CIS 8.1 - Google Cloud
This page lists all 102 policies in the CIS 8.1 pack for Google Cloud.
| Policy Name | Description | Framework Reference | Framework Specification |
|---|---|---|---|
| compute-engine-instance-proper-configuration | Ensure Compute Engine instances have proper configuration for lifecycle management | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| compute-engine-os-config-compliance-association-compliant | Ensure OS Config managed instances have compliance association | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| vpc-external-ip-associated | Ensure VPC external IP addresses are associated | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| vpc-firewall-rule-unused | Ensure no VPC firewall rules are left unused | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| vpc-firewall-rule-associated-to-network | Ensure VPC firewall rules are associated to networks | 1.1 | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
| security-command-center-enabled | Ensure Security Command Center is enabled | 1.2 | Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. |
| app-engine-managed-updates-enabled | Ensure App Engine managed updates are enabled | 2.2 | Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. |
| managed-instance-group-launch-template-public-ip-disabled | Ensure Managed Instance Group launch templates have public IP addresses disabled | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-logging-retention-period-365 | Ensure Cloud Logging log retention is 365 days or more | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| database-migration-service-not-publicly-accessible | Prevent public accessibility of Database Migration Service instances | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| persistent-disk-snapshot-not-publicly-restorable | Restrict public access to Persistent Disk snapshots | 3.3 | CIS Controls v8 IG1 3.3 - Data Access Control: Configure data access control lists. Persistent Disk snapshots should not be publicly restorable to prevent unauthorized access to potentially sensitive data stored in disk snapshots. |
| compute-engine-instance-service-account-attached | Ensure Compute Engine instances have service accounts attached | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| compute-engine-instance-in-vpc | Ensure Compute Engine instances are deployed in VPC networks | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| compute-engine-instance-not-publicly-accessible | Ensure Compute Engine instances are not publicly accessible | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| compute-engine-instance-uses-os-login | Ensure Compute Engine instances enforce OS Login | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| gke-cluster-endpoint-restrict-public-access | Restrict public access for GKE clusters by enabling a private endpoint or configuring master authorized networks | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| dataproc-cluster-master-nodes-no-public-ip | Restrict public access for Dataproc clusters by ensuring master nodes use internal IP addresses only | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| dataproc-kerberos-enabled | Ensure Dataproc Kerberos is enabled | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-sql-instance-not-publicly-accessible | Restrict public access for Cloud SQL instances | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-storage-bucket-restrict-public-read-access | Restrict public access for Cloud Storage buckets | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| iam-no-custom-role-excessive-permissions | Prevent IAM custom roles with excessive permissions for enhanced data access control | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| iam-policy-no-statements-with-full-access | Prevent IAM policy bindings with full access permissions for enhanced data security | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| elasticsearch-in-vpc-only | Ensure Elasticsearch is in VPC only | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| iam-user-no-direct-policies-check | Prevent IAM users from having direct policy attachments for better access management | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-functions-public-access-prohibited | Ensure Cloud Functions prohibit public access | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-functions-inside-vpc | Ensure Cloud Functions are inside VPC | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| bigquery-dataset-public-access-check | Ensure BigQuery datasets are not publicly accessible | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-storage-bucket-level-public-access-prohibited | Ensure Cloud Storage bucket level public access is prohibited | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-storage-bucket-iam-policy-grantee-check | Ensure Cloud Storage bucket IAM policy grantees are checked | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-storage-bucket-public-write-prohibited | Ensure Cloud Storage bucket public write is prohibited | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| ai-platform-notebook-no-direct-internet-access | Ensure AI Platform notebook has no direct internet access | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| subnet-auto-assign-external-ip-disabled | Ensure subnet auto-assign external IP is disabled | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-run-service-configuration-check | Ensure Cloud Run service configuration is checked | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| cloud-storage-bucket-public-read-prohibited | Ensure Cloud Storage bucket public read is prohibited | 3.3 | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. |
| compute-engine-instance-detailed-monitoring-enabled | Enable Compute Engine instance detailed monitoring | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| elasticsearch-logs-to-cloud-logging | Ensure instances have proper Cloud Logging configuration | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| load-balancer-logging-enabled | Enable Load Balancer logging for monitoring | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| cloud-functions-concurrency-check | Configure Cloud Functions concurrency for monitoring | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| cloud-sql-logging-enabled | Enable Cloud SQL logging for monitoring | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| cloud-storage-bucket-logging-enabled | Enable Cloud Storage bucket logging for monitoring | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| bigquery-audit-logging-enabled | Enable BigQuery audit logging for monitoring | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| cloud-armor-logging-enabled | Ensure backend services with Cloud Armor have logging enabled | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| no-unrestricted-route-to-internet-gateway | Ensure no unrestricted route to Internet Gateway for monitoring | 3.8 | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| load-balancer-http-to-https-redirection | Ensure Load Balancer HTTP to HTTPS redirection is configured | 3.10 | Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). |
