CIS Google Cloud Platform Foundations Benchmark
- Version: 3.0.0
- URL: https://www.cisecurity.org/benchmark/google_cloud_computing_platform
- Source of truth: pipeline_check/core/standards/data/cis_gcp_foundations.py
CIS Google Cloud Platform Foundations Benchmark, CI/CD-relevant subset. Covers IAM, Cloud Storage, Cloud KMS, and Cloud Logging controls.
At a glance
- Controls in this standard: 30
- Controls evidenced by at least one check: 29 / 30
- Distinct checks evidencing this standard: 50
- Of those, autofixable with --fix: 0
Severity levels (CRITICAL / HIGH / MEDIUM / LOW / INFO) follow the same scale across every provider and standard. See How to read severity on the standards overview for the definitions.
Coverage by control
Click a control ID to jump to the per-control section with the full check list. The severity mix column shows the spread of evidencing checks by severity (Critical / High / Medium / Low / Info).
| Control | Title | Checks | Severity mix |
|---|---|---|---|
| 1.4 | Ensure that Service Account has no Admin privileges | 3 | 1C · 1H · 1M |
| 1.5 | Ensure that Service Account Keys are managed and rotated | 2 | 2H |
| 1.6 | Ensure IAM Users are not assigned SA User or Token Creator roles at project level | 1 | 1H |
| 2.1 | Ensure Cloud Audit Logging is configured properly for all services and all users in a project | 2 | 1H · 1M |
| 2.2 | Ensure that sinks are configured for all log entries | 1 | 1M |
| 2.3 | Ensure log metric filter and alerts exist for Audit Configuration changes | 6 | 6M |
| 2.12 | Ensure that Cloud Audit Logging is configured properly | 2 | 1H · 1M |
| 5.1 | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | 7 | 3H · 4M |
| 5.2 | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | 1 | 1M |
| 7.1 | Ensure KMS Encryption Keys are rotated within a period of 365 days | 2 | 2M |
| 7.2 | Ensure KMS Encryption Keys are not anonymously or publicly accessible | 2 | 2H |
| 7.3 | Ensure KMS keys are protected by a Hardware Security Module (HSM) | 2 | 2L |
| 3.1 | Ensure the default network does not exist in a project | 1 | 1M |
| 3.6 | Ensure that SSH access is restricted from the Internet | 1 | 1C |
| 3.7 | Ensure that RDP access is restricted from the Internet | 1 | 1C |
| 3.8 | Ensure that VPC flow logs are enabled for every subnet in a VPC network | 4 | 3M · 1L |
| 3.9 | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | 1 | 1M |
| 3.10 | Ensure firewall rules logging is enabled | 1 | 1M |
| 4.1 | Ensure that instances are not configured to use default service accounts | 3 | 2H · 1L |
| 4.2 | Ensure instances are not configured to use default SA with full Cloud API access | 1 | 1H |
| 4.3 | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | 1 | 1M |
| 4.4 | Ensure oslogin is enabled for a project | 1 | 1M |
| 4.5 | Ensure 'Enable connecting to serial ports' is not enabled for a VM instance | 1 | 1M |
| 4.6 | Ensure that IP forwarding is not enabled on instances | 1 | 1H |
| 4.11 | Ensure Compute instances are launched with Shielded VM enabled | 1 | 1M |
| 6.1 | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | 2 | 1H · 1M |
| 6.2 | Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'on' | 0 | — |
| 6.5 | Ensure that Cloud SQL database instances are not open to the world | 1 | 1H |
| 6.6 | Ensure that Cloud SQL database instances do not have public IPs | 1 | 1H |
| 6.7 | Ensure that Cloud SQL database instances are configured with automated backups | 2 | 2M |
Filter at runtime
Restrict a scan to checks that evidence this standard with `--standard cis_gcp_foundations`:

```bash
# All providers, only checks tied to this standard
pipeline_check --standard cis_gcp_foundations

# Compose with --pipeline to scope by provider
pipeline_check --pipeline github --standard cis_gcp_foundations

# Compose with another standard to widen the lens
pipeline_check --pipeline aws --standard cis_gcp_foundations --standard owasp_cicd_top_10
```
Controls in scope
1.4: Ensure that Service Account has no Admin privileges
Evidenced by 3 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCIAM-001 | Service account has Owner or Editor role on project | CRITICAL | GCP | |
