1.1 Use Corporate Login Credentials (Manual)
1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts (Manual)
1.3 Enable Security Key Enforcement for All Admin Accounts (Manual)
1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account (Automated)
1.5 Ensure That Service Account Has No Admin Privileges (Automated)
1.6 Ensure That Identity and Access Management (IAM) Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level (Manual)
1.7 Rotate User-Managed/External Keys for Service Accounts Every 90 Days or Fewer (Automated)
1.8 Enforce Separation of Duties While Assigning Service Account Related Roles to Users (Manual)
1.9 Ensure That Cloud Key Management Service (KMS) Cryptokeys Are Not Anonymously or Publicly Accessible (Automated)
1.10 Rotate Key Management Service (KMS) Encryption Keys Within a Period of 90 Days (Automated)
1.11 Enforce Separation of Duties While Assigning Key Management Service (KMS) Related Roles to Users (Manual)
1.12 Ensure API Keys Are Not Created for a Project (Automated)
1.13 Restrict API Keys To Use by Only Specified Hosts and Apps (Automated)
1.14 Restrict API Keys to Only APIs That Application Needs Access (Automated)
1.15 Rotate API Keys Every 90 Days (Automated)
1.16 Configure Essential Contacts for Organization (Manual)
1.17 Encrypt Dataproc Cluster using Customer-Managed Encryption Key (CMEK) (Automated)
1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager (Manual)
2.1 This rule also encompasses lacework-global-487 and lacework-global-488. See Adjusted Rules for CIS GCP 2.0.0 for further details.
2.2 This rule has been split and is linked to lacework-global-489. See Adjusted Rules for CIS GCP 2.0.0 for further details.
2.2 This rule has been split and is linked to lacework-global-246. See Adjusted Rules for CIS GCP 2.0.0 for further details.
2.3 Configure Retention Policies on Cloud Storage Buckets Used for Exporting Logs Using Bucket Lock (Automated)
2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes (Automated)
2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes (Automated)
2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes (Automated)
2.7 Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Firewall Rule Changes (Automated)
2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes (Automated)
2.9 Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Changes (Automated)
2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage Identity and Access Management (IAM) Permission Changes (Automated)
2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes (Automated)
2.12 Enable Cloud Domain Name System (DNS) Logging for All Virtual Private Cloud (VPC) Networks (Automated)
2.13 Enable Cloud Asset Inventory (Automated)
2.14 Ensure 'Access Transparency' is 'Enabled' (Manual)
2.15 Ensure 'Access Approval' is 'Enabled' (Manual)
2.16 Enable Logging for HTTP(S) Load Balancer (Region Backend) (Automated)
3.1 Ensure That the Default Network Does Not Exist in a Project (Automated)
3.2 Ensure Legacy Networks Do Not Exist for Older Projects (Automated)
3.3 Enable DNSSEC for Cloud Domain Name System (DNS) (Automated)
3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key (KSK) in Cloud Domain Name System (DNS) DNSSEC (Automated)
3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key (ZSK) in Cloud Domain Name System (DNS) DNSSEC (Automated)
3.6 Restrict SSH Access From the Internet (Automated)
3.7 Restrict Remote Desktop Protocol (RDP) Access From the Internet (Automated)
3.8 Enable Virtual Private Cloud (VPC) Flow Logs for Every Subnet in a VPC Network (Automated)
3.9 This rule also encompasses lacework-global-490. See Adjusted Rules for CIS GCP 2.0.0 for further details.
3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' (Manual)
4.1 Ensure That Instances Are Not Configured To Use the Default Service Account (Automated)
4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs (Automated)
4.3 Enable Block Project-Wide SSH Keys for VM Instances (Automated)
4.4 This rule also encompasses lacework-global-498. See Adjusted Rules for CIS GCP 2.0.0 for further details.
4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance (Automated)
4.6 Ensure That IP Forwarding Is Not Enabled on Instances (Automated)
4.7 Encrypt VM Disks for Critical VMs With Customer-Supplied Encryption Keys (CSEK) (Automated)
4.8 Launch Compute Instances With Shielded VM Enabled (Automated)
4.9 Ensure That Compute Instances Do Not Have Public IP Addresses (Automated)
4.10 Ensure That App Engine Applications Enforce HTTPS Connections (Manual)
4.11 Ensure That Compute Instances Have Confidential Computing Enabled (Automated)
4.12 Install the Latest Operating System Updates On Your Virtual Machines in All Projects (Manual)
5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible (Automated)
5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled (Automated)
6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges (Manual)
6.1.2 Set 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance to 'On' (Automated)
6.1.3 Set the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance to 'Off' (Automated)
6.2.1 Set 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance to 'DEFAULT' or Stricter (Automated)
6.2.2 Set the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance to 'On' (Automated)
6.2.3 Set the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance to 'On' (Automated)
6.2.4 Set 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Appropriately (Automated)
6.2.5 Set the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance to at least 'Warning' (Automated)
6.2.6 Set 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance to 'Error' or Stricter (Automated)
6.2.7 Set the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance to '-1' (Disabled) (Automated)
6.2.8 Set 'cloudsql.enable_pgaudit' Database Flag for Each Cloud SQL PostgreSQL Instance to 'on' For Centralized Logging (Automated)
6.2.9 Set Instance IP Assignment to Private (Automated)
6.3.1 Set 'external scripts enabled' database flag for Cloud SQL on SQL Server instance to 'off' (Automated)
6.3.2 Set the 'cross db ownership chaining' database flag for Cloud SQL on SQL Server instance to 'off' (Automated)
6.3.3 Set 'user connections' Database Flag for Cloud SQL on SQL Server Instance to a Non-limiting Value (Automated)
6.3.4 Do not configure 'user options' database flag for Cloud SQL on SQL Server instance (Automated)
6.3.5 Set 'remote access' database flag for Cloud SQL on SQL Server instance to 'off' (Automated)
6.3.6 Set '3625 (trace flag)' database flag for all Cloud SQL Server instances to 'on' (Automated)
6.3.7 Set the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance to 'off' (Automated)
6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL (Automated)
6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses (Automated)
6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs (Automated)
6.7 Configure Cloud SQL Database Instances With Automated Backups (Automated)
7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible (Automated)
7.2 Encrypt All BigQuery Tables With Customer-Managed Encryption Key (CMEK) (Automated)
7.3 Specify a Default Customer-Managed Encryption Key (CMEK) for All BigQuery Data Sets (Automated)