Overview
Statement
This security configuration benchmark covers foundational elements of Google Cloud. The recommendations detailed here are important security considerations when designing your infrastructure on Google Cloud. Most of the recommendations provided with this release of the benchmark cover security considerations only at the individual project level, not at the organization level.
Intended Audience
This document is intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions on Google Cloud.
Recommendations
Procedures and mapped controls
1. Identity and Access Management
Mapped controls
Ensure that corporate login credentials are used instead of Gmail accounts
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure that there are only GCP-managed service account keys for each service account
Ensure Service Account has no Admin privileges
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure API Keys are restricted to use by only specified hosts and apps
Ensure API Keys are restricted to use only APIs that application needs access to
Ensure API Keys Are Rotated Every 90 Days
Ensure Essential Contacts is Configured for Organization
Ensure Secrets are not stored in Cloud Functions environment variables by using Secret Manager
2. Logging and Monitoring
This section covers recommendations addressing Logging and Monitoring on Google Cloud.
Mapped controls
Ensure Cloud Audit Logging is configured properly across all services and all users from a project
Ensure sinks are configured for all Log entries
Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock
Ensure log metric filter and alerts exist for Project Ownership assignments/changes
Ensure log metric filter and alerts exist for Audit Configuration Changes
Ensure log metric filter and alerts exist for Custom Role changes
Ensure log metric filter and alerts exist for VPC Network Firewall rule changes
Ensure log metric filter and alerts exist for VPC network route changes
Ensure log metric filter and alerts exist for VPC network changes
Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes
Ensure log metric filter and alerts exist for SQL instance configuration changes
Ensure Cloud DNS Logging Is Enabled for All VPC Networks
Ensure Cloud Asset Inventory Is Enabled
Ensure Logging is enabled for HTTP(S) Load Balancers
3. Networking
Mapped controls
Ensure the default network does not exist in a project
Ensure legacy networks do not exist for a project
Ensure DNSSEC is enabled for Cloud DNS
Ensure RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Ensure RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Ensure management ports are restricted from the internet
Ensure VPC Flow logs is enabled for every subnet in a VPC Network
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
4. Virtual Machines
Mapped controls
Ensure instances are not configured to use the default service account
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure oslogin is enabled for a Project
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Ensure that IP forwarding is not enabled on Instances
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure Compute instances are launched with Shielded VM enabled
Ensure Compute instances do not have public IP addresses
Ensure App Engine Applications Enforce HTTPS Connections
Ensure Compute Instances have Confidential Computing Enabled
5. Storage
6. Cloud SQL Database Services
Mapped controls
Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'On'
Ensure the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'Off'
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Ensure the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'On'
Ensure the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'On'
Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Ensure the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Ensure the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (Disabled)
Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud SQL PostgreSQL instance is set to 'on' for centralized logging
Ensure Instance IP assignment is set to private
Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure the 'cross db ownership chaining' database flag for Cloud SQL on the SQL Server instance is set to 'Off'
Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set to a non-limiting value
Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Ensure the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure Cloud SQL database instances do not have public IPs
Ensure Cloud SQL database instances are configured with automated backups
7. BigQuery
Query logic
These are the stored checks tied to this framework.
Corporate login credentials are used instead of Gmail accounts
Connectors
Covered asset types
Expected check: eq []
GCPIAM1{...AssetFragment}
Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}
Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}
Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}
Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}
Entra users without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}
There are only GCP-managed service account keys for each service account
Connectors
Covered asset types
Expected check: eq []
{iamServiceAccounts(where:{hasIAMServiceAccountKeys_SOME:{keyType: "USER_MANAGED"}}){...AssetFragment}}
Ensure Service Account has no Admin privileges
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: {
hasIAMRole_SOME: {
OR: [
{ name: "roles/owner" }
{ name: "roles/editor" }
{ name_CONTAINS: "admin" }
]
}
}
) {
...AssetFragment
}
}
IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Connectors
Covered asset types
Expected check: eq []
GCP110IAM6{...AssetFragment}
User-managed/external keys for service accounts are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
GCPIAM5{...AssetFragment}
