Compliance Manager cloud controls

This document provides reference content for the built-in cloud controls that are included in Compliance Manager.

Google Cloud cloud controls

Activate Security Command Center

Activate Security Command Center to evaluate security and data attack surfaces and help mitigate and remediate risks related to misconfigurations, vulnerabilities, and threats.

Enforcement mode AUDIT
Finding category SCC_NOT_ACTIVATED

Remediation steps

To activate Security Command Center, see Overview of activating Security Command Center.

Activate Security Command Center for Continuous Monitoring

Use Security Command Center to define security policies and deploy and monitor them.

Enforcement mode AUDIT
Finding category SECURITY_COMMAND_CENTER_NOT_ACTIVATED

Remediation steps

Complete the following:

Allocate Audit Log Storage Capacity

Allocate sufficient audit log storage capacity to accommodate your audit logs.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category INSUFFICIENT_AUDIT_LOG_STORAGE

Remediation steps

  • Verify that you can see audit logs.

  • Verify that logs are being exported to the Cloud Storage bucket.

  • Verify the retention period for your log buckets.

  • Verify log storage capacity. In the console, go to Logging > Metrics and enter the following metric name: custom.googleapis.com/log_storage_capacity

  • Verify the alerting policy for low log storage in your bucket.

  • Verify that storage capacity is sufficient for the Cloud Storage bucket (the usage is less than 90%).

  • Review the bucket retention period regularly and adjust log storage capacity as needed.

Apply Security Engineering Principles

Apply system security and privacy engineering principles in the specification, design, development, implementation, and modification of the system components.

Enforcement mode AUDIT
Finding category MISSING_SECURITY_ENGINEERING_PRINCIPLES

Remediation steps

Complete the following:

  • Address security requirements by building and applying security engineering principles to new development and to the operation of your data and information systems.

  • Include defense in depth, secure coding, security control tailoring, threat modeling, and risk management at every phase of the development life cycle of your data and information systems.

Assess Actions that Don't Require Identification or Authentication

Allow specific user actions without identification or authentication if they are deemed unnecessary, such as accessing public websites. The exception applies when identification and authentication have not occurred, not when they are simply not repeated.

Enforcement mode AUDIT
Finding category ACTIONS_WITHOUT_IDENTIFICATION_AUTHENTICATION

Remediation steps

  • Review permissions assigned to service accounts, users, and roles.

  • Monitor service accounts, especially those with elevated privileges.

  • Review IAM allow policies to ensure only authorized entities have necessary permissions.

  • Review external IP addresses and firewall rules to help prevent unauthorized access.

  • Identify the user actions that don't require identification or authentication.

  • Review system designs and use cases to understand the scenarios.

  • Evaluate potential risks and impact for exemption.

  • Document your rationale for exemptions.

  • Identify the security controls to mitigate potential risks.

  • Align exemptions with your organization's compliance requirements.

Assess the Availability of Compute and GKE Resources

Protect the availability of Compute VM instances and Google Kubernetes Engine (GKE) containers by allocating sufficient resources based on priority, quota, and security safeguards.

Enforcement mode AUDIT
Finding category MISSING_RESOURCE_ASSESSMENT

Remediation steps

Complete the following:

Assign Correct Bucket Label

Bucket labels let you create key:value pairs that are stored as part of the bucket's metadata. You can use these labels to help identify the purpose of the bucket to your organization.

Enforcement mode AUDIT
Finding category BUCKET_LABEL_INCORRECT

Remediation steps

Set the correct labels for your Cloud Storage buckets. For more information, see Add, modify, or remove a bucket's labels.

Authorize and Monitor Privileged Remote Access

Authorize the execution of privileged commands and access to security-relevant information through remote access.

Enforcement mode AUDIT
Finding category PRIVILEGED_REMOTE_ACCESS_NOT_AUTHORIZED_MONITORED

Remediation steps

Authorize Wireless Access to Production Systems

Authorize wireless access to applications in production environments.

Enforcement mode AUDIT
Finding category WIRELESS_ACCESS_PRODUCTION_SYSTEMS_NOT_AUTHORIZED

Remediation steps

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access to your systems. Authorize wireless access to your systems before you allow such connections.

Automate Account Management System

Ensure that you have IAM policy structures to automate IAM role assignments based on resources and context-specific conditions.

Enforcement mode AUDIT
Finding category ACCOUNT_MANAGEMENT_SYSTEMS_NOT_SUPPORTED

Remediation steps

To retrieve log entries, see List log entries.

To get a ServiceAccount, see Get a ServiceAccount.

To get the definition of a role, see Get Role Definition.

Automate Integrity Verification

Employ integrity verification tools to detect unauthorized changes to your software, firmware, and information.

Enforcement mode AUDIT
Finding category IMPROPER_INTEGRITY_VERIFICATION_MECHANISMS

Remediation steps

Complete the following:

Automate Near Real-time Event Analysis

Use automated tools to support near real-time analysis of events.

Enforcement mode AUDIT
Finding category REAL_TIME_EVENT_ANALYSIS_NOT_AUTOMATED

Remediation steps

Implement automated real-time event analysis:

Avoid RSASHA1 for DNSSEC Signing

Don't use the RSASHA1 algorithm for key signing when enabling DNSSEC for Cloud DNS zones.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category RSASHA1_FOR_SIGNING

Remediation steps

Replace the algorithm. For more information, see Using advanced signing options.

Block Access to RDP Port

Set up firewall rules to protect your RDP server. Only allow connections from trusted networks and block other traffic.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_RDP_PORT

Remediation steps

Remove public access from the RDP port. Go to the Firewall policies page in the Google Cloud console and edit the firewall rule. Under Source IP ranges, delete 0.0.0.0/0 and add the specific IP addresses or IP ranges that you want to let connect to the instance. Select TCP and UDP, and enter port 3389 for both.

Block Access to SSH Port

Set up firewall rules to protect your SSH server. Only allow connections from trusted networks and block other traffic.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_SSH_PORT

Remediation steps

Remove public access from the SSH port. Go to the Firewall policies page in the Google Cloud console and edit the firewall rule. Under Source IP ranges, delete 0.0.0.0/0 and add the specific IP addresses or IP ranges that you want to let connect to the instance. Select TCP and SCTP, and enter port 22 for both.

Block Administrator Roles from Service Accounts

A service account with Administrator, Owner, or Editor privileges has broad access to your Google Cloud environment, which can impact its security.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ADMIN_SERVICE_ACCOUNT

Remediation steps

Go to the IAM policy page in the Google Cloud console, click Edit principal, and remove the excessive role or roles.

Block Automatic IAM Grants to Default Service Accounts

Use the "Disable Automatic IAM Grants for Default Service Accounts" (iam.automaticIamGrantsForDefaultServiceAccounts) organization policy constraint to prevent automatic role grants to default service accounts.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_AUTOMATIC_IAM_GRANTS_TO_DEFAULT_SERVICE_ACCOUNTS_ENABLED

Remediation steps

To disable the automatic role grant, see Disable automatic role grants to default service accounts.

Block Connections from All IP Addresses

Firewall rules that permit connections from all IP addresses, like 0.0.0.0/0, or from all ports expose resources to attacks from unintended sources.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_FIREWALL

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges instead. For more information, see Use VPC firewall rules.

Block Connections to Cassandra Ports from All IP Addresses

Block connections on TCP ports 7000, 7001, 7199, 8888, 9042, 9160, 61620, and 61621 from all IP addresses to help prevent unwanted traffic and attacks on Apache Cassandra services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_CASSANDRA_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:7000, tcp:7001, tcp:7199, tcp:8888, tcp:9042, tcp:9160, tcp:61620, and tcp:61621 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to CiscoSecure/WebSM Ports from All IP Addresses

Block connections on TCP port 9090 from all IP addresses to help prevent undesired traffic and attacks on CiscoSecure/WebSM services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_CISCOSECURE_WEBSM_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:9090 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to Directory Services Ports from All IP Addresses

Block connections on TCP port 445 or UDP port 445 from all IP addresses to help prevent undesired traffic and attacks on Directory Services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_DIRECTORY_SERVICES_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:445 and udp:445 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to DNS Ports from All IP Addresses

Block connections on TCP port 53 or UDP port 53 from all IP addresses to help prevent undesired traffic and attacks on DNS services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_DNS_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:53 and udp:53 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to Elasticsearch Ports from All IP Addresses

Block connections on TCP ports 9200 and 9300 from all IP addresses to help prevent undesired traffic and attacks on Elasticsearch services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_ELASTICSEARCH_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:9200 and tcp:9300 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to FTP Ports from All IP Addresses

Block connections on TCP port 21 from all IP addresses to help prevent undesired traffic and attacks on FTP services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_FTP_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:21 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to HTTP Ports from All IP Addresses

Block connections on TCP port 80 from all IP addresses to help prevent undesired traffic and attacks on HTTP services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_HTTP_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:80 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to LDAP Ports from All IP Addresses

Block connections on TCP ports 389 and 636 and UDP port 389 from all IP addresses to help prevent undesired traffic and attacks on LDAP services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_LDAP_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:389, tcp:636, and udp:389 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to Memcached Ports from All IP Addresses

Block connections on TCP ports 11211, 11214, and 11215 or UDP ports 11211, 11214, and 11215 from all IP addresses to help prevent undesired traffic and attacks on Memcached services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_MEMCACHED_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:11211, tcp:11214, tcp:11215, udp:11211, udp:11214, and udp:11215 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to MongoDB Ports from All IP Addresses

Block connections on TCP ports 27017, 27018, and 27019 from all IP addresses to help prevent undesired traffic and attacks on MongoDB services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_MONGODB_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:27017, tcp:27018, and tcp:27019 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to MySQL Ports from All IP Addresses

Block connections on TCP port 3306 from all IP addresses to help prevent undesired traffic and attacks on MySQL services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_MYSQL_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:3306 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to NetBIOS Ports from All IP Addresses

Block connections from all IP addresses to TCP and UDP ports 137, 138, and 139 to help prevent undesired traffic and attacks on NetBIOS services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_NETBIOS_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:137-139 and udp:137-139 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to Oracle Database Ports from All IP Addresses

Block connections from all IP addresses to TCP ports 1521, 2483, and 2484 or UDP ports 2483 and 2484 to help prevent undesired traffic and attacks to Oracle databases.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_ORACLEDB_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:1521, tcp:2483, tcp:2484, udp:2483, and udp:2484 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.

Block Connections to POP3 Server Ports from All IP Addresses

Block connections on TCP port 110 from all IP addresses to help prevent undesired traffic and attacks on POP3 services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_POP3_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:110 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.

Block Connections to PostgreSQL Server Ports from All IP Addresses

Block connections on TCP port 5432 from all IP addresses to help prevent undesired traffic and attacks on PostgreSQL services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_POSTGRESQL_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:5432 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.

Block Connections to Redis Server Ports from All IP Addresses

Block connections on TCP port 6379 from all IP addresses to help prevent undesired traffic and attacks on Redis services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_REDIS_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:6379 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.

Block Connections to SMTP Server Ports from All IP Addresses

Block connections on TCP port 25 from all IP addresses to help prevent undesired traffic and attacks on SMTP services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_SMTP_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:25 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.

Block Connections to Telnet Server Ports from All IP Addresses

Block connections on TCP port 23 from all IP addresses to help prevent undesired traffic and attacks on Telnet services.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category OPEN_TELNET_PORT

Remediation steps

Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:23 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.

Block Default VPC Network for Vertex AI Workbench Instances

Don't create Workbench instances in the default VPC network to help prevent the use of its over-permissive default firewall rules.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_WORKBENCH_DEFAULT_VPC_NETWORK_USED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't change the network on a Workbench instance after it's created. Delete the existing Workbench instances, create another VPC network, and create new instances that use the new VPC network.

  1. Delete the instances. For instructions to shut down the instance before deleting it, see Shut down a Vertex AI Workbench instance.

  2. Create a VPC network and subnet for the project. For instructions, see Create and manage VPC networks. For information about Workbench networking requirements, see Network configuration options.

  3. Create the instances. For instructions, see Create a Vertex AI Workbench instance. In the Networking section, select the VPC network and subnet that you created.

Block External IP Address Access on Compute Engine VM Instances

Use the "Define allowed external IPs for VM instances" (compute.vmExternalIpAccess) organization policy constraint to block public access to your VMs.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category ORG_POLICY_EXTERNAL_IP_ACCESS_ALLOWED

Remediation steps

To block external IP addresses on Compute Engine VM instances, see Restrict external IP addresses to specific instances.

Block File Downloading in JupyterLab Console

Don't permit file downloading from the JupyterLab console in Workbench instances to reduce data exfiltration risks and help prevent malware distribution.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category VERTEX_AI_JUPYTERLAB_FILE_DOWNLOADING_ENABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

Turn off file downloading for the instance.

  1. In the Google Cloud console, go to the Instances page.

  2. Click the instance that you want to configure.

  3. In the Software and security tab, add the notebook-disable-downloads metadata key and set the value to TRUE.

For more information, see Update an instance's metadata.

Block Internet Access for Vertex AI Runtime Templates

Don't permit internet access in Colab Enterprise runtime templates to reduce the external attack surface and help prevent potential data exfiltration.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_RUNTIME_TEMPLATE_INTERNET_ACCESS_ENABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't change this setting after the runtime template is created. Delete the existing runtime template and create a new one with internet access turned off.

  1. Delete the runtime template. For instructions, see Delete a runtime template.

  2. Create a runtime template. For instructions, see Create a runtime template. To turn off internet access, in the Networking and security section, clear Enable public internet access.

Block Legacy Authorization on GKE Clusters

Disable Legacy Authorization to use role-based access control (RBAC). RBAC helps improve security by defining specific permissions at the cluster and namespace levels.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category LEGACY_AUTHORIZATION_ENABLED

Remediation steps

Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Select the cluster, click Edit, and select Disabled from the Legacy Authorization drop-down list.

Block Project-Wide SSH Keys on Compute Engine Instances

Project-wide SSH keys provide access to all VM instances within the project, which might lead to unauthorized access.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED

Remediation steps

Block SSH keys on the VM instance. Go to the Compute Engine > VM instances page in the Google Cloud console. Click the instance name in the finding. On the VM instance details page, click Edit. Under SSH Keys, select Block project-wide SSH keys.

Block Public Access to Cloud Storage Buckets with Sensitive Data

The Data Security Posture Management (DSPM) system has detected publicly exposed sensitive data. This poses a data security risk and requires immediate attention.

Enforcement mode DETECTIVE
Severity CRITICAL
Finding category SENSITIVE_DATA_PUBLIC_BUCKET_ACL

Remediation steps

  1. Follow the remediation steps for the related findings:
    • Public Bucket ACL finding
    • High Sensitive Data finding
  2. After either of those findings is resolved, this finding is resolved automatically.

For more detailed information, view the user guide.

Block Public IP Address for Vertex AI Workbench Instances

Don't permit external IP addresses for Workbench instances to reduce exposure to the internet and minimize the risk of unauthorized access.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_WORKBENCH_PUBLIC_IP_ENABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't change this setting after the Workbench instance is created. Delete the existing instance and create instances with the appropriate IP configuration.

  1. Delete the instance. For instructions to shut down the instance before deleting it, see Shut down a Vertex AI Workbench instance.

  2. In the Google Cloud console, go to the Instances page.

  3. Create a new instance. In the Networking section, clear Assign external IP address.

  4. Consider setting the Define allowed external IPs for VM instances (constraints/compute.vmExternalIpAccess) organization policy constraint at the organization level to prevent VM instances from using external IP addresses. For more information, see Restrict external IP addresses to specific instances.

Block Public IP Addresses for AlloyDB Cluster Instances

AlloyDB for PostgreSQL database instances with private IP addresses help to reduce your organization's attack surface and improve network security.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ALLOYDB_PUBLIC_IP

Remediation steps

Go to the AlloyDB > Clusters page in the Google Cloud console. Click the cluster in the Resource Name column, and edit the instance. Go to Connectivity, and clear Enable Public IP.

Block Public IP Addresses for Cloud SQL Instances

Don't assign public IP addresses to Cloud SQL database instances.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_PUBLIC_IP

Remediation steps

Go to the SQL > Instances page in the Google Cloud console. Click Connections > Networking, and clear the Public IP checkbox for the instance. Use a private IP address instead. For more information, see Configuring private IP for an existing instance.

Block Root Access on Vertex AI Workbench Instances

Don't permit root access on Workbench instances to help prevent unauthorized modification of critical system files or installation of malicious software.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category VERTEX_AI_WORKBENCH_ROOT_ACCESS_ENABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

Turn off root access on the Workbench instance.

  1. In the Google Cloud console, go to the Instances page.

  2. Click the instance that you want to configure.

  3. In the Software and security tab, clear the Root access to the instance setting.

  4. Click Submit.

Block Root Access on Vertex AI Workbench Instances

Use the "Disable root access on new Vertex AI Workbench user-managed notebooks and instances" (ainotebooks.disableRootAccess) organization policy constraint to help prevent newly created Vertex AI Workbench user-managed notebooks and instances from enabling root access.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_ROOT_ACCESS_ON_VERTEXAI_ENABLED

Remediation steps

Set the Disable root access on new Vertex AI Workbench user-managed notebooks and instances (ainotebooks.disableRootAccess) organization policy constraint to true to block root access on new Vertex AI Workbench user-managed notebooks and instances. For more information, see Updating policies with boolean rules.

Block Serial Ports for Compute Engine Instances

Serial console support on an instance poses a security risk as clients might connect from any IP address. Disabling serial ports helps protect from such exposures.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category COMPUTE_SERIAL_PORTS_ENABLED

Remediation steps

Block serial ports. Go to the Compute Engine > VM instances page in the Google Cloud console. Click the VM instance name listed in the finding. On the VM instance details page, click Edit. Under Remote access, turn off Enable connecting to serial ports.

Block Service Account Key Creation

Use the "Disable service account key creation" (iam.disableServiceAccountKeyCreation) organization policy constraint to prevent the creation of service account external keys and Cloud Storage HMAC keys.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_SERVICE_ACCOUNT_KEY_CREATION_ENABLED

Remediation steps

To enforce the organization policy, see Disable service account key creation.

Block Service Account Key Uploads

Use the "Disable Service Account Key Upload" (iam.disableServiceAccountKeyUpload) organization policy constraint to prevent the upload of public keys to service accounts.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_SERVICE_ACCOUNT_KEY_UPLOAD_ENABLED

Remediation steps

To enforce the organization policy, see Disable service account key upload.

Block Terminal Access on Vertex AI Workbench Instances

Use the "Disable terminal on new Vertex AI Workbench instances" (ainotebooks.disableTerminal) organization policy constraint to help prevent the creation of Vertex AI Workbench instances with the terminal enabled.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category TERMINAL_ACCESS_ON_VERTEXAI_ENABLED

Remediation steps

Set the Disable terminal on new Vertex AI Workbench instances (ainotebooks.disableTerminal) organization policy constraint to true to block the terminal on new Vertex AI Workbench instances. For more information, see Updating policies with boolean rules.

Configure a Wireless Intrusion Detection Mechanism

Employ a wireless intrusion detection system to identify rogue wireless devices and detect attack attempts and potential system breaches.

Enforcement mode AUDIT
Finding category WIRELESS_INTRUSION_DETECTION_MECHANISM_NOT_CONFIGURED

Remediation steps

This control doesn't apply to Google Cloud as Google doesn't use or permit wireless networks in our production environment. Additionally, access to Google's data centers is highly restricted and all unused ports are disabled on switches. During the inspection process for unauthorized wireless devices, the Google Security Team walks through data centers to ensure connected devices are authorized and meet Google configuration management requirements. Verify that you have set up appropriate wireless intrusion detection systems in your environment, if applicable.

Configure Access Controls for the Network Boundary

Control external communication over the network using firewall rules.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category MISSING_ACCESS_CONTROLS_NETWORK_BOUNDARY

Remediation steps

  • Verify these ports are blocked:

Cassandra: TCP 7000, 7001, 7199, 8888, 9042, 9160, 61620, 61621

CiscoSecure/WebSM: TCP 9090

Directory Services: TCP 445; UDP 445

DNS services: TCP 53; UDP 53

Elasticsearch: TCP 9200, 9300

FTP: TCP 21

HTTP: TCP 80

LDAP: TCP 389, 636; UDP 389

Memcached: TCP 11211, 11214, 11215; UDP 11211, 11214, 11215

MongoDB: TCP 27017-27019

MySQL: TCP 3306

NetBIOS: TCP 137-139; UDP 137-139

OracleDB: TCP 1521, 2483, 2484; UDP 2483, 2484

POP3: TCP 110

PostgreSQL: TCP 5432

RDP: TCP 3389; UDP 3389

Redis: TCP 6379

SMTP: TCP 25

SSH: TCP 22; SCTP 22

Telnet: TCP 23

  • Verify SSL.

  • Verify NAT to instances without public IPs.

  • Configure logging and VPC Flow Logs.

  • Verify GKE network policy and Dataplane V2.

  • Verify VMs don’t have public IPs. For stopped instances, ensure network doesn’t permit external access.

  • Verify Compute Engine default service account isn’t used.
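One way to check the "Verify these ports are blocked" step offline, as an added example that is not part of the Compliance Manager documentation: the script below takes VPC firewall rules shaped like the JSON that `gcloud compute firewall-rules list --format=json` prints and reports every ingress allow rule that opens one of the listed ports to a public source range. The rule set is constructed, and "public" is simplified to mean any source range outside RFC 1918 space.

```python
"""Offline check of VPC firewall rules, shaped like the JSON that
`gcloud compute firewall-rules list --format=json` prints, against the port
list from the control above. Added example; the rule set is constructed."""
import ipaddress

# (protocol -> ports or ranges) transcribed from the control's list.
BLOCKED = {
    "tcp": ["7000", "7001", "7199", "8888", "9042", "9160", "61620", "61621",
            "9090", "445", "53", "9200", "9300", "21", "80", "389", "636",
            "11211", "11214", "11215", "27017-27019", "3306", "137-139",
            "1521", "2483", "2484", "110", "5432", "3389", "6379", "25",
            "22", "23"],
    "udp": ["445", "53", "389", "11211", "11214", "11215", "137-139",
            "2483", "2484", "3389"],
    "sctp": ["22"],
}
_RFC1918 = [ipaddress.ip_network(c)
            for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _span(port):
    """'27017-27019' -> (27017, 27019); '22' -> (22, 22)."""
    lo, _, hi = port.partition("-")
    return int(lo), int(hi or lo)

def _overlaps(a, b):
    """True if two port specs share at least one port."""
    return _span(a)[0] <= _span(b)[1] and _span(b)[0] <= _span(a)[1]

def _is_public(cidr):
    """Simplification: anything outside RFC 1918 space, including 0.0.0.0/0
    and any IPv6 range, is treated as reachable from the internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version != 4 or not any(net.subnet_of(p) for p in _RFC1918)

def exposed_ports(rule, blocked=BLOCKED):
    """(protocol, port) pairs from the blocked list that this rule opens to a
    public source range. Egress, deny and disabled rules never count."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return []
    if not any(_is_public(c) for c in rule.get("sourceRanges", [])):
        return []
    hits = []
    for allow in rule.get("allowed", []):
        proto = allow.get("IPProtocol", "").lower()
        for p in (blocked if proto == "all" else [proto]):
            for bad in blocked.get(p, []):
                # No "ports" key means every port of that protocol is open.
                if "ports" not in allow or any(_overlaps(r, bad) for r in allow["ports"]):
                    hits.append((p, bad))
    return hits

def audit(rules):
    """Map each offending rule name to the blocked ports it exposes."""
    report = {}
    for rule in rules:
        hits = exposed_ports(rule)
        if hits:
            report[rule["name"]] = hits
    return report

# Constructed rule set (not from a real project).
SAMPLE_RULES = [
    {"name": "allow-ssh-corp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]},
                 {"IPProtocol": "udp", "ports": ["3389"]}]},
    {"name": "allow-mongo-wide", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["198.51.100.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["27000-27100"]}]},
    {"name": "allow-https", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "legacy-open-all", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_RULES).items():
        print(name, "exposes", ", ".join(f"{p}/{port}" for p, port in hits))
```

A rule whose port range merely overlaps a listed range (27000-27100 against MongoDB's 27017-27019) is flagged too, which a plain string comparison of port lists would miss.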

Configure Log Metrics and Alerts for Audit Logging Changes

Configure log metrics and alerts to monitor changes to IAM allow policies. Log metrics and alerts configured to monitor IAM allow policy changes help to identify over-privileged users or suspicious activity.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category AUDIT_CONFIG_NOT_MONITORED

Remediation steps

Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the User-defined metrics section, click inside the Filter box, select Filter, and paste the following text, replacing the existing text:

resource.type=global AND protoPayload.methodName=SetIamPolicy AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*

Click Create metric and set the alert policy.

Configure Log Metrics and Alerts for Cloud SQL Configuration Changes

Configure log metrics and alerts to monitor configuration changes for Cloud SQL instances. Monitoring changes helps detect misconfigurations.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SQL_INSTANCE_NOT_MONITORED

Remediation steps

Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the User-defined metrics section, click inside the Filter box, select Filter, and paste the following text, replacing the existing text:

protoPayload.methodName=cloudsql.instances.update

Click Create metric and set the alert policy.

Configure Log Metrics and Alerts for Cloud Storage IAM Policy Changes

Log metrics and alerts configured to monitor Cloud Storage IAM permission changes help to identify over-privileged users or suspicious activity.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category BUCKET_IAM_NOT_MONITORED

Remediation steps

Go to the Log-based Metrics page within Logging in the Google Cloud console. Click Create metric in the User-defined metrics section. Click inside the Filter box, select Filter, and paste the following text, replacing the existing text:

resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions

After you create the metric, go to the Actions menu and click Create alert from metric to set alert policies. For more information, see Log-based metrics overview.

Configure Log Metrics and Alerts for Custom Role Changes

Configure log metrics and alerts to monitor custom role changes. Monitoring role creation, deletion, and update activities helps to identify over-privileged roles at early stages.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category CUSTOM_ROLE_NOT_MONITORED

Remediation steps

Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the User-defined metrics section, click inside the Filter box, select Filter, and paste the following text, replacing the existing text (the parentheses group the three method names so that the resource type condition applies to all of them):

resource.type=iam_role AND (protoPayload.methodName=google.iam.admin.v1.CreateRole OR protoPayload.methodName=google.iam.admin.v1.DeleteRole OR protoPayload.methodName=google.iam.admin.v1.UpdateRole)

Click Create metric and set the alert policy.

Configure Log Metrics and Alerts for VPC Network Changes

Configure log metrics and alerts to monitor VPC network changes. Monitoring network changes helps detect incorrect or unauthorized changes to your network setup.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category NETWORK_NOT_MONITORED

Remediation steps

Go to the Logs-based Metrics page within Logging in the Google Cloud console. Click Create metric. In the Metric type field, select Counter. In the Details section, set Units to 1. In the Builder filter box, copy and paste the following text, replacing the existing text:

resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")

Click Create metric and set the alert policy.

Configure Log Metrics and Alerts for VPC Network Firewall Changes

Configure log metrics and alerts to monitor VPC network firewall rule changes. Monitoring VPC network firewall rule changes helps detect suspicious activity and helps to provide better insight into network access changes.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category FIREWALL_NOT_MONITORED

Remediation steps

Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the Metric type field, select Counter. In the Details section, set Units to 1. In the Builder filter box, copy and paste the following text, replacing the existing text:

resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.delete")

Click Create metric and set the alert policy.

Configure Log Metrics and Alerts for VPC Route Changes

Configure log metrics and alerts to monitor VPC network route changes. Monitoring VPC route changes is important for smooth VPC traffic flow.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category ROUTE_NOT_MONITORED

Remediation steps

Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the User-defined metrics section, click inside the Filter box, select Filter, and paste the following text, replacing the existing text:

resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert")

Click Create metric and set the alert policy.
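Before creating these metrics, it is useful to see which audit-log entries each filter would count. The script below is an added example, not part of the Compliance Manager documentation: it implements a small subset of the Cloud Logging query language (exact match with =, substring match with :, presence with :*, AND, OR and parentheses) and runs the filters from the audit-configuration, custom-role, VPC route and firewall controls above over constructed audit-log entries; the Cloud SQL and bucket IAM filters are single-term or AND-only and evaluate the same way. The evaluator is not Google's engine and refuses AND and OR mixed at one level without parentheses rather than guess at precedence; the metric names are assumptions.

```python
"""Offline evaluation of the log-based metric filters from the "Configure Log
Metrics and Alerts" controls against constructed audit-log entries. Added
example; a simplified subset of the Cloud Logging query language, not Google's."""
import re

# Filters copied from the remediation steps; the metric names are assumptions.
FILTERS = {
    "audit-config-changes":
        "resource.type=global AND protoPayload.methodName=SetIamPolicy AND "
        "protoPayload.serviceData.policyDelta.auditConfigDeltas:*",
    "custom-role-changes":
        'resource.type="iam_role" AND ('
        'protoPayload.methodName="google.iam.admin.v1.CreateRole" OR '
        'protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR '
        'protoPayload.methodName="google.iam.admin.v1.UpdateRole")',
    "vpc-route-changes":
        'resource.type="gce_route" AND ('
        'protoPayload.methodName:"compute.routes.delete" OR '
        'protoPayload.methodName:"compute.routes.insert")',
    "firewall-changes":
        'resource.type="gce_firewall_rule" AND ('
        'protoPayload.methodName:"compute.firewalls.insert" OR '
        'protoPayload.methodName:"compute.firewalls.patch" OR '
        'protoPayload.methodName:"compute.firewalls.delete")',
}
_TOKEN = re.compile(r'\(|\)|\bAND\b|\bOR\b|[^\s()]+')

def _lookup(entry, path):
    """Follow a dotted path into a nested dict; None if any part is missing."""
    cur = entry
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _term(tok):
    """field=value: exact match; field:value: substring; field:*: present."""
    m = re.match(r'([A-Za-z0-9_.]+)([=:])(.+)$', tok)
    if not m:
        raise ValueError("bad term: " + tok)
    field, op, value = m.groups()
    value = value.strip('"')

    def pred(entry):
        actual = _lookup(entry, field)
        if op == ":" and value == "*":
            return actual not in (None, "", [], {})
        if actual is None:
            return False
        return str(actual) == value if op == "=" else value in str(actual)
    return pred

def _parse(tokens, pos=0):
    """Parse one parenthesised group; return (predicate, next position)."""
    operands, ops = [], []
    while pos < len(tokens) and tokens[pos] != ")":
        tok = tokens[pos]
        if tok in ("AND", "OR"):
            ops.append(tok)
            pos += 1
        elif tok == "(":
            pred, pos = _parse(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            operands.append(pred)
            pos += 1
        else:
            operands.append(_term(tok))
            pos += 1
    if len(ops) != len(operands) - 1:
        raise ValueError("operator/operand mismatch")
    if len(set(ops)) > 1:
        raise ValueError("AND and OR mixed at one level; add parentheses")
    if not ops:
        return operands[0], pos
    combine = all if ops[0] == "AND" else any
    return (lambda e: combine(p(e) for p in operands)), pos

def compile_filter(text):
    """Compile a filter string into a predicate over one log entry."""
    tokens = _TOKEN.findall(text)
    pred, pos = _parse(tokens)
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses")
    return pred

def matching_metrics(entry, filters=FILTERS):
    """Names of the metrics whose filter this entry would count toward."""
    return [name for name, text in filters.items() if compile_filter(text)(entry)]

# Constructed entries shaped like Admin Activity audit logs (not real data).
SAMPLE_ENTRIES = [
    {"resource": {"type": "gce_route"},
     "protoPayload": {"methodName": "v1.compute.routes.delete"}},
    {"resource": {"type": "global"},
     "protoPayload": {"methodName": "SetIamPolicy", "serviceData": {
         "policyDelta": {"auditConfigDeltas": [{"action": "ADD"}]}}}},
    {"resource": {"type": "iam_role"},
     "protoPayload": {"methodName": "google.iam.admin.v1.UpdateRole"}},
    {"resource": {"type": "gce_firewall_rule"},  # a read, not a change
     "protoPayload": {"methodName": "v1.compute.firewalls.get"}},
]
```

Note that the route and firewall filters use the substring operator (:), so "v1.compute.routes.delete" still counts, while the role filter uses exact matches (=) and would miss a differently versioned method name.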

Configure Log Sinks

Configure log sinks and export the log entries to extend storage periods.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category LOG_NOT_EXPORTED

Remediation steps

See Overview of log exports and Create a log sink.

Configure Network Devices to Fail in a Secure State

Configure all your managed boundary protection devices and systems to fail in a secure state.

Enforcement mode AUDIT
Finding category NETWORK_DEVICES_NOT_CONFIGURED_SECURE_FAILURE

Remediation steps

Configure all boundary protection devices such as VPC Service Controls, VPCs, firewalls, load balancers, proxy servers, and other security mechanisms that control traffic to and from your cloud resources to fail in a secure state.

Configure Network Traffic Monitoring

To best monitor network traffic, use separate subnetworks with managed interfaces to physically separate security tools, mechanisms, and support components from other internal system components.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SECURITY_TOOLS_MECHANISMA_NOT_SEPARATED_PHYSICALLY

Remediation steps

Complete the following:

  • Review firewall rules and allowed and denied ports.

  • Verify SSL certificates.

  • Verify NAT configurations are set to provide outbound connectivity to instances without public IPs.

  • Verify logging.

  • Verify VPC Flow Logs.

Configure Remote Access Inactivity Timeout

Set the inactivity timeout for remote access sessions to 15 minutes or less. You can use the HTTP Keep Alive Timeout configuration to disconnect or disable remote access to your system.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category REMOTE_ACCESS_INACTIVITY_TIMEOUT_NOT_CONFIGURED

Remediation steps

Set the httpKeepAliveTimeoutSec for Compute Engine instance's target HTTP proxies to less than or equal to 900 seconds. For more information, see Target proxies overview.

Configure Security Logging Policies for Google Cloud Services

Define and deploy a security logging policy.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category UNDEFINED_AUDIT_LOGGING_POLICY

Remediation steps

Complete the following:

  • Enable audit logging.

  • Create a security alerting policy file in YAML or JSON format. For example:

    logging:
      auditLog: LOGS_BUCKET_NAME
      retentionPeriod: 30d

  • Apply the policy using Deployment Manager. For example:

    gcloud deployment-manager deployments create POLICY_DEPLOYMENT_NAME --config=POLICY_FILE.yaml

  • Configure Cloud Storage bucket logging and retention policies.

  • Automate policy checks and enforcement using organization policy constraints.

Configure the Allowed Ingress Settings for Cloud Run Organization Policy Constraint

Configure the permitted ingress settings for Cloud Run using the "Allowed Ingress Settings (Cloud Run)" (constraints/run.allowedIngress) organization policy. When this constraint is enforced, services are required to have ingress settings that match one of the allowed values.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ALLOWED_INGRESS_ORG_POLICY

Remediation steps

Configure the Allowed Ingress Settings (Cloud Run) constraint to ensure that Cloud Run services comply with the allowed ingress settings. For more information, see Constraints for specific services.

Configure the Allowed VPC Egress Settings for Cloud Run Organization Policy Constraint

Configure the permitted VPC egress settings for Cloud Run using the "Allowed VPC Egress Settings (Cloud Run)" (constraints/run.allowedVPCEgress) organization policy constraint. When this constraint is enforced, services are required to have VPC egress settings that match one of the allowed values.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ALLOWED_VPC_EGRESS_ORG_POLICY

Remediation steps

Configure the Allowed VPC Egress Settings (Cloud Run) constraint to ensure that Cloud Run services comply with the allowed VPC egress settings. For more information, see Constraints for specific services.

Configure the Disable VM Serial Port Logging to Stackdriver Organization Policy

Configure the Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging) organization policy to block serial port logging to Cloud Logging from Compute Engine VMs.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DISABLED_SERIAL_PORT_ACCESS_ORG_POLICY

Remediation steps

Set the Disable VM serial port logging to Stackdriver organization policy to True and ensure that serial port logging to Cloud Logging from Compute Engine VMs is blocked. For more information, see Constraints for specific services.

Configure the Disable VPC External IPv6 Usage Organization Policy

Configure the Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6) organization policy to block VPC subnetworks from using external IPv6 addresses.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DISABLE_VPC_EXTERNAL_IP_V6_ORG_POLICY

Remediation steps

Set the Disable VPC External IPv6 Usage organization policy to True and ensure that all VPC subnetworks don't use external IPv6 addresses. For more information, see Constraints for specific services.

Configure the Disable VPC Internal IPv6 Usage Organization Policy

Configure the Disable VPC Internal IPv6 usage (constraints/compute.disableVpcInternalIpv6) organization policy to block VPC subnetworks from using internal IPv6 addresses. A subnetwork with an internal IPv6 address might be exposed to potential risks due to its current limited support.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category COMPUTE_INTERNAL_IP_V6_ORG_POLICY_ENABLED

Remediation steps

Set the Disable VPC Internal IPv6 Usage organization policy to True and ensure that all VPC subnetworks don't use internal IPv6 addresses. For more information, see Constraints for specific services.

Configure VPC Firewall Rules, Subnets, and VPN Gateway

Manage the flow of data by verifying VPC firewall rules, subnet configurations, and VPN gateway configuration.

Enforcement mode AUDIT
Finding category VPC_FIREWALL_SUBNET_VPNGATEWAY_NOT_SETUP

Remediation steps

  • Create isolated networks using VPC.

  • Define granular IPv4 subnet ranges and IPv6 subnet ranges.

  • Define routes and firewall rules.

  • Configure a VPN gateway to your on-premises network.

  • Configure a global load balancer for your Google-managed services.

  • Configure Cloud NAT to connect to your API backend servers and clients.

  • Tune Cloud NAT and the backend services for the load balancer to control the flow of traffic between your backend services and your users.

  • Configure VPC Network Peering or another inter-VPC communication method to enable communication between VPC networks and your projects.

Control Integrations with External Systems

Establish policies to integrate applications on your system with external products and services.

Enforcement mode AUDIT
Finding category INTEGRATIONS_EXTERNAL_SYSTEMS_NOT_CONTROLLED

Remediation steps

You must configure your applications to meet your compliance obligations.

Control Remote Device Connections

Prevent remote devices from simultaneously establishing non-remote connections with your system and accessing external networks through other connections.

Enforcement mode AUDIT
Finding category REMOTE_DEVICE_CONNECTION_CONTROL_MISSING

Remediation steps

Use firewall and border router ACLs to implement managed network interfaces and control inbound and outbound traffic. For more information, see VPC firewall rules.

Correlate Audit Records

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

Enforcement mode AUDIT
Finding category UNCORRELATED_AUDIT_LOG_RECORDS

Remediation steps

Complete the following:

Create Alerts for Monitoring Security Command Center Errors

Alerts about Security Command Center provide visibility into your organization and notify you about issues with Security Command Center so you can take appropriate action.

Enforcement mode AUDIT
Finding category SCC_MONITORING_ALERTS_NOT_SET

Remediation steps

Create an alerting policy in Cloud Logging to alert on errors related to the Security Command Center service agent. For instructions, see Configure alerts through Cloud Logging.

Create and Manage Asymmetric Keys

Manage asymmetric keys using NSA-approved key management, either through Public Key Infrastructure (PKI) or pre-positioned keying material protected by hardware security tokens.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category NONCOMPLIANT_ASYMMETRIC_KEY_MANAGEMENT

Remediation steps

Consider Certificate Authority Service for hardware-protected private keys that are FIPS 140-2 Level 3 validated.

Create Artifact Registry Cleanup Policies

Artifact Registry cleanup policies define criteria for automatically deleting artifact versions that you no longer need or keeping artifacts that you want to store indefinitely.

Enforcement mode AUDIT
Finding category ARTIFACT_REGISTRY_CLEANUP_POLICY_MISSING

Remediation steps

Define clear policies for which artifact versions to retain, and implement a cleanup policy to delete the other artifacts. For more information, see Configure cleanup policies and Enabling service.

Create GKE Clusters with Limited Service Account Access Scopes

Avoid broad access scopes for a Google Kubernetes Engine (GKE) node service account.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category OVER_PRIVILEGED_SCOPES

Remediation steps

Use least privilege Google service accounts for GKE nodes, and create Kubernetes clusters with limited service account access scopes for project access. For more information, see Use a least privileged service account.

Create Inventory of Security Data Assets

Ensure that security-relevant information (sensitive data, APIs, services, databases, and infrastructure components) is clearly documented and classified.

Enforcement mode AUDIT
Finding category DATA_CLASSIFICATION_MISSING

Remediation steps

Complete the following:

  • Find and classify security-relevant data in Google Cloud, such as sensitive data and configuration data.

  • Create an inventory of the resources that aren’t publicly available. For example, APIs, services, databases, and infrastructure components.

Create Super Admin Login Alerts

Create alerts to receive notifications when a super administrator logs into their account.

Enforcement mode AUDIT
Finding category SUPERADMIN_LOGIN_ALERT_NOT_FOUND

Remediation steps

Create alerts when a super administrator logs into their account. For instructions, see Configure log-based alerting policies.

Data Access Governance

Restrict access to data to allowed users.

Enforcement mode DETECTIVE
Severity HIGH
Finding category DATA_SECURITY_POSTURE_ACCESS_VIOLATION
Category name in the API CC_CATEGORY_DATA_SECURITY

Parameters

allowedPrincipals

STRINGLIST

Optional. Restrict access to sensitive data to selected users and groups. If empty, all access will be flagged as data access governance violations. To add a user or group, prefix their email address with "principal://goog/subject/" for users and "principalSet://goog/group/" for groups.

Remediation steps

  1. Review the unauthorized access events to get more details on the principal(s) and also the resource.
  2. You may update the IAM policies to avoid future non-compliant events.
  3. Review and update the Data Access Governance policies from the Framework(s) if you don’t wish to mark these events as non-compliant in future.

Data Deletion

Govern the maximum retention period for sensitive data.

Enforcement mode DETECTIVE
Severity HIGH
Finding category DATA_SECURITY_POSTURE_DELETION_VIOLATION
Category name in the API CC_CATEGORY_DATA_SECURITY

Parameters

Required union field max_ttl.

Apply policies to detect data that violates the allowed maximum retention period.

max_ttl can be only one of the following:

max_ttl_from_creation_seconds

NUMBER

Set the maximum allowed age from the asset's creation time

max_ttl_from_last_modification_seconds

NUMBER

Set the maximum allowed age from the asset's last modification time

Data Flow Governance

Restrict the flow of the data across allowed jurisdictional (country) boundaries.

Enforcement mode DETECTIVE
Severity HIGH
Finding category DATA_SECURITY_POSTURE_FLOW_VIOLATION
Category name in the API CC_CATEGORY_DATA_SECURITY

Parameters

allowedRegions

STRINGLIST

Optional. Restrict access to certain data stores to clients within the allowed regions. If empty, all access will be flagged as data flow governance violations.

Remediation steps

  1. Review the unauthorized data flow events to get more details on the principal and timestamp.
  2. Implement measures to contain non-compliant data flow incidents, for example by revoking the access permissions of the individuals involved.
  3. Review and update the Data Flow Governance policies from the Framework(s) if you don’t wish to mark these events as non-compliant in future.

Define a Security Policy to Mitigate for DDoS Events

Create a security policy using Google Cloud Web Armor to mitigate DDoS risks to your applications.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category MISSING_SECURITY_POLICY_DDOS_EVENTS

Remediation steps

Complete the following:

  • Verify the autoscaling policy for autoscalers.

Define Allowed Services for Service Perimeter

Define which services are available within the service perimeter to limit the set of services that are accessible from network endpoints inside your service perimeter.

Enforcement mode AUDIT
Finding category SERVICE_PERIMETER_ALLOWED_SERVICES_NOT_SET

Remediation steps

Add a list of services to your service perimeter. For more information, see Add a service to the VPC accessible services.

Define an Acquisition Contract

Define an acquisition contract for information systems, system components, or information system services.

Enforcement mode AUDIT
Finding category UNDEFINED_ACQUISITION_CONTRACT

Remediation steps

Meet all the requirements and criteria that apply to your regulatory frameworks when creating an acquisition contract. For example, outline comprehensive security and privacy requirements; and include functional needs, mechanism strength, necessary controls, and documentation. List needs for safeguarding documents, detailing system setups, and assigning security, privacy, and supply chain risk management duties. Specify acceptance criteria for the system in the contract.

Define Cloud Billing Budget Threshold

Budgets let you track your actual Google Cloud project costs against your planned costs. Set a budget amount and budget alert threshold rules that trigger email notifications.

Enforcement mode AUDIT
Finding category CLOUD_BILLING_BUDGET_THRESHOLD_NOT_SET

Remediation steps

Set alerts and thresholds on your cloud project bills. See Set budget threshold rules and actions.

Define Cloud KMS Crypto Keys Protection Level

Set the protection level for Cloud KMS keys to SOFTWARE, HSM, EXTERNAL, or EXTERNAL_VPC.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category CRYPTOKEY_PROTECTION_LEVEL_DENIED

Remediation steps

To set the protection level, see Protection levels.

Define Cloud KMS Crypto Keys Purpose

Set the purpose of Cloud KMS keys to ENCRYPT_DECRYPT. The key's purpose defines its allowed cryptographic operations.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category CRYPTOKEY_PURPOSE_RESTRICTED

Remediation steps

For information on the key purpose, see Key purposes and algorithms and CryptoKeyPurpose.

Define Essential Contacts

Essential Contacts are individuals or groups designated to receive crucial Google Cloud notifications, ensuring that personnel are informed about critical events like security attacks, vulnerabilities, and data incidents.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category ESSENTIAL_CONTACTS_NOT_CONFIGURED

Remediation steps

Go to the IAM & Admin > Essential Contacts page in the Google Cloud console. Click +Add contact and enter all the details of the contact to designate essential contacts.

Define External Build Integrations for Cloud Build

Use the "Allowed Integrations (Cloud Build)" (cloudbuild.allowedIntegrations) organization policy constraint to define the external services (for example, GitHub) that can invoke build triggers for Cloud Build.

Enforcement mode AUDIT
Finding category EXTERNAL_BUILD_INTEGRATION_NOT_DEFINED

Remediation steps

To configure allowed webhooks for Cloud Build integrations of the project, see Setting up organization policy for allowed integrations.

Define IsLive Attribute for Delete Action Lifestyle Rule on Bucket

A lifecycle rule defines actions based on object conditions. The isLive attribute is used with Object Versioning and applies to the live object version. Without versioning, all objects are live and match isLive:true.

Enforcement mode AUDIT
Finding category LIFESTYLE_CONDITION_MISSING_ON_LIFESTYLE_BUCKET_ACTION

Remediation steps

Set the isLive attribute to true for a lifecycle rule with a Delete action on Cloud Storage buckets. See isLive.

Define Mobile Code Policies and Controls

Establish and enforce policies for mobile code usage that align with your compliance obligations.

Enforcement mode AUDIT
Finding category UNDEFINED_MOBILE_CODE_POLICIES_CONTROLS

Remediation steps

Consider the following:

  • Create a mobile code policy that defines what technologies are acceptable and unacceptable.

  • Use IAM allow policies to control access to your mobile code resources.

  • Use organization policy constraints to restrict resource deployments. For example, create a custom constraint that restricts the use of specific programming languages or libraries.

  • Configure firewall rules that control communication. For example, restrict outbound traffic from mobile code to specific allowlisted destinations only.

Define Owner Labels for Cloud Storage Buckets

Verify the labels for the bucket owner and assign the right owner.

Enforcement mode AUDIT
Finding category BUCKET_LABEL_OWNER_NOT_SET

Remediation steps

Verify that the right owner is defined for the bucket and that the bucket has a label.

Define Retention Period for Cloud Storage Buckets

Set a bucket retention policy to ensure objects are deleted after 90 days.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category STORAGE_BUCKET_RETENTION_PERIOD_NOT_SET

Remediation steps

For Cloud Storage buckets, set the retention period greater than or equal to 90 days or 7776000.0 seconds. For more information, see Retention periods.

Define Rotation Period for Cloud KMS Keys

Rotate the keys regularly to enhance security. Set the rotation period for Cloud KMS keys to 90 days.

Enforcement mode AUDIT
Finding category KMS_KEY_NOT_ROTATED

Remediation steps

For instructions, see Configure automatic rotation.

Define Secret Manager Replication Policy

Configure an automated replication policy to ensure that you back up secrets without a restriction on location.

Enforcement mode AUDIT
Finding category SECRET_MANAGER_REPLICATION_POLICY_NOT_SET

Remediation steps

To set a replication policy, see Choose a replication policy.

Define Secret Manager Rotation Schedule

Secret Manager lets you schedule periodic rotations of your secrets by sending notifications to Pub/Sub topics associated with your secrets, based on the rotation frequency and time that you specify.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SECRET_MANAGER_ROTATION_SCHEDULE_NOT_SET

Remediation steps

For Secret Manager secrets, configure a rotation schedule. For more information, see Create rotation schedules in Secret Manager.

Define Service Perimeters in VPC Service Controls

Configure service perimeters at the organization level to help protect Google Cloud services and mitigate the risk of data exfiltration.

Enforcement mode AUDIT
Finding category SERVICE_PERIMETER_NOT_DEFINED

Remediation steps

You can't change the perimeter type after you create a service perimeter. Delete the existing perimeter, and create a new one with the perimeter type set to Regular. See Create a service perimeter.

Define Set Storage Class Lifestyle Action on Bucket

Use the SetStorageClass action to change the storage class of an object and update the object's modification time when the object meets all conditions specified in the lifecycle rule. This action helps you optimize your storage costs.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SET_STORAGE_CLASS_LIFESTYLE_ACTION_NOT_CONFIGURED

Remediation steps

Set the lifecycle rule action type to SetStorageClass for Cloud Storage buckets. For more information, see SetStorageClass.

Define Storage Class Lifestyle Action

The lifecycle configuration defines the rules that change the storage class of an object depending on its age, current storage class, and name to protect your data.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category STORAGE_CLASS_TYPE_NOT_UPDATED

Remediation steps

For Cloud Storage buckets, set the storage class within the lifecycle rule action to STANDARD, NEARLINE, COLDLINE, or ARCHIVE. For more information, see Change an object's storage class.

Define the Maximum Number of Concurrent Sessions for System Accounts in Workforce Identity Pools

In the Workforce identity pools, define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof.

Enforcement mode AUDIT
Finding category MAXIMUM_NUMBER_OF_CONCURRENT_SESSIONS_LIMIT_MISSING

Remediation steps

  • Create separate Workforce identity pools for privileged and non-privileged accounts.

  • Set the concurrent session limits (3 for privileged access; 2 for non-privileged access).

  • Review and adjust session limits regularly.

  • Communicate to users the session limits for their account types.

  • Monitor concurrent sessions and ensure compliance with session limits. For example:

    gcloud logging read "resource.type=global AND logName=projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" --project=PROJECT_ID --format=json

  • Automate the closure of excess sessions and session limit enforcement.

  • Integrate session limits into your deployment pipelines.

  • Document the session limit policies.

  • Include session limits in access reviews and audits.

Define Vertex AI Access Mode

Use the "Define access mode for Vertex AI Workbench notebooks and instances" (ainotebooks.accessMode) organization policy constraint to define the modes of access allowed to Vertex AI Workbench notebooks and instances.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_VERTEXAI_ACCESSMODE_NOT_DEFINED

Remediation steps

Define an allow or deny list using the Define access mode for Vertex AI Workbench notebooks and instances (ainotebooks.accessMode) constraint. The allow or deny list can specify multiple users with the service-account mode or single-user access with the single-user mode. For more information, see Updating policies with list rules.

Define VoIP Usage Policy

Establish usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies.

Enforcement mode AUDIT
Finding category UNDEFINED_VOIP_USAGE_POLICY

Remediation steps

  • Create a VoIP usage policy that defines acceptable use of VoIP technologies.

  • Use organization policy constraints to restrict resource deployments. For example, create a custom constraint that allows only authorized personnel to deploy and manage VoIP resources.

  • Configure firewall rules that control inbound and outbound traffic related to VoIP services.

  • Use IAM allow policies to control access to VoIP resources.

  • Enable audit logging.

  • Activate Security Command Center.

  • Create alerts for unusual or unauthorized activities.

  • Configure Cloud Monitoring to monitor network traffic.

  • Perform vulnerability scanning and penetration testing on VoIP resources.

  • Use TLS for VoIP communication.

  • Implement best practices to prevent eavesdropping.

  • Create an incident response plan for VoIP incidents.

Define VPC Connector Egress For Cloud Run Functions

Use the "Require VPC Connector (Cloud Functions)" (constraints/cloudfunctions.requireVPCConnector) organization policy constraint to require Cloud Functions (1st gen) to use a VPC connector.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_REQUIRE_VPC_CONNECTOR_NOT_SET

Remediation steps

Set the value for the Require VPC Connector (Cloud Functions) (constraints/cloudfunctions.requireVPCConnector) constraint to true. For instructions, see Creating and managing organization policies.

Define Worker Pools for Cloud Builds

Use the "Allowed Worker Pools (Cloud Build)" (cloudbuild.allowedWorkerPools) organization policy constraint to define allowed worker pools for builds in your project.

Enforcement mode AUDIT
Finding category CLOUD_BUILD_WORKER_POOL_NOT_DEFINED

Remediation steps

To create a private pool, see Creating a new private pool. For permitted values, see Allowed Worker Pools (Cloud Build).

Describe Design and Implementation Details of Security Controls

Ensure developers in your system provide the design and implementation details of the security controls employed.

Enforcement mode AUDIT
Finding category DESIGN_IMPLEMENTATION_DETAILS_SECURITY_CONTROLS_MISSING

Remediation steps

Describe design and implementation details of security controls with security-relevant external system interfaces, high-level design, low-level design, source code, or network and data flow diagrams.

Describe the Functional Properties of Security Controls

Ensure developers in your system document the functional properties of the security controls employed.

Enforcement mode AUDIT
Finding category FUNCTIONAL_DESCRIPTIONS_SECURITY_CONTROLS_MISSING

Remediation steps

Ensure developers document the functional properties of security controls such as capabilities, functions, or mechanisms that are visible at the interfaces of the controls. Developers do not need to document functionality and data structures that are internal to the operation of the controls.

Determine High-level Security and Privacy Needs

Determine high-level security and privacy requirements during the planning phase.

Enforcement mode AUDIT
Finding category SECURITY_PRIVACY_NEEDS_NOT_IDENTIFIED

Remediation steps

Complete the following:

  • Identify your high-level security and privacy requirements for the system or system service.

  • Determine, document, and allocate the resources that are required to protect the system or system service.

  • Budget for security and privacy.

Develop Documentation for System Security

Develop and maintain administrator documentation for the information system, system component, or information system services.

Enforcement mode AUDIT
Finding category SYSTEM_SECURITY_DOCUMENTATION_MISSING

Remediation steps

Create documentation that describes:

  • Secure configuration, installation, and operation of the system

  • Effective use and maintenance of security functions

  • Known vulnerabilities regarding configuration and use of administrative functions

  • User-accessible security functions and how to use those functions

  • How users can interact with the system

  • What users are responsible for

In addition, protect documentation in accordance with your risk management strategy and distribute documentation appropriately.

Develop System and Communications Protection Policy and Procedures

Develop, document, and disseminate policies related to systems and communications.

Enforcement mode AUDIT
Finding category UNDEFINED_SYSTEM_COMMUNICATIONS_PROTECTION_POLICY_PROCEDURES

Remediation steps

Create your own policies to meet your compliance obligations.

Develop System and Services Acquisition Policy and Procedures

Develop, maintain, and disseminate a system and services acquisition policy and procedures.

Enforcement mode AUDIT
Finding category SYSTEM_SERVICES_ACQUISITION_POLICY_PROCEDURES_MISSING

Remediation steps

  • Develop, document, and disseminate to organization-defined personnel or roles:

    • A system and services acquisition policy that is defined at an organization-level, mission or business process-level, or at system-level. The policy must address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The policy must be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

    • Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls.

  • Designate an organization-defined official to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures.

  • Review and update the current system and services acquisition policies and procedures as per organization-defined frequencies and events.

Disable Alpha Features on GKE Clusters

Google Kubernetes Engine (GKE) Alpha clusters are used to experiment with workloads before they're released, and are auto-deleted after 30 days. For production workloads, create a cluster with alpha features disabled.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ALPHA_CLUSTER_ENABLED

Remediation steps

Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click Create and configure the new cluster. Under the Features tab, ensure Enable Kubernetes alpha features in this cluster is disabled. Proceed with migrating the workloads. Delete the cluster that has alpha features enabled.

Disable Client Certificate Authentication for GKE

When creating clusters, don't generate client certificates for legacy authentication to the Kubernetes API server.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category GKE_AUTH_CLIENT_CERTS_ENABLED

Remediation steps

Disable authentication using client certificates for your cluster. For more information, see Disable authentication with a client certificate.

Disable File Downloads on Vertex AI Workbench Instances

Enforce the "Disable file downloads on new Vertex AI Workbench instances" (ainotebooks.disableFileDownloads) organization policy constraint for projects and folders to help prevent the creation of Vertex AI Workbench instances with the file download option enabled.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICYFILE_DOWNLOADS_ON_VERTEXAI_ENABLED

Remediation steps

Set the Disable file downloads on new Vertex AI Workbench instances (ainotebooks.disableFileDownloads) organization policy constraint to true to turn off file downloads on new Vertex AI Workbench user-managed notebooks and instances. For more information, see Updating policies with boolean rules.

Disable Legacy Metadata Server Endpoints on Compute Engine

Disable legacy metadata server endpoints for all VMs in your project. Disabling legacy endpoints enforces Compute Engine's instance metadata query headers and makes it harder for attackers to access instance metadata.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category LEGACY_METADATA_ENABLED

Remediation steps

In the Google Cloud console, go to the Metadata page. Set disable-legacy-endpoints to TRUE. For more information, see Set custom project metadata.

Don't Use Kubernetes Web UI

The Kubernetes web UI (dashboard) increases the attack surface. Instead, use the Google Cloud console.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category WEB_UI_ENABLED

Remediation steps

Disable the Kubernetes dashboard. Go to the Kubernetes clusters page in the Google Cloud console. Edit the cluster settings, click Add-ons, and then disable the Kubernetes dashboard add-on. For more information, see Disable the Kubernetes dashboard.

Don't Use Legacy Networks

Legacy networks are not recommended and can no longer be created. Instead, use VPC networks, which offer a software-defined structure that enhances control and helps improve operational efficiency.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category LEGACY_NETWORK

Remediation steps

Create a VPC network and delete the legacy network. Go to the VPC networks page in the Google Cloud console. Click Create Network to create a VPC network. Return to the VPC networks page, click legacy_network from the list of networks. Delete the legacy network.

Don't Use User Connections Flag for SQL Server

Don't configure the user connections flag for a SQL Server instance. SQL Server automatically adjusts user connections if you don't use this flag.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SQL_USER_CONNECTIONS_CONFIGURED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and delete the User connections database flag for the SQL Server instance.

Don't Use User Options Flag for SQL Server

Don't configure the user options flag for a SQL Server instance. Using the flag might cause unexpected results.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_USER_OPTIONS_CONFIGURED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and delete the User options database flag for the SQL Server instance.

Employ Dynamic Code Analysis Tools

Employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

Enforcement mode AUDIT
Finding category MISSING_DYNAMIC_CODE_ANALYSIS

Remediation steps

Use a dynamic code analysis tool to identify common flaws and document the results of the analysis.

Employ Monthly Checks for Flaw Remediation Status

Employ monthly automated checks to determine the flaw remediation status of information system components.

Enforcement mode AUDIT
Finding category IMPROPER_FLAW_REMEDIATION_STATUS_CHECKS

Remediation steps

Implement and manage a flaw remediation system. You can use Security Command Center and the Patch feature in VM Manager to implement certain malicious code protection mechanisms.

Employ Spam Protection Mechanisms

Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages.

Enforcement mode AUDIT
Finding category SPAM_PROTECTION_MECHANISMS_MISSING

Remediation steps

Implement spam protection mechanisms such as reCAPTCHA Enterprise, Cloud Armor, or Web Risk API to protect your systems from unsolicited messages.

Employ Static Code Analysis Tools

Employ static code analysis tools and web scanning tools to identify common flaws and document the results of the analysis.

Enforcement mode AUDIT
Finding category MISSING_STATIC_CODE_ANALYSIS_TOOLS

Remediation steps

Complete the following:

  • Use static code review tools and web security scanners that match your programming languages.

  • Use the Web Security Scanner to check vulnerabilities in App Engine, GKE, and Compute Engine web applications.

  • Activate Security Command Center for additional vulnerability and threat detection capabilities.

  • Use Cloud Build to manage build security.

Enable 3625 Trace Database Flag for SQL Server

Turn on the 3625 (trace flag) for SQL Server to control information returned to non-sysadmin users.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_TRACE_FLAG_3625

Remediation steps

Turn on the trace flag. Go to the SQL > Instances page in the Google Cloud console and set the 3625 (trace flag) flag to On for the SQL Server instance.

Enable Access Transparency

Access Transparency logs when Google Cloud employees access your projects for support. Enabling it logs who accesses your information, when, and why.

Enforcement mode AUDIT
Severity MEDIUM
Finding category ACCESS_TRANSPARENCY_DISABLED

Remediation steps

To enable access transparency, in the Google Cloud console, select your organization or a specific project. Go to IAM & Admin > Settings, and click Enable Access Transparency.

Enable Account Monitoring for Atypical Usage

Monitor accounts for atypical usage, such as accessing the Google Cloud console at unusual times or from inconsistent locations, and report these instances to designated personnel or roles.

Enforcement mode AUDIT
Finding category ATYPICAL_USAGE_ACCOUNT_MONITORING_DISABLED

Remediation steps

Enable audit logging. For instructions, see Enable Data Access audit logs. For more information on checking for atypical usage, see Monitor for credential compromise.

Enable AlloyDB Automated Backups on Cluster

Automatic backups help to prevent data loss. Enable them to start automated backups for the AlloyDB for PostgreSQL cluster.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ALLOYDB_AUTO_BACKUP_DISABLED

Remediation steps

To enable automated backup on AlloyDB for PostgreSQL clusters, see Enable and configure automated backups.

Enable AlloyDB Backups on Cluster

AlloyDB backups help to prevent data loss. Enable continuous backups for your AlloyDB for PostgreSQL cluster.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ALLOYDB_BACKUPS_DISABLED

Remediation steps

Go to the AlloyDB for PostgreSQL clusters page in the Google Cloud console. Click the cluster in the Resource Name column. Go to Data protection, and set up a backup policy. For more information, see Manage continuous backup and recovery.

Enable Artifact Analysis Vulnerability Scanning

Vulnerability scanning in Artifact Analysis helps to check your container images for known vulnerabilities.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ARTIFACT_ANALYSIS_VULNERABILITY_SCANNING_DISABLED

Remediation steps

To understand artifact analysis and enable vulnerability scanning, see Artifact analysis and vulnerability scanning and Scan OS packages automatically.

Enable Audit Logs Bucket Enumeration

Enable audit logs monitoring for enumeration of Cloud Storage buckets by service accounts to help investigate if a malicious actor has gained access to a service account.

Enforcement mode AUDIT
Finding category SERVICE_ACCOUNT_STORAGE_BUCKET_ENUMERATION

Remediation steps

Monitor Audit Logs and look for enumeration of Cloud Storage buckets by service accounts. See Configure Data Access audit logs with the Google Cloud console.

Enable Audit Logs for All Services

Enable Data Access audit logs with the DATA_READ, DATA_WRITE, and ADMIN_READ permissions for the services in use, or for all services.

Enforcement mode AUDIT
Finding category AUDIT_LOGS_ENABLEMENT_ALLSERVICES_DISABLED

Remediation steps

To configure all data access services, see Configure Data Access audit logs with the Google Cloud console.

Enable Audit Logs for Google Cloud Services

Enable audit logs for services such as Compute Engine and Cloud Storage.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category AUDIT_LOGS_NOT_ENABLED

Remediation steps

Complete the following:

  • Enable audit logging.

  • Define a retention period for your log buckets.

  • Use Cloud Logging libraries in your application code to create custom log entries.

  • Monitor logs using Cloud Monitoring or Cloud Logging dashboards.

  • Grant only necessary IAM roles to service accounts that are associated with applications.

  • Regularly review logs to detect and respond to suspicious activity.

Enable Auto Repair for GKE Clusters

The auto repair feature in Google Kubernetes Engine (GKE) clusters makes periodic checks on the health state of each node and helps to keep them in a healthy state.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category AUTO_REPAIR_DISABLED

Remediation steps

Enable the auto-repair option for the node pools. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name and go to the Nodes tab. For each node pool, click its name to access its details page and then select Edit. In the Management section, ensure the Enable auto-repair checkbox is selected.

Enable Auto Upgrade on GKE Clusters

The auto upgrade feature in Google Kubernetes Engine (GKE) clusters helps to keep clusters and node pools on the latest stable Kubernetes version.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category AUTO_UPGRADE_DISABLED

Remediation steps

Enable the auto-upgrade option for the node pools. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name and go to the Nodes tab. For each node pool, click its name to access its details page and then select Edit. In the Management section, select Enable auto-upgrade.

Enable Automatic Backups for Cloud SQL Databases

Turn on automatic backups for your Cloud SQL instances to help prevent data loss.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category AUTO_BACKUP_DISABLED

Remediation steps

Enable automatic backups on your Cloud SQL instances. For more information, see Create and manage on-demand and automatic backups.

Enable Automatic Upgrades for Vertex AI WorkBench Instances

Enable automatic upgrades for Workbench instances to ensure access to the latest features, framework updates, and security patches.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_WORKBENCH_AUTO_UPGRADE_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

Enable auto-upgrade for Workbench instances.

  1. In the Google Cloud console, go to the Instances page.

  2. Click the instance that you want to configure.

  3. On the Instance details page, select the Environment auto-upgrade setting. Choose whether to upgrade your instance weekly or monthly.

  4. Click Submit.

Enable Cloud Asset Inventory Service

Cloud Asset Inventory provides a comprehensive view of Google Cloud resources. It lets you view, search, export, monitor, and analyze your Google Cloud asset metadata to enhance security analysis, resource change tracking, and compliance auditing.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category CLOUD_ASSET_API_DISABLED

Remediation steps

Enable Cloud Asset API in the Library page of APIs & Services in the Google Cloud console.

Enable Cloud DNS Logs Monitoring

Monitoring Cloud DNS logs provides visibility into DNS names resolved within the VPC network and lets you monitor for anomalous domain names.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DNS_LOGGING_DISABLED

Remediation steps

Go to the VPC Network > VPC networks page in the Google Cloud console. Select the VPC network, go to the DNS configuration tab, and either edit the existing DNS server policy to enable DNS logging or create a server policy if one doesn't exist.

Enable Cloud Logging on GKE Clusters

Cloud Logging on Google Kubernetes Engine (GKE) clusters gives you access logs for all requests made on a specific cluster and storage logs with information about the storage used by that cluster.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category CLUSTER_LOGGING_DISABLED

Remediation steps

Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name. In the Features section, click the Edit icon against Logging. In the Components drop-down list, add the components for which you want to enable logging.

Enable Cloud Monitoring on GKE Clusters

Cloud Monitoring on Google Kubernetes Engine (GKE) clusters helps investigate security issues and track cluster usage by providing security and usage information.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category CLUSTER_MONITORING_DISABLED

Remediation steps

Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Select the cluster. In the Features section, click the Edit icon against Cloud Monitoring. In the Components drop-down list, add the components for which you want to enable monitoring.

Enable CMEK for AlloyDB Clusters

Enable customer-managed encryption keys (CMEK) on the AlloyDB cluster to gain more control over data encryption and key management.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ALLOYDB_CMEK_DISABLED

Remediation steps

You can't enable CMEK on an AlloyDB cluster after it's been created. Delete the cluster and create a new cluster with CMEK enabled. To enable AlloyDB CMEK, see Enable CMEK.

Enable CMEK for BigQuery Datasets

Require customer-managed encryption keys (CMEK) for BigQuery datasets to gain more control over data encryption and key management.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DATASET_CMEK_DISABLED

Remediation steps

You can't enable CMEK on a dataset after it's been created. Go to the BigQuery page in the Google Cloud console and create a dataset. To enable CMEK on the new dataset, set a default CMEK key. Copy the original tables to your new CMEK-enabled dataset, and then delete the original datasets.

Enable CMEK for BigQuery Tables

This control governs the encryption key configuration for the keys that protect sensitive data in BigQuery tables. Use it to detect when in-scope data is not protected by a customer-managed encryption key (CMEK). CMEK gives you ownership and control of the keys that protect your sensitive data at rest in Google Cloud.

Enforcement mode DETECTIVE
Severity HIGH
Finding category BIGQUERY_TABLE_CMEK_DISABLED
Category name in the API CC_CATEGORY_DATA_SECURITY

Remediation steps

Ensure that the table is configured to use a default CMEK key. For more information, see https://cloud.google.com/bigquery/docs/customer-managed-encryption#switch-encryption.

Enable CMEK for BigQuery Tables

Require customer-managed encryption keys (CMEK) for BigQuery tables to gain more control over data encryption and key management.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category BIGQUERY_TABLE_CMEK_DISABLED

Remediation steps

You can't enable CMEK on a BigQuery table after it's been created. Go to the BigQuery page in the Google Cloud console and create a new table. To enable CMEK on the new table, set a default CMEK key. Copy the original data to your new CMEK-enabled table, and then delete the original table. For more information, see Create a table protected by Cloud KMS.

Enable CMEK for Cloud SQL Databases

Require customer-managed encryption keys (CMEK) for Cloud SQL database instances to gain more control over data encryption and key management.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_CMEK_DISABLED

Remediation steps

You can't enable CMEK on a Cloud SQL database after it's been created. Create a new database with CMEK enabled, move the data over, and delete the original database. For more information, see Cloud SQL for MySQL, Cloud SQL for PostgreSQL, and Cloud SQL for SQL Server.

Enable CMEK for Cloud Storage Buckets

Require customer-managed encryption keys (CMEK) for Cloud Storage buckets to gain more control over data encryption and key management.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category BUCKET_CMEK_DISABLED

Remediation steps

Go to the Cloud Storage > Buckets page in the Google Cloud console. In the list of buckets, click the name of the bucket and then click the Configuration tab. Edit Encryption type and enable CMEK for the bucket. For more information, see Use customer-managed encryption keys.

Enable CMEK for Vertex AI Custom Jobs

Require customer-managed encryption keys (CMEK) on Vertex AI custom training jobs to gain more control over the encryption of job inputs and outputs.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_CUSTOM_JOB_CMEK_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't enable CMEK on a Vertex AI custom training job after it's been created. Delete the job and create a new job with CMEK enabled.

  1. Delete the existing custom job on the Training pipelines page.

  2. Create a new custom job. For instructions, see Create a custom training job (https://cloud.google.com/vertex-ai/docs/training/create-custom-job). When creating the custom job, enter the name of the Cloud KMS key in the encryptionSpec field.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI Datasets

Require customer-managed encryption keys (CMEK) for Vertex AI datasets to gain more control over data encryption and key management.

Enforcement mode DETECTIVE
Severity MEDIUM
Finding category VERTEX_AI_DATASET_CMEK_DISABLED
Category names in the API
  • CC_CATEGORY_ARTIFICIAL_INTELLIGENCE
  • CC_CATEGORY_DATA_SECURITY

Remediation steps

You can't enable CMEK on a Vertex AI dataset after it's been created. Delete the dataset and create a new dataset with CMEK enabled.

  1. Delete the existing dataset. For instructions, see Delete a dataset or annotation set.

  2. Create a new dataset. In the Google Cloud console, go to the Vertex AI Datasets page.

  3. Click Create dataset.

  4. In the dataset creation details, expand Advanced options.

  5. Select Cloud KMS key and provide your CMEK.

  6. Click Create.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI Endpoints

Require customer-managed encryption keys (CMEK) for Vertex AI endpoints to gain more control over the encryption of deployed models and control data access.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_ENDPOINT_CMEK_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't enable CMEK on a Vertex AI endpoint after it's been created. Delete the endpoint and create a new endpoint with CMEK enabled.

  1. Delete the existing endpoint. For instructions, see Undeploy a model and delete the endpoint.

  2. Create a new endpoint. In the Google Cloud console, navigate to the Vertex AI Endpoints page.

  3. Click Create endpoint.

  4. In the Define Your Endpoint section, expand Advanced options.

  5. Select Cloud KMS key and provide your CMEK.

  6. Click Create.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI Featurestore

Require customer-managed encryption keys (CMEK) for Vertex AI featurestore to gain more control over data encryption and access.

Enforcement mode DETECTIVE
Severity MEDIUM
Finding category VERTEX_AI_FEATURESTORE_CMEK_DISABLED
Category names in the API
  • CC_CATEGORY_ARTIFICIAL_INTELLIGENCE
  • CC_CATEGORY_DATA_SECURITY

Remediation steps

You can't enable CMEK on a Vertex AI featurestore after it's been created. Delete the featurestore and create a new featurestore with CMEK enabled.

  1. Delete the featurestore. For instructions, see Delete a featurestore (https://cloud.google.com/vertex-ai/docs/featurestore/managing-featurestores#delete_a_featurestore).

  2. Create a featurestore that uses CMEK. For instructions, see Create a featurestore that uses a CMEK.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI Hyperparameter Tuning Jobs

Require customer-managed encryption keys (CMEK) on hyperparameter tuning jobs to gain more control over the encryption of model training data and job configuration.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_HYPERPARAMETER_TUNING_JOB_CMEK_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't enable CMEK on a Vertex AI hyperparameter tuning job after it's been created. Delete this job and create a new job with CMEK enabled.

  1. Delete the existing tuning job. For instructions, see Delete a hyperparameter tuning job (https://cloud.google.com/vertex-ai/docs/training/using-hyperparameter-tuning#delete_a_hyperparameter_tuning_job).

  2. Create a new hyperparameter tuning job. For instructions, see Create a hyperparameter tuning job (https://cloud.google.com/vertex-ai/docs/training/using-hyperparameter-tuning). When creating the hyperparameter tuning job, enter the name of the Cloud KMS key in the encryptionSpec field.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI Metadata Stores

Require customer-managed encryption keys (CMEK) for Vertex AI metadata stores to gain more control over the encryption of metadata and control access.

Enforcement mode DETECTIVE
Severity MEDIUM
Finding category VERTEX_AI_METADATA_STORE_CMEK_DISABLED
Category names in the API
  • CC_CATEGORY_ARTIFICIAL_INTELLIGENCE
  • CC_CATEGORY_DATA_SECURITY

Remediation steps

You can't enable CMEK on a Vertex AI metadata store after it's been created. Delete the store and create a new store with CMEK enabled.

  1. Delete the metadata store. For instructions, see Method: metadataStores.delete.

  2. Create a metadata store. For instructions, see Configure your project's metadata store. To enable CMEK, enter the Cloud KMS key name in the encryptionSpec field.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI Models

Require customer-managed encryption keys (CMEK) for Vertex AI models to gain more control over data encryption and key management.

Enforcement mode DETECTIVE
Severity MEDIUM
Finding category VERTEX_AI_MODEL_CMEK_DISABLED
Category names in the API
  • CC_CATEGORY_ARTIFICIAL_INTELLIGENCE
  • CC_CATEGORY_DATA_SECURITY

Remediation steps

You can't enable CMEK on a Vertex AI model after it's been created. Delete the model and create a new model with CMEK enabled.

  1. Delete the existing model. For instructions, see Delete a model from Vertex AI Model Registry.

  2. Create a new model. In the Google Cloud console, go to the Vertex AI Models page.

  3. Click Create model.

  4. In the model details, expand Advanced options.

  5. Select Cloud KMS key and provide your CMEK.

  6. Click Create.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI Notebook Runtime Templates

Require customer-managed encryption keys (CMEK) for Colab Enterprise runtime templates to help secure runtime environments and associated data.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_WORKBENCH_RUNTIME_TEMPLATE_CMEK_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't enable CMEK on a Colab Enterprise notebook runtime template after it's been created. Delete the runtime template and create a new runtime template with CMEK enabled.

  1. Delete the runtime template. For instructions, see Delete a runtime template.

  2. Create a runtime template. For instructions, see Create a runtime template. To enable CMEK, enter the Cloud KMS key name in the encryptionSpec field.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI TensorBoard

Require customer-managed encryption keys (CMEK) for Vertex AI TensorBoard to gain more control over the encryption of experiment data and model visualizations.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_TENSORBOARD_CMEK_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't enable CMEK on a Vertex AI TensorBoard after it's been created. Delete the TensorBoard and create a new TensorBoard with CMEK enabled.

  1. Delete the TensorBoard. For instructions, see Delete a TensorBoard instance.

  2. Create a TensorBoard. For instructions, see Set up Vertex AI TensorBoard. To enable CMEK, enter the Cloud KMS key name in the encryptionSpec field.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI Training Pipelines

Require customer-managed encryption keys (CMEK) on Vertex AI training pipelines to gain more control over the encryption of training data and resulting artifacts.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_TRAINING_PIPELINE_CMEK_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't enable CMEK on a Vertex AI training pipeline after it's been created. Delete the pipeline and create a new pipeline with CMEK enabled.

  1. Delete the existing training pipeline from the Vertex AI Training Pipelines page.

  2. Create a new training pipeline. In the Google Cloud console, go to the Vertex AI Training Pipelines page.

  3. Click Create training pipeline.

  4. In the Model Details section, expand Advanced options.

  5. Select Cloud KMS key and provide your CMEK.

  6. Click Create.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK for Vertex AI Workbench Instances

Require customer-managed encryption keys (CMEK) for Vertex AI Workbench instances to gain more control over data encryption.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_INSTANCE_DISK_CMEK_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't enable CMEK on a Vertex AI Workbench instance disk after it's been created. Delete the existing instance and create a new instance with CMEK enabled.

  1. Delete the instance. For instructions to shut down the instance before deleting it, see Shut down a Vertex AI Workbench instance.

  2. Create an instance. For instructions, see Create a Vertex AI Workbench instance with CMEK. To enable CMEK, enter the Cloud KMS key name in the diskEncryption field.

For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).

Enable CMEK on Compute Engine Persistent Disks

Require customer-managed encryption keys (CMEK) for Persistent Disks to encrypt your data on the VM, providing enhanced control over data encryption and key management.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DISK_CMEK_DISABLED

Remediation steps

You can't enable CMEK on a Persistent Disk after it's been created. Delete the disk and create a new disk with CMEK enabled. Go to Disks within the Compute Engine page in the Google Cloud console. From the Manage disk page, delete the disk, and create a CMEK-enabled Persistent Disk. For more information, see Encrypt a new persistent disk with your own keys.

Enable CMEK on GKE Node Pool Boot Disks

Require customer-managed encryption keys (CMEK) for the boot disks for GKE node pools to gain more control over data encryption and key management.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category NODEPOOL_BOOT_CMEK_DISABLED

Remediation steps

You cannot enable CMEKs for node boot disks on an existing cluster. Create a new node pool with CMEK enabled, migrate your workloads, and delete the older node pool. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name. In the Nodes tab, create new node pools with CMEK enabled. Migrate your workloads from the existing non-conforming node pool to the new node pools and then remove the old node pool. For more information, see Create a node pool with CMEK-protected node boot disks.

Enable Confidential Computing for Compute Engine Instances

Confidential Computing is the protection of data in use. It uses a hardware-based Trusted Execution Environment (TEE) to create secure and isolated environments that help prevent unauthorized access.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category CONFIDENTIAL_COMPUTING_DISABLED

Remediation steps

You can't enable Confidential Computing on a VM instance after it's been created. Delete the current VM instance and create a Confidential VM from the VM instances page of Compute Engine. For more information, see Create a Confidential VM instance.

Enable Control Plane Authorized Networks on GKE Clusters

Use authorized networks to help improve cluster security by blocking unauthorized IP addresses from accessing your cluster's control plane.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category MASTER_AUTHORIZED_NETWORKS_DISABLED

Remediation steps

Configure authorized networks for the cluster. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Select the cluster and click Edit. Select Enabled on the Control Plane Authorized Networks drop-down list. Click Add authorized network and specify the authorized networks. Keep the list to the CIDR ranges that actually need to reach the API server; a broad range such as 0.0.0.0/0 satisfies the setting but not the control.

Enable CSEK On Compute Engine Persistent Disks

Require customer-supplied encryption keys (CSEK) to use your own encryption keys with Compute Engine. Only users who provide the correct key can access resources protected by a CSEK.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DISK_CSEK_DISABLED

Remediation steps

You can't enable CSEK on a Persistent Disk after it's been created. Delete the disk and create a new disk with CSEK enabled. Go to Disks within the Compute Engine page in the Google Cloud console. From the Manage disk page, delete the disk, and create a CSEK-enabled disk. For more information, see Encrypt disks with customer-supplied encryption keys.

Enable Data Write Audit Logs for Organization Policy

Ensure that Organization Policy Service audit logs for the DATA_WRITE permission type are enabled for all users.

Enforcement mode AUDIT
Finding category ORGPOLICY_AUDIT_LOGS_DATA_WRITE_DISABLED

Remediation steps

Ensure that you can monitor Data Access logs for organization policy constraint changes. To enable the DATA_WRITE permission, see Configure Data Access audit logs with the Google Cloud console.

Enable Delete to Trash Feature for Vertex AI Workbench Instances

Enable the Delete to Trash metadata feature for Workbench instances to provide a crucial recovery safety net and help prevent accidental data loss.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_WORKBENCH_DELETE_TO_TRASH_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

Enable delete to trash for the existing instance.

  1. In the Google Cloud console, go to the Instances page.

  2. Click the instance that you want to configure.

  3. In the Software and security tab, add the notebook-enable-delete-to-trash metadata key and set the value to TRUE.

For more information, see Update an instance's metadata.

Enable DNSSEC for Cloud DNS

Domain Name System Security Extensions (DNSSEC) signs the records in your Cloud DNS zones so that validating resolvers can detect forged or tampered responses. Enabling it helps prevent attackers from poisoning or manipulating answers to DNS queries for your zones.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DNSSEC_DISABLED

Remediation steps

Enable DNSSEC for Cloud DNS zones. Go to the Network Services > Cloud DNS page in the Google Cloud console and enable DNSSEC for the Cloud DNS zones. For more information, see Enable DNSSEC for existing managed public zones.

Enable Encryption for Mobile Devices

Configure full-device encryption or container encryption to protect the confidentiality and integrity of information stored on mobile devices.

Enforcement mode AUDIT
Finding category MOBILE_DEVICES_ENCRYPTION_NOT_ENABLED

Remediation steps

Complete the following:

  • Enable full-device encryption. For Android devices, use device settings. On iOS devices, full-device encryption is enabled by default when a passcode is set.

  • Implement a mobile device management solution that enforces encryption. Consider advanced mobile management.

  • To encrypt containers for BYOD or work profiles, use a mobile device management solution.

  • On Google Cloud, grant IAM roles to mobile device users.

Enable Encryption on GKE Clusters

Enable application-layer secrets encryption on a Google Kubernetes Engine (GKE) cluster to create an additional layer of security for sensitive workloads.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category CLUSTER_SECRETS_ENCRYPTION_DISABLED

Remediation steps

Determine whether to use an existing Cloud KMS key or create a new key. For more information, see Creating a Cloud KMS key. Next, enable application-layer secrets encryption.

Enable Enhanced IAM Audit Logging

Enable audit logs for the IAM API, Security Token Service API, and Service Account Credentials API. Include the ADMIN_READ, DATA_READ, and DATA_WRITE types.

Enforcement mode AUDIT
Finding category IAM_AUDITLOG_PRIVILEGED_ACCESS_MANAGEMENT_VIOLATION

Remediation steps

Enable DATA_READ, DATA_WRITE, and ADMIN_READ for the following APIs: iam.googleapis.com, iamcredentials.googleapis.com, and sts.googleapis.com. For more information, see the following:
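
The following is an added example; it is not part of the Compliance Manager page or of Google's own tooling. It shows how the three services named in this control, together with the Organization Policy Service DATA_WRITE requirement from the Enable Data Write Audit Logs for Organization Policy control earlier on this page, map onto the auditConfigs section of an IAM policy, reports which log types are missing (and which principals are exempted, since an exemption silently defeats the control), and merges the missing entries into a policy fetched with gcloud projects get-iam-policy. The sample policy is constructed, and the service name orgpolicy.googleapis.com for the Organization Policy Service is an assumption.

```python
"""Merge the Data Access audit-log types required above into a project IAM policy.

Added example, not part of the Compliance Manager page or of any Google tooling.
It works on the JSON that `gcloud projects get-iam-policy PROJECT --format=json`
returns (and that `gcloud projects set-iam-policy PROJECT policy.json` accepts);
SAMPLE_POLICY is constructed. The Organization Policy Service is assumed to map
onto the service name orgpolicy.googleapis.com.
"""
import copy
import json

ALL_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

# Required Data Access log types per service.
REQUIRED_AUDIT_CONFIGS = {
    "iam.googleapis.com": ALL_TYPES,
    "iamcredentials.googleapis.com": ALL_TYPES,
    "sts.googleapis.com": ALL_TYPES,
    "orgpolicy.googleapis.com": {"DATA_WRITE"},  # assumed service name, see lead-in
}

# Constructed sample: only ADMIN_READ is on for IAM (with one exempted member) and
# for allServices; nothing else is configured. Bindings and etag are placeholders.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXsampleEtag=",
    "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}],
    "auditConfigs": [
        {
            "service": "iam.googleapis.com",
            "auditLogConfigs": [
                {"logType": "ADMIN_READ", "exemptedMembers": ["user:alice@example.com"]}
            ],
        },
        {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    ],
}


def enabled_log_types(policy, service):
    """Log types enabled for `service`. IAM unions the allServices entry with the
    service-specific one, so both count."""
    types = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in (service, "allServices"):
            types.update(lc["logType"] for lc in cfg.get("auditLogConfigs", []))
    return types


def exempted_members(policy, service):
    """Principals whose Data Access activity on `service` would NOT be logged."""
    members = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in (service, "allServices"):
            for lc in cfg.get("auditLogConfigs", []):
                members.update(lc.get("exemptedMembers", []))
    return sorted(members)


def find_missing(policy):
    """{service: sorted missing log types} for every non-compliant service."""
    missing = {}
    for service, required in REQUIRED_AUDIT_CONFIGS.items():
        gap = required - enabled_log_types(policy, service)
        if gap:
            missing[service] = sorted(gap)
    return missing


def ensure_audit_configs(policy):
    """Copy of `policy` with the missing log types appended.

    Existing entries (including exemptedMembers), bindings and etag are left as
    they are, so the result can be handed to set-iam-policy, which does a
    read-modify-write keyed on the etag.
    """
    fixed = copy.deepcopy(policy)
    configs = fixed.setdefault("auditConfigs", [])
    by_service = {cfg["service"]: cfg for cfg in configs}
    for service, gap in find_missing(policy).items():
        cfg = by_service.get(service)
        if cfg is None:
            cfg = {"service": service, "auditLogConfigs": []}
            configs.append(cfg)
            by_service[service] = cfg
        cfg.setdefault("auditLogConfigs", [])
        for log_type in gap:
            cfg["auditLogConfigs"].append({"logType": log_type})
    return fixed


if __name__ == "__main__":
    print(json.dumps(ensure_audit_configs(SAMPLE_POLICY), indent=2))
```

Typical use is gcloud projects get-iam-policy PROJECT --format=json > policy.json, run the merge over that file, then gcloud projects set-iam-policy PROJECT policy.json; the same policy shape is returned by gcloud organizations get-iam-policy, which is where you would set these configs to cover every project at once. Review any exempted members the check reports before applying: they are the principals whose IAM and token activity would still go unlogged.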

Enable Firewall Rule Logging

Firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules, and provide an early warning that the network is being used in an unapproved manner.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category FIREWALL_RULE_LOGGING_DISABLED

Remediation steps

Go to the VPC Network > Firewall page in the Google Cloud console. For more information, see Enable firewall rules logging.

Enable Flow Logs for VPC Subnet

VPC Flow Logs provides information that you can use for network monitoring, forensics, real-time security analysis, and expense optimization.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED

Remediation steps

Enable flow logs for the subnets in the VPC network. Go to the VPC Network > VPC networks page in the Google Cloud console. Click the network name. On the VPC network details page, click the Subnets tab. Click the subnet name and edit it to enable Flow logs.

Enable Idle Shutdown for Vertex AI Runtime Templates

Enable automatic idle shutdown in Colab Enterprise runtime templates to optimize cloud costs, improve resource management, and enhance security.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_RUNTIME_TEMPLATE_IDLE_SHUTDOWN_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't change this setting after the runtime template is created. Delete the existing runtime template and create a new one with idle shutdown turned on.

  1. Delete the runtime template. For instructions, see Delete a runtime template.

  2. Create a runtime template. For instructions, see Create a runtime template. To turn on idle shutdown, in the Configure compute section, select Enable idle shutdown.

For more information, see Idle shutdown.

Enable Integrity Monitoring for Vertex AI Workbench Instances

Enable integrity monitoring on Workbench instances to continuously attest the boot integrity of your VMs against a trusted baseline.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_WORKBENCH_INTEGRITY_MONITORING_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

Enable integrity monitoring for the Workbench instance.

  1. Stop your Workbench instance:

gcloud workbench instances stop INSTANCE_NAME --location=LOCATION --format="yaml(state)"

  2. Enable the vTPM feature, which integrity monitoring depends on:

gcloud workbench instances update INSTANCE_NAME --location=LOCATION --shielded-vtpm true --format="yaml(gceSetup.shieldedInstanceConfig.enableVtpm)"

  3. Enable integrity monitoring:

gcloud workbench instances update INSTANCE_NAME --location=LOCATION --shielded-integrity-monitoring true --format="yaml(gceSetup.shieldedInstanceConfig.enableIntegrityMonitoring)"

  4. Restart the instance:

gcloud workbench instances start INSTANCE_NAME --location=LOCATION --format="yaml(state)"

Enable Integrity Monitoring on GKE Clusters

Integrity monitoring lets you respond to integrity failures and help prevent compromised nodes from being deployed into the cluster.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category INTEGRITY_MONITORING_DISABLED

Remediation steps

You can't enable integrity monitoring on a GKE node pool after it's been created. Create a new node pool with integrity monitoring enabled, migrate your workloads, and delete the older node pool. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name. Click Add Node Pool. In the Security tab, select Enable integrity monitoring and click Create. Migrate your workloads from the existing non-conforming node pool to the new node pools and then remove the old node pool.

Enable integrity verification of software and firmware components

Enforce software and firmware integrity verification to detect unauthorized changes using developer-provided tools, techniques, and mechanisms.

Enforcement mode AUDIT
Finding category MISSING_FIRMWARE_INTEGRITY_VERIFICATION_CONTROLS

Remediation steps

Mandate integrity verification of software and firmware components for critical risk information systems, system components, or information system services. Examples of critical risk systems, system components, or information system services include validating the integrity of the BIOS and other firmware updates.

Enable Intranode Visibility for GKE Clusters

Intranode visibility makes Pod-to-Pod traffic visible for monitoring and lets you use VPC flow logging or other VPC features to monitor or control intranode traffic.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category INTRANODE_VISIBILITY_DISABLED

Remediation steps

Go to the Kubernetes Engine > Clusters page in the Google Cloud console. In the Networking section, click Edit intranode visibility in the Intranode visibility row, and select Enable Intranode visibility.

Enable IP Alias Range for GKE Clusters

Google Cloud alias IP ranges let you assign ranges of internal IP addresses as aliases, so your cluster is scalable and interacts better with Google Cloud products and entities.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category IP_ALIAS_DISABLED

Remediation steps

For instructions on how to create a cluster enabled with alias IP range, see Create a VPC-native cluster.

Enable Load Balancer Logging

Logging for a Cloud Load Balancing backend service provides visibility into the HTTP(S) network traffic towards your web applications.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category LOAD_BALANCER_LOGGING_DISABLED

Remediation steps

To enable logging on a backend service, see Enabling logging on an existing backend service.

Enable Log Checkpoints Flag for PostgreSQL

Turn on the log_checkpoints flag for PostgreSQL to log checkpoints and restart points.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOG_CHECKPOINTS_DISABLED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_checkpoints database flag to On for the instance.

Enable Log Connections Flag for PostgreSQL

Turn on the log_connections flag for the PostgreSQL instance.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOG_CONNECTIONS_DISABLED

Remediation steps

Turn the log_connections flag on. Go to the SQL > Instances page in the Google Cloud console and set the log_connections database flag to On for the instance.

Enable Log Disconnections Flag for PostgreSQL

Turn on the log_disconnections flag for the PostgreSQL instance. When set, end-of-session events are logged.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOG_DISCONNECTIONS_DISABLED

Remediation steps

Turn the log_disconnections flag on. Go to the SQL > Instances page in the Google Cloud console and set the log_disconnections database flag to On for the instance.

Enable Log Duration Flag for PostgreSQL instance

Set the log_duration flag to log the duration of every completed statement.

Enforcement mode DETECTIVE
Severity MEDIUM
Finding category SQL_LOG_DURATION_DISABLED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_duration database flag to On for the instance.

Enable Log Error Verbosity Flag for PostgreSQL

Turn on verbose or default logging using the log_error_verbosity flag for the PostgreSQL instance. When set, the flag controls detail in logged messages.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOG_ERROR_VERBOSITY

Remediation steps

Set the log_error_verbosity flag. Go to the SQL > Instances page in the Google Cloud console and set the log_error_verbosity database flag to default or verbose for the instance.

Enable Log Events Data Sharing

The Google Admin console lets you share log events data from your Google Workspace or Cloud Identity with services in Google Cloud. Turn on log events sharing to view this data in Cloud Audit logs.

Enforcement mode AUDIT
Finding category LOG_EVENTS_DATA_SHARING_DISABLED

Remediation steps

To change data sharing options for Google Cloud audit logs in the Google Admin console, go to Menu > Account > Account settings > Legal and compliance > Sharing options. For more information, see Share data with Google Cloud services.

Enable Log Locks Wait Flag for PostgreSQL instance

Turn on the log_lock_waits flag for PostgreSQL to log a message whenever a session waits longer than deadlock_timeout to acquire a lock. Such waits point to lock contention or a blocked session and are worth investigating.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOG_LOCK_WAITS_DISABLED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_lock_waits database flag to On for the Cloud SQL instance.

Enable Log Min Error Statement Flag for PostgreSQL

Configure the log_min_error_statement flag as per your organization's logging policy for the PostgreSQL instance. This flag controls logging of SQL statements that cause errors.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOG_MIN_ERROR_STATEMENT

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_min_error_statement database flag for the Cloud SQL instance. The value of this flag must be set as per your organization's logging policy. Possible values are info, notice, warning, error, debug1, debug2, debug3, debug4, and debug5.

Enable Log Min Messages Flag for PostgreSQL

Set the log_min_messages flag to warning or lower levels for the PostgreSQL instance. This flag controls message levels recorded in logs.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SQL_LOG_MIN_MESSAGES_INCORRECT

Remediation steps

Set the log_min_messages flag. Go to the SQL > Instances page in the Google Cloud console and set the log_min_messages database flag for the Cloud SQL instance to warning or a more verbose level (notice, info, or debug1 through debug5).

Enable Log Statement Flag for PostgreSQL

Set the log_statement flag to ddl for the PostgreSQL instance. When set to ddl, all data definition statements are logged for forensic analysis.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SQL_LOG_STATEMENT

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_statement database flag to ddl for the Cloud SQL instance.

Enable Log Temp Files Flag for PostgreSQL instance

Set the log_temp_files flag to 0 for PostgreSQL. When set to 0, all temp files are logged.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOG_TEMP_FILES

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_temp_files database flag to 0 for the Cloud SQL instance.
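
The ten PostgreSQL flag controls above each describe a console click-path. The following is an added example, not part of the Compliance Manager page or of Google's tooling, that evaluates all of them at once against the JSON that gcloud sql instances describe returns and builds the single gcloud sql instances patch command that fixes the gaps. It also shows the caveat a practitioner needs when scripting this: --database-flags replaces the instance's whole flag set, so flags not repeated in the command are silently reset. The instance document is a constructed sample; the acceptable values follow the remediation steps above, and the PostgreSQL server defaults assumed for unset flags are noted in the code.

```python
"""Check a Cloud SQL for PostgreSQL instance against the log_* flag controls above.

Added example, not part of the Compliance Manager page or of Google's tooling. It reads
the JSON that `gcloud sql instances describe INSTANCE --format=json` returns (only
name, databaseVersion and settings.databaseFlags are used) and builds the matching
`gcloud sql instances patch` command. INSTANCE below is a constructed sample.
"""

LEVELS = ["debug5", "debug4", "debug3", "debug2", "debug1",
          "info", "notice", "warning", "error", "log", "fatal", "panic"]


def levels_up_to(level):
    """PostgreSQL message levels from most verbose up to and including `level`."""
    return set(LEVELS[:LEVELS.index(level) + 1])


BOOLEAN_FLAGS = {"log_checkpoints", "log_connections", "log_disconnections",
                 "log_duration", "log_lock_waits"}

# Acceptable values per flag, following the remediation steps above.
ACCEPTABLE = {
    **{flag: {"on"} for flag in BOOLEAN_FLAGS},
    "log_statement": {"ddl"},
    "log_temp_files": {"0"},
    "log_error_verbosity": {"default", "verbose"},
    "log_min_error_statement": levels_up_to("error"),
    "log_min_messages": levels_up_to("warning"),
}

# Value applied when a flag is absent or out of policy.
REMEDIATION = {
    **{flag: "on" for flag in BOOLEAN_FLAGS},
    "log_statement": "ddl",
    "log_temp_files": "0",
    "log_error_verbosity": "default",
    "log_min_error_statement": "error",
    "log_min_messages": "warning",
}

# Server default assumed when the flag is not set on the instance. log_checkpoints
# defaults to on from PostgreSQL 15, but treating absence as "off" makes the check
# insist on an explicit setting rather than relying on the engine version.
SERVER_DEFAULT = {
    **{flag: "off" for flag in BOOLEAN_FLAGS},
    "log_statement": "none",
    "log_temp_files": "-1",
    "log_error_verbosity": "default",
    "log_min_error_statement": "error",
    "log_min_messages": "warning",
}

# Constructed sample instance: some flags unset, some set to non-compliant values.
INSTANCE = {
    "name": "pg-prod-1",
    "databaseVersion": "POSTGRES_15",
    "settings": {
        "databaseFlags": [
            {"name": "max_connections", "value": "200"},
            {"name": "log_connections", "value": "on"},
            {"name": "log_statement", "value": "none"},
            {"name": "log_min_messages", "value": "error"},
            {"name": "log_error_verbosity", "value": "terse"},
            {"name": "log_temp_files", "value": "1024"},
        ]
    },
}


def _flags(instance):
    return {f["name"]: f["value"] for f in instance.get("settings", {}).get("databaseFlags", [])}


def normalize(flag, value):
    """Lower-case the value; for boolean flags fold PostgreSQL's synonyms onto on/off."""
    value = str(value).strip().lower()
    if flag in BOOLEAN_FLAGS:
        value = {"true": "on", "yes": "on", "1": "on",
                 "false": "off", "no": "off", "0": "off"}.get(value, value)
    return value


def evaluate(instance):
    """Return {flag: effective_value} for every flag that is out of policy."""
    if not instance.get("databaseVersion", "").startswith("POSTGRES"):
        raise ValueError("these log_* controls apply to Cloud SQL for PostgreSQL only")
    flags = _flags(instance)
    findings = {}
    for flag, acceptable in ACCEPTABLE.items():
        effective = normalize(flag, flags.get(flag, SERVER_DEFAULT[flag]))
        if effective not in acceptable:
            findings[flag] = effective
    return findings


def remediation_command(instance, findings):
    """gcloud command that fixes `findings`.

    --database-flags REPLACES the instance's entire flag set, so every flag already
    on the instance is carried over; omitting one would silently reset it to default.
    """
    flags = _flags(instance)
    for flag in findings:
        flags[flag] = REMEDIATION[flag]
    joined = ",".join(f"{k}={v}" for k, v in sorted(flags.items()))
    return f"gcloud sql instances patch {instance['name']} --database-flags={joined}"


if __name__ == "__main__":
    found = evaluate(INSTANCE)
    for flag, value in sorted(found.items()):
        print(f"{flag}: {value!r} not in {sorted(ACCEPTABLE[flag])}")
    print(remediation_command(INSTANCE, found))
```

Some of these flags require an instance restart, and gcloud prompts before performing one, so run the generated command in a maintenance window. The same evaluate/remediate structure extends to the MySQL skip_show_database control further down the page by adding the flag to the policy tables.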

Enable Network Policy on GKE Clusters

Restrict network connections between pods with a NetworkPolicy resource which acts as a pod-level firewall and only permits explicitly allowed connections.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category NETWORK_POLICY_DISABLED

Remediation steps

Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name, and in the Networking section, edit the Calico Kubernetes Network policy to enable it for both the control plane and nodes.

Enable Object Versioning on Buckets

Versioning lets you track changes to objects and to enable recovery of specific versions of an object.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category OBJECT_VERSIONING_DISABLED_ON_BUCKETS

Remediation steps

To enable versioning for Cloud Storage buckets, see Set Object Versioning on a bucket.

Enable OS Login

Enable OS Login to centralize SSH key management with Identity and Access Management (IAM).

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category OS_LOGIN_DISABLED

Remediation steps

Enable OS Login. Go to the Compute Engine > Metadata page in the Google Cloud console. Click Edit and add an item with the key set to enable-oslogin and the value set to TRUE.

Enable OS Login for All Instances at Project Level

Enable OS Login to centralize SSH key management with Identity and Access Management (IAM).

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category OS_LOGIN_DISABLED

Remediation steps

Enable OS Login for the project. On the Compute Engine > Metadata page in the Google Cloud console, add the key enable-oslogin with the value TRUE. Instance metadata overrides project metadata, so an instance that sets enable-oslogin to FALSE in its own metadata remains non-compliant until that entry is removed. For more information, see Enable OS Login for all VMs in a project.

Enable PodSecurityPolicies for GKE Clusters

Define and authorize PodSecurityPolicies to validate requests to create and update pods on a Google Kubernetes Engine (GKE) cluster.

Enforcement mode DETECTIVE
Severity MEDIUM
Finding category POD_SECURITY_POLICY_DISABLED

Remediation steps

Enable the PodSecurityPolicy controller on the GKE clusters. For more information, see PodSecurityPolicy. PodSecurityPolicy was removed from Kubernetes in v1.25 and is not available on GKE clusters running that version or later; on those clusters, enforce the equivalent pod constraints with Pod Security Admission or Policy Controller instead.

Enable Private Clusters for GKE

Use private clusters in Google Kubernetes Engine (GKE) to limit outbound internet access and node discoverability.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category PRIVATE_CLUSTER_DISABLED

Remediation steps

You can't change an existing cluster into a private cluster. Create a private cluster, move your workloads, and delete the older cluster. Go to the Kubernetes clusters page in the Google Cloud console and create a cluster with Private cluster turned on. For more information, see Create a private cluster. Migrate your workloads and then remove the old cluster.

Enable Private Google Access for VPC Subnets

Allow VM instances with only internal (private) IP addresses to reach Google public APIs with Private Google Access.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category PRIVATE_GOOGLE_ACCESS_DISABLED

Remediation steps

Enable Private Google Access for the subnets that don't have access to Google public APIs and services. For more information, see Enable Private Google Access.

Enable Private Google Access on an instance

Private Google Access enables VM instances with only private, internal IP addresses to reach the public IP addresses of Google APIs and services. Configuring cluster hosts to use only private IPs helps improve security.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED

Remediation steps

Enable Private Google Access on the subnet that the cluster's nodes use. Complete the following steps:

  1. Go to the VPC Network > VPC networks page in the Google Cloud console.
  2. Click the network name.
  3. On the VPC network details page, click Subnets tab.
  4. Click the subnet name associated with the Kubernetes cluster in the finding.
  5. On the Subnet details page, click Edit.
  6. Under Private Google Access, select On.

Enable SDP for Data Discovery

The Sensitive Data Protection (SDP) discovery service helps you protect data across your organization by identifying where sensitive and high-risk data resides.

Enforcement mode AUDIT
Finding category SDP_TO_DISCOVER_DATA_DISABLED

Remediation steps

Use SDP to discover the data and address critical findings. For instructions on using SDP, see Inspect Google Cloud storage and databases for sensitive data.

Enable Secure Boot for Shielded GKE Nodes

Enable Secure Boot to authenticate the boot components of your node VMs, such as the kernel and the bootloader, during the boot process.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category NODEPOOL_SECURE_BOOT_DISABLED

Remediation steps

Create a node pool with Secure Boot and migrate your workloads from the existing non-conforming node pools to the new node pools. After moving the workloads, delete the original non-conforming node pool. For more information, see Secure boot.

Enable Secure Boot for Vertex AI Runtime Templates

Enable secure boot in Colab Enterprise runtime templates to help prevent unauthorized code execution and help protect operating system integrity.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_RUNTIME_TEMPLATE_SECURE_BOOT_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

You can't change this setting after the runtime template is created. Delete the existing runtime template and create a new one with secure boot enabled.

  1. Delete the runtime template. For instructions, see Delete a runtime template.

  2. Create a runtime template. For instructions, see Create a runtime template. To enable secure boot, in the Configure compute section, select Secure Boot.

Enable Secure Boot for Vertex AI Workbench Instances

Enable secure boot for Workbench instances to help prevent the execution of unauthorized or malicious software during the boot process.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_WORKBENCH_SECURE_BOOT_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

Enable secure boot.

  1. Stop your Workbench instance:

gcloud workbench instances stop INSTANCE_NAME --location=LOCATION --format="yaml(state)"

  2. Enable the secure boot feature:

gcloud workbench instances update INSTANCE_NAME --location=LOCATION --shielded-secure-boot true --format="yaml(gceSetup.shieldedInstanceConfig.enableSecureBoot)"

  3. Restart the instance:

gcloud workbench instances start INSTANCE_NAME --location=LOCATION --format="yaml(state)"

Enable Secure Boot on Compute Engine Instances

Secure Boot helps to protect VM instances against advanced threats such as rootkits and bootkits.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category COMPUTE_SECURE_BOOT_DISABLED

Remediation steps

Turn on Secure Boot. Go to the Compute Engine > VM instances page in the Google Cloud console. Select the instance name. On the VM instance details page, stop the instance. Click Edit. Enable Secure Boot under Shielded VM, and start the instance.

Enable Shielded GKE Nodes on a Cluster

Shielded Google Kubernetes Engine (GKE) nodes let the control plane cryptographically verify that a node joining the cluster is a genuine Compute Engine VM from the cluster's node pools. This limits the impact of a Pod vulnerability: an attacker who escapes a Pod can no longer use the node's bootstrap credentials to impersonate a node and pull secrets from the cluster.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category CLUSTER_SHIELDED_NODES_DISABLED

Remediation steps

Enable Shielded GKE nodes for the cluster. Go to the Clusters page of Kubernetes Engine in the Google Cloud console. Select the cluster from the list. Under Security, edit Shielded GKE nodes and select the Enable Shielded GKE nodes checkbox.

Enable Shielded VM for Compute Engine Instances

Ensure Compute Engine instances are created with Shielded VM enabled.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SHIELDED_VM_DISABLED

Remediation steps

Enable Shielded VM for the instance. For more information, see Enable Shielded VM options.

Enable Skip Show Database Flag for MySQL

Turn on the skip_show_database flag for the MySQL instance to prevent users without privilege from using SHOW DATABASES.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_SKIP_SHOW_DATABASE_DISABLED

Remediation steps

Turn on the skip_show_database flag. Go to the SQL > Instances page in the Google Cloud console and set the skip_show_database flag to On for the MySQL instance.

Enable SSL Encryption On AlloyDB Instances

Enforce Secure Sockets Layer (SSL) to permit only authenticated and encrypted connections to AlloyDB instances.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category ALLOYDB_SSL_NOT_ENFORCED

Remediation steps

Enforce SSL for the AlloyDB cluster. Go to the AlloyDB > Clusters page in the Google Cloud console. Click the cluster from the Resource Name column, and edit the primary instance. Enable Only allow SSL connections.

Enable Subnet Flow Logs

Monitor sub network flows using VPC Flow Logs for security analysis, forensics, and expense optimization.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category FLOW_LOGS_DISABLED

Remediation steps

To configure VPC Flow Logs for a subnet, see Enable VPC Flow Logs for a subnet.

Enable System Use Notifications on VMs

Implement system use notifications (messages or warning banners) before users log in. The notifications are retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system.

Enforcement mode AUDIT
Finding category SYSTEM_USE_NOTIFICATIONS_MISSING

Remediation steps

Create a banner text file and transfer it to your VMs using the Secure Copy Protocol (SCP) file transfer utility. For example:

gcloud compute scp banner.txt YOUR_VM_NAME:~ --zone YOUR_INSTANCE_ZONE

Copying the file is not enough on its own; the SSH server has to be pointed at it (for OpenSSH, the Banner directive in /etc/ssh/sshd_config) so that the text is shown before authentication. For more information, see Transfer files to Linux VMs.
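
The following is an added example, not part of the Compliance Manager page or of Google's tooling, for the step the remediation leaves to the reader: making the copied banner appear before login. It assumes an OpenSSH server on the VM, the conventional banner path /etc/issue.net, and that it is run as root after the file has been transferred. The sshd_config fragment it rewrites is a constructed sample. It places exactly one active Banner directive in the global section ahead of any Match block, leaves Match blocks alone, and rolls the change back if sshd -t rejects the result.

```python
"""Install an SSH pre-login banner on a Linux VM for the system use notification above.

Added example, not part of the Compliance Manager page or of Google's tooling. It assumes
an OpenSSH server, the conventional banner path /etc/issue.net, and that it runs as root
on the VM after the banner file has been copied over with `gcloud compute scp`.
SAMPLE_CONFIG is a constructed sshd_config fragment.
"""
import os
import re
import shutil
import subprocess
import sys

BANNER_PATH = "/etc/issue.net"
SSHD_CONFIG = "/etc/ssh/sshd_config"

BANNER_LINE_RE = re.compile(r"^\s*#?\s*Banner\b", re.IGNORECASE)   # active or commented out
ACTIVE_BANNER_RE = re.compile(r"^\s*Banner\s+(\S+)", re.IGNORECASE)
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)

SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
#Banner none
PasswordAuthentication no
Banner /etc/legacy_banner
Match User deploy
    Banner none
    PasswordAuthentication no
"""


def set_sshd_banner(config_text, banner_path=BANNER_PATH):
    """Return config_text with exactly one active `Banner <banner_path>` in the global section.

    Every line after the first `Match` belongs to a Match block, so the global directive
    must sit before it. Other global Banner lines (the commented default or stale
    duplicates) are dropped because sshd honours only the first one it parses; Banner
    lines inside Match blocks are left alone.
    """
    out, placed, in_global = [], False, True
    new_line = f"Banner {banner_path}"
    for line in config_text.splitlines():
        if MATCH_RE.match(line):
            if not placed:
                out.append(new_line)
                placed = True
            in_global = False
        if in_global and BANNER_LINE_RE.match(line):
            if not placed:
                out.append(new_line)
                placed = True
            continue
        out.append(line)
    if not placed:
        out.append(new_line)
    return "\n".join(out) + "\n"


def effective_banner(config_text):
    """Banner path sshd uses for the global section, or None if unset (sshd default: none)."""
    for line in config_text.splitlines():
        if MATCH_RE.match(line):
            break
        m = ACTIVE_BANNER_RE.match(line)
        if m:
            return m.group(1)
    return None


def install(banner_src, config_path=SSHD_CONFIG, banner_path=BANNER_PATH):
    """Copy the banner, rewrite sshd_config, and refuse to leave a config sshd rejects."""
    shutil.copyfile(banner_src, banner_path)
    os.chmod(banner_path, 0o644)
    with open(config_path, encoding="utf-8") as f:
        original = f.read()
    updated = set_sshd_banner(original, banner_path)
    backup = config_path + ".bak"
    shutil.copyfile(config_path, backup)
    with open(config_path, "w", encoding="utf-8") as f:
        f.write(updated)
    check = subprocess.run(["sshd", "-t", "-f", config_path], capture_output=True, text=True)
    if check.returncode != 0:
        shutil.copyfile(backup, config_path)  # roll back so sshd stays reloadable
        raise SystemExit(f"sshd -t rejected the new config, restored backup:\n{check.stderr}")
    # Debian/Ubuntu name the unit ssh; RHEL-family images use sshd.
    subprocess.run(["systemctl", "reload", "ssh"], check=False)
    return updated


if __name__ == "__main__":
    install(sys.argv[1] if len(sys.argv) > 1 else "banner.txt")
```

Run it on the VM as root with the path of the transferred banner file as its argument. Verify from another host with ssh -v, which prints the banner before the authentication prompt; a banner that only appears in the MOTD after login does not satisfy the control's "before users log in" requirement.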

Enable the Confidential VM Organization Policy Constraint

To help protect against memory attacks, enable the Restrict Non-Confidential Computing (compute.restrictNonConfidentialComputing) organization policy constraint so that each virtual machine (VM) is a Confidential VM.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_CONFIDENTIAL_VM_POLICY

Remediation steps

Enable the Restrict Non-Confidential Computing organization policy. For instructions, see Enforce Confidential VM use.

Enable the Restrict Authorized Networks on Cloud SQL Instances Organization Policy Constraint

Enable the Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks) organization policy constraint to restrict adding Authorized Networks for unproxied database access to Cloud SQL instances.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category RESTRICT_AUTHORIZED_NETWORKS_ORG_POLICY

Remediation steps

Enable the Restrict Authorized Networks on Cloud SQL instances constraint in the Organization Policies page from the Google Cloud console. For more information, see Organization policy constraints and Creating and managing organization policies.

Enable Uniform Bucket-Level Access on Cloud Storage Buckets

When uniform bucket-level access is enabled, only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects that it contains.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category BUCKET_POLICY_ONLY_DISABLED

Remediation steps

Go to the Cloud Storage > Buckets page in the Google Cloud console. In the list of buckets, click the name of the bucket and then click the Configuration tab. In the Permissions section, click Edit access control model, and select Uniform. For more information, see Uniform bucket-level access.

Enable VPC Flow Logs for Compute Engine Instances

VPC Flow Logs provides you visibility into network throughput and performance.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category COMPUTE_VPC_ADVANCED_FLOW_LOGS_DISABLED

Remediation steps

To configure VPC Flow Logs, see Configure VPC Flow Logs.

Enable vTPM on Vertex AI Workbench Instances

Enable the virtual trusted platform module (vTPM) on Workbench instances to safeguard the boot process and gain more control over encryption.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_WORKBENCH_VTPM_DISABLED
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

Enable vTPM for the Vertex AI Workbench instance.

  1. Stop your Workbench instance:

gcloud workbench instances stop INSTANCE_NAME --location=LOCATION --format="yaml(state)"

  2. Enable the vTPM feature:

gcloud workbench instances update INSTANCE_NAME --location=LOCATION --shielded-vtpm true --format="yaml(gceSetup.shieldedInstanceConfig.enableVtpm)"

  3. Restart the instance:

gcloud workbench instances start INSTANCE_NAME --location=LOCATION --format="yaml(state)"

Enable Workload Identity Federation for GKE on clusters

Access Google Cloud services from within Google Kubernetes Engine (GKE) using Workload Identity Federation for GKE for improved security and manageability.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category WORKLOAD_IDENTITY_DISABLED

Remediation steps

Enable Workload Identity Federation for GKE. For more information, see Enable Workload Identity Federation for GKE on clusters and node pools.

Encrypt Data at Rest with CMEK

Encrypt data at rest with customer-managed encryption keys (CMEK).

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DATA_AT_REST_CMEK_ENCRYPTION_MISSING

Remediation steps

Check the encryption status for Cloud Storage buckets and ensure the KMS key name is set. For Compute Engine instances, the kmsKeyName for instance and attached disks must not be empty. For Cloud SQL instances, the kmsKeyName within diskEncryptionConfiguration must not be empty.
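The three conditions in the previous paragraph can be evaluated automatically. The following Python is an added example, not code from Compliance Manager or from this page: it walks resource descriptions shaped like the JSON that the Cloud Storage, Compute Engine and Cloud SQL APIs return and reports every resource whose KMS key name is missing or empty. The field paths `encryption.defaultKmsKeyName`, `disks[].diskEncryptionKey.kmsKeyName` and `diskEncryptionConfiguration.kmsKeyName` are assumptions drawn from the text above, and the inventory is constructed sample data with placeholder names.

```python
"""Added example: evaluate the CMEK-at-rest check over resource descriptions.

The inventory shape mirrors the JSON returned by `gcloud ... describe
--format=json` for buckets, Compute Engine instances and Cloud SQL instances
(assumed field paths; the sample data below is constructed).
"""
from typing import Any


def _lookup(obj: dict, path: str) -> Any:
    """Walk a dotted path such as 'encryption.defaultKmsKeyName'; None if absent."""
    cur: Any = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def check_bucket(bucket: dict) -> list[str]:
    """A bucket is compliant when its default KMS key name is set and non-empty."""
    if not _lookup(bucket, "encryption.defaultKmsKeyName"):
        return [f"bucket {bucket['name']}: default KMS key not set"]
    return []


def check_instance(instance: dict) -> list[str]:
    """Every attached disk must carry a kmsKeyName; each unprotected disk is a finding."""
    findings = []
    for disk in instance.get("disks", []):
        if not _lookup(disk, "diskEncryptionKey.kmsKeyName"):
            findings.append(
                f"instance {instance['name']}: disk {disk.get('deviceName', '?')} not CMEK-encrypted"
            )
    return findings


def check_sql_instance(sql: dict) -> list[str]:
    """Cloud SQL: diskEncryptionConfiguration.kmsKeyName must be non-empty."""
    if not _lookup(sql, "diskEncryptionConfiguration.kmsKeyName"):
        return [f"sql instance {sql['name']}: diskEncryptionConfiguration.kmsKeyName is empty"]
    return []


def audit(inventory: dict) -> list[str]:
    """Run all three checks; an empty list means no CMEK-at-rest findings."""
    findings: list[str] = []
    for bucket in inventory.get("buckets", []):
        findings += check_bucket(bucket)
    for instance in inventory.get("instances", []):
        findings += check_instance(instance)
    for sql in inventory.get("sqlInstances", []):
        findings += check_sql_instance(sql)
    return findings


# Constructed sample inventory (placeholder resource names and key paths).
SAMPLE_INVENTORY = {
    "buckets": [
        {"name": "logs-bucket",
         "encryption": {"defaultKmsKeyName": "projects/p/locations/us/keyRings/r/cryptoKeys/k"}},
        {"name": "scratch-bucket"},  # no encryption block at all
    ],
    "instances": [
        {"name": "web-1", "disks": [
            {"deviceName": "boot",
             "diskEncryptionKey": {"kmsKeyName": "projects/p/locations/us/keyRings/r/cryptoKeys/k"}},
            {"deviceName": "data", "diskEncryptionKey": {}},  # key block present but empty
        ]},
    ],
    "sqlInstances": [
        {"name": "db-1", "diskEncryptionConfiguration": {"kmsKeyName": ""}},  # empty string
    ],
}

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

The helper treats an absent key block, an empty key block and an empty string the same way, because all three mean the resource is protected only by Google-managed keys; that is the distinction this control cares about.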

Encrypt Pub/Sub topic with CMEK

Encrypt a Pub/Sub topic with customer-managed encryption keys (CMEKs) to gain more control over data encryption and key management.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category PUBSUB_CMEK_DISABLED

Remediation steps

You can't enable CMEK on a Pub/Sub topic after it's been created. Delete the topic and create a new topic with CMEK enabled. In the Google Cloud console, go to the Pub/Sub Topics page. Delete and recreate the Pub/Sub topic with CMEK. For more information, see Delete topics and Configure a topic with CMEK.

Enforce 2-Step Verification for Super Admin Accounts

Google recommends using Titan security keys as the second factor for Super Admin accounts. The Titan security key helps protect against unauthorized access.

Enforcement mode AUDIT
Finding category SUPER_ADMIN_ACCOUNTS_MFA_DISABLED

Remediation steps

To enforce 2-Step Verification, sign in to the Google Admin console (admin.google.com), navigate to Security > Authentication > 2-Step Verification, and turn on enforcement for the organizational unit or group containing the super administrators.

Enforce CMEK

Use customer-managed encryption keys (CMEKs) for increased ownership and control of the keys that protect your data at rest in Google Cloud.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category CMEK_NOT_ENFORCED

Remediation steps

Complete the following:

  • Configure CMEK across your services.

  • Consider the Certificate Authority Service for hardware-protected private keys which are FIPS 140-2 Level 3 validated.

Enforce CMEK for Supported Services

Use the "Restrict which services may create resources without CMEK" (gcp.restrictNonCmekServices) organization policy constraint to define which Google Cloud services must use customer-managed encryption keys (CMEKs).

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORGPOLICY_RESTRICT_NON_CMEK_SERVICES_VIOLATED

Remediation steps

To configure this constraint, see Require CMEK protection.

Enforce Compute Session Inactive Policy

Monitor user inactivity on Compute Engine instances and end sessions after a session has been inactive for 30 minutes.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category COMPUTE_SESSION_INACTIVITY_POLICY_NOT_SET

Remediation steps

  • Set the httpKeepAliveTimeoutSec attribute (https://cloud.google.com/load-balancing/docs/https/setup-global-ext-https-compute#update-keepalive-timeout) to the session timeout.

  • Verify you’re monitoring user activity for your Compute Engine VMs. For example, the following script sets a metadata flag (terminate-session=true) if the idle time exceeds 30 minutes:

#!/bin/bash
idle_time_minutes() {
  # Minutes since the controlling terminal last saw input (adapt to your sessions)
  echo $(( ($(date +%s) - $(stat -c %X "$(tty)")) / 60 ))
}

# Logic to check user activity
if [ "$(idle_time_minutes)" -gt 30 ]; then
  gcloud compute instances add-metadata INSTANCE_NAME --metadata terminate-session=true
fi

  • Verify session termination scripts are implemented. For example, the following script ends the session based on your conditions:

#!/bin/bash
# Logic to terminate the user session
# (This may involve logging out the user, killing user processes, etc.)

# Clear the metadata flag
gcloud compute instances add-metadata INSTANCE_NAME --metadata terminate-session=false

Enforce Configuration Management for IAC

Ensure configuration management for your infrastructure as code (IAC) during system, component, or service development. Consider version control and change tracking.

Enforcement mode AUDIT
Finding category MISSING_IAC_CONFIGURATION_MANAGEMENT

Remediation steps

Complete the following:

  • Use Deployment Manager or Terraform to define and manage your IAC files. Use a Git repository to track changes and for version control.

  • Implement a change management process that includes code reviews and approvals.

  • Create a change implementation process and use IAM to ensure only authorized personnel can modify configuration items.

  • Document approved changes and implement logging and monitoring.

  • Track security issues and resolutions using vulnerability scanning, Security Command Center, monitoring alerting policies, and reporting practices.

Enforce Deny All Egress Firewall Rule

The deny-all egress firewall rule helps to prevent unwanted outbound network connections.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category EGRESS_DENY_RULE_NOT_SET

Remediation steps

Set the firewall rule to deny egress traffic.

  1. Go to Firewall > VPC Network page in the Google Cloud console.

  2. Click Create firewall rule.

  3. For Direction of traffic, select Egress.

  4. In Action on match field, select Deny.

  5. In the Targets drop-down menu, select All instances in the network.

  6. In the Destination filter drop-down menu, select IP ranges, and type 0.0.0.0/0 into the Destination IP ranges box.

  7. In Protocols and ports field, select Deny all.

  8. Click Disable Rule.

  9. In Enforcement, select Enabled and click Create.

For more information, see Add a firewall rule to deny egress traffic originating from all other VPC networks.
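The steps above create the rule in the console. To check afterwards that every VPC network actually has such a rule in force, here is an added Python example that is not from this page or from Google Cloud. The rule records are shaped like the JSON that `gcloud compute firewall-rules list --format=json` returns (`direction`, `denied`, `allowed`, `destinationRanges`, `disabled`, `targetTags`, `targetServiceAccounts`, `priority` and `network` are fields of that output); the project name and the sample rules are constructed. It also lists egress allow rules that outrank the deny rule, since those are the exceptions an auditor needs to review.

```python
"""Added example: detect VPC networks that lack an active deny-all egress rule.

`rules` mirrors the JSON from `gcloud compute firewall-rules list --format=json`
(Compute API field names; the sample rules below are constructed).
"""


def network_name(rule: dict) -> str:
    """The `network` field is a resource URL; keep only the trailing network name."""
    return rule["network"].rsplit("/", 1)[-1]


def is_deny_all_egress(rule: dict) -> bool:
    """Match the rule the console steps above create: egress, deny, all protocols,
    destination 0.0.0.0/0, applied to all instances, and not disabled."""
    if rule.get("direction") != "EGRESS" or rule.get("disabled", False):
        return False
    if "0.0.0.0/0" not in rule.get("destinationRanges", []):
        return False
    # Absent targetTags/targetServiceAccounts means "All instances in the network".
    if rule.get("targetTags") or rule.get("targetServiceAccounts"):
        return False
    return any(d.get("IPProtocol") == "all" for d in rule.get("denied", []))


def evaluate(networks: list[str], rules: list[dict]) -> dict[str, bool]:
    """Map each network name to whether it has at least one active deny-all egress rule.
    Networks are passed explicitly so that one with no rules at all is still reported."""
    covered = {network_name(r) for r in rules if is_deny_all_egress(r)}
    return {net: net in covered for net in networks}


def overriding_egress_allows(network: str, rules: list[dict]) -> list[str]:
    """Names of enabled egress allow rules in `network` that take precedence over its
    deny-all rule (a lower priority number wins; Google Cloud's default is 1000)."""
    in_net = [r for r in rules if network_name(r) == network]
    denies = [r for r in in_net if is_deny_all_egress(r)]
    if not denies:
        return []
    deny_priority = min(r.get("priority", 1000) for r in denies)
    return sorted(
        r["name"] for r in in_net
        if r.get("direction") == "EGRESS" and "allowed" in r
        and not r.get("disabled", False) and r.get("priority", 1000) < deny_priority
    )


NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/"

# Constructed sample rules (placeholder project and network names).
SAMPLE_RULES = [
    {"name": "deny-all-egress", "network": NET + "prod", "direction": "EGRESS", "priority": 65534,
     "denied": [{"IPProtocol": "all"}], "destinationRanges": ["0.0.0.0/0"], "disabled": False},
    {"name": "allow-egress-dns", "network": NET + "prod", "direction": "EGRESS", "priority": 1000,
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}], "destinationRanges": ["0.0.0.0/0"],
     "disabled": False},
    {"name": "deny-egress-off", "network": NET + "dev", "direction": "EGRESS", "priority": 65534,
     "denied": [{"IPProtocol": "all"}], "destinationRanges": ["0.0.0.0/0"], "disabled": True},
    {"name": "deny-egress-batch", "network": NET + "dev", "direction": "EGRESS", "priority": 65534,
     "denied": [{"IPProtocol": "all"}], "destinationRanges": ["0.0.0.0/0"], "targetTags": ["batch"]},
]

if __name__ == "__main__":
    for net, ok in evaluate(["prod", "dev", "test"], SAMPLE_RULES).items():
        print(f"{net}: {'ok' if ok else 'EGRESS_DENY_RULE_NOT_SET'}")
    print("rules overriding deny in prod:", overriding_egress_allows("prod", SAMPLE_RULES))
```

A disabled rule and a rule scoped to target tags both fail the check, because neither stops egress from every instance. The implied allow-egress rule of every VPC network has the lowest possible priority (65535), so any explicit deny rule overrides it; what remains to review is the list of explicit allow rules with a lower priority number, which is what `overriding_egress_allows` returns.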

Enforce Domain Restricted Sharing

Configure the "Domain restricted sharing" (iam.allowedPolicyMemberDomains) organization policy constraint to allow principals only from specified customer or organization IDs to be added to IAM policies. This policy lets you limit resource sharing based on a domain or organization resource.

Enforcement mode AUDIT
Finding category ORG_POLICY_ALLOWED_IAM_MEMBER_DOMAINS_NOT_SET

Remediation steps

Verify that the Domain restricted sharing (iam.allowedPolicyMemberDomains) constraint is set to your customer ID. Only principals that belong to the allowed customer IDs can be added to IAM policies. For more information, see Restricting identities by domain.

Enforce HTTPS Traffic Only

Configure your HTTP(S) load balancers to permit only HTTPS traffic to maintain data integrity and secure communications against tampering.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category HTTP_LOAD_BALANCER

Remediation steps

Restrict traffic to HTTPS only. Go to the Network Services > Load balancing page in the Google Cloud console. In the Target proxies tab, select the target proxy and configure it to use HTTPS traffic only. For more information, see Target proxies.

Enforce IAM Least Privilege

Maintain the principle of least privilege by assigning Org-Policy IAM to a restricted number of security professionals.

Enforcement mode AUDIT
Finding category IAM_LEAST_PRIVILEGE_ORGPOLICY_VIOLATED

Remediation steps

Assign Org-Policy IAM to a limited number of security professionals to maintain least privilege.

Enforce Least Privilege

Ensure that access controls in Google Cloud abide by the principle of least privilege.

Enforcement mode AUDIT
Finding category ACCESS_CONTROL_BY_LEAST_PRIVILEGE_POLICY_NEEDS_REVIEW

Remediation steps

Complete the following:

  • Review best practices in Least privilege.

  • Automate enforcement using Deployment Manager or Terraform.

Enforce Least Privilege Guide

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Enforcement mode AUDIT
Finding category LEAST_PRIVILEGE_GUIDE_NOT_IMPLEMENTED

Remediation steps

Enforce Password for MySQL Database

Set a strong password for accounts connecting to MySQL database instances.

Enforcement mode AUDIT
Severity HIGH
Finding category SQL_NO_ROOT_PASSWORD

Remediation steps

Go to the SQL > Instances page in the Google Cloud console, select the instance, and set the password for the user.

Enforce Public Access Prevention

Use the "Enforce Public Access Prevention" (storage.publicAccessPrevention) organization policy constraint to help prevent Cloud Storage buckets and objects from being accidentally exposed to the public.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category ORGPOLICY_PUBLIC_ACCESS_PREVENTION_NOT_SET

Remediation steps

Configure public access prevention for Cloud Storage Buckets at the project and folder levels. For instructions, see Use public access prevention.

Enforce Separation of Duties

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion.

Enforcement mode AUDIT
Finding category SEPARATION_OF_DUTIES_NOT_IMPLEMENTED

Remediation steps

Complete the following:

Enforce Session Lock Policy

Enforce session lock policies after 15 minutes of user inactivity. Session locks temporarily prevent logical access to organizational systems when users are away but don't want to log out.

Enforcement mode AUDIT
Finding category SESSION_LOCK_POLICY_NOT_ENFORCED

Remediation steps

  • Define criteria for your session lock policy.

  • Configure session locks in your Workforce identity pool:

gcloud iam workforce-pools update WORKFORCE_POOL_ID --location=LOCATION --session-duration=900s

  • Create scripts to monitor user activity and session lockouts.

  • Require reauthentication after a session locks.

  • Lock sessions on user request.

  • Notify users about the session lock policy.

  • Enable monitoring for session lock events and user-initiated requests:

gcloud logging read "resource.type=global AND logName=projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" --project=PROJECT_ID --format=json

  • Automate the session unlock process using authentication.

  • Include the session lock configuration in your deployment pipelines.

  • Document the process for reestablishing access.

Enforce SSL Encryption for Remote Access

Implement cryptographic mechanisms to help protect the confidentiality and integrity of remote access sessions.

Enforcement mode AUDIT
Finding category REMOTE_ACCESS_PROTECTION_OF_CONFIDENTIALITY_AND_INTEGRITY_POLICY_VIOLATED

Remediation steps

Complete the following.

Enforce SSL for all Incoming Database Connections

Use SSL for all incoming connections to your SQL database instance to secure data in transit.

Enforcement mode DETECTIVE
Severity HIGH
Finding category SSL_NOT_ENFORCED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and select the instance. On the Connections tab, click either Allow only SSL connections or Require trusted client certificates. If you chose Require trusted client certificates, create a new client certificate. For more information, see Create a new client certificate.

Enforce Two-Step Verification

Two-step verification (2SV) helps to protect accounts from unauthorized access and against compromised login credentials.

Enforcement mode AUDIT
Severity HIGH
Finding category MFA_NOT_ENFORCED

Remediation steps

Enforce 2-Step Verification (2SV) for all organizational units in the Google Admin console. For more information, see Protect your business with 2-Step Verification.

Enforce Vertex AI Environment Options

Use the "Restrict environment options on new Vertex AI Workbench user-managed notebooks" (ainotebooks.environmentOptions) organization policy constraint to define the allowed VM and container image options for creating new Vertex AI Workbench notebooks and instances.

Enforcement mode AUDIT
Finding category ORG_POLICY_VERTEXAI_ENVIRONMENT_OPTIONS_NOT_SET

Remediation steps

Set the Restrict environment options on new Vertex AI Workbench user-managed notebooks (ainotebooks.environmentOptions) organization policy for both projects and folders. The expected format for VM instances is ainotebooks-vm/PROJECT_ID/IMAGE_TYPE/CONSTRAINED_VALUE. Replace IMAGE_TYPE with image-family or image-name.

The expected format for container images must be ainotebooks-container/CONTAINER_REPOSITORY:TAG.

Ensure Minimum TLS 1.2 Version

Enforce minimum TLS 1.2 in the SSL policies for Google Cloud and ensure organizational policies block older TLS versions.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category MINIMUM_TLS_1.2_NOT_ENFORCED

Remediation steps

For more information, see Restrict TLS Versions in Organization policy constraints.

Establish an SLA for Flaw Remediation

Measure the time between flaw identification and flaw remediation and set benchmarks for corrective actions.

Enforcement mode AUDIT
Finding category IMPROPER_FLAW_REMEDIATION_SLA

Remediation steps

Consider the following:

  • Define and implement an SLA for your flaw remediation cycle.

  • Establish benchmarks as appropriate.

  • Consider Security Command Center to implement benchmarks.

Generate Auditable Events

Generate audit events for all components of the production environment and applications.

Enforcement mode AUDIT
Finding category AUDIT_EVENTS_NOT_GENERATED

Remediation steps

  • Enable audit logging.

  • Use IAM allow policies to control access to logs and log configurations. Grant different users read-only access and admin access to audit logs.

  • Create a security alerting policy file in YAML or JSON format that defines which events are audited and the retention period. For example:

logging:
  auditLog: LOGS_BUCKET_NAME
  retentionPeriod: 30d

  • Apply the policy using Deployment Manager. For example:

gcloud deployment-manager deployments create POLICY_DEPLOYMENT_NAME --config=POLICY_FILE.yaml

  • Review log entries to ensure that expected auditable events are being logged.

  • Automate log analysis using Cloud Monitoring, or other analysis tools.

  • Regularly review the security alerting policy and IAM roles.

Identify SDLC Functions and Services

Identify the functions, ports, protocols, and services intended for organizational use early in the system development life cycle (SDLC).

Enforcement mode AUDIT
Finding category SDLC_FUNCTIONS_SERVICES_NOT_IDENTIFIED

Remediation steps

Require developers to document the functions, ports, protocols, and services required for the SDLC lifecycle.

Implement Alerting for Incident Response

Define indicators of security compromise and alert the appropriate personnel or roles when they are detected.

Enforcement mode AUDIT
Finding category INSUFFICIENT_ALERTING_FOR_INCIDENT_RESPONSE

Remediation steps

Configure alerts to the appropriate personnel so that they can respond to indicators of compromise.

Implement Audit Lifecycle Management

Implement audit record review, analysis, and reporting processes to establish an audit lifecycle management process for your systems.

Enforcement mode AUDIT
Finding category AUDIT_LIFECYCLE_MANAGEMENT_MISSING

Remediation steps

Complete the following:

Implement Authorized Decision Makers for Access Requests

Permit authorized individuals to integrate applications on your system with external products and services.

Enforcement mode AUDIT
Finding category AUTHORIZED_DECISION_MAKERS_NOT_IMPLEMENTED

Remediation steps

Identify the personnel in your organization who can make access authorization decisions. Set up mechanisms that can help them make these decisions.

Implement Centralized Intrusion Detection

Connect and configure individual intrusion detection tools into an information system-wide intrusion detection system.

Enforcement mode AUDIT
Finding category INTRUSION_DETECTION_NOT_CENTRALIZED

Remediation steps

Consider the following:

  • Connect and configure individual intrusion detection tools into an information system-wide intrusion detection system.

  • Explore implementing Security Command Center.

Implement Centralized Security Monitoring

Monitor information systems to detect attacks and indicators of potential attacks, identify unauthorized use of information systems, and deploy monitoring devices.

Enforcement mode AUDIT
Finding category SECURITY_MONITORING_NOT_CENTRALIZED

Remediation steps

Consider the following:

  • Identify what unauthorized use means. Consider legal and regulatory requirements.

  • Deploy monitoring devices across your system.

  • Use Cloud Logging and Cloud Monitoring to analyze logs and metrics, and implement alerts.

  • Enable VPC Flow Logs.

  • Consider Google Cloud Armor and Security Scanner to protect web applications.

  • Configure firewall rules with allowed and denied ports.

  • Implement a SIEM such as Security Command Center.

  • Use IAM allow policies to control access.

  • Implement Google Cloud security best practices, such as the CIS GCP Benchmark.

  • Enable audit logging.

Implement certificate lifecycle management

Use a certificate policy or an approved service provider to issue public key certificates. Perform end-to-end key management for encrypted network connections.

Enforcement mode AUDIT
Finding category CERTIFICATE_LIFECYCLE_MANAGEMENT_NOT_IMPLEMENTED

Remediation steps

Consider the following:

  • Issue public key certificates using certificate policies or obtain public key certificates from an approved vendor. Consider the Certificate Authority Service for hardware-protected private keys which are FIPS 140-2 Level 3 validated.

  • Use Cloud KMS to create and manage your keys.

  • Configure SSL certificates for your web servers that are running on VMs, GKE clusters, or Google App Engine.

Implement Continuous Network Traffic Monitoring

Monitor inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category CONTINUOUS_NETWORK_TRAFFIC_MONITORING_NOT_IMPLEMENTED

Remediation steps

Consider the following:

Implement Data Classification and Segmentation

Separate information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish required separations by types of information. Enforcing the separation of information flows by type helps to enhance protection by ensuring that information is not commingled while in transit.

Enforcement mode AUDIT
Finding category DATA_CLASSIFICATION_SEGMENTATION_NOT_IMPLEMENTED

Remediation steps

  • Define how you’ll classify your data based on severity and segmentation requirements.

  • Create VPC networks to isolate different components. For example, create VPC networks for specific data flows.

  • Use subnets to logically segment data flows.

  • Create firewall rules that control traffic between different subnets.

  • Enable VPC Network Peering or Cloud VPN to communicate between different VPC networks.

  • Grant IAM allow policies to specific users to control access to data.

  • Configure Sensitive Data Protection.

  • Use Cloud KMS keys to protect sensitive data.

Implement Error Handling Mechanism

Configure applications to generate error messages that provide sufficient information for corrective actions.

Enforcement mode AUDIT
Finding category ERROR_HANDLING_MECHANISM_NOT_IMPLEMENTED

Remediation steps

Consider the following:

  • Build applications to generate appropriate error messages. Consider Cloud Logging for your log management system.

  • Use IAM allow policies to control who can see error messages.

Implement Event Logging for Google Cloud Services

Implement event logging for all Google Cloud services to capture event logs, API calls, and actions that modify the environment.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category EVENT_LOGS_NOT_ENABLED

Remediation steps

  • Review Admin Activity audit logs.

  • Enable audit logging.

  • Configure usage logs for Cloud Storage buckets.

  • Export logs for analysis to BigQuery.

  • Export Admin Activity audit logs to Cloud Storage.

  • Create custom logs for your applications, if required.

  • Use IAM allow policies to control access to logs and log configurations.

  • Regularly review logs using your log analysis tool (for example, Cloud Logging or BigQuery).

  • Implement IAM best practices to secure access to your resources and audit logs.

  • Review audit logs regularly.

  • Ensure application logs include timestamps and other information for traceability.

  • Use logging filters to identify successful and unsuccessful events.

  • Review logs for failed data access events.

Implement Host-based Intrusion and Detection Systems

Implement Cloud IDS, which lets you set up host intrusion prevention and intrusion detection systems, or, at a minimum, a host-based firewall on defined systems and components.

Enforcement mode AUDIT
Finding category HOST_BASED_INTRUSION_DETECTION_NOT_IMPLEMENTED

Remediation steps

Onboard your projects to Cloud IDS and secure the cloud resources. For more information, see Configure Cloud IDS. Optionally, use third-party tools to implement host intrusion prevention systems (HIPS) and host intrusion detection systems (HIDS) on your workloads.

Implement Host-based Monitoring Mechanism

Implement host-based monitoring mechanisms in your environment.

Enforcement mode AUDIT
Finding category HOST_BASED_MONITORING_NOT_IMPLEMENTED

Remediation steps

Implement host-based monitoring mechanisms:

  • Use Cloud Monitoring and Cloud Logging to collect, monitor, and analyze host-based data, such as system and application logs, performance metrics, and other relevant information.

  • Create custom monitoring metrics in Cloud Monitoring to track specific host-based parameters that are critical.

  • Set up alerting policies in Cloud Monitoring to receive notifications when host-based metrics or logs indicate unusual or unauthorized activities.

Implement On-Demand Audit Log Access

Implement an on-demand audit record review, analysis, and reporting requirement capability.

Enforcement mode AUDIT
Finding category ON_DEMAND_AUDIT_LOG_ACCESS_NOT_IMPLEMENTED

Remediation steps

Complete the following:

Implement Remote Access Policy

Establish and document usage restrictions, configuration requirements, and implementation guidance for permitted remote access.

Enforcement mode AUDIT
Finding category REMOTE_ACCESS_POLICY_NOT_IMPLEMENTED

Remediation steps

Define and configure usage restrictions, connection requirements, and implementation guidance for each type of remote access allowed. For example, consider VPNs to ensure authorization of remote access to your systems. Remote access methods include, for example, dial-up, broadband, and wireless.

Implement Secure Development Lifecycle

Manage information systems with integrated security processes.

Enforcement mode AUDIT
Finding category THREAT_DEFENSE

Remediation steps

Complete the following:

  • Manage the information system using methods such as secure SDLC.

  • Define and document your information security roles and responsibilities throughout the system development life cycle.

  • Identify individuals that have information security roles and responsibilities.

  • Integrate your risk management process into system development life cycle activities.

Implement Secure Domain Name Resolution Service

Use DNS Security Extensions (DNSSEC) to add an extra layer of security to your DNS resolution. Enforce secure connections to prevent DNS-related attacks.

Enforcement mode AUDIT
Finding category WEAK_DOMAIN_NAME_RESOLUTION_SERVICE

Remediation steps

  • Enable DNSSEC.

  • Use Cloud DNS.

  • Enforce HTTPS between web browsers and Google Cloud services.

  • Use SSL certificates from trusted CAs.

  • Configure web servers to use HTTPS.

  • Configure web applications to use secure URLs.

  • Configure end user devices to use trusted DNS servers.

  • Use the IP addresses for trusted DNS servers in the network settings for each device.

  • For corporate networks, configure a private DNS resolver.

  • Implement firewall rules and network security groups.

  • Consider VPC Service Controls.

  • Regularly perform audits and vulnerability assessments.

  • Use Cloud Logging and Cloud Monitoring to detect and respond to incidents.

  • Use Google's security best practices.

  • Train personnel on security protocols.

  • Regularly review your SSL certificates.

  • Implement fault tolerance by setting up multiple instances of your DNS.

  • Assign private IP addresses to your instances.

  • Use IAM allow policies to control access.

Implement Security Alert Advisory Management

Implement procedures for end-to-end management of security alerts, advisories, and directives.

Enforcement mode AUDIT
Finding category SECURITY_ALERT_ADVISORY_MANAGEMENT_NOT_IMPLEMENTED

Remediation steps

Implement procedures to:

  1. Receive information system security alerts, advisories, and directives on an ongoing basis.
  2. Generate internal security alerts, advisories, and directives as deemed necessary.
  3. Disseminate security alerts, advisories, and directives to include system security personnel and administrators with configuration/patch-management responsibilities.
  4. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

Implement Security Audits and Monitoring

Employ automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes.

Enforcement mode AUDIT
Finding category SECURITY_AUDIT_PROCESSES_NOT_INTEGRATED

Remediation steps

  • Enable audit logging including for Cloud Storage.

  • Export logs to Cloud Storage, BigQuery, or Pub/Sub for further analysis.

  • Configure alerting policies for exported logs.

  • Create notification channels to receive alerts.

  • Consider exporting logs through Pub/Sub for integration with other systems.

  • Automate log analysis using Cloud Storage, BigQuery, or other analysis tools.

  • Enable Security Command Center.

  • Automate incident response using tools like Cloud Functions to trigger automated responses to detected issues. For example:

gcloud functions deploy my-incident-response --runtime=nodejs20 --trigger-topic=audit-alerts --allow-unauthenticated

  • Regularly review and update alerting policies.

  • Develop custom scripts for incident investigation and response.

Implement Security Event Correlation

Employ mechanisms to correlate information from monitoring tools deployed throughout your information system.

Enforcement mode AUDIT
Finding category SECURITY_EVENTS_CORRELATION_MISSING

Remediation steps

Verify that you can correlate various events across your systems. Consider tools such as Google SecOps or Security Command Center.

Import Google Workspace Audit Logs

Google Workspace lets you share its logs with the Google Cloud logging service. Google Workspace collects Login logs, Admin logs, and Group logs.

Enforcement mode AUDIT
Finding category IMPORT_GOOGLE_WORKSPACE_LOGS_DISABLED

Remediation steps

To import Google Workspace audit logs, see Share audit logs with Google Cloud.

Incorporate Integrity Monitoring into Incident Response

Incorporate unauthorized security-relevant changes to your systems into the organizational incident response capability.

Enforcement mode AUDIT
Finding category INCIDENT_RESPONSE_WITHOUT_INTEGRITY_MONITORING

Remediation steps

Ensure that you can detect unauthorized security-related changes and respond accordingly:

  • Create an OS policy and include integrity verification and response actions when unauthorized changes are detected.

  • Monitor for file integrity and unauthorized changes using various tools.

  • Regularly review and monitor the results and reports.

Inspect the External Load Balancer and SSL Connections

Ensure communications at the external boundary and at key internal boundaries use managed interfaces and are monitored and controlled.

Enforcement mode AUDIT
Finding category EXTERNAL_LOADBALANCER_SSL_NOT_INSPECTED

Remediation steps

Complete the following:

Limit KMS Crypto Keys Users to Three

Limit the number of principals that can use cryptographic keys to three or fewer.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category TOO_MANY_KMS_USERS

Remediation steps

Go to the Security > Key Management page in the Google Cloud console. Next, click the key ring that contains the key, and then click Show Info Panel. Reduce the number of principals with permission to encrypt, decrypt, or sign data to three or fewer. To revoke permissions, click Delete. The following predefined roles grant permissions to encrypt, decrypt, or sign data using cryptographic keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier. For more information, see Permissions and roles.
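The count in this control is of distinct principals, so a user who holds two of the roles above still counts once, and a binding for a group is one principal even though it may expand to many people. The following Python is an added example, not from this page or from Cloud KMS, that applies the role list above to a key's IAM policy. The policy shape follows the JSON that `gcloud kms keys get-iam-policy --format=json` returns (`bindings[].role` and `bindings[].members`); the sample policies and identities are constructed.

```python
"""Added example: count the principals that can use a Cloud KMS key.

`policy` mirrors the JSON from `gcloud kms keys get-iam-policy --format=json`
(bindings[].role / bindings[].members); the sample policies are constructed.
"""

# The predefined roles listed above that grant encrypt, decrypt, or sign on a key.
KEY_USE_ROLES = frozenset({
    "roles/owner",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.signer",
    "roles/cloudkms.signerVerifier",
})
MAX_KEY_USERS = 3
PUBLIC_MEMBERS = frozenset({"allUsers", "allAuthenticatedUsers"})


def key_users(policy: dict) -> set[str]:
    """Distinct principals holding any key-use role. A set, so a principal that
    appears in several bindings (for example signer and decrypter) counts once."""
    users: set[str] = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in KEY_USE_ROLES:
            users.update(binding.get("members", []))
    return users


def evaluate_key(key_name: str, policy: dict) -> dict:
    """Report for one key: who can use it, whether the count is within the limit,
    and which entries hide more identities than the count shows."""
    users = key_users(policy)
    public = sorted(users & PUBLIC_MEMBERS)
    # A group or domain is one principal in the policy but may expand to many users.
    needs_review = sorted(m for m in users if m.startswith(("group:", "domain:")))
    return {
        "key": key_name,
        "users": sorted(users),
        "count": len(users),
        "public": public,
        "needs_review": needs_review,
        "compliant": len(users) <= MAX_KEY_USERS and not public,
    }


# Constructed sample policies (placeholder identities).
OVERSHARED_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/cloudkms.signer",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/cloudkms.viewer",  # metadata only: not a key-use role
         "members": ["user:carol@example.com"]},
        {"role": "roles/owner", "members": ["group:platform-admins@example.com"]},
    ]
}
TIGHT_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypter",
         "members": ["serviceAccount:ingest@example-project.iam.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    for name, pol in [("keyRings/demo/cryptoKeys/overshared", OVERSHARED_POLICY),
                      ("keyRings/demo/cryptoKeys/tight", TIGHT_POLICY)]:
        print(evaluate_key(name, pol))
```

The `needs_review` list is where the three-principal ceiling is most often defeated in practice: a single `group:` member keeps the count low while granting key use to everyone in the group, so review group membership separately rather than treating the count alone as the result.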

Limit Super Admin Accounts

Google recommends limiting the number of super administrators to two or three users and avoiding their use for daily tasks to enhance security. Super administrators have broad permissions, so limiting their number helps reduce the potential attack surface. You can configure alerts in Cloud Logging to track super administrator activity.

Enforcement mode AUDIT
Finding category EXCESSIVE_SUPER_ADMIN_ACCOUNTS

Remediation steps

To remediate this finding, reduce the number of super administrators to a minimum. Follow the principle of least privilege and use less permissive roles for daily administrative tasks. For more information, see the best practices for administrator accounts.

Lock Storage Bucket Retention Policies

Use the Bucket Lock feature to permanently lock retention policies on buckets.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category STORAGE_BUCKET_LOCKED_RETENTION_POLICY_NOT_SET

Remediation steps

To lock the retention policy on a bucket, see Lock a bucket.

Maintain Resource Isolation

Implement resource isolation using a combination of VPC networks, firewall rules, a CI/CD pipeline, Google Kubernetes Engine (GKE), and IAM.

Enforcement mode AUDIT
Finding category RESOURCE_ISOLATION_NOT_MAINTAINED

Remediation steps

Consider the following:

  • Use VPC networks to logically isolate resources.

  • Use firewall rules to control network traffic.

  • Implement a CI/CD pipeline using Cloud Build with version control systems like GitHub.

  • Use GKE for resource scheduling and management.

  • Use IAM allow policies to control access.

  • Isolate containers using Docker and container registries.

Manage Access to Audit Logs

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

Enforcement mode AUDIT
Finding category AUDIT_LOG_ACCESS_NOT_MANAGED

Remediation steps

Complete the following:

  • Enable audit logging, including for Cloud Storage.

  • Use IAM allow policies to control access to logs and log configurations.

  • Enable uniform bucket-level access on the bucket that stores audit logs.

  • Implement access controls in your application code to restrict access to audit functionality.

Manage Access to Google Cloud Resources from Mobile Devices

Manage access to Google Cloud resources from mobile devices.

Enforcement mode AUDIT
Finding category ACCESS_FROM_MOBILE_DEVICES_NOT_MANAGED

Remediation steps

  • Create custom roles for mobile device access.

  • Enable Cloud Identity Aware Proxy for mobile device access.

  • Implement endpoint verification for mobile devices and enforce context awareness. See Chrome Enterprise Premium overview.

  • Implement a device management solution that enforces security policies on mobile devices.

  • Create a VPN tunnel for your mobile devices.

  • Create firewall rules to permit mobile traffic. For example:

gcloud compute firewall-rules create allow-mobile --allow=tcp:80,tcp:443 --source-ranges=MOBILE_IP_RANGE

  • Implement OAuth and API access controls.

  • Enable audit logging.

Manage Data Handling and Retention

Manage data handling and data retention for information on Google Cloud as required by your business regulatory requirements.

Enforcement mode AUDIT
Finding category DATA_HANDLING_RETENTION_MECHANISM_MISSING

Remediation steps

By default, Admin Activity and System Event audit logs are retained for 400 days in the _Required log bucket, and Data Access audit logs are retained for 30 days in the _Default log bucket. Log entries that age out of a bucket are deleted and can't be recovered, so before the retention period ends, extend the _Default bucket's retention or route the logs with a log sink to another storage location. Use any Storage or Database product that meets your data retention needs.

Manage Malicious Code Protection Mechanisms

Automate patching and updates for code protection. Regularly scan for and quarantine malicious code, and address false positives.

Enforcement mode AUDIT
Finding category INSUFFICIENT_MALICIOUS_CODE_PROTECTION_MECHANISMS

Remediation steps

Implement and manage a code protection system. You can use Security Command Center and the Patch feature in VM Manager to implement certain malicious code protection mechanisms.

Manage Publicly Accessible Content

Review and manage the data that's posted on publicly accessible systems that are hosted on Google Cloud.

Enforcement mode AUDIT
Finding category MISSING_STRATEGY_PUBLIC_CONTENT_ACCESS

Remediation steps

Complete the following:

  • Designate individuals who are authorized to post information onto a publicly accessible information system.

  • Train authorized individuals to ensure that publicly accessible information doesn’t contain nonpublic information.

  • Review the proposed content before posting it to the publicly accessible information system to ensure that nonpublic information is not included.

  • Regularly review the content on the publicly accessible information system for nonpublic information and remove such information, if discovered.

Manage System Integrity Policies and Procedures

Manage the development, documentation, and dissemination of system and information integrity policies and procedures.

Enforcement mode AUDIT
Finding category IMPROPER_SYSTEM_INTEGRITY_POLICY_MANAGEMENT

Remediation steps

Consider the following:

  • Document and maintain relevant security policies for your organization.

  • Designate an organization-defined official to manage the development, documentation, and dissemination of the system and information integrity policy and procedures.

Monitor the Threat Environment and Review Audit Logs

Security teams must monitor the threat environment and review audit logs for the production environment.

Enforcement mode AUDIT
Finding category REGULAR_THREAT_MONITORING_NOT_ENABLED

Remediation steps

Ensure that your security team reviews and updates audited events annually or whenever there is a change in the threat environment for your system or applications.

Perform Integrity Checks Every Month

Perform integrity checks of software, firmware, and information at startup, at specific security-relevant events, and at minimum once a month.

Enforcement mode AUDIT
Finding category IRREGULAR_INTEGRITY_CHECKS

Remediation steps

Configure your OS policy to perform integrity verification of your system every month. For more information, see OS policy and OS policy assignment, Create an OS policy assignment, and Manage OS policy assignments.

Perform Threat Modeling and Vulnerability Analyses

Perform threat modeling and vulnerability analyses during development and testing phases of a system or its components.

Enforcement mode AUDIT
Finding category THREAT_MODELING_VULNERABILITY_ANALYSIS_NOT_PERFORMED

Remediation steps

Complete the following:

  • Create the requirements for threat and vulnerability analysis and testing.

  • Grant appropriate IAM roles to developers.

  • Define and communicate your security standards.

  • Encourage developers to use Google Cloud threat analysis tools (such as Security Command Center, Google Threat Intelligence, Google SecOps, and Cloud NGFW).

  • For vulnerability testing, use Web Security Scanner.

  • For penetration testing, collaborate with qualified testing teams or use third-party tools.

Plan Security Assessments and Remediation

Develop and implement ongoing security and privacy control assessments. Set up a remediation process to resolve any findings.

Enforcement mode AUDIT
Finding category SECURITY_ASSESSMENTS_REMEDIATIONS_MISSING

Remediation steps

Complete the following:

  • Create a security assessment plan.

  • Perform unit, integration, system, and regression testing.

  • Document the security assessment plan execution and the results of the security testing.

  • Establish a verifiable flaw remediation process.

  • Address any security flaws identified during testing or evaluation.

Prevent IP Forwarding on Compute Engine Instances

Don't permit IP forwarding of data packets for your VMs to prevent potential data loss or unauthorized disclosure. Preventing IP forwarding restricts the routing of data packets.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category IP_FORWARDING_ENABLED

Remediation steps

You can't turn off IP forwarding for an existing VM instance. Delete the VM and create a new VM with IP forwarding turned off. Go to the Compute Engine > VM instances page in the Google Cloud console, select the instance, and delete it. Create a new instance. To ensure IP forwarding is turned off, go to Management, disks, networking, SSH keys and click Networking. In the Network interfaces section, click Edit and ensure IP forwarding is turned off.

Prevent Nested Virtualization for Compute Engine VMs

Use the "Disable VM nested virtualization" (compute.disableNestedVirtualization) organization policy constraint to turn off hardware-accelerated nested virtualization for all Compute Engine VMs. Turning off nested virtualization can reduce the attack surface and improve the overall security posture of the Google Cloud environment.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category COMPUTE_NESTED_VIRTUALIZATION_CONSTRAINT_ENABLED

Remediation steps

Set the Disable VM nested virtualization (constraints/compute.disableNestedVirtualization) organization policy constraint to true. For more information, see Manage the nested virtualization constraint.

Protect System Memory

Implement appropriate failsafe measures to protect system memory from unauthorized code execution.

Enforcement mode AUDIT
Finding category MISSING_CONTROL_TO_PROTECT_SYSTEM_MEMORY

Remediation steps

This control does not apply to Google Cloud. Verify that you have appropriate fail-safe procedures to protect memory from unauthorized code execution for your systems.

Remove Inactive Accounts

Verify that all inactive accounts are removed from Google Cloud.

Enforcement mode AUDIT
Finding category INACTIVE_ACCOUNTS_ENABLED

Remediation steps

Find unused service accounts and disable or remove them. For instructions, see Identify and disable unused service accounts and Find unused service accounts.

Remove Temporary Accounts

Verify that access for any account that's meant to be temporary is removed within 24 hours.

Enforcement mode AUDIT
Finding category TEMPORARY_ACCOUNTS_ENABLED

Remediation steps

Review the service accounts and remove the roles that are meant to be temporary. For instructions, see List and edit service accounts and Revoke a single IAM role. Configure temporary access for your accounts, where possible. Monitor service account usage.

Require Additional Logging for Sensitive Buckets

Logging access to a sensitive data bucket provides an audit trail of who accessed which object and when. Because Data Access logs for busy buckets are high-volume and billed, enable them selectively for the buckets that warrant it.

Enforcement mode AUDIT
Finding category AUDIT_LOGS_FOR_SENSITIVE_BUCKETS_MISSING

Remediation steps

Enable additional logging around particular storage objects based on their use case. For more information, see Cloud Audit Logs with Cloud Storage.

Require Audit Logging for Privileged Activities

Require audit logs for privileged activities such as data access and IAM conditions.

Enforcement mode AUDIT
Finding category AUDIT_LOGS_FOR_PRIVILEGED_ACTIVITIES_NOT_IMPLEMENTED

Remediation steps

Complete the following:

Require Auto Upgrade Schedule Set for Vertex AI Workbench

Use the "Require automatic scheduled upgrades on new Vertex AI Workbench user-managed notebooks and instances" (ainotebooks.requireAutoUpgradeSchedule) organization policy constraint to benefit from framework updates, package updates, and bug fixes.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category ORG_POLICY_AUTO_UPGRADE_SCHEDULE_NOT_SET

Remediation steps

Set the Require automatic scheduled upgrades on new Vertex AI Workbench user-managed notebooks and instances (ainotebooks.requireAutoUpgradeSchedule) value to true to require automatic scheduled upgrades on new Vertex AI Workbench user-managed notebooks and instances. For more information, see Updating policies with boolean rules.

Require Binary Authorization on a Cluster

Binary Authorization helps to enhance supply chain security by ensuring only signed container images are deployed.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category BINARY_AUTHORIZATION_DISABLED

Remediation steps

Enable Binary Authorization on the cluster. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. In the Security section, edit the Binary authorization row and enable it.

Require Cloud Storage Bucket Logging

Enable access logs and storage information for your Cloud Storage buckets to help investigate security issues and monitor storage consumption.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category BUCKET_LOGGING_DISABLED

Remediation steps

For instructions to set up logging for a bucket, see Usage logs & storage logs.

Require CMEK on Dataproc Clusters

A Dataproc cluster with customer-managed encryption keys (CMEK) gives you more control over data encryption and key management.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DATAPROC_CMEK_DISABLED

Remediation steps

You can't enable CMEK on a Dataproc cluster after it's been created. To create a replacement cluster with CMEK enabled, go to the Dataproc > Clusters page in the Google Cloud console and click Create Cluster. In the Manage security section, click Encryption and select Customer-managed key. After the cluster is created, migrate your workloads from the older cluster to the new cluster, and delete the older cluster.

Require Container-Optimized OS for a GKE Cluster

Google recommends Container-Optimized OS for containers due to its enhanced security, minimal OS footprint, and automatic updates for quick vulnerability patching.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category COS_NOT_USED

Remediation steps

Enable Container-Optimized OS for the cluster. Go to the Kubernetes clusters page in the Google Cloud console. Click the cluster's name. Click the Nodes tab. For each node pool, click the name to open its details page. Click Edit. Under Nodes > Image type, click Change. Select Container-Optimized OS and click Change.

Require GKE Sandbox for GKE clusters

Configure GKE Sandbox to help protect the host kernel on your nodes.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category GKE_SANDBOX_DISABLED

Remediation steps

Update your GKE cluster to use GKE Sandbox. For more information, see Enable GKE Sandbox on an existing Standard cluster.

Require Least Privilege

Use Cloud IAM to implement least privilege.

Enforcement mode AUDIT
Finding category LEAST_PRIVILEGE_NOT_IMPLEMENTED

Remediation steps

See Cloud IAM to help achieve least privilege. For viewing permissions and predefined roles, see Permissions and Pre-defined roles.

Require Object Versioning for Cloud Storage Buckets

Log buckets that use Object Versioning support the retrieval of deleted or overwritten objects, which helps protect data from accidental deletion.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category OBJECT_VERSIONING_DISABLED

Remediation steps

Update the bucket to use Object Versioning. In the Google Cloud console, go to the Buckets page. Select the bucket. In the Protection tab, configure object versioning. See Set Object Versioning on a bucket.

Require OS Login on Compute Engine Instances

OS Login centralizes SSH key management with IAM and disables metadata-based SSH key configuration on all project instances.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category INSTANCE_OS_LOGIN_DISABLED

Remediation steps

Turn on OS Login for the VM instance. Go to the Compute Engine > VM instances page in the Google Cloud console. Click the instance name. On the Instance details page, click Stop. Edit the instance and set enable-oslogin to True in the Custom metadata section. For more information, see Set up OS Login.

Require Private Nodes in GKE Clusters

Ensure that GKE clusters use private nodes to prevent external clients from accessing the nodes.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category GKE_PRIVATE_NODES_DISABLED

Remediation steps

Update your cluster to use private nodes. For more information, see Enable private nodes.

Require Rotation of API Key

Rotating API keys at least every 90 days reduces risk from stolen API keys that can be used to access data on a compromised or terminated account.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category API_KEY_NOT_ROTATED

Remediation steps

Go to the APIs & Services > Credentials page in the Google Cloud console. Under API Keys, edit each key using the Actions menu. On the Edit API key page, click Rotate key if the creation date is older than 90 days.

Require Service Account Key Rotation

Rotate your service account keys every 90 days or less to help protect data if a key gets compromised.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SERVICE_ACCOUNT_KEY_NOT_ROTATED

Remediation steps

Rotate your service account key. For instructions, see Service account key rotation. When possible, avoid using service account keys. For other options, see Choose the right authentication method for your use case.

Require Unique Super Admin Account

Use a unique email address for super administrator accounts to manage and track administrator actions.

Enforcement mode AUDIT
Finding category DEDICATED_SUPERADMIN_ACCOUNT_NOT_CONFIGURED

Remediation steps

Verify that super admin accounts use dedicated email addresses that are separate from any user's day-to-day account. For more information, see Super administrator account best practices.

Require Workload Identity Federation for GKE and the GKE Metadata Server

Enable Workload Identity Federation for GKE with the GKE metadata server. Workload Identity Federation for GKE uses IAM policies to grant Kubernetes workloads in your GKE cluster access to specific Google Cloud APIs without needing manual configuration or less secure methods.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category GKE_METADATA_SERVER_DISABLED

Remediation steps

Move your applications to use Workload Identity Federation for GKE. For more information, see Migrate existing workloads to Workload Identity Federation for GKE.
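The following Terraform configuration is an added example, not part of this reference or of any Google-provided code, that builds a GKE Standard cluster satisfying the Binary Authorization, Container-Optimized OS, GKE Sandbox, private nodes, and Workload Identity Federation controls above in one pass. It assumes Google provider 5.x or later, inputs var.project_id, var.region, var.network, and var.subnetwork, and a hypothetical node service account named gke-nodes.

```hcl
# Added example, not Google's code. Assumes Google provider >= 5.x and the
# four inputs below; the "gke-nodes" service account is a hypothetical name.

variable "project_id" { type = string }
variable "region"     { type = string }
variable "network"    { type = string }
variable "subnetwork" { type = string }

# Dedicated, minimally privileged node identity instead of the Compute Engine
# default service account (which receives Editor unless that grant is disabled).
resource "google_service_account" "gke_nodes" {
  account_id   = "gke-nodes"
  display_name = "GKE node service account"
  project      = var.project_id
}

resource "google_project_iam_member" "gke_nodes_min" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/artifactregistry.reader",
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.gke_nodes.email}"
}

resource "google_container_cluster" "hardened" {
  name       = "hardened"
  project    = var.project_id
  location   = var.region
  network    = var.network
  subnetwork = var.subnetwork

  # The default pool cannot run gVisor; replace it with the explicit pool below.
  remove_default_node_pool = true
  initial_node_count       = 1

  # Only images that pass the project's Binary Authorization policy are admitted.
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

  # Nodes get no external IPs; the control plane keeps a public endpoint so
  # operators can still reach it (restrict it with authorized networks).
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28" # /28 for the control plane's private endpoint
  }

  # Workload Identity Federation for GKE: pods authenticate as IAM principals
  # through the GKE metadata server instead of borrowing node credentials.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  ip_allocation_policy {} # VPC-native cluster, required for private nodes
  deletion_protection = false
}

resource "google_container_node_pool" "sandboxed" {
  name       = "sandboxed"
  project    = var.project_id
  location   = var.region
  cluster    = google_container_cluster.hardened.name
  node_count = 1

  node_config {
    machine_type = "e2-standard-4"
    image_type   = "COS_CONTAINERD" # Container-Optimized OS; also required by gVisor

    sandbox_config {
      sandbox_type = "gvisor" # GKE Sandbox: user-space kernel between pod and host
    }

    # GKE metadata server: pods cannot read the node VM's metadata or tokens.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }

    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]

    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
  }
}
```

Two caveats when applying this: PROJECT_SINGLETON_POLICY_ENFORCE only turns enforcement on, and the project's default Binary Authorization policy allows every image, so define a google_binary_authorization_policy with your attestors before relying on it; and private nodes have no route to the internet, so image pulls from registries outside Google need Cloud NAT on the subnetwork.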

Restrict Access Control Points for Authorized and Managed Remote Access

Route remote access through authorized and managed network access control points to help reduce the attack surface for organizations.

Enforcement mode AUDIT
Finding category ACCESS_CONTROL_POINTS_TO_ROUTE_REMOTE_ACCESS_UNRESTRICTED

Remediation steps

  • Consider Dedicated Interconnect to isolate your organization's data and traffic from the internet.

  • Configure Cloud VPN to further protect information in transit.

  • Put applications behind Cloud Load Balancing, which terminates TLS and lets you enforce an SSL policy.

  • Enable Identity-Aware Proxy (IAP) to manage and restrict remote access to applications.

  • Implement endpoint verification for devices that connect to Google Cloud services and enforce context awareness. See Chrome Enterprise Premium overview.

  • Implement a device management solution that enforces security policies on devices that access Google Cloud resources.

  • Enforce security keys for user authentication and use hardware security keys (such as Titan Security Keys) for multi-factor authentication.

Restrict Access to Audit Logs

Restrict access to audit management information to privileged users.

Enforcement mode AUDIT
Finding category UNRESTRICTED_ACCESS_TO_AUDIT_LOGS

Remediation steps

  • Use IAM allow policies to control access to logs and log configurations. Grant different users read-only access and admin access to audit logs.

  • Create custom roles, if required.

  • Enable uniform bucket-level access on the bucket that stores audit logs.

  • Implement a request and approval process for accessing audit logs.

  • Create a machine ACL system group and grant it viewer access to the project where your audit logs are stored.

  • Configure appropriate access for your auditing tools.

  • Monitor access to your audit logs.

  • Implement IAM best practices to secure access to your audit logs.

Restrict API Access to Google Cloud APIs for Compute Engine Instances

Compute Engine instances that use the default service account and have full access to all Google Cloud APIs are overly permissive.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category FULL_API_ACCESS

Remediation steps

Reset the access permissions to APIs for the VM instance. Go to the Compute Engine > VM instances page in the Google Cloud console. Click the instance name. Click Edit. Navigate to Security and access > Service accounts, select Compute Engine default service account. In the Access scopes section, select Set access for each API, set Cloud Platform to None. Enable the specific APIs that the default VM service account requires access to.

Restrict API Keys for Required APIs Only

Restricting API keys limits their access to only the APIs that are required by the application.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category API_KEY_APIS_UNRESTRICTED

Remediation steps

Go to the APIs & Services > Credentials page in the Google Cloud console. Under API Keys, edit each key using the Actions menu and then restrict the APIs in the API restrictions section.

Restrict Cloud Shell Access Settings

Administrators can use Cloud Shell to access and manage Google Cloud resources, including sensitive data and projects. Disabling Cloud Shell for Cloud Identity managed user accounts helps reduce the potential attack surface for unauthorized access.

Enforcement mode AUDIT
Finding category CLOUDSHELL_MANAGED_USERS_ACCESS_ENABLED

Remediation steps

In the Google Admin console, navigate to Apps > Additional Google services > Google Cloud Platform > Cloud Shell Settings and disable Cloud Shell Access Settings. To disable Cloud Shell for specific users, you'll need to use access groups: add individual users to the group and turn off the group's Cloud Shell access setting. For more information, see Turn Google Cloud on or off for users.

Restrict CMEK Crypto Key Projects

Use the "Restrict which projects may supply KMS CryptoKeys for CMEK" (gcp.restrictCmekCryptoKeyProjects) organization policy constraint to define the projects in which the Cloud KMS keys used for customer-managed encryption keys (CMEK) can be stored.

Enforcement mode AUDIT
Finding category ORG_POLICY_CMEK_RESTRICTED_NOT_SET

Remediation steps

Define the projects that can store CMEKs using the Restrict which projects may supply KMS CryptoKeys for CMEK (constraints/gcp.restrictCmekCryptoKeyProjects) constraint. For more information, see Limit the use of Cloud KMS keys for CMEK.

Restrict Default Network Creation for Compute Engine Instances

Use the "Skip default network creation" (compute.skipDefaultNetworkCreation) organization policy constraint to skip the creation of the default network and related resources when creating projects.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SKIP_DEFAULT_NETWORK_CREATION_ORG_POLICY

Remediation steps

Set the Skip default network creation (constraints/compute.skipDefaultNetworkCreation) constraint to true. For more information, see Organization policy constraints.

Restrict External IP Addresses to Specific VM Instances

Use the "Define allowed external IPs for VM instances" (compute.vmExternalIpAccess) organization policy constraint to block public access to your VMs.

Enforcement mode AUDIT
Finding category ORG_POLICY_EXTERNAL_IP_FOR_VM_INSTANCES_NOT_SET

Remediation steps

To block external IP addresses on Compute Engine VM instances, see Restrict external IP addresses to specific instances.

Restrict Insecure SSL Policies for Compute Engine Instances

Avoid weak or insecure SSL policies for Compute Engine instances.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category WEAK_SSL_POLICY

Remediation steps

Configure TLS 1.2 and strong cipher suites on your load balancers. If a weak cipher suite or down-level TLS version is used, edit the SSL policy and change Minimum TLS version to TLS 1.2 and Profile to Modern or Restricted. If a default Google Cloud SSL policy is used, create a new SSL policy and apply it to the appropriate forwarding rules. In both cases, if you use a Custom profile, make sure the following cipher suites are disabled (they use RSA key exchange and provide no forward secrecy): TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, and TLS_RSA_WITH_3DES_EDE_CBC_SHA. For more information, see Use SSL policies for SSL and TLS protocols.
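The following Terraform configuration is an added example, not from this reference or from Google, showing the three ways to clear a WEAK_SSL_POLICY finding: the Modern and Restricted profiles at TLS 1.2, and a Custom profile that simply omits the TLS_RSA_* suites listed above. It assumes Google provider 4.x or later and inputs var.project_id, var.url_map_id, and var.ssl_certificate_id; the proxy and policy names are hypothetical.

```hcl
# Added example, not Google's code. Assumes Google provider >= 4.x and the
# three inputs below; resource names are hypothetical.

variable "project_id"         { type = string }
variable "url_map_id"         { type = string } # existing google_compute_url_map
variable "ssl_certificate_id" { type = string } # existing certificate resource

# The usual fix: TLS 1.2 minimum with the MODERN profile, which excludes every
# TLS_RSA_* suite (static RSA key exchange, no forward secrecy).
resource "google_compute_ssl_policy" "modern" {
  name            = "tls12-modern"
  project         = var.project_id
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}

# RESTRICTED goes further: only AEAD suites with ephemeral key exchange.
resource "google_compute_ssl_policy" "restricted" {
  name            = "tls12-restricted"
  project         = var.project_id
  profile         = "RESTRICTED"
  min_tls_version = "TLS_1_2"
}

# CUSTOM lists the enabled suites explicitly; anything absent is disabled, so
# the five weak suites named in the control never appear here.
resource "google_compute_ssl_policy" "custom_forward_secrecy" {
  name            = "tls12-custom-fs"
  project         = var.project_id
  profile         = "CUSTOM"
  min_tls_version = "TLS_1_2"
  custom_features = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
  ]
}

# A policy only matters once it is attached where TLS is terminated. A proxy
# without ssl_policy uses the Google default (COMPATIBLE profile, TLS 1.0).
resource "google_compute_target_https_proxy" "web" {
  name             = "web-https-proxy"
  project          = var.project_id
  url_map          = var.url_map_id
  ssl_certificates = [var.ssl_certificate_id]
  ssl_policy       = google_compute_ssl_policy.modern.id
}
```

After applying, confirm the live configuration from outside rather than trusting the plan: an openssl s_client -tls1_1 connection to the load balancer's address must fail the handshake, and one without a forced version must negotiate an ECDHE suite.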

Restrict Legacy IAM Roles

To implement the principle of least privilege, avoid the overly permissive legacy roles like Owner, Editor, and Viewer.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category PRIMITIVE_ROLES_USED

Remediation steps

Go to the IAM page in the Google Cloud console and replace primitive roles with more granular roles.

Restrict Legacy TLS Versions

Use the "Restrict TLS Versions" (gcp.restrictTLSVersion) organization policy constraint to deny access from older TLS versions such as TLS 1.0 or TLS 1.1.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_RESTRICT_TLS_VERSION_NOT_SET

Remediation steps

Update the organization policy to restrict TLS versions for resources within the folder or project. For instructions, see Restrict a TLS version.

Restrict Non CMEK Services

Use the "Restrict which services may create resources without CMEK" (gcp.restrictNonCmekServices) organization policy constraint to require CMEK for the listed services; a request to create a resource in one of those services without a customer-managed key is denied.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_NON_CMEK_SERVICES_ALLOWED

Remediation steps

Configure the Restrict which services may create resources without CMEK (constraints/gcp.restrictNonCmekServices) constraint. For instructions, see Require CMEK protection.

Restrict Non-Privileged Users from Executing Privileged Functions

Enable audit logs for the IAM API, Security Token Service API, and Service Account Credentials API. Include the ADMIN_READ, DATA_READ, and DATA_WRITE types.

Enforcement mode AUDIT
Finding category IAM_AUDIT_LOGS_NOT_IMPLEMENTED

Remediation steps

Enable DATA_READ, DATA_WRITE, and ADMIN_READ for the following APIs: iam.googleapis.com, iamcredentials.googleapis.com, and sts.googleapis.com. For more information, see the following:

  • Service Account Credentials audit logging

  • Security Token Service audit logging

  • Identity and Access Management audit logging
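The following Terraform configuration is an added example, not part of this reference or of Google's own code, that sets the Data Access audit configuration described above for the three credential-issuing APIs and also covers the Require Additional Logging for Sensitive Buckets control by enabling Data Access logs for the Cloud Storage API. It assumes Google provider 4.x or later and a var.project_id input; the exempted pipeline service account is a hypothetical name.

```hcl
# Added example, not Google's code. Assumes Google provider >= 4.x and a
# var.project_id input. The exempted service account is a hypothetical name.

variable "project_id" {
  type = string
}

locals {
  # Every API through which a principal can obtain or exchange credentials.
  # ADMIN_READ records policy and key reads; DATA_READ and DATA_WRITE record
  # token minting (generateAccessToken, signJwt, STS token exchange).
  privileged_apis = [
    "iam.googleapis.com",
    "iamcredentials.googleapis.com",
    "sts.googleapis.com",
  ]
}

# One authoritative audit config per service, all three log types enabled.
resource "google_project_iam_audit_config" "privileged" {
  for_each = toset(local.privileged_apis)

  project = var.project_id
  service = each.value

  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

# Cloud Storage: who read or wrote which object. Data Access logs for this
# service are switched on per project, not per bucket, so place sensitive
# buckets in their own project to control volume and cost.
resource "google_project_iam_audit_config" "storage" {
  project = var.project_id
  service = "storage.googleapis.com"

  audit_log_config {
    log_type = "DATA_READ"
    # Exempting a principal silences its reads entirely, a blind spot that an
    # attacker holding that identity inherits. Use only for identities whose
    # reads are already recorded elsewhere.
    exempted_members = [
      "serviceAccount:etl-pipeline@${var.project_id}.iam.gserviceaccount.com",
    ]
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
  audit_log_config {
    log_type = "ADMIN_READ"
  }
}
```

Verify the result with gcloud projects get-iam-policy PROJECT_ID --format='yaml(auditConfigs)'; each of the four services should list the three log types, and the exemptedMembers entry should be the only one present. Data Access entries land in the _Default log bucket, whose 30-day retention is shorter than the 400 days for Admin Activity logs, so route them onward if you need a longer window.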

Restrict Public Access to BigQuery Datasets

Restrict public access to BigQuery datasets to avoid data exposure risk.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category PUBLIC_DATASET

Remediation steps

Remove the principals allUsers and allAuthenticatedUsers from the dataset permissions. For more information, see Revoke access to a dataset.

Restrict Public Access to Cloud SQL Database Instances

Restrict public access to Cloud SQL database instances. If a Cloud SQL instance has '0.0.0.0/0' as an allowed network, any IPv4 client can attempt a login.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category PUBLIC_SQL_INSTANCE

Remediation steps

Go to the Cloud SQL Instances page in the Google Cloud console. Click the instance name. Select Connections. Under Authorized networks, delete 0.0.0.0/0. Add the specific IP addresses or IP ranges that you want to let connect to your instance.

For more information, see Authorize with authorized networks.

Restrict Public Access to Cloud Storage Buckets

Restrict public access to Cloud Storage buckets to avoid data exposure risk.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category PUBLIC_BUCKET_ACL

Remediation steps

Restrict anonymous public access to objects in Cloud Storage buckets. For more information, see Remove public access for all objects within a bucket.
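The following Terraform configuration is an added example, not from this reference or from Google, covering the three public-access controls above (BigQuery datasets, Cloud SQL instances, and Cloud Storage buckets) with settings under which the PUBLIC_DATASET, PUBLIC_SQL_INSTANCE, and PUBLIC_BUCKET_ACL conditions can't arise. It assumes Google provider 5.x or later and inputs var.project_id and var.region; the group addresses and the 203.0.113.0/24 range (an RFC 5737 documentation block) are placeholders.

```hcl
# Added example, not Google's code. Assumes Google provider >= 5.x; the
# group addresses and the 203.0.113.0/24 range are placeholders.

variable "project_id" { type = string }
variable "region"     { type = string }

# BigQuery: the access list is authoritative. PUBLIC_DATASET fires on an
# entry with special_group = "allAuthenticatedUsers" or iam_member = "allUsers";
# neither appears here.
resource "google_bigquery_dataset" "analytics" {
  dataset_id = "analytics"
  project    = var.project_id
  location   = "US"

  access {
    role           = "OWNER"
    group_by_email = "data-platform@example.com"
  }
  access {
    role           = "READER"
    group_by_email = "analysts@example.com"
  }
}

# Cloud SQL: PUBLIC_SQL_INSTANCE fires on an authorized network of 0.0.0.0/0.
# Keep the list to known egress ranges, or set ipv4_enabled = false and supply
# private_network for a VPC-only instance.
resource "google_sql_database_instance" "pg" {
  name                = "app-pg"
  project             = var.project_id
  region              = var.region
  database_version    = "POSTGRES_15"
  deletion_protection = true

  settings {
    tier = "db-custom-1-3840"

    ip_configuration {
      ipv4_enabled = true
      ssl_mode     = "ENCRYPTED_ONLY" # plaintext connections are refused

      authorized_networks {
        name  = "office-egress"
        value = "203.0.113.0/24"
      }
    }
  }
}

# Cloud Storage: uniform bucket-level access removes object ACLs (the source
# of PUBLIC_BUCKET_ACL), and public access prevention makes the API reject any
# future allUsers / allAuthenticatedUsers grant.
resource "google_storage_bucket" "data" {
  name     = "${var.project_id}-app-data"
  project  = var.project_id
  location = var.region

  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
}

resource "google_storage_bucket_iam_binding" "data_readers" {
  bucket  = google_storage_bucket.data.name
  role    = "roles/storage.objectViewer"
  members = ["group:analysts@example.com"]
}
```

An authorized network on Cloud SQL is an allowlist in front of password authentication, not a replacement for it; the Cloud SQL Auth Proxy or private IP removes the listening public address altogether and is the stronger fix when the clients can use it.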

Restrict Public IP Addresses on Vertex AI Workbench Notebooks and Instances

Use the "Restrict public IP access on new Vertex AI Workbench notebooks and instances" (ainotebooks.restrictPublicIp) organization policy constraint to restrict public IP access to newly created Vertex AI Workbench notebooks and instances.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category ORG_POLICY_PUBLIC_IP_ACCESS_ALLOWED_ON_VERTEXAI_WORKBENCH

Remediation steps

Set the Restrict public IP access on new Vertex AI Workbench notebooks and instances (ainotebooks.restrictPublicIp) constraint to true to restrict public IP access on new Vertex AI Workbench notebooks and instances. For more information, see Updating policies with boolean rules.
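The following Terraform configuration is an added example, not from this reference or from Google, that sets the boolean organization policy constraints named in the Prevent Nested Virtualization, Restrict Default Network Creation, Require Auto Upgrade Schedule, and Restrict Public IP Addresses on Vertex AI Workbench controls above, and shows the tag-conditioned exception pattern. It goes beyond the page by also enforcing iam.disableServiceAccountKeyCreation and iam.automaticIamGrantsForDefaultServiceAccounts, which back the service account key and default service account controls. It assumes Google provider 4.x or later, a var.org_id input holding the numeric organization ID, and a hypothetical tag key env with value sandbox.

```hcl
# Added example, not Google's code. Assumes Google provider >= 4.x
# (google_org_policy_policy, Organization Policy v2), var.org_id set to the
# numeric organization ID, and a hypothetical tag key "env" with value "sandbox".

variable "org_id" {
  type = string
}

locals {
  # Constraints from this page ...
  enforced_boolean_constraints = [
    "compute.skipDefaultNetworkCreation",     # Restrict Default Network Creation
    "ainotebooks.requireAutoUpgradeSchedule", # Require Auto Upgrade Schedule
    "ainotebooks.restrictPublicIp",           # Restrict Public IP on Workbench
    # ... and two beyond it that close the service-account gaps:
    "iam.disableServiceAccountKeyCreation",            # no new user-managed keys
    "iam.automaticIamGrantsForDefaultServiceAccounts", # no Editor on default SAs
  ]
}

# Unconditional enforcement at the organization root; every folder and
# project inherits it unless an explicit child policy overrides it.
resource "google_org_policy_policy" "enforced" {
  for_each = toset(local.enforced_boolean_constraints)

  name   = "organizations/${var.org_id}/policies/${each.value}"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# Exception pattern: nested virtualization stays available only on resources
# tagged env=sandbox and is blocked everywhere else. The conditional rule
# must be paired with the unconditional one; a policy holding only the
# exception rule enforces nothing for untagged resources.
resource "google_org_policy_policy" "nested_virtualization" {
  name   = "organizations/${var.org_id}/policies/compute.disableNestedVirtualization"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      condition {
        title      = "sandbox-exception"
        expression = "resource.matchTag('${var.org_id}/env', 'sandbox')"
      }
      enforce = "FALSE"
    }
    rules {
      enforce = "TRUE"
    }
  }
}
```

Confirm effective enforcement on a leaf project rather than on the organization, since a project-level policy can override the root: gcloud org-policies describe compute.disableNestedVirtualization --project=PROJECT_ID --effective.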

Restrict Public IP Addresses to Compute Engine Instances

Don't assign public IP addresses to Compute Engine instances. A Compute Engine instance with a public IP address increases attack surface.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category PUBLIC_IP_ADDRESS

Remediation steps

Go to the VM instances page in the Google Cloud console. Find the instances with a public IP address. For each interface under Network interfaces, set External IP to None. To block public IP addresses across Compute Engine, use the Define allowed external IPs for VM instances (constraints/compute.vmExternalIpAccess) organization policy. Configure an empty allowlist of external IP addresses that the VM can use and deny all others.
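The following Terraform configuration is an added example, not from this reference or from Google, that creates a Compute Engine VM with the instance-level settings that avoid the IP_FORWARDING_ENABLED, INSTANCE_OS_LOGIN_DISABLED, FULL_API_ACCESS, and PUBLIC_IP_ADDRESS findings from the Prevent IP Forwarding, Require OS Login, Restrict API Access, and Restrict Public IP Addresses controls. It assumes Google provider 4.x or later and inputs var.project_id, var.zone, and var.subnetwork; the app-worker service account is a hypothetical name. Where the Restrict API Access control narrows the default service account's access scopes, this example instead attaches a dedicated service account bounded by IAM roles, which is the approach that does not trigger the finding.

```hcl
# Added example, not Google's code. Assumes Google provider >= 4.x and the
# three inputs below; the "app-worker" service account is a hypothetical name.

variable "project_id" { type = string }
variable "zone"       { type = string }
variable "subnetwork" { type = string }

# Project-wide OS Login: metadata-based SSH keys stop working on every VM in
# the project, and SSH access is now an IAM decision.
resource "google_compute_project_metadata_item" "oslogin" {
  project = var.project_id
  key     = "enable-oslogin"
  value   = "TRUE"
}

# A dedicated identity holding only what the workload needs, instead of the
# Compute Engine default service account.
resource "google_service_account" "app" {
  account_id   = "app-worker"
  display_name = "app worker VM"
  project      = var.project_id
}

resource "google_project_iam_member" "app_log_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.app.email}"
}

resource "google_compute_instance" "worker" {
  name         = "app-worker-1"
  project      = var.project_id
  zone         = var.zone
  machine_type = "e2-small"

  # Fixed at creation, as the control notes; changing it means a new VM.
  can_ip_forward = false

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = var.subnetwork
    # No access_config block, so no external IP. Outbound traffic (package
    # updates, Google APIs) goes through Cloud NAT or Private Google Access.
  }

  # FULL_API_ACCESS fires for the default service account with the
  # cloud-platform scope. With a dedicated account the scope can stay broad
  # because the IAM roles granted to the account bound what the VM can do.
  service_account {
    email  = google_service_account.app.email
    scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }

  metadata = {
    enable-oslogin = "TRUE" # instance-level, in case the project value is changed
  }

  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }
}
```

Access scopes are a legacy, coarse control that applies only to the token the metadata server hands the VM; a principal who obtains the service account's credentials another way is limited by IAM alone, which is why the roles on the account, not the scopes, are the boundary worth reviewing.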

Restrict Resource Service Usage

Use the "Restrict Resource Service Usage" (gcp.restrictServiceUsage) organization policy constraint to define which Google Cloud services can be used within an organization, folder, or project.

Enforcement mode AUDIT
Finding category ORG_POLICY_RESOURCE_SERVICE_USAGE_NOT_ALLOWED

Remediation steps

Configure the Restrict Resource Service Usage (gcp.restrictServiceUsage) constraint. For instructions, see Setting the organization policy.

Restrict Service Usage

Use the "Restrict Resource Service Usage" (constraints/gcp.restrictServiceUsage) organization policy constraint to define which Google Cloud services can be used within an organization, folder, or project.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ORG_POLICY_RESTRICT_SERVICE_USAGE_NOT_SET

Remediation steps

Configure the Restrict Resource Service Usage (constraints/gcp.restrictServiceUsage) organization policy. For instructions, see Setting the organization policy.

Restrict Usage of Shared and Group Accounts

Restrict the use of shared or group accounts to help maintain a secure environment.

Enforcement mode AUDIT
Finding category SECURE_MANAGEMENT_OF_SHARED_AND_GROUP_ACCOUNTS_POLICY_NEEDS_REVIEW

Remediation steps

Complete the following:

  • Define policies for the use of shared or group accounts.

  • Use role-based access control (RBAC) and IAM roles. Assign roles based on responsibilities.

  • Use individual accounts whenever possible.

  • Regularly audit and review activities associated with shared or group accounts.

  • Use strong authentication practices such as 2-step verification for shared or group accounts.

  • Review access regularly to ensure that shared accounts are still required.

  • Document and communicate your policies regarding shared or group accounts.

  • Train users on these policies.

  • Use automation, such as Deployment Manager or Terraform, to enforce your policies and configuration. For more best practices, see Best practices for using Google groups.

Restrict Use of Default Service Account for Vertex AI Workbench Instances

Restrict the use of the highly permissive default service account for Workbench instances to reduce the risk of unauthorized access to Google Cloud services.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category VERTEX_AI_DEFAULT_SERVICE_ACCOUNT_IN_USE
Category name in the API CC_CATEGORY_ARTIFICIAL_INTELLIGENCE

Remediation steps

Change the service account associated with the Workbench instance:

  1. If required, create a service account with appropriate privileges. For instructions, see Manage access to an instance.

  2. In the Google Cloud console, go to the Instances page.

  3. Click the instance that you want to configure.

  4. Stop the instance.

  5. In the Systems section, click VM details.

  6. Edit the Compute Engine instance and select a service account that uses appropriate privileges.

  7. Restart the instance.

Restrict User Managed Service Account Keys

Avoid having user-managed keys for user-managed service accounts.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category USER_MANAGED_SERVICE_ACCOUNT_KEY

Remediation steps

Determine a secure alternative and delete the user-managed service account keys. For information about alternatives, see Choose the right authentication method for your use case. To delete the user-managed service account keys, go to the Service Accounts page in the Google Cloud console. Select and delete the user-managed service account keys. For more information on service account key management, see Best practices for managing service account keys.

Restrict VM IP Forwarding for Compute Engine Instances

Use the "Restrict VM IP Forwarding" (compute.vmCanIpForward) organization policy constraint to define the set of VM instances that can enable IP forwarding.

Enforcement mode AUDIT
Finding category ORG_POLICY_COMPUTE_IPFORWARD_LIST_VIOLATED

Remediation steps

Specify the VM instances that can enable IP forwarding in the Restrict VM IP Forwarding (compute.vmCanIpForward) constraint. Use one of the following forms:

  • under:organizations/ORGANIZATION_ID

  • under:folders/FOLDER_ID

  • under:projects/PROJECT_ID

  • projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME

For more information, see Enable IP forwarding for instances.

Restrict VPC Networks on Vertex AI

Use the "Restrict VPC networks on new Vertex AI Workbench instances" (ainotebooks.restrictVpcNetworks) organization policy constraint to define the VPC networks that a user can select when creating new Vertex AI Workbench instances.

Enforcement mode AUDIT
Finding category ORG_POLICY_VERTEXAI_VPC_NETWORK_POLICY_NOT_SET

Remediation steps

Set the Restrict VPC networks on new Vertex AI Workbench instances (ainotebooks.restrictVpcNetworks) constraint to the allowed or denied list of networks. Use one of the following formats: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.
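The following Terraform configuration is an added example, not from this reference or from Google, that sets the list-type organization policy constraints from the Restrict External IP Addresses, Restrict Public IP Addresses to Compute Engine Instances, Restrict VM IP Forwarding, Restrict VPC Networks on Vertex AI, Restrict Resource Service Usage / Restrict Service Usage, Restrict Non CMEK Services, Restrict CMEK Crypto Key Projects, and Restrict Legacy TLS Versions controls, showing the deny-all, allowed-values, denied-values, and under: forms. It assumes Google provider 4.x or later and inputs var.org_id, var.project_id, and var.kms_project_id; the instance, network, and service lists are hypothetical.

```hcl
# Added example, not Google's code. Assumes Google provider >= 4.x and the
# three inputs below; instance, network and service names are hypothetical.

variable "org_id"         { type = string } # numeric organization ID
variable "project_id"     { type = string } # a workload project
variable "kms_project_id" { type = string } # the only project allowed to hold CMEK keys

# Deny-all form: no VM anywhere in the organization may have an external IP.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Allowed-values form with a resource path: only one NAT instance may forward.
resource "google_org_policy_policy" "ip_forwarding" {
  name   = "projects/${var.project_id}/policies/compute.vmCanIpForward"
  parent = "projects/${var.project_id}"
  spec {
    rules {
      values {
        allowed_values = [
          "projects/${var.project_id}/zones/us-central1-a/instances/nat-gateway-1",
        ]
      }
    }
  }
}

# Workbench instances may attach only to one hardened network.
resource "google_org_policy_policy" "workbench_networks" {
  name   = "organizations/${var.org_id}/policies/ainotebooks.restrictVpcNetworks"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      values {
        allowed_values = ["projects/${var.project_id}/global/networks/ml-private"]
      }
    }
  }
}

# Service allow list: every API not named here is unusable in the organization.
resource "google_org_policy_policy" "service_usage" {
  name   = "organizations/${var.org_id}/policies/gcp.restrictServiceUsage"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      values {
        allowed_values = [
          "compute.googleapis.com",
          "storage.googleapis.com",
          "logging.googleapis.com",
          "monitoring.googleapis.com",
          "cloudkms.googleapis.com",
          "iam.googleapis.com",
        ]
      }
    }
  }
}

# CMEK pair. restrictNonCmekServices takes denied values only: the listed
# services must encrypt new resources with a customer-managed key ...
resource "google_org_policy_policy" "require_cmek" {
  name   = "organizations/${var.org_id}/policies/gcp.restrictNonCmekServices"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      values {
        denied_values = [
          "compute.googleapis.com",
          "storage.googleapis.com",
          "sqladmin.googleapis.com",
          "bigquery.googleapis.com",
        ]
      }
    }
  }
}

# ... and that key must come from the dedicated KMS project (under: form).
resource "google_org_policy_policy" "cmek_key_projects" {
  name   = "organizations/${var.org_id}/policies/gcp.restrictCmekCryptoKeyProjects"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      values {
        allowed_values = ["under:projects/${var.kms_project_id}"]
      }
    }
  }
}

# Denied-values form: TLS 1.0 and 1.1 handshakes to Google APIs are refused.
resource "google_org_policy_policy" "tls_versions" {
  name   = "organizations/${var.org_id}/policies/gcp.restrictTLSVersion"
  parent = "organizations/${var.org_id}"
  spec {
    rules {
      values {
        denied_values = ["TLS_VERSION_1", "TLS_VERSION_1_1"]
      }
    }
  }
}
```

A gcp.restrictServiceUsage allow list is the most disruptive policy here: anything not listed, including services that other Google services call on your behalf, stops working, so build the inventory first and begin with a denied_values list of the services you want to forbid. The external IP and IP forwarding constraints are evaluated when a VM is created or updated; existing instances that already violate them keep running and must still be found and fixed.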

Retain Audit Records

Retain audit records for 90 days or more to provide support for after-the-fact investigations of incidents.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category AUDIT_RECORDS_NOT_RETAINED

Remediation steps

Complete the following:

  • Enable audit logging.

  • Route audit logs with a log sink to Cloud Storage or BigQuery (or to Pub/Sub for delivery to an external system) and retain them for at least 90 days.

  • Create a process to archive logs to a cost-effective, offline storage system.

  • Configure the lifecycle for your Cloud Storage bucket.

  • Regularly review and monitor your log exports.

  • Regularly test your backup and restore procedures.

Review Authentication, Authorization, User Account Management

Manage and review user authentication, authorization, and account management practices.

Enforcement mode AUDIT
Finding category IAM_USERACCOUNT_MANAGEMENT_UNAUTHORIZED

Remediation steps

  • Enable SSO.

  • Synchronize user accounts using Google Cloud Directory Sync.

  • Configure Google Sign-In authentication for anyone with the legacy basic Owners role.

  • Grant the legacy basic Owners role to your account managers. Maintain assignments as required.

  • Define and maintain group and role membership conditions in your user directories.

  • Grant appropriate roles to users and groups in your organization.

  • Implement an approval process in your user directories for account creation.

  • Manage service accounts according to your organization's processes.

  • Enable audit logging and review logs for account usage.

  • Notify account managers about account deactivations and transfers. Consider exporting audit logs to BigQuery.

  • Ensure all Google Cloud access is by valid accounts and for intended usage.

  • Review IAM roles and account configuration for compliance with your internal and external policies.

  • Revoke and reissue shared credentials when a user is removed from a group.

Review Log and Alert Configuration

Review alerting policies, log filters, and metrics.

Enforcement mode AUDIT
Finding category MISSING_AUDIT_PROCESSING_FAILURES_ALERTS

Remediation steps

Complete the following:

Review Organization Administrator Assignments

Review the users in your organization who have the roles/resourcemanager.organizationAdmin role. Ensure at least one user has this role.

Enforcement mode AUDIT
Finding category ORGANIZATION_ADMIN_ROLE_NOT_ASSIGNED

Remediation steps

Verify the Organization Administrator (roles/resourcemanager.organizationAdmin) role assignments and grant it to additional users as required. For more information, see Viewing existing access for an organization resource and Grant an IAM role by using the Google Cloud console.

SENSITIVE DATA BIGQUERY TABLE CMEK DISABLED

The Data Security Posture Management (DSPM) system has detected that this resource has highly sensitive data and is not using CMEK for encryption. This poses a data security risk and requires immediate attention.

Enforcement mode DETECTIVE
Severity CRITICAL
Finding category SENSITIVE_DATA_BIGQUERY_TABLE_CMEK_DISABLED

Remediation steps

  1. Follow the remediation steps for the related findings:
    • BigQuery Table CMEK disabled finding
    • High Sensitive Data finding
  2. Once any of the findings is resolved, this finding will automatically get resolved.

For more detailed information, view the user guide.

SENSITIVE DATA DATASET CMEK DISABLED

The Data Security Posture Management (DSPM) system has detected that this resource has highly sensitive data and is not using CMEK for encryption. This poses a data security risk and requires immediate attention.

Enforcement mode DETECTIVE
Severity CRITICAL
Finding category SENSITIVE_DATA_DATASET_CMEK_DISABLED

Remediation steps

  1. Follow the remediation steps for the related findings:
    • Dataset CMEK disabled finding
    • High Sensitive Data finding
  2. Once any of the findings is resolved, this finding will automatically get resolved.

For more detailed information, view the user guide.

SENSITIVE DATA PUBLIC DATASET

The Data Security Posture Management (DSPM) system has detected publicly exposed sensitive data. This poses a data security risk and requires immediate attention.

Enforcement mode DETECTIVE
Severity CRITICAL
Finding category SENSITIVE_DATA_PUBLIC_DATASET

Remediation steps

  1. Follow the remediation steps for the related findings:
    • Public Dataset finding
    • High Sensitive Data finding
  2. Once any of the findings is resolved, this finding will automatically get resolved.

For more detailed information, view the user guide.

SENSITIVE DATA PUBLIC SQL INSTANCE

The Data Security Posture Management (DSPM) system has detected publicly exposed sensitive data. This poses a data security risk and requires immediate attention.

Enforcement mode DETECTIVE
Severity CRITICAL
Finding category SENSITIVE_DATA_PUBLIC_SQL_INSTANCE

Remediation steps

  1. Follow the remediation steps for the related findings:
    • Public SQL instance finding
    • Public SQL IP finding
    • High Sensitive Data finding
  2. Once any of the findings is resolved, this finding will automatically get resolved.

For more detailed information, view the user guide.

SENSITIVE DATA SQL CMEK DISABLED

The Data Security Posture Management (DSPM) system has detected that this resource has highly sensitive data and is not using CMEK for encryption. This poses a data security risk and requires immediate attention.

Enforcement mode DETECTIVE
Severity CRITICAL
Finding category SENSITIVE_DATA_SQL_CMEK_DISABLED

Remediation steps

  1. Follow the remediation steps for the related findings:
    • SQL CMEK disabled finding
    • High Sensitive Data finding
  2. Once any of the findings is resolved, this finding will automatically get resolved.

For more detailed information, view the user guide.

Separate User and Administrator Roles

Define separate user and admin roles.

Enforcement mode AUDIT
Finding category USER_ADMIN_ROLES_NOT_SEPARATED

Remediation steps

Complete the following:

  • Define different roles and accounts for users and administrators.

  • Enable two-factor or multi-factor authentication for users, especially administrators, to enhance account security.

Set Application Restriction on API Keys

Unrestricted API keys pose a security risk as any untrusted application can use them. Implement restrictions on API keys to specific hosts, HTTP referrers, and applications to help enhance security.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category API_KEY_APPS_UNRESTRICTED

Remediation steps

Go to the APIs & Services > Credentials page in the Google Cloud console. Under API Keys, edit each key using the Actions menu, and then restrict applications under the Application restrictions section.

Set Ingress and Egress Controls for Compute

Limit the number of external network connections to your system.

Enforcement mode AUDIT
Finding category INGRESS_EGRESS_CONTROLS_NOT_SET

Remediation steps

Complete the following:

  • Create firewall rules to limit incoming external connections and outgoing external connections.

  • Create a rule that denies all traffic that you haven’t explicitly allowed.

Set Log Bucket Flag for Bucket Logging

The log-bucket flag enables usage logs and storage logging for Cloud Storage buckets.

Enforcement mode AUDIT
Finding category LOGBUCKET_SET_INCORRECTLY

Remediation steps

Set the correct log bucket for Cloud Storage buckets. See Set up log delivery.

Set Log Error Verbosity Flag for AlloyDB Instances

The log_error_verbosity flag for AlloyDB for PostgreSQL helps to control details in logged messages when set to default or verbose.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ALLOYDB_LOG_ERROR_VERBOSITY

Remediation steps

Set the log_error_verbosity flag to default or verbose.

  1. Go to the AlloyDB for PostgreSQL clusters page in the Google Cloud console.

  2. Click a cluster in the Resource Name column.

  3. Under the Instances in your cluster section, click Edit for the instance.

  4. Click Advanced Configuration Options.

  5. Under the Flags section, set the log_error_verbosity flag to default or verbose.

Set Log Min Error Statement Flag for AlloyDB Instances

The log_min_error_statement flag for AlloyDB for PostgreSQL instances helps to identify the SQL statements that cause an error condition to be recorded in the server log. At a minimum, set the value to error.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category ALLOYDB_LOG_MIN_ERROR_STATEMENT_SEVERITY

Remediation steps

Set the log_min_error_statement flag to error.

  1. Go to the AlloyDB for PostgreSQL clusters page in the Google Cloud console.

  2. Click the cluster in the Resource Name column.

  3. Under the Instance in your cluster section, click Edit for the instance.

  4. Click Advanced Configuration Options, and set the log_min_error_statement flag under the Flags section to a recommended value like error.

Set Log Min Messages Flag for AlloyDB Instances

The log_min_messages flag for AlloyDB for PostgreSQL instances helps to control the message levels recorded in server logs. At a minimum, set the value to warning.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category ALLOYDB_LOG_MIN_MESSAGES

Remediation steps

Set the log_min_messages flag to warning.

  1. Go to the AlloyDB for PostgreSQL clusters page in the Google Cloud console.

  2. Click the cluster in the Resource Name column.

  3. Under the Instance in your cluster section, click Edit.

  4. Click Advanced Configuration Options.

  5. Set the log_min_messages flag under the Flags section to one of Notice, Info, Debug1, Debug2, Debug3, Debug4, or Debug5.

Set Uniform Bucket Level Access for Cloud Storage Buckets

Set the "Enforce uniform bucket-level access" (storage.uniformBucketLevelAccess) organization policy constraint to enable fine-grained access control for Cloud Storage buckets.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category UNIFORM_BUCKET_LEVEL_ACCESS_ORG_POLICY

Remediation steps

Set the Enforce uniform bucket-level access (storage.uniformBucketLevelAccess) organization policy constraint to true. For more information, see Require uniform bucket-level access.

Set Up Job Scheduling and Configurations

Set up proper job scheduling and configurations to manage security tasks.

Enforcement mode AUDIT
Finding category MISSING SCHEDULING AND CONFIGURATIONS_SECURITY_TASKS

Remediation steps

Complete the following:

  • Configure job scheduling and configurations to manage tasks. Consider using Cloud Scheduler.

  • Grant appropriate IAM roles to different groups.

  • Enable multi-factor authentication (MFA) or two-factor authentication (2FA) for production access.

  • Create separate projects to segregate resources.

Store Audit Logs in a Separate Repository

Back up audit logs in a separate physical repository and configure a retention schedule, integrity checks, monitoring, and access controls.

Enforcement mode AUDIT
Finding category IMPROPER_STORAGE_AUDIT_LOGS

Remediation steps

Complete the following:

  • Enable audit logging.

  • Export logs to your backup. You can use a Cloud Storage bucket or export to an external storage system.

  • Configure retention periods.

  • Review and monitor exported logs.

  • Use checksums to verify integrity.

  • Use Cloud Monitoring and Pub/Sub to set up custom monitoring and alerting policies for exported logs.

  • Test your backup and restore procedures.

  • If storing logs outside of Google Cloud, configure security settings for your backup system.

  • Follow Google Cloud best practices for audit logging, export, and backup configurations.

  • Configure access controls for the backup destination.

Subscribe a GKE Cluster to a Release Channel

Subscribe to a release channel to automate Google Kubernetes Engine (GKE) cluster version upgrades.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category RELEASE_CHANNEL_DISABLED

Remediation steps

Subscribe the GKE cluster to a release channel. For more information, see Enroll a new cluster in a release channel and Enroll an existing cluster.

Synchronize System Clocks

Ensure that all clocks use the same timezone (for example, UTC) so that audit logs from different systems can be correlated.

Enforcement mode AUDIT
Finding category SYSTEM_CLOCKS_NOT_SYNCHRONIZED

Remediation steps

Complete the following:

  • Set all system clocks to UTC.

  • For applications that generate custom logs, generate the timestamp in UTC.

  • Use Google Cloud logging libraries, which automatically generate timestamps in the system's timezone.

  • Verify that the timestamp for audit logs is in UTC.

  • Verify the timestamp in logs.

  • Consider manually synchronizing with Google's time servers.

  • Synchronize system clocks with Google's NTP servers. For example: sudo chronyc makestep
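To check the verification steps above (timestamps in UTC, clocks in agreement), the following Python is an added example, not part of the original page: it scans constructed JSON log lines (the source and timestamp field names are this example's own), flags timestamps that are not explicitly UTC, and reports sources whose clock drifts from a reference source by more than a tolerance.

```python
"""Check that log timestamps are explicit UTC and that clocks agree.

Added example, not from the page. The sample lines below are constructed
to imitate entries from several sources, each carrying an RFC 3339
"timestamp" field; the "source" field is this example's own.
"""
import json
from datetime import datetime, timezone

# Constructed sample: one entry per source, taken at roughly the same moment.
SAMPLE_LINES = [
    '{"source": "audit-log", "timestamp": "2024-05-01T12:00:00.123456Z"}',
    '{"source": "app-a",     "timestamp": "2024-05-01T12:00:01+00:00"}',
    '{"source": "app-b",     "timestamp": "2024-05-01T14:00:02+02:00"}',
    '{"source": "vm-cron",   "timestamp": "2024-05-01T12:00:03"}',
    '{"source": "vm-legacy", "timestamp": "2024-05-01T12:07:00Z"}',
]

MAX_SKEW_SECONDS = 5.0  # tolerance before a clock is reported as unsynchronized


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; values without an offset stay naive."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_utc(value: str) -> str:
    """Classify a timestamp: 'utc', 'offset' (non-UTC zone) or 'naive' (no zone)."""
    ts = parse_rfc3339(value)
    if ts.tzinfo is None:
        return "naive"
    return "utc" if ts.utcoffset().total_seconds() == 0 else "offset"


def audit_timestamps(lines, reference_source="audit-log"):
    """Return findings keyed by source: timezone problems and clock skew.

    Skew is measured against the reference source's timestamp, so the
    sample must contain one entry per source taken at about the same time.
    A naive timestamp is reported but not compared: without a zone its
    true instant is unknown.
    """
    entries = {}
    for line in lines:
        rec = json.loads(line)
        entries[rec["source"]] = rec["timestamp"]
    findings = {}
    ref = parse_rfc3339(entries[reference_source]).astimezone(timezone.utc)
    for source, raw in entries.items():
        problems = []
        kind = check_utc(raw)
        if kind != "utc":
            problems.append(f"timestamp is {kind}, expected explicit UTC")
        ts = parse_rfc3339(raw)
        if ts.tzinfo is not None:
            skew = abs((ts.astimezone(timezone.utc) - ref).total_seconds())
            if skew > MAX_SKEW_SECONDS:
                problems.append(f"clock skew of {skew:.0f}s versus {reference_source}")
        if problems:
            findings[source] = problems
    return findings


if __name__ == "__main__":
    for source, problems in audit_timestamps(SAMPLE_LINES).items():
        print(source, "->", "; ".join(problems))
```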

Terminate Network Connections

Terminate the network connection associated with a communications session at the end of the session or after 600 seconds (10 minutes) of inactivity.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category NETWORK_CONNECTION_TERMINATION_PROCEDURE_MISSING

Remediation steps

Verify the HTTP keepalive timeout for your clients. For instructions, see Update client HTTP keepalive timeout.

Triage and Remediate System Flaws

Identify, report, and correct system flaws. Incorporate flaw remediation into the organizational configuration management process.

Enforcement mode AUDIT
Finding category WEAK_TRIAGING_REMEDIATION_MECHANISM_SYSTEM_FLAWS

Remediation steps

Consider the following:

  • Verify the images that you use for VMs and containers.

  • Triage and correct information system flaws. Use Security Command Center and the Patch feature in VM Manager.

  • Test software and firmware updates before installation.

  • Install security software and firmware updates within 30 days of release.

  • Include flaw remediation in your configuration management processes.

Turn Off Contained Database Authentication Flag for SQL Server

Turn off the contained database authentication flag for SQL Server instances.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_CONTAINED_DATABASE_AUTHENTICATION

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the contained database authentication database flag to Off for the instance.

Turn Off Cross Database Ownership Chaining Flag for SQL Server

Turn off the cross db ownership chaining flag for SQL Server.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_CROSS_DB_OWNERSHIP_CHAINING

Remediation steps

Turn the cross db ownership chaining flag off. Go to the SQL > Instances page in the Google Cloud console and set the cross db ownership chaining database flag to Off for the instance. For cross-database access, use the Microsoft Tutorial: Signing Stored Procedures with a Certificate instead.

Turn Off External Scripts Flag for SQL Server

Turn off the external scripts enabled flag for SQL Server.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_EXTERNAL_SCRIPTS_ENABLED

Remediation steps

Turn the external scripts enabled flag off. Go to the SQL > Instances page in the Google Cloud console and set the external scripts enabled database flag to Off for the instance.

Turn Off Local Infile Flag for MySQL

Turn off the local_infile flag for the MySQL instance.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOCAL_INFILE

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the local_infile database flag to Off for the instance.

Turn Off Log Executor Stats Flag for PostgreSQL

Turn off the log_executor_stats flag for PostgreSQL instances to reduce performance overhead.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SQL_LOG_EXECUTOR_STATS_ENABLED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_executor_stats database flag to Off for the Cloud SQL instance.

Turn Off Log Hostname Flag for PostgreSQL

Turn off the log_hostname flag for PostgreSQL instances to reduce performance overhead.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SQL_LOG_HOSTNAME_ENABLED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_hostname database flag to Off for the Cloud SQL instance.

Turn Off Log Min Duration Statement Flag for PostgreSQL

Turn off the log_min_duration_statement flag by setting it to -1 for PostgreSQL instances.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOG_MIN_DURATION_STATEMENT_ENABLED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_min_duration_statement database flag to -1 for the Cloud SQL instance.

Turn Off Log Parser Stats Flag for PostgreSQL

Turn off the log_parser_stats flag for PostgreSQL to reduce performance overhead.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_LOG_PARSER_STATS_ENABLED

Remediation steps

Set the log_parser_stats flag to Off. Go to the SQL > Instances page in the Google Cloud console and set the log_parser_stats database flag to Off for the Cloud SQL instance.

Turn Off Log Planner Stats Flag for PostgreSQL

Turn off the log_planner_stats flag for PostgreSQL to reduce performance overhead.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SQL_LOG_PLANNER_STATS_ENABLED

Remediation steps

Set the log_planner_stats flag to Off. Go to the SQL > Instances page in the Google Cloud console and set the log_planner_stats database flag to Off for the Cloud SQL instance.

Turn Off Log Statement Stats Flag for PostgreSQL

Turn off the log_statement_stats flag for PostgreSQL instances to reduce performance overhead.

Enforcement mode DETECTIVE, AUDIT
Severity LOW
Finding category SQL_LOG_STATEMENT_STATS_ENABLED

Remediation steps

Go to the SQL > Instances page in the Google Cloud console and set the log_statement_stats database flag to Off for the Cloud SQL instance.

Turn Off Remote Access Flag for SQL Server

Turn off the remote access flag for the SQL Server instance to avoid security risks.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category SQL_REMOTE_ACCESS_ENABLED

Remediation steps

Turn off the remote_access flag. Go to the SQL > Instances page in the Google Cloud console and set the Remote access flag to Off for the SQL Server instance.

Use Custom Service Accounts for Compute Engine Instances

Default Compute Engine instances have broad editor roles, granting read and write access to most Google Cloud services. Custom service accounts help prevent privilege escalation and unauthorized access.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DEFAULT_SERVICE_ACCOUNT_USED

Remediation steps

Change the service account that the VM instance uses. Go to the Compute Engine > VM instances page in the Google Cloud console. Click the instance name. Select the instance, and click Stop on the Instance details page. After the instance stops, edit it, and select a non-default service account with least privileges.

Use FIPS 201 Approved Products

Use information technology products on the Federal Information Processing Standards (FIPS) 201-approved products list for Personal Identity Verification (PIV) capability.

Enforcement mode AUDIT
Finding category FIPS 201_APPROVED_PRODUCTS_NOT_USED

Remediation steps

Complete the following:

  • Use only services and products that comply with FIPS-201 standards.

  • Implement a user account system or SSO solution for authentication.

  • Configure 2FA using a PIV card.

  • Use IAM allow policies to control access to your resources.

Use Google Groups for Kubernetes RBAC

Set up Google Groups to work with Kubernetes role-based access control (RBAC) in your GKE clusters.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category GKE_AUTHENTICATOR_GROUPS_DISABLED

Remediation steps

Update your cluster to use Google Groups for RBAC. For more information, see Update an existing cluster.

Use IAM Tags

Use tags to create annotations for resources, and in some cases conditionally allow or deny policies based on whether a resource has a specific tag.

Enforcement mode AUDIT
Finding category IAM_TAGS_NOT_FOUND

Remediation steps

  • To create a tag key, run the following command: gcloud resource-manager tags keys create SHORT_NAME --parent=organizations/ORGANIZATION_ID.

  • To create a tag value, run the following command: gcloud resource-manager tags values create SHORT_NAME --parent=PARENT.

  • To attach a tag to a resource, run the following command: gcloud resource-manager tags bindings create --tag-value=TAG_VALUE --parent=RESOURCE_ID --location=LOCATION.

Use Latest Image Versions on Dataproc Clusters

Ensure that Dataproc clusters don't use outdated image versions that are impacted by the Log4j vulnerability.

Enforcement mode DETECTIVE, AUDIT
Severity HIGH
Finding category DATAPROC_IMAGE_OUTDATED

Remediation steps

Recreate and update the affected cluster with the latest sub-minor image versions. See Steps to recreate a cluster for specific image and log4j version information.

Use Least Privilege Service Accounts for GKE Clusters

Restrict Google Kubernetes Engine (GKE) nodes from using the Compute Engine default service account, which has broad access and is over-privileged for running your GKE cluster.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category OVER_PRIVILEGED_ACCOUNT

Remediation steps

Use a service account with the minimal permissions required to run your GKE nodes. For more information, see Use least privilege IAM service accounts.

Use Networks with Custom Firewall Rules

Create a VPC network with custom firewall rules to help enhance security and provide better control over network access.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category DEFAULT_NETWORK

Remediation steps

Go to the VPC Network > VPC networks page in the Google Cloud console and delete the default VPC network. Create a network with custom firewall rules. For more information, see Create networks.

Use Secure Web Proxy for Network Traffic Control

Configure Secure Web Proxy to route all network traffic and ensure the routing complies with regulatory standards for Compute Engine instances and Google Kubernetes Engine (GKE) clusters.

Enforcement mode AUDIT
Finding category WEB_PROXY_NOT_CONFIGURED_TRAFFIC_CONTROL

Remediation steps

Use Secure Web Proxy and set up appropriate rules to ensure that all the internal and external traffic routing is in compliance with the regulatory standards.

Use TLS 1.2 or Higher

Use TLS 1.2 or higher for encryption.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category IMPROPER_TLS_VERSION_IN_USE

Remediation steps

Set the minimum TLS version for Compute Engine instances to TLS 1.2 at both the global and regional levels. For more information, see Use SSL policies for SSL and TLS protocols.

Validate Information Inputs

Validate information inputs and document exceptions when they occur.

Enforcement mode AUDIT
Finding category INPUT_VALIDATION_MISSING

Remediation steps

Verify that you have the appropriate input checks set up and a way to document your exceptions.

Validate the Integrity of Data Stored in External Systems

Provide the capability to check the integrity of information while it resides in an external system.

Enforcement mode AUDIT
Finding category MISSING_CONTROLS_DATA_STORED_EXTERNAL_SYSTEM

Remediation steps

This control doesn't apply to Google Cloud. Verify that you have the appropriate controls set up in external systems, as appropriate.

Verify Cloud KMS Key Version Algorithm

Check whether the key algorithms for Cloud KMS keys match the algorithms that you specify.

Enforcement mode DETECTIVE, AUDIT
Severity MEDIUM
Finding category CRYPTOKEY_ALGORITHM_VERSION_RESTRICTED

Remediation steps

Default values are RSA_SIGN_PSS_2048_SHA256, RSA_SIGN_PSS_3072_SHA256, RSA_SIGN_PSS_4096_SHA256, RSA_DECRYPT_OAEP_2048_SHA256, RSA_DECRYPT_OAEP_4096_SHA256, RSA_DECRYPT_OAEP_2048_SHA1, and RSA_DECRYPT_OAEP_4096_SHA1. For more information, see Key purposes and algorithms.

Verify Cloud Storage Bucket Classification

Set the appropriate classification label for Cloud Storage buckets.

Enforcement mode AUDIT
Finding category INCORRECT_CLOUD_STORAGE_CLASSIFICATION_ASSIGNED

Remediation steps

Set the right classification for the storage. See Storage classes.

What's next