CIS GCP Benchmark Checks in tfsec - crederauk/tfsec-custom-action GitHub Wiki
CIS Google Cloud Platform Foundation Benchmark (v1.2.0 - 05-01-2021)
Summary
🛑 Not terraform-related (rules cannot be checked by looking at Terraform code): 28
🛑 Not doable with tfsec custom checks (details): 21
☑️ Done by tfsec (already checked in the list of checks tfsec has): 31
✅ Done: 3
Just to visualize the above ratio:
🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑☑️☑️☑️☑️☑️☑️☑️☑️☑️☑️✅
1 Identity and Access Management
| CIS # | Policy | Status |
|---|---|---|
| 1.1 | Ensure that corporate login credentials are used | 🛑 Not terraform-related |
| 1.2 | Ensure that multi-factor authentication is enabled for all non-service accounts | 🛑 Not terraform-related |
| 1.3 | Ensure that Security Key Enforcement is enabled for all admin accounts | 🛑 Not terraform-related |
| 1.4 | Ensure that there are only GCP-managed service account keys for each service account | 🛑 Not terraform-related |
| 1.5 | Ensure that Service Account has no Admin privileges | 🛑 Not terraform-related |
| 1.6 | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | 🛑 Not terraform-related |
| 1.7 | Ensure user-managed/external keys for service accounts are rotated every 90 days or less | 🛑 Not doable with tfsec custom checks |
| 1.8 | Ensure that Separation of duties is enforced while assigning service account related roles to users | 🛑 Not terraform-related |
| 1.9 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | 🛑 Not doable with tfsec custom checks |
| 1.10 | Ensure KMS encryption keys are rotated within a period of 90 days | ☑️ Done by tfsec |
| 1.11 | Ensure that Separation of duties is enforced while assigning KMS related roles to users | 🛑 Not terraform-related |
| 1.12 | Ensure API keys are not created for a project | 🛑 Not terraform-related |
| 1.13 | Ensure API keys are restricted to use by only specified Hosts and Apps | 🛑 Not terraform-related |
| 1.14 | Ensure API keys are restricted to only APIs that application needs access | 🛑 Not terraform-related |
| 1.15 | Ensure API keys are rotated every 90 days | 🛑 Not terraform-related |
2 Logging and Monitoring
| CIS # | Policy | Status |
|---|---|---|
| 2.1 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | 🛑 Not doable with tfsec custom checks |
| 2.2 | Ensure that sinks are configured for all log entries | 🛑 Not terraform-related |
| 2.3 | Ensure that retention policies on log buckets are configured using Bucket Lock | 🛑 Not terraform-related |
| 2.4 | Ensure log metric filter and alerts exist for project ownership assignments/changes | 🛑 Not terraform-related |
| 2.5 | Ensure that the log metric filter and alerts exist for Audit Configuration changes | 🛑 Not terraform-related |
| 2.6 | Ensure that the log metric filter and alerts exist for Custom Role changes | 🛑 Not terraform-related |
| 2.7 | Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes | 🛑 Not terraform-related |
| 2.8 | Ensure that the log metric filter and alerts exist for VPC network route changes | 🛑 Not terraform-related |
| 2.9 | Ensure that the log metric filter and alerts exist for VPC network changes | 🛑 Not terraform-related |
| 2.10 | Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes | 🛑 Not terraform-related |
| 2.11 | Ensure that the log metric filter and alerts exist for SQL instance configuration changes | 🛑 Not terraform-related |
| 2.12 | Ensure that Cloud DNS logging is enabled for all VPC networks | 🛑 Not doable with tfsec custom checks |
3 Networking
| CIS # | Policy | Status |
|---|---|---|
| 3.1 | Ensure that the default network does not exist in a project | 🛑 Not terraform-related |
| 3.2 | Ensure legacy networks do not exist for a project | 🛑 Not terraform-related |
| 3.3 | Ensure that DNSSEC is enabled for Cloud DNS | ☑️ Done by tfsec |
| 3.4 | Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC | ☑️ Done by tfsec |
| 3.5 | Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC | ☑️ Done by tfsec |
| 3.6 | Ensure that SSH access is restricted from the internet | ☑️ Done by tfsec |
| 3.7 | Ensure that RDP access is restricted from the Internet | ☑️ Done by tfsec |
| 3.8 | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | ☑️ Done by tfsec |
| 3.9 | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | 🛑 Not terraform-related |
| 3.10 | Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses | 🛑 Not terraform-related |
4 Virtual Machines
| CIS # | Policy | Status |
|---|---|---|
| 4.1 | Ensure that instances are not configured to use the default service account | ☑️ Done by tfsec |
| 4.2 | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | ☑️ Done by tfsec |
