1.1 Use Corporate Login Credentials (Manual)
1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts (Manual)
1.3 Enable Security Key Enforcement for All Admin Accounts (Manual)
1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account (Automated)
1.5 Ensure That Service Account Has No Admin Privileges (Automated)
1.6 Ensure That Identity and Access Management (IAM) Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level (Manual)
1.7 Rotate User-Managed/External Keys for Service Accounts Every 90 Days or Fewer (Automated)
1.8 Enforce Separation of Duties While Assigning Service Account Related Roles to Users (Manual)
1.9 Ensure That Cloud Key Management Service (KMS) Cryptokeys Are Not Anonymously or Publicly Accessible (Automated)
1.10 Rotate Key Management Service (KMS) Encryption Keys Within a Period of 90 Days (Automated)
1.11 Enforce Separation of Duties While Assigning Key Management Service (KMS) Related Roles to Users (Manual)
1.12 Ensure API Keys Are Not Created for a Project (Automated)
1.13 Restrict API Keys To Use by Only Specified Hosts and Apps (Automated)
1.14 Restrict API Keys to Only APIs That Application Needs Access (Automated)
1.15 Rotate API Keys Every 90 Days (Automated)
1.16 Configure Essential Contacts for Organization (Manual)
1.17 Encrypt Dataproc Cluster using Customer-Managed Encryption Key (CMEK) (Automated)
1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager (Manual)
2.1: This rule also encompasses lacework-global-487 and lacework-global-488. See Adjusted Rules for CIS GCP 1.3.0 for further details.
2.2: This rule has been split and is linked to lacework-global-489. See Adjusted Rules for CIS GCP 1.3.0 for further details.
2.2: This rule has been split and is linked to lacework-global-246. See Adjusted Rules for CIS GCP 1.3.0 for further details.
2.3 Configure Retention Policies on Cloud Storage Buckets Used for Exporting Logs Using Bucket Lock (Automated)
2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes (Automated)
2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes (Automated)
2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes (Automated)
2.7 Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Firewall Rule Changes (Automated)
2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes (Automated)
2.9 Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Changes (Automated)
2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage Identity and Access Management (IAM) Permission Changes (Automated)
2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes (Automated)
2.12 Enable Cloud Domain Name System (DNS) Logging for All Virtual Private Cloud (VPC) Networks (Automated)
2.13 Enable Cloud Asset Inventory (Automated)
2.14 Ensure 'Access Transparency' is 'Enabled' (Manual)
2.15 Ensure 'Access Approval' is 'Enabled' (Manual)
3.1 Ensure That the Default Network Does Not Exist in a Project (Automated)
3.2 Ensure Legacy Networks Do Not Exist for Older Projects (Automated)
3.3 Enable DNSSEC for Cloud Domain Name System (DNS) (Automated)
3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key (KSK) in Cloud Domain Name System (DNS) DNSSEC (Automated)
3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key (ZSK) in Cloud Domain Name System (DNS) DNSSEC (Automated)
3.6 Restrict SSH Access From the Internet (Automated)
3.7 Restrict Remote Desktop Protocol (RDP) Access From the Internet (Automated)
3.8 Enable Virtual Private Cloud (VPC) Flow Logs for Every Subnet in a VPC Network (Automated)
3.9: This rule also encompasses lacework-global-490. See Adjusted Rules for CIS GCP 1.3.0 for further details.
3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' (Manual)
4.1 Ensure That Instances Are Not Configured To Use the Default Service Account (Automated)
4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs (Automated)
4.3 Enable Block Project-Wide SSH Keys for VM Instances (Automated)
4.4: This rule also encompasses lacework-global-498. See Adjusted Rules for CIS GCP 1.3.0 for further details.
4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance (Automated)
4.6 Ensure That IP Forwarding Is Not Enabled on Instances (Automated)
4.7 Encrypt VM Disks for Critical VMs With Customer-Supplied Encryption Keys (CSEK) (Automated)
4.8 Launch Compute Instances With Shielded VM Enabled (Automated)
4.9 Ensure That Compute Instances Do Not Have Public IP Addresses (Automated)
4.10 Ensure That App Engine Applications Enforce HTTPS Connections (Manual)
4.11 Ensure That Compute Instances Have Confidential Computing Enabled (Automated)
4.12 Install the Latest Operating System Updates On Your Virtual Machines in All Projects (Manual)
5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible (Automated)
5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled (Automated)
6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges (Manual)
6.1.2 Set 'skip_show_database' Database Flag for Cloud SQL MySQL Instance to 'On' (Automated)
6.1.3 Set the 'local_infile' Database Flag for a Cloud SQL MySQL Instance to 'Off' (Automated)
6.2.1 Set 'log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance to 'DEFAULT' or Stricter (Automated)
6.2.2 Set the 'log_connections' Database Flag for Cloud SQL PostgreSQL Instance to 'On' (Automated)
6.2.3 Set the 'log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance to 'On' (Automated)
6.2.4 Set 'log_statement' Database Flag for Cloud SQL PostgreSQL Instance Appropriately (Automated)
6.2.5 Set 'log_hostname' Database Flag for Cloud SQL PostgreSQL Instance to 'on' (Automated)
6.2.6 Set the 'log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance to at least 'Warning' (Automated)
6.2.7 Set 'log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance to 'Error' or Stricter (Automated)
6.2.8 Set the 'log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance to '-1' (Disabled) (Automated)
6.2.9 Set 'cloudsql.enable_pgaudit' Database Flag for each Cloud SQL PostgreSQL Instance to 'on' For Centralized Logging (Automated)
6.3.1 Set 'external scripts enabled' database flag for Cloud SQL on SQL Server instance to 'off' (Automated)
6.3.2 Set the 'cross db ownership chaining' database flag for Cloud SQL on SQL Server instance to 'off' (Automated)
6.3.3 Set 'user connections' Database Flag for Cloud SQL on SQL Server Instance to a Non-limiting Value (Automated)
6.3.4 Do not configure 'user options' database flag for Cloud SQL on SQL Server instance (Automated)
6.3.5 Set 'remote access' database flag for Cloud SQL on SQL Server instance to 'off' (Automated)
6.3.6 Set '3625 (trace flag)' database flag for all Cloud SQL Server instances to 'off' (Automated)
6.3.7 Set the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance to 'off' (Automated)
6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL (Automated)
6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses (Automated)
6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs (Automated)
6.7 Configure Cloud SQL Database Instances With Automated Backups (Automated)
7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible (Automated)
7.2 Encrypt All BigQuery Tables With Customer-Managed Encryption Key (CMEK) (Automated)
7.3 Specify a Default Customer-Managed Encryption Key (CMEK) for All BigQuery Data Sets (Automated)