Skip to main content

CIS Google Cloud 1.3.0 Benchmark

Lacework provides compliance policies based on CIS Google Cloud Platform Foundation Benchmark v1.3.0 (or CIS Google Cloud 1.3.0 Benchmark for short).

Once you have integrated your Google Cloud environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.

Visibility and Usage in the Lacework Console

You can use the CIS Google Cloud 1.3.0 Benchmark in the following ways:

Prerequisites

Ensure you have integrated your Google Cloud environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Google Cloud 1.3.0 Benchmark:

Previous Integrations using Terraform

If you have previously integrated Google Cloud with Lacework using Terraform before this benchmark was available:

  1. Enter the directory containing the Terraform files used for the integration.
  2. Run terraform init -upgrade to initialize the working directory (containing the Terraform files).
  3. Run terraform plan and review the changes that will be applied.
  4. Once satisfied with the changes that will be applied, run terraform apply to upgrade the modules.
info

The Cloud Asset Inventory and Essential Contacts endpoints are now required for the Google Cloud resource collections to work with the new benchmark (see API List for a full list of APIs needed for Google Cloud integrations).

As such, upgrade to the latest Terraform modules to ensure the necessary permissions are met.

Previous Integrations using the Google Cloud Console

If you have previously integrated Google Cloud with Lacework manually using the Google Cloud Console, ensure that you enable the Cloud Asset Inventory and Essential Contacts APIs on projects that host the service account for the integrations (see API List for a full list of APIs needed for Google Cloud integrations).

See How to Enable the APIs for guidance.

CIS Google Cloud 1.3.0 Benchmark Policies

All policies in the CIS Google Cloud 1.3.0 Benchmark are enabled by default.

You can disable or enable them using one of the following methods outlined in this section.

Enable or Disable Policies in the Lacework Console

On the Policies page, use the framework:cis-gcp-1-3-0 tag to filter for CIS Google Cloud 1.3.0 policies only.

You can enable or disable each one using the status toggle.

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.

Enable or Disable Policies using the Lacework CLI

Enable or disable all the CIS Google Cloud 1.3.0 policies using the following commands in the Lacework CLI:

Enable all policies
lacework policy enable --tag framework:cis-gcp-1-3-0
Disable all policies
lacework policy disable --tag framework:cis-gcp-1-3-0

Enable or disable specific CIS Google Cloud 1.3.0 policies using the following command examples in the Lacework CLI:

Enable lacework-global-237
lacework policy enable lacework-global-237
Disable lacework-global-237
lacework policy disable lacework-global-237

Organization vs Project Level Policies

The majority of the CIS Google Cloud Benchmark policies are evaluated at the Project level, however, some are evaluated at the Organization level. As such, depending on your level of integration with Google Cloud, these Organization level policies may not display.

Policy Mapping for CIS Google Cloud 1.3.0

The CIS Google Cloud 1.3.0 controls are mapped to Lacework policies, as listed in the following tables.

Table key:

  • Control ID - The CIS Google Cloud 1.3.0 Benchmark security control identifier.
  • Title - The policy/control title.
  • Lacework Policy ID - The Lacework policy identifier.
  • CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
  • Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
  • Severity - The severity of the policy (as determined by Lacework).
Control IDTitleLacework Policy IDCIS AssessmentLacework AssessmentSeverity
1.1Ensure that Corporate Login Credentials are Usedlacework-global-232ManualManualHigh
1.2Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accountslacework-global-233ManualManualHigh
1.3Ensure that Security Key Enforcement is Enabled for All Admin Accountslacework-global-293ManualManualMedium
1.4Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Accountlacework-global-234AutomatedAutomatedMedium
1.5Ensure That Service Account Has No Admin Privilegeslacework-global-235AutomatedAutomatedMedium
1.6Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Levellacework-global-236AutomatedManualMedium
1.7Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewerlacework-global-237AutomatedAutomatedMedium
1.8Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Userslacework-global-294AutomatedManualHigh
1.9Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessiblelacework-global-238AutomatedAutomatedCritical
1.10Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Dayslacework-global-239AutomatedAutomatedMedium
1.11Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Userslacework-global-295AutomatedManualHigh
1.12Ensure API Keys Are Not Created for a Projectlacework-global-296ManualAutomatedMedium
1.13Ensure API Keys Are Restricted To Use by Only Specified Hosts and Appslacework-global-240ManualAutomatedMedium
1.14Ensure API Keys Are Restricted to Only APIs That Application Needs Accesslacework-global-241ManualAutomatedMedium
1.15Ensure API Keys Are Rotated Every 90 Dayslacework-global-242ManualAutomatedMedium
1.16Ensure Essential Contacts is Configured for Organizationlacework-global-243AutomatedManualMedium
1.17Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Keylacework-global-297AutomatedAutomatedMedium
1.18Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Managerlacework-global-244ManualManualMedium

Automated vs Manual Policies

Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.