| GCIAM-005 | Domain-restricted sharing constraint not enforced | MEDIUM | GCP | |
| GCRUN-001 | Cloud Run service allows unauthenticated access | HIGH | GCP | |
1.5: Ensure that Service Account Keys are managed and rotated
Evidenced by 2 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCIAM-002 | Service account has user-managed key | HIGH | GCP | |
| GCIAM-006 | Service account key older than 90 days | HIGH | GCP | |
1.6: Ensure IAM Users are not assigned SA User or Token Creator roles at project level
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCIAM-003 | Service account token creator granted without constraint | HIGH | GCP | |
2.1: Ensure Cloud Audit Logging is configured properly for all services and all users in a project
Evidenced by 2 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCLOG-001 | Cloud Audit Logs not enabled for all services | HIGH | GCP | |
| GCLOG-006 | Critical service missing Data Access audit log types | MEDIUM | GCP | |
2.2: Ensure that sinks are configured for all log entries
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCLOG-002 | No log sink configured for audit logs | MEDIUM | GCP | |
2.3: Ensure log metric filter and alerts exist for Audit Configuration changes
Evidenced by 6 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCLOG-003 | Log bucket retention less than 365 days | MEDIUM | GCP | |
| GCLOG-007 | No log metric filter for IAM policy changes | MEDIUM | GCP | |
| GCLOG-008 | No log metric filter for firewall rule changes | MEDIUM | GCP | |
| GCLOG-009 | No log metric filter for route changes | MEDIUM | GCP | |
| GCLOG-010 | No log metric filter for Cloud SQL config changes | MEDIUM | GCP | |
| GCLOG-011 | No log metric filter for custom role changes | MEDIUM | GCP | |
2.12: Ensure that Cloud Audit Logging is configured properly
Evidenced by 2 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCLOG-001 | Cloud Audit Logs not enabled for all services | HIGH | GCP | |
| GCLOG-006 | Critical service missing Data Access audit log types | MEDIUM | GCP | |
5.1: Ensure that Cloud Storage bucket is not anonymously or publicly accessible
Evidenced by 7 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GAR-001 | Artifact Registry repository has no vulnerability scanning | HIGH | GCP | |
| GAR-002 | Artifact Registry repository is publicly readable | HIGH | GCP | |
| GAR-003 | Artifact Registry has no cleanup policy | MEDIUM | GCP | |
| GCS-001 | Cloud Storage bucket is publicly accessible | HIGH | GCP | |
| GCS-003 | Bucket versioning not enabled | MEDIUM | GCP | |
| GCS-004 | Cloud Storage bucket not encrypted with CMEK | MEDIUM | GCP | |
| GCS-005 | Cloud Storage bucket access logging not enabled | MEDIUM | GCP | |
5.2: Ensure that Cloud Storage buckets have uniform bucket-level access enabled
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCS-002 | Bucket does not enforce uniform bucket-level access | MEDIUM | GCP | |
7.1: Ensure KMS Encryption Keys are rotated within a period of 365 days
Evidenced by 2 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCKMS-001 | KMS key rotation period exceeds 365 days | MEDIUM | GCP | |
| GCKMS-005 | KMS key has primary version scheduled for destruction | MEDIUM | GCP | |
7.2: Ensure KMS Encryption Keys are not anonymously or publicly accessible
Evidenced by 2 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCKMS-002 | KMS key IAM policy grants public access | HIGH | GCP | |
| GCKMS-004 | KMS key ring IAM has overly broad bindings | HIGH | GCP | |
7.3: Ensure KMS keys are protected by a Hardware Security Module (HSM)
Evidenced by 2 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCKMS-003 | KMS key not using HSM protection level | LOW | GCP | |
| GCKMS-006 | KMS key uses imported (external) key material | LOW | GCP | |
3.1: Ensure the default network does not exist in a project
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCNET-001 | Default VPC network exists in project | MEDIUM | GCP | |
3.6: Ensure that SSH access is restricted from the Internet