| load-balancer-managed-ssl-certificate | Ensure Load Balancer uses managed SSL certificates | 3.10 | Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). |
| load-balancer-tls-https-listeners-only | Ensure Load Balancer uses TLS/HTTPS listeners only | 3.10 | Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). |
| application-load-balancer-managed-ssl-certificate | Ensure Application Load Balancer uses managed SSL certificates | 3.10 | Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). |
| cloud-storage-bucket-ssl-requests-only | Ensure Cloud Storage buckets require SSL requests only | 3.10 | Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). |
| ai-platform-endpoint-configuration-kms-key-configured | Ensure AI Platform endpoint configuration uses Cloud KMS | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| ai-platform-notebook-instance-kms-key-configured | Ensure AI Platform notebook instance uses Cloud KMS | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| secret-manager-using-cmek | Ensure Secret Manager uses customer-managed encryption keys | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| cloud-storage-bucket-encryption-enabled | Ensure Cloud Storage bucket encryption is enabled | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| pubsub-encrypted-kms | Ensure Pub/Sub is encrypted with Cloud KMS | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| kms-key-not-scheduled-for-deletion | Ensure Cloud KMS keys are not scheduled for deletion | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| bigquery-dataset-encryption-enabled | Enable BigQuery dataset encryption | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| cloud-logging-encrypted | Ensure Cloud Logging is encrypted | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| persistent-disk-encrypted | Ensure Persistent Disks are encrypted | 3.11 | CIS Controls v8 IG2 3.11 - Encryption at Rest: Encrypt sensitive data at rest on servers, applications, and databases. Persistent Disks should be encrypted to protect data from unauthorized access and ensure compliance with security requirements. |
| cloud-filestore-encrypted-check | Ensure Cloud Filestore is encrypted | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| elasticsearch-encrypted-at-rest | Ensure Elasticsearch is encrypted at rest | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| cloud-sql-storage-encrypted | Ensure Cloud SQL storage is encrypted | 3.11 | Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |
| cloud-storage-default-encryption-kms | Ensure Cloud Storage default encryption uses Cloud KMS | 3.11 | CIS Controls v8 IG2 3.11 - Encryption at Rest: Encrypt sensitive data at rest on servers, applications, and databases. Cloud Storage buckets should use Cloud KMS customer-managed encryption keys (CMEK) for enhanced security and key management control. |
| project-part-of-organization | Ensure project is part of GCP Organization | 4.1 | Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| bigquery-maintenance-settings-check | Ensure BigQuery maintenance settings are configured | 4.1 | Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| kms-key-rotation-enabled | Ensure Cloud KMS key rotation is enabled | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| persistent-disk-unused | Ensure no Persistent Disks are left unused | 4.6 | CIS Controls v8 IG1 4.6 - Secure Configuration: Persistent Disks that are not attached to any compute instances should be reviewed and removed to maintain proper asset inventory hygiene and prevent orphaned storage resources. |
| persistent-disk-attached-encryption-enabled | Ensure Persistent Disks are encrypted when attached | 4.6 | CIS Controls v8 IG1 4.6 - Secure Configuration: Persistent Disks should use customer-managed encryption keys (CMEK) or at minimum Google-managed encryption to protect data at rest and ensure compliance with security requirements. |
| cloud-storage-bucket-default-encryption-enabled | Ensure Cloud Storage buckets have default encryption enabled | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| vpc-firewall-rule-restrict-ingress-ssh-all | Restrict SSH access from all IPs in firewall rules | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| managed-instance-group-load-balancer-healthcheck-required | Ensure Managed Instance Groups require a Load Balancer health check | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| cloud-storage-bucket-versioning-enabled | Ensure Cloud Storage bucket versioning is enabled | 4.6 | CIS Controls v8 IG1 4.6 - Secure Configuration: Enable versioning on Cloud Storage buckets to maintain multiple versions of objects. Versioning protects against accidental deletion or modification, supports data recovery, and helps meet compliance requirements for data retention. |
| iam-policy-no-statements-with-admin-access | Prevent IAM policy bindings with administrative access permissions for secure configuration | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| restricted-ssh | Restrict SSH access for monitoring compliance | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| iam-policy-no-wildcard-permissions | Prevent IAM custom roles with wildcard permissions to enforce least privilege access control | 5.4 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. |
| cloud-security-scanner-enabled | Ensure Cloud Security Scanner is enabled for vulnerability management | 7.1 | Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| compute-engine-os-config-compliance-patch-compliant | Ensure OS Config managed instances have patch compliance | 7.1; 7.3 | CIS Controls v8 IG1 7.1; 7.3 - Vulnerability Management: Establish and maintain a documented vulnerability management process for enterprise assets, and perform automated operating system patch management on a monthly or more frequent basis. |