For some benchmark recommendations, it is not possible to automate the policy checks in a Google Cloud environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).

Automated Policies (that were deemed manual)

In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.

The following table outlines the CIS Google Cloud 1.3.0 Benchmark policies that fall within this category:

Click to expand
Control IDLacework Policy IDTitle
1.12lacework-global-296Ensure API Keys Are Not Created for a Project.
1.13lacework-global-240Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps.
1.14lacework-global-241Ensure API Keys Are Restricted to Only APIs That Application Needs Access.
1.15lacework-global-242Ensure API Keys Are Rotated Every 90 Days.
3.4lacework-global-260Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC.
3.5lacework-global-261Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC.
3.9lacework-global-490Ensure No SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites.
6.2.1lacework-global-312Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter.
6.2.4lacework-global-279Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately.
6.2.6lacework-global-281Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning'.
7.1lacework-global-292Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible.
7.3lacework-global-314Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets.

Manual Policies (that were deemed automated)

In some cases, Lacework cannot automate certain CIS benchmark controls that were deemed as automated by CIS.

This is often due to one of the following reasons:

  • Scope is defined by the user.
  • It requires configuring other products or API permissions that are out of scope.
  • Known issues for audit procedure described by the CIS control.

The following table outlines the CIS Google Cloud 1.3.0 Benchmark policies that fall within this category:

info

Lacework intends to automate these policies in a future release.

Click to expand
Control IDLacework Policy IDTitle
1.6lacework-global-236Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level.
1.8lacework-global-294Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users.
1.11lacework-global-295Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users.
1.16lacework-global-243Ensure Essential Contacts is Configured for Organization.

Permanently Manual Policies (that were deemed automated)

The following table outlines controls that were deemed automated by CIS, but will remain as manual policies:

Click to expand
Control IDLacework Policy IDTitle
2.15lacework-global-299Ensure 'Access Approval' is 'Enabled'.

Adjusted Controls

2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project

This control has been split into three different policies to monitor at the project, folder, and organization levels separately.

The table below outlines each policy and their new title:

Click to expand
Control IDLacework Policy IDTitle
2.1lacework-global-245Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project.
2.1lacework-global-487Ensure That Cloud Audit Logging Is Configured Properly Across All Users From a Folder.
2.1lacework-global-488Ensure That Cloud Audit Logging Is Configured Properly Across All Users From an Organization.
note

The policy catalog only retains one entry for this control, which is lacework-global-245.

2.2 Ensure That Sinks Are Configured for All Log Entries

This control has been split into two different policies to check the following regarding Google Cloud sinks:

  1. There is at least one log sink with no filter configured (as this ensures all log entries are included).
  2. There is a destination that exists for the sink.

The table below outlines each policy and their new title:

Click to expand
Control IDLacework Policy IDTitle
2.2lacework-global-246Ensure That Sinks Are Configured for All Log Entries.
2.2lacework-global-489Ensure That Sink Destinations Exist.

3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites

This control has been split into two different policies to monitor HTTPS and SSL Proxy Load Balancers separately.

The table below outlines each policy and their new title:

Click to expand
Control IDLacework Policy IDTitle
3.9lacework-global-263Ensure No HTTPS Load Balancers Permit SSL Policies With Weak Cipher Suites.
3.9lacework-global-490Ensure No SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites.
note

The policy catalog only retains one entry for this control, which is lacework-global-263.

4.4 Ensure Oslogin Is Enabled for a Project

This control has been split into two different policies to check the following regarding OS Login:

  1. Checks for projects without OS Login enabled.
  2. Checks for VMs (instances) with OS Login disabled.

The table below outlines each policy and their new title:

Click to expand
Control IDLacework Policy IDTitle
4.4lacework-global-267Ensure Oslogin Is Enabled for a Project.
4.4lacework-global-498Ensure Oslogin Is Not Disabled on Instances.
note

The policy catalog only retains one entry for this control, which is lacework-global-267.

Determining Active Google Cloud API Keys for Certain Policies

For the following control IDs, Lacework pulls data on API keys from Google Cloud APIs. The data provided by Google returns active API keys, but also recently deleted API keys.

As such, the number of assessed resources in the policy assessment (and reports) may be greater than the number of API keys seen in your Google Cloud Console.

Click to expand
Control IDLacework Policy IDTitle
1.12lacework-global-296Ensure API Keys Are Not Created for a Project.
1.13lacework-global-240Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps.
1.14lacework-global-241Ensure API Keys Are Restricted to Only APIs That Application Needs Access.
1.15lacework-global-242Ensure API Keys Are Rotated Every 90 Days.