Separation of duties is enforced while assigning service account related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountAdmin"
}
}
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountUser"
}
}
]
}
) {
...AssetFragment
}
}
Cloud KMS cryptokeys are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}
KMS encryption keys are rotated within a period of 90 days
Connectors
Covered asset types
Expected check: eq []
GCP110IAM10{...AssetFragment}
GCP API Keys are restricted based on hosts and apps
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
clientRestrictions: []
}
) {
...AssetFragment
}
}
GCP API Keys are restricted based on APIs
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
apiRestrictions: []
}
) {
...AssetFragment
}
}
API Keys rotation
Connectors
Covered asset types
Expected check: eq []
{
APIKeysRotation(days: 90) {...AssetFragment}
}
Essential Contacts Set
Connectors
Covered asset types
Expected check: eq []
EssentialContactsSetOnConnector{...AssetFragment}
Ensure Secrets are not stored in Cloud Functions environment variables by using Secret Manager
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
envVars_SOME: {
key_MATCHES: "(?i).*(api|key|secret|token|password|access|id|auth|app|client|credential|security|private|public|authorization|confidential|encryption|hmac|signature|passphrase|session|authentication|verify|oauth|ssl|tls|jwt|service_account|code|secure|sudo).*"
}
}
) {
...AssetFragment
}
}
Cloud Audit Logging is configured properly across all services and all users from a project
Connectors
Covered asset types
Expected check: eq []
GCPLogging1{...AssetFragment}
Sinks are configured for all Log entries
Connectors
Covered asset types
Expected check: eq []
GCPLogging2{...AssetFragment}
Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}
Log metric filter and alerts exist for Project Ownership assignments/changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging4{...AssetFragment}
Log metric filter and alerts exist for Audit Configuration Changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging5{...AssetFragment}
Log metric filter and alerts exist for Custom Role changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging6{...AssetFragment}
Log metric filter and alerts exist for VPC Network Firewall rule changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging7{...AssetFragment}
Log metric filter and alerts exist for VPC network route changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging8{...AssetFragment}
Log metric filter and alerts exist for VPC network changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging9{...AssetFragment}
Log metric filter and alerts exist for Cloud Storage IAM permission changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging10{...AssetFragment}
Log metric filter and alerts exist for SQL instance configuration changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging11{...AssetFragment}
Google Cloud VPCs without DNS logging
Connectors
Covered asset types
Expected check: eq []
{
vpcs(where: { dnsPolicy_NONE: { NOT: { enableLogging_IN: ["true"] } } }) {
...AssetFragment
}
}
Google Cloud Projects Without Asset Inventory
Connectors
Covered asset types
Expected check: eq []
{
projects(
where: { NOT: { enabledServices_INCLUDES: "cloudasset.googleapis.com" } }
) {
...AssetFragment
}
}
Google Cloud Load Balancers without logging
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: { backendServices_ALL: { NOT: { logConfigEnabled: true } } }
) {
...AssetFragment
}
}
The default network does not exist in a project
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{name:"default"}){...AssetFragment}
Legacy networks do not exist for a project
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{IPv4Range_NOT:"" gatewayIPv4_NOT:""}){...AssetFragment}
DNSSEC is enabled for Cloud DNS
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{dnsSecConfigState_NOT:"on"}){...AssetFragment}
RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"keySigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}
RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"zoneSigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}
Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
VPC Flow logs is enabled for every subnet in a VPC Network
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{hasSubnetwork_SOME:{enableFlowLogs:false}}){...AssetFragment}
No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA384"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA384"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}
Instances are not configured to use the default service account
Connectors
Covered asset types
Expected check: eq []
vms(where: {serviceAccountEmail_CONTAINS: "[email protected]"}) {...AssetFragment}
Instances are not configured to use the default service account with full access to all Cloud APIs
Connectors
Covered asset types
Expected check: eq []
GCPVM1{...AssetFragment}
"Block Project-wide SSH keys" is enabled for VM instances
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"block-project-ssh-keys" value:"false"}}){...AssetFragment}
OS Login is enabled for a Project
Connectors
Covered asset types
Expected check: eq []
projects(where:{hasCommonInstanceMetadataItem_SOME:{key:"os-login",value:"false"}}){...AssetFragment}
'Enable connecting to serial ports' is not enabled for VM Instance
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"serial-port-enable",value:"true"}}){...AssetFragment}
IP forwarding is not enabled on Instances
Connectors
Covered asset types
Expected check: eq []
vms(where:{canIPForward:true}){...AssetFragment}
VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Connectors
Covered asset types
Expected check: eq []
disks(where:{encryptedWithCustomerSuppliedKey: false }){...AssetFragment}
GCP VMs with security features disabled
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
OR: [
