Standard persistent disk | mysql-5-7-secured-by-sg-1-vm | — | 3 Medium (details) |
mysql-5-7-secured-by-sg-1-vm-disk1 | us-central1-f | Ready | 10 GB | Standard persistent disk | mysql-5-7-secured-by-sg-1-vm | — | 3 Medium (details) |
Snapshots (3)
Images (1)
Image | Location | Status | Created | Disk size | Archive size | Security issues |
---|---|---|---|---|---|---|
nested-virt | us | Ready | — | 255 GB | 671.35 MB | — |
Instance Groups (2)
Instance Group | Zone | Created | Number of instances | Security issues |
---|---|---|---|---|
instance-group-1 | us-central1-a | — | 1 | — |
gke-cluster-1-default-pool-fc104738-grp | us-central1-c | — | 3 | 1 Low (details) |