| 4.3 | Ensure "Block Project-wide SSH keys" is enabled for VM instances | ☑️ Done by tfsec |
| 4.4 | Ensure oslogin is enabled for a Project | ☑️ Done by tfsec |
| 4.5 | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | ☑️ Done by tfsec |
| 4.6 | Ensure that IP forwarding is not enabled on Instances | ☑️ Done by tfsec |
| 4.7 | Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) | ☑️ Done by tfsec |
| 4.8 | Ensure Compute instances are launched with Shielded VM enabled | ☑️ Done by tfsec |
| 4.9 | Ensure that Compute instances do not have public IP addresses | ☑️ Done by tfsec |
| 4.10 | Ensure that App Engine applications enforce HTTPS connections | 🛑 Not terraform-related |
| 4.11 | Ensure that Compute instances have Confidential Computing enabled | ✅ Done |
5 Storage
| CIS # | Policy | Status |
|---|---|---|
| 5.1 | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | ☑️ Done by tfsec |
| 5.2 | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | ☑️ Done by tfsec |
6 Cloud SQL Database Services
6.1 MySQL Database
| CIS # | Policy | Status |
|---|---|---|
| 6.1.1 | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | 🛑 Not terraform-related |
| 6.1.2 | Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on' | 🛑 Not doable with tfsec custom checks |
| 6.1.3 | Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off' | ☑️ Done by tfsec |
6.2 PostgreSQL Database
| CIS # | Policy | Status |
|---|---|---|
| 6.2.1 | Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on' | ☑️ Done by tfsec |
| 6.2.2 | Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter | 🛑 Not doable with tfsec custom checks |
| 6.2.3 | Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on' | ☑️ Done by tfsec |
| 6.2.4 | Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on' | ☑️ Done by tfsec |
| 6.2.5 | Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on' | 🛑 Not doable with tfsec custom checks |
| 6.2.6 | Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on' | ☑️ Done by tfsec |
| 6.2.7 | Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately | 🛑 Not doable with tfsec custom checks |
| 6.2.8 | Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately | 🛑 Not doable with tfsec custom checks |
| 6.2.9 | Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' | 🛑 Not doable with tfsec custom checks |
| 6.2.10 | Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' | 🛑 Not doable with tfsec custom checks |
| 6.2.11 | Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' | 🛑 Not doable with tfsec custom checks |
| 6.2.12 | Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' | 🛑 Not doable with tfsec custom checks |
| 6.2.13 | Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately | ☑️ Done by tfsec |
| 6.2.14 | Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter | 🛑 Not doable with tfsec custom checks |
| 6.2.15 | Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on) | 🛑 Not doable with tfsec custom checks |
| 6.2.16 | Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled) | ☑️ Done by tfsec |
6.3 SQL Server
| CIS # | Policy | Status |
|---|---|---|
| 6.3.1 | Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' | 🛑 Not doable with tfsec custom checks |
| 6.3.2 | Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' | ☑️ Done by tfsec |
| 6.3.3 | Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate | 🛑 Not doable with tfsec custom checks |
| 6.3.4 | Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured | 🛑 Not doable with tfsec custom checks |
| 6.3.5 | Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' | 🛑 Not doable with tfsec custom checks |
| 6.3.6 | Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off' | 🛑 Not doable with tfsec custom checks |
| 6.3.7 | Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' | ☑️ Done by tfsec |
Others
| CIS # | Policy | Status |
|---|---|---|
| 6.4 | Ensure that the Cloud SQL database instance requires all incoming connections to use SSL | ☑️ Done by tfsec |
| 6.5 | Ensure that Cloud SQL database instances are not open to the world | ☑️ Done by tfsec |
| 6.6 | Ensure that Cloud SQL database instances do not have public IPs | 🛑 Not doable with tfsec custom checks |
| 6.7 | Ensure that Cloud SQL database instances are configured with automated backups | ☑️ Done by tfsec |
7 BigQuery
| CIS # | Policy | Status |
|---|---|---|
| 7.1 | Ensure that BigQuery datasets are not anonymously or publicly accessible | ☑️ Done by tfsec |
| 7.2 | Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK) | ✅ Done |
| 7.3 | Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets | ✅ Done |