Policy Templates for GCP
Google Cloud Platform (GCP)
This table lists the Policy Templates provided for use with Google Cloud Platform (GCP).
For response actions, see Auto-Remediation of Google Cloud Platform (GCP) Incidents.
For instructions on how to find Policy templates that are new or updated due to changed recommendations, see Find New and Updated Policy Templates.
| Policy Name | Resource/ Entity type |
Skyhigh CASB Recommended | CIS v1.0.0 Level 1 | CIS v1.0.0 Level 2 | CIS v1.1.0 Level 1 | CIS v1.1.0 Level 2 | PCI DSS v3.2 | HIPAA | NIST 800-53 Rev4 | Policy Description |
|---|---|---|---|---|---|---|---|---|---|---|
| Firewall Rules should not have unrestricted CIFS access | Network | 1.2.1 | 164.312(e)(2)(i) | Ensure that access through port 445 (CIFS) is restricted to required entities only. CIFS is a commonly used protocol for communication and sharing data. Unrestricted access could lead to unauthorized access to data. | ||||||
| Firewall Rules should not have unrestricted DNS access | Network | 1.2.1 | 164.312(e)(2)(i) | If you are using DNS, ensure that access through port 53 is restricted to required entities only. | ||||||
| Firewall Rules should not have unrestricted FTP access | Network | 1.2.1 | 164.312(e)(2)(i) | Ensure that access through port 20/21 (FTP) is restricted to required entities only. FTP is a commonly used protocol for sharing data. Unrestricted access could lead to unauthorized access to data or lead to an accidental breach. | ||||||
| Firewall Rules should not have unrestricted MongoDB access | Network | 1.2.1, 1.3.1, 1.3.2 | 164.312(e)(2)(i) | SC-7 | If you are using MongoDB, ensure that access through port 27017, used for MongoDB, is restricted to required entities only. | |||||
| Firewall Rules should not have unrestricted MSSQL access | Network | 1.2.1 | If you are using MSSQL, ensure that access through port 1433, used for MSSQL, is restricted to required entities only. | |||||||
| Firewall Rules should not have unrestricted MSSQL (UDP) access | Network | 1.2.1 | Check your security groups for inbound rules that allow unrestricted access to UDP port 1433 and restrict access to required IP addresses only. UDP port 1433 is used by the Microsoft SQL Server. | |||||||
| Firewall Rules should not have unrestricted MySQL access | Network | 1.2.1 | 164.312(e)(2)(i) | If you are using MySQL, ensure that access through port 3306, used for MySQL, is restricted to required entities only. | ||||||
| Firewall Rules should not have unrestricted NETBIOS access | Network | 1.2.1 | 164.312(e)(2)(i) | If you are using NetBIOS, ensure that access through port 137 to 139 are restricted to required entities only. | ||||||
| Firewall Rules should not have unrestricted Oracle DB access | Network | 1.2.1, 1.3.1, 1.3.2 | 164.312(e)(2)(i) | SC-7 | If you are using Oracle DB, ensure that access through port 1521, used for Oracle DB, is restricted to required entities only. | |||||
| Firewall Rules should not have unrestricted PostgreSQL access | Network | 1.2.1 | 164.312(e)(2)(i) | If you are using PostgreSQL, ensure that access through port 5432, used for PostgreSQL, is restricted to required entities only. | ||||||
| Firewall Rules should not have unrestricted RDP access | Network | 3.7 | 3.7 | 1.2.1, 1.3.1, 1.3.2 | 164.312(e)(2)(i) | SC-7 | If you are using Remote Desktop, ensure that access through port 3389, used for Remote Desktop, is restricted to required entities only. | |||
| Firewall Rules should not have unrestricted RPC access | Network | 1.2.1 | If you are using RPC, ensure that access through port 135, used for RPC, is restricted to required entities only. | |||||||
| Firewall Rules should not have unrestricted SMTP access | Network | 1.2.1 | 164.312(e)(2)(i) | If you are using SMTP, ensure that access through port 25, used for SMTP, is restricted to required entities only. Unrestricted SMTP access can be misused to spam your enterprise, DDOS, etc. | ||||||
| Firewall Rules should not have unrestricted SSH access | Network | 3.6 | 3.6 | 1.2.1, 1.3.1, 1.3.2 | 164.312(e)(2)(i) | SC-7 | If you are using SSH, ensure that access through port 22, used for SSH, is restricted to required entities only. | |||
| Firewall Rules should not have unrestricted Telnet access | Network | 1.2.1 | 164.312(e)(2)(i) | If you are using Telnet, ensure that access through port 23, used for Telnet, is restricted to required entities only. | ||||||
| Firewall Rules should not have unrestricted VNC Listener access | Network | 1.2.1 | Check your security groups for inbound rules that allow unrestricted access to TCP port 5500 and restrict access to required IP addresses only. TCP port 5500 is used by the VNC Listener | |||||||
| Firewall Rules should not have unrestricted VNC Server access | Network | 1.2.1 | Check your security groups for inbound rules that allow unrestricted access to TCP port 5900 and restrict access to required IP addresses only. TCP port 5900 is used by the VNC Server | |||||||
| Cloud storage buckets should not be publicly accessible | Storage | 5.1 | 5.1 | 9.1.2, 6.6 | 164.312(a)(1), 164.312(b), 164.312(c)(1) | AC-14, AU-3, SC-7, AC-3 | Risk of unauthorized access or loss of customer data increases with unrestricted access to cloud buckets | |||
