Remediating findings

This topic describes how to remediate findings in reports.

A report combines findings from Security Command Center with inventory data from Cloud Asset Inventory to give an aggregate view of risk across your organization. These reports are aligned with the CIS Google Cloud Computing Foundations Benchmark v1.2.0. For more information on this framework, see CIS Benchmarks.

As a best practice, start by remediating the findings that have the highest impact, as indicated in a Cyber Insurance Hub report.

Before you begin

Create a report.

Remediating CIS Benchmark findings

Cyber Insurance Hub integrates with the Security Command Center Premium tier to simplify the remediation of CIS Benchmark findings. If you're a Security Command Center Standard tier customer, you can't use Security Command Center to inspect and remediate every individual CIS Benchmark finding on your Google Cloud resources; upgrade to the Premium tier to get full support. See Onboarding to Cyber Insurance Hub for more information.

Remediating CIS Benchmark findings with Security Command Center Premium tier

To inspect and remediate individual findings using Security Command Center, follow these steps:

  1. In a report, in the table of CIS benchmark topics, expand a CIS Benchmark topic to view the CIS Benchmarks for that topic.

  2. In a CIS Benchmark table row, click the finding count.

    This opens Security Command Center, filtered to the active findings for that CIS Benchmark.

  3. In Security Command Center, in the table of findings, click the category of the finding that you want to remediate.

    A pane opens with information on how to remediate that finding.

Remediating CIS Benchmark findings without Security Command Center Premium tier

To view instructions on how to remediate findings for CIS Benchmarks supported by Cyber Insurance Hub, follow these steps:

  1. In a report, in the table of CIS benchmark topics, expand a CIS Benchmark topic to view the CIS Benchmarks for that topic.

  2. In a CIS Benchmark table row, click the CIS Benchmark description.

    This links to the remediation instructions for that CIS Benchmark.

Alternatively, use the list below of the CIS Benchmarks supported by Cyber Insurance Hub, grouped by benchmark section; each entry corresponds to the remediation instructions for that benchmark:

Identity and Access Management
1.1 Ensure that corporate login credentials are used
1.2 Ensure that multi-factor authentication is enabled for all non-service accounts
1.4 Ensure that there are only GCP-managed service account keys for each service account
1.5 Ensure that Service Account has no Admin privileges
1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users
1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
1.10 Ensure KMS encryption keys are rotated within a period of 90 days
1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
1.12 Ensure API keys are not created for a project
1.13 Ensure API keys are restricted to use by only specified Hosts and Apps
1.14 Ensure API keys are restricted to only APIs that application needs access
1.15 Ensure API keys are rotated every 90 days
Logging and Monitoring
2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
2.2 Ensure that sinks are configured for all log entries
2.3 Ensure that retention policies on log buckets are configured using Bucket Lock
2.4 Ensure log metric filter and alerts exist for project ownership assignments/changes
2.5 Ensure that the log metric filter and alerts exist for Audit Configuration changes
2.6 Ensure that the log metric filter and alerts exist for Custom Role changes
2.7 Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes
2.8 Ensure that the log metric filter and alerts exist for VPC network route changes
2.9 Ensure that the log metric filter and alerts exist for VPC network changes
2.10 Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes
2.11 Ensure that the log metric filter and alerts exist for SQL instance configuration changes
2.12 Ensure that Cloud DNS logging is enabled for all VPC networks
Networking
3.1 Ensure that the default network does not exist in a project
3.2 Ensure legacy network does not exist for a project
3.3 Ensure that DNSSEC is enabled for Cloud DNS
3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
3.6 Ensure that SSH access is restricted from the internet
3.7 Ensure that RDP access is restricted from the Internet
3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network
3.9 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Virtual Machines
4.1 Ensure that instances are not configured to use the default service account
4.2 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
4.3 Ensure "Block Project-wide SSH keys" is enabled for VM instances
4.4 Ensure oslogin is enabled for a Project
4.5 Ensure "Enable connecting to serial ports" is not enabled for VM Instance
4.6 Ensure that IP forwarding is not enabled on Instances
4.7 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
4.8 Ensure Compute instances are launched with Shielded VM enabled
4.9 Ensure that Compute instances do not have public IP addresses
4.11 Ensure that Compute instances have Confidential Computing enabled
Storage
5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible
5.2 Ensure that Cloud Storage buckets have uniform bucket-level access enabled
Cloud SQL Database Services
6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges
6.1.2 Ensure "skip_show_database" database flag for Cloud SQL MySQL instance is set to "on"
6.1.3 Ensure that the "local_infile" database flag for a Cloud SQL MySQL instance is set to "off"
6.2.1 Ensure that the "log_checkpoints" database flag for Cloud SQL PostgreSQL instance is set to "on"
6.2.2 Ensure "log_error_verbosity" database flag for Cloud SQL PostgreSQL instance is set to "DEFAULT" or stricter
6.2.3 Ensure that the "log_connections" database flag for Cloud SQL PostgreSQL instance is set to "on"
6.2.4 Ensure that the "log_disconnections" database flag for Cloud SQL PostgreSQL instance is set to "on"
6.2.5 Ensure "log_duration" database flag for Cloud SQL PostgreSQL instance is set to "on"
6.2.6 Ensure that the "log_lock_waits" database flag for Cloud SQL PostgreSQL instance is set to "on"
6.2.7 Ensure "log_statement" database flag for Cloud SQL PostgreSQL instance is set appropriately
6.2.8 Ensure "log_hostname" database flag for Cloud SQL PostgreSQL instance is set appropriately
6.2.9 Ensure "log_parser_stats" database flag for Cloud SQL PostgreSQL instance is set to "off"
6.2.10 Ensure "log_planner_stats" database flag for Cloud SQL PostgreSQL instance is set to "off"
6.2.11 Ensure "log_executor_stats" database flag for Cloud SQL PostgreSQL instance is set to "off"
6.2.12 Ensure "log_statement_stats" database flag for Cloud SQL PostgreSQL instance is set to "off"
6.2.13 Ensure that the "log_min_messages" database flag for Cloud SQL PostgreSQL instance is set appropriately
6.2.14 Ensure "log_min_error_statement" database flag for Cloud SQL PostgreSQL instance is set to "Error" or stricter
6.2.15 Ensure that the "log_temp_files" database flag for Cloud SQL PostgreSQL instance is set to "0"
6.2.16 Ensure that the "log_min_duration_statement" database flag for Cloud SQL PostgreSQL instance is set to "-1"
6.3.1 Ensure "external scripts enabled" database flag for Cloud SQL SQL Server instance is set to "off"
6.3.2 Ensure that the "cross db ownership chaining" database flag for Cloud SQL SQL Server instance is set to "off"
6.3.3 Ensure "user connections" database flag for Cloud SQL SQL Server instance is set as appropriate
6.3.4 Ensure "user options" database flag for Cloud SQL SQL Server instance is not configured
6.3.5 Ensure "remote access" database flag for Cloud SQL SQL Server instance is set to "off"
6.3.6 Ensure "3625 (trace flag)" database flag for Cloud SQL SQL Server instance is set to "off"
6.3.7 Ensure that the "contained database authentication" database flag for Cloud SQL on the SQL Server instance is set to "off"
6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
6.5 Ensure that Cloud SQL database instances are not open to the world
6.6 Ensure that Cloud SQL database instances do not have public IPs
6.7 Ensure that Cloud SQL database instances are configured with automated backups
BigQuery
7.1 Ensure that BigQuery datasets are not anonymously or publicly accessible
7.2 Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)
7.3 Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets
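The two procedures above locate a finding and its remediation instructions through the console. What follows is an added example, not code from the original page or from Cyber Insurance Hub, showing what the same remediation looks like from the command line for a handful of the benchmarks listed: it evaluates a constructed set of inventory records (the field names are simplified assumptions, not the Cloud Asset Inventory schema) against CIS 1.4, 1.7, 3.6, 3.7, 4.9, 5.1, 6.4 and 6.5, orders the failures highest impact first as recommended at the top of this page (the impact ranks are illustrative, not the hub's scoring), and prints the gcloud command that fixes each one. TRUSTED_CIDR and the access-config name "External NAT" are placeholders to adjust for your environment.

```python
"""Offline triage for a few of the CIS benchmarks listed above (added example).
Evaluates constructed inventory records, orders failures highest impact first
and prints the gcloud command that remediates each. Field names are simplified
assumptions, not the Cloud Asset Inventory schema; impact ranks are illustrative.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real resources). 0.0.0.0/0, allUsers and
# an old user-managed key are the conditions the listed checks flag.
INVENTORY = {
    "firewalls": [
        {"name": "allow-ssh-anywhere", "direction": "INGRESS", "action": "allow",
         "source_ranges": ["0.0.0.0/0"], "ports": {"tcp": ["22"]}},
        {"name": "allow-rdp-office", "direction": "INGRESS", "action": "allow",
         "source_ranges": ["203.0.113.0/24"], "ports": {"tcp": ["3389"]}},
        {"name": "allow-all-public", "direction": "INGRESS", "action": "allow",
         "source_ranges": ["0.0.0.0/0"], "ports": {"tcp": ["1-65535"]}},
    ],
    "instances": [
        {"name": "web-1", "zone": "us-central1-a", "external_ip": "198.51.100.7"},
    ],
    "buckets": [
        {"name": "public-assets",
         "bindings": {"roles/storage.objectViewer": ["allUsers"]}},
        {"name": "private-backups",
         "bindings": {"roles/storage.admin": ["user:ops@example.com"]}},
    ],
    "sql_instances": [
        {"name": "prod-mysql", "authorized_networks": ["0.0.0.0/0"],
         "require_ssl": False},
    ],
    "sa_keys": [
        {"sa": "ci@example-project.iam.gserviceaccount.com", "key_id": "a1b2c3",
         "type": "USER_MANAGED", "created": "2023-01-01T00:00:00Z"},
    ],
}
# Fixed "now" so the key-age check (CIS 1.7) is reproducible.
AS_OF = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _port_matches(spec, port):
    """True if a firewall port spec such as "22" or "1-65535" covers port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _open_from_internet(rule, port):
    """CIS 3.6/3.7 condition: ingress allow from 0.0.0.0/0 that reaches port."""
    return (rule["direction"] == "INGRESS" and rule["action"] == "allow"
            and "0.0.0.0/0" in rule["source_ranges"]
            and any(_port_matches(p, port) for p in rule["ports"].get("tcp", [])))


def triage(inv, now):
    """Return (impact_rank, cis_id, resource, gcloud_command) sorted by impact.

    Rank 1 = data or service reachable from the internet, 2 = exposure that
    needs a second weakness to exploit, 3 = credential hygiene. Placeholders
    such as TRUSTED_CIDR must be filled in before a command is run.
    """
    found = []
    for r in inv["firewalls"]:
        for cis_id, port in (("3.6", 22), ("3.7", 3389)):
            if _open_from_internet(r, port):
                found.append((1, cis_id, r["name"],
                              f"gcloud compute firewall-rules update {r['name']} "
                              "--source-ranges=TRUSTED_CIDR"))
    for i in inv["instances"]:
        if i["external_ip"]:  # 4.9: Compute instances should not have public IPs
            found.append((2, "4.9", i["name"],
                          f"gcloud compute instances delete-access-config {i['name']} "
                          f"--zone={i['zone']} --access-config-name=\"External NAT\""))
    for b in inv["buckets"]:  # 5.1: no allUsers / allAuthenticatedUsers bindings
        for role, members in b["bindings"].items():
            for m in members:
                if m in ("allUsers", "allAuthenticatedUsers"):
                    found.append((1, "5.1", b["name"],
                                  "gcloud storage buckets remove-iam-policy-binding "
                                  f"gs://{b['name']} --member={m} --role={role}"))
    for s in inv["sql_instances"]:
        if "0.0.0.0/0" in s["authorized_networks"]:  # 6.5: open to the world
            found.append((1, "6.5", s["name"],
                          f"gcloud sql instances patch {s['name']} --clear-authorized-networks"))
        if not s["require_ssl"]:  # 6.4: require SSL on incoming connections
            found.append((2, "6.4", s["name"],
                          f"gcloud sql instances patch {s['name']} --require-ssl"))
    for k in inv["sa_keys"]:
        if k["type"] != "USER_MANAGED":
            continue
        delete = f"gcloud iam service-accounts keys delete {k['key_id']} --iam-account={k['sa']}"
        found.append((3, "1.4", k["key_id"], delete))  # 1.4: only Google-managed keys
        age = now - datetime.fromisoformat(k["created"].replace("Z", "+00:00"))
        if age > timedelta(days=90):  # 1.7: issue a new key first, then delete this one
            found.append((3, "1.7", k["key_id"], delete))
    return sorted(found)


if __name__ == "__main__":
    for rank, cis_id, resource, cmd in triage(INVENTORY, AS_OF):
        print(f"[impact {rank}] CIS {cis_id} on {resource}\n    {cmd}")
```

Review each printed command before running it: for 1.7 the workload must be issued a replacement key before the old one is deleted, tightening a firewall rule's source range can cut off legitimate administrative access, and removing an instance's external IP breaks anything that reaches it directly rather than through a load balancer or IAP.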

What's next?