{ shieldedInstanceConfigEnableVtpm: false }
{ shieldedInstanceConfigEnableSecureBoot: false }
{ shieldedInstanceConfigEnableIntegrityMonitoring: false }
]
}
) {
...AssetFragment
}
}
Compute instances do not have public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
}
) {
...AssetFragment
}
}
App Engine Allowing Plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
appEngineServices(
where: {
serviceVersions_NONE: {
urlHandlers_SOME: {
urlRegex_IN: ["/.*", ".*"]
securityLevel_IN: ["SECURE_ALWAYS"]
}
}
}
) {
...AssetFragment
}
}
Ensure That Compute Instances Have Confidential Computing Enabled
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { cloudProvider: "gcp", NOT:{enableConfidentialCompute: true} }) {
...AssetFragment
}
}
Cloud Storage buckets have uniform bucket-level access enabled
Connectors
Covered asset types
Expected check: eq []
buckets(where:{iamConfigurationUniformBucketLevelAccessEnabled:false}){...AssetFragment}
Publicly Accessible AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "aws"
publicAccessBlocked: false
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
{
granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
}
]
permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Azure Blob Containers
Connectors
Covered asset types
Expected check: eq []
{
blobContainers(
where: {
cloudProvider: "azure"
publicAccessBlocked: false
publicAccess_IN: ["Blob", "Container"]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "gcp"
publicAccessBlocked: false
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{
permissions_INCLUDES: "storage.multipartUploads.create"
}
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "alibaba"
publicAccessBlocked: false
OR: [
{ acl_IN: ["public-read", "public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'On'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "mysql"
cloudProvider: "gcp"
OR: [
{ dbFlags_NONE: { name: "skip_show_database" } }
{ dbFlags_SOME: { name: "skip_show_database", value: "off" } }
]
}
) {
...AssetFragment
}}
The 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "mysql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "local_infile" } } { dbFlags_SOME: { name: "local_infile", value: "on" } } ] } ) { ...AssetFragment }}
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_error_verbosity", value: "verbose" }
}
) {
...AssetFragment
}
}
The 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_connections" } } { dbFlags_SOME: { name: "log_connections", value: "off" } } ] } ) { ...AssetFragment }}
The 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_disconnections" } } { dbFlags_SOME: { name: "log_disconnections", value: "off" } } ] } ) { ...AssetFragment }}
Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_NONE: { name: "log_statement" }
}
) {
...AssetFragment
}
}
The 'log_min_messages' database flag for a Cloud SQL PostgreSQL instance is set
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" dbFlags_SOME: { name: "log_min_messages" NOT: { value_IN: ["error", "log", "fatal", "panic"] } } } ) { ...AssetFragment }}
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_min_error_statement", NOT: {value_IN: ["error", "log", "fatal", "panic"]} }
}
) {
...AssetFragment
}
}
The 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" dbFlags_SOME: { name: "log_min_duration_statement", NOT: { value: "-1" } } } ) { ...AssetFragment }}
Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud SQL PostgreSQL instance is set to 'on' for centralized logging
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "cloudsql.enable_pgaudit" }}, {dbFlags_SOME: {name: "cloudsql.enable_pgaudit", value: "off"}}]
}
) {
...AssetFragment
}
}
Ensure Instance IP assignment is set to private
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
ipAddresses_SOME: { NOT: { type: "PRIVATE" } }
}
) {
...AssetFragment
}
}
Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
dbFlags_SOME: { name: "external scripts enabled",value: "on" }
}
) {
...AssetFragment
}
}
The 'cross db ownership chaining' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "sqlserver" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "cross db ownership chaining" } } { dbFlags_SOME: { name: "cross db ownership chaining", value: "on" } } ] } ) { ...AssetFragment }}
Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set to a non-limiting value
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
engine: "sqlserver"
dbFlags_SOME: { name: "user connections" }
}
) {
...AssetFragment
}
}
Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
dbFlags_SOME: { name: "user options" }
}
) {
...AssetFragment
}
}
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "remote access" }}, {dbFlags_SOME: {name: "remote access", value: "on"}}]
}
) {
...AssetFragment
}
}
Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "3625" }}, {dbFlags_SOME: {name: "3625", value: "off"}}]
}
) {
...AssetFragment
}
}
The 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "sqlserver" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "contained database authentication" } } { dbFlags_SOME: { name: "contained database authentication" value: "on" } } ] } ) { ...AssetFragment }}
Cloud SQL database instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsIPConfigurationRequireSsl:false}){...AssetFragment}
Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
networkSettings_SOME: {
authorizedNetworks_SOME: {
OR: [{ cidrValue: "0.0.0.0/0" }, { cidrValue: "::/0" }]
}
}
}
) {
...AssetFragment
}
}
Cloud SQL database instances do not have public IPs
Connectors
Covered asset types
Expected check: eq []
{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}
Cloud SQL database instances are configured with automated backups
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsBackupConfigurationEnabled:false}){...AssetFragment}
BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}