| api-gateway-logging-configuration | Ensure API Gateway has proper logging configuration with service accounts and audit logs | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| cloud-audit-logs-cloud-logging-enabled | Enable Cloud Audit Logs Cloud Logging integration for monitoring | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| cloud-cdn-logging-enabled | Ensure Cloud CDN has logging enabled for audit and monitoring | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| vpc-flow-logs-enabled | Ensure VPC subnets have Flow Logs enabled for audit and monitoring | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| cloud-armor-security-policy-logging-enabled | Ensure Cloud Armor security policies have logging enabled through their backend services | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| cloud-audit-logs-security-trail-enabled | Ensure Cloud Audit Logs security trail is enabled | 8.2 | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
| cloud-audit-logs-multi-region-trail-enabled | Ensure Cloud Audit Logs multi-region trail is enabled | 8.3 | Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. |
| cloud-audit-logs-integrity-monitoring-enabled | Ensure Cloud Audit Logs integrity monitoring is enabled | 8.3 | Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. |
| cloud-audit-logs-data-access-events-enabled | Enable Cloud Audit Logs data access events for monitoring | 8.5 | Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. |
| cloud-sql-instance-backup-enabled | Perform automated backups for Cloud SQL instances | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. |
| cloud-firestore-in-backup-plan | Perform automated backups for Cloud Firestore databases and maintain isolated recovery data | 11.2; 11.4 | CIS Controls v8 IG1 11.2; 11.4 - Data Recovery: Perform automated backups of in-scope enterprise assets weekly or more frequently, and maintain isolated recovery data through version controlling backup destinations via offline, cloud, or off-site systems. |
| persistent-disk-in-backup-plan | Perform automated backups for Persistent Disks and maintain isolated recovery data | 11.2; 11.4 | CIS Controls v8 IG1 11.2; 11.4 - Data Recovery: Ensure automated backups are configured for critical data. Persistent Disks should be included in backup plans using snapshots or backup policies to maintain isolated recovery data. |
| cloud-storage-bucket-cross-region-replication-enabled | Perform automated backups for Cloud Storage buckets with cross-region replication and maintain isolated recovery data | 11.2; 11.4 | CIS Controls v8 IG1 11.2; 11.4 - Data Recovery: Perform automated backups of in-scope enterprise assets weekly or more frequently, and maintain isolated recovery data through version controlling backup destinations via offline, cloud, or off-site systems. |
| compute-engine-optimized-instance | Ensure Compute Engine instances are optimized for backup and maintain isolated recovery data | 11.2; 11.4 | CIS Controls v8 IG1 11.2; 11.4 - Data Recovery: Perform automated backups of in-scope enterprise assets weekly or more frequently, and maintain isolated recovery data through version controlling backup destinations via offline, cloud, or off-site systems. |
| cloud-firestore-pitr-enabled | Ensure Cloud Firestore point-in-time recovery is enabled and maintain isolated recovery data | 11.2; 11.4 | CIS Controls v8 IG1 11.2; 11.4 - Data Recovery: Perform automated backups of in-scope enterprise assets weekly or more frequently, and maintain isolated recovery data through version controlling backup destinations via offline, cloud, or off-site systems. |
| cloud-sql-backup-enabled | Ensure Cloud SQL backup is enabled and maintain isolated recovery data | 11.2; 11.4 | CIS Controls v8 IG1 11.2; 11.4 - Data Recovery: Perform automated backups of in-scope enterprise assets weekly or more frequently, and maintain isolated recovery data through version controlling backup destinations via offline, cloud, or off-site systems. |
| compute-engine-instance-os-config-managed | Ensure Compute Engine instances are managed with OS Config | 12.1 | Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network as a service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. |
| certificate-manager-certificate-lifecycle-management | Ensure proper certificate lifecycle management to prevent expiration | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| cloud-sql-enhanced-networking-enabled | Ensure Cloud SQL enhanced networking is enabled | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| cloud-firestore-autoscaling-enabled | Ensure Cloud Firestore autoscaling is enabled | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| load-balancer-cross-region-load-balancing-enabled | Ensure Load Balancer cross-region load balancing is enabled | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| load-balancer-deletion-protection-enabled | Ensure Load Balancer has high availability configuration | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| cloud-sql-instance-deletion-protection-enabled | Ensure Cloud SQL instance deletion protection is enabled | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| cloud-sql-multi-region-support | Ensure Cloud SQL multi-region support is enabled | 12.2 | Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. |
| load-balancer-cloud-armor-enabled | Ensure Load Balancer has Cloud Armor enabled for network monitoring and defense | 13.1 | Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. |
| cloud-build-trigger-envvar-gcpcred-check | Ensure Cloud Build trigger environment variables do not contain GCP credentials | 16.1; 16.12 | CIS Controls v8 IG2 16.1 and IG3 16.12 - Application Security: Establish and maintain a secure application development process addressing secure coding practices, developer training, vulnerability management, security of third-party code, application security testing procedures, and code-level security checks. |
| cloud-build-trigger-source-repo-url-check | Ensure Cloud Build trigger source repository URLs use secure protocols | 16.1; 16.12 | CIS Controls v8 IG2 16.1 and IG3 16.12 - Application Security: Establish and maintain a secure application development process addressing secure coding practices, developer training, vulnerability management, security of third-party code, application security testing procedures, and code-level security checks. |