| Logging should be enabled for cloud storage buckets | Storage | 5.3 | Deleted | 10.1,10.5 | 164.312(b) | AU-3, AC-2 | Verify if logging is enabled on your cloud storage buckets | |||
| Incoming connections to Cloud SQL database instance should use SSL | SqLServices | 6.1 | 6.4 | 164.312(e)(2)(ii) | Verify if all incoming connections to Cloud SQL database uses SSL encryption | |||||
| Cloud SQL database instances should not have unrestricted access | SQLServices | 6.2 | 6.5 | 164.312(d) | Risk of unauthorized access or loss of customer data increases with unrestricted access to cloud sql database instances | |||||
| Corporate login credentials should be used instead of Gmail accounts | GcpIAMPolicy | 1.1 | 1.1 | 7.2 | 164.308(a)(4)(ii)(B), 164.312(a)(2)(i) | AC-6 ,AC-5, CM-7 | Use corporate login credentials instead of Gmail accounts | |||
| Service account should not have admin privileges | IAM | 1.4 | 1.5 | A service account is a special Google account that belongs to your application or a VM,instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. | ||||||
| IAM users should not be assigned service account user role at project level | IAM | 1.5 | 1.6 | 164.312(a)(1) | It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. | |||||
| Separation of duties should be enforced while assigning service account related roles to users | IAM | 1.7 | 1.8 | It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. | ||||||
| Cloud Instances should not be configured to use default service account with full access to all cloud APIs | Virtual Machines | 4.1 | 4.2 | 7.1.2 | AC-6, AC-5, CM-7 | Full access to all Cloud APIs will allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation. | ||||
| Separation of duties should be enforced while assigning KMS related roles to users | IAM | 1.9 | 1.11 | The principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. | ||||||
| Default network should not exist in a project | Network | 3.1 | 3.1 | 1.3, 1.3.1, 1.3.2, 1.2.1, 2.1, 2.2.2 | SC-7, AC-17, CA-3, CM-7 | To prevent use of default network, a project should not have a default network. | ||||
| Legacy networks should not exist in a project | Project | 3.2 | 3.2 | In order to prevent use of legacy networks, a project should not have a legacy network configured. | ||||||
| IP forwarding should not be enabled on instances | Virtual Machines | 4.5 | 4.6 | Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP wont deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure. | ||||||
| Private Google access should be enabled for all subnetworks in VPC network | Subnet | 3.8 | Deleted | 1.3.1, 1.3.2 | SC-7 | Private Google Access enables virtual machine instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. | ||||
| VPC Flow logs should be enabled for all subnet in VPC Network | Network | 3.9 | 3.8 | Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. After you've created a flow log, you can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business critical VPC subnet. | ||||||
| Block Project wide SSH keys should be enabled for Virtual Machine Instances | Virtual Machines | 4.2 | 4.3 | 3.4.1 | SC-13, SC-8 | Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. | ||||
| "Enable Connecting to serial ports" should not be enabled for VM Instance | Virtual Machines | 4.4 | 4.5 | 1.3.1, 1.3.2 | SC-7 | Enabling Connection to serial ports clients will allow any user to connect to that instance from any IP address. | ||||
| oslogin should be enabled for a project | Project | 4.3 | 4.4 | 3.4.1 | SC-13 ,SC-8 | Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. | ||||
| Encryption keys should be rotated within a period of 365 days | IAM | 1.8 | A key is used to protect some corpus of data. You could encrypt a collection of files with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Hence it's necessary to make sure rotation period is set to specific time | |||||||
| VM disks for critical VMs should be encrypted with Customer-Supplied Encryption Keys (CSEK) | Virtual Machines | 4.6 | 4.7 | 3.4.1 | SC-13 ,SC-8 | Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys. | ||||
| GCP resources should be tagged | Virtual Machines | 1.1.4, 1.1.1, 1.1.7 | CM-3 | Ensure that user-defined tags (metadata) are being used for labeling, collecting and organizing resources available within your GCP environment. | ||||||
| GCP resources should be tagged | Virtual Machines | 1.1.3, 12.2 | CM-8 | A tag is a label that you assign to a resource. Each tag consists of a key and an optional value, both of which you define. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Ensure that user-defined tags (metadata) are being used for labelling, collecting and organizing resources available within your environment. |
Deprecated Policies
| Policy Name | Resource/ Entity type |
Skyhigh CASB Recommended | CIS v1.0.0 Level 1 | CIS v1.0.0 Level 2 | CIS v1.1.0 Level 1 | CIS v1.1.0 Level 2 | PCI DSS v3.2 | HIPAA | NIST 800-53 Rev4 | Policy Description |
|---|---|---|---|---|---|---|---|---|---|---|
| Cloud MySQL database instance should not have unrestricted access | Network | 6.3 | 6.1.1 | Risk of unauthorized access or loss of customer data increases with unrestricted access to cloud MySQL database instance |