GCP Cloud Misconfiguration

| Name | Description |
| --- | --- |
| gcp-bq-anon-or-public | Ensure that BigQuery datasets are not anonymously or publicly accessible |
| gcp-gce-default-svcacct | Ensure that instances are not configured to use the default service account |
| gcp-gce-fw-public-rdp | Ensure Google compute firewall ingress does not allow unrestricted RDP access |
| gcp-gce-fw-public-ssh | Ensure Google compute firewall ingress does not allow unrestricted SSH access |
| gcp-gce-ip-fwd-on | Ensure that IP forwarding is not enabled on Instances |
| gcp-gce-public-ip | Ensure that Compute instances do not have public IP addresses |
| gcp-gce-serialport-on | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
| gcp-gcs-anon-or-public | Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
| gcp-gcs-logs-off | Bucket should log access |
| gcp-iam-svcacct-admin-role | Ensure that Service Account has no Admin privileges |
| gcp-iam-svcacct-allo-sudo | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level |
| gcp-k8s-basic-auth-on | Ensure GKE basic auth is disabled |
| gcp-k8s-legacy-instance-metadata-on | Ensure legacy Compute Engine instance metadata APIs are Disabled |
| gcp-k8s-legacy-rbac-on | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
| gcp-k8s-metadata-server-off | Ensure the GKE Metadata Server is Enabled |
| gcp-k8s-stackdriver-monitor-off | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
| gcp-k8s-strackdriver-logs-off | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
| gcp-kms-bad-key-rotation | Ensure KMS encryption keys are rotated within a period of 90 days |
| gcp-lb-ssl-weak-ciphers | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites |
| gcp-res-man-default-svcacct | Ensure Default Service account is not used at a project level |
| gcp-sql-backup-off | Ensure all Cloud SQL database instances have backup configuration enabled |
| gcp-sql-mysql-local_infile-on | Ensure MySQL database 'local_infile' flag is set to 'off' |
| gcp-sql-public-access | Ensure that Cloud SQL database Instances are not open to the world |
| gcp-sql-public-ip | Ensure SQL databases do not have a public IP |
| gcp-sql-ssl-off | Ensure all Cloud SQL database instances require all incoming connections to use SSL |