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCNET-003 | Firewall allows SSH or RDP from the internet | CRITICAL | GCP | |
3.7: Ensure that RDP access is restricted from the Internet
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCNET-003 | Firewall allows SSH or RDP from the internet | CRITICAL | GCP | |
3.8: Ensure that VPC flow logs are enabled for every subnet in a VPC network
Evidenced by 4 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCLOG-004 | VPC Flow Logs not enabled on subnet | MEDIUM | GCP | |
| GCNET-004 | Subnet does not have Private Google Access enabled | MEDIUM | GCP | |
| GCNET-005 | No Cloud NAT gateway configured | LOW | GCP | |
| GCRUN-004 | Cloud Run service does not use a VPC connector | MEDIUM | GCP | |
3.9: Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCNET-002 | No default-deny ingress firewall rule configured | MEDIUM | GCP | |
3.10: Ensure firewall rules logging is enabled
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCLOG-005 | Firewall rule logging not enabled | MEDIUM | GCP | |
4.1: Ensure that instances are not configured to use default service accounts
Evidenced by 3 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCIAM-004 | Compute instance uses default service account | HIGH | GCP | |
| GCRUN-002 | Cloud Run service or function uses default compute SA | HIGH | GCP | |
| GCRUN-003 | Cloud Run service has zero minimum instances | LOW | GCP | |
4.2: Ensure instances are not configured to use default SA with full Cloud API access
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCIAM-004 | Compute instance uses default service account | HIGH | GCP | |
4.3: Ensure 'Block Project-wide SSH keys' is enabled for VM instances
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCCE-005 | Instance does not block project-wide SSH keys | MEDIUM | GCP | |
4.4: Ensure oslogin is enabled for a project
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCCE-002 | Compute instance does not have OS Login enabled | MEDIUM | GCP | |
4.5: Ensure 'Enable connecting to serial ports' is not enabled for a VM instance
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCCE-003 | Compute instance has serial port access enabled | MEDIUM | GCP | |
4.6: Ensure that IP forwarding is not enabled on instances
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCCE-004 | Compute instance has an external IP address | HIGH | GCP | |
4.11: Ensure Compute instances are launched with Shielded VM enabled
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCCE-001 | Compute instance does not have Shielded VM enabled | MEDIUM | GCP | |
6.1: Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges
Evidenced by 2 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCSQL-003 | Cloud SQL instance does not require SSL connections | HIGH | GCP | |
| GCSQL-004 | Cloud SQL instance does not have IAM authentication enabled | MEDIUM | GCP | |
6.2: Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'on'
No checks in this scanner currently evidence this control. Open an issue if your team would value coverage.
6.5: Ensure that Cloud SQL database instances are not open to the world
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCSQL-001 | Cloud SQL instance has a public IP address | HIGH | GCP | |
6.6: Ensure that Cloud SQL database instances do not have public IPs
Evidenced by 1 check across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCSQL-001 | Cloud SQL instance has a public IP address | HIGH | GCP | |
6.7: Ensure that Cloud SQL database instances are configured with automated backups
Evidenced by 2 checks across GCP.
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| GCSQL-002 | Cloud SQL instance does not have automated backups enabled | MEDIUM | GCP | |
| GCSQL-005 | Cloud SQL instance does not have point-in-time recovery enabled | MEDIUM | GCP | |
This page is generated. Edit `pipeline_check/core/standards/data/cis_gcp_foundations.py` (mappings) or `scripts/gen_standards_docs.py` (intro / per-control prose) and run `python scripts/gen_standards_docs.py cis_gcp_foundations`.