Predefined posture template for CIS Benchmark v2.0

This page describes the detective policies that are included in the v1.0 version of the predefined posture template for Center for Internet Security (CIS) Google Cloud Computing Platform Benchmark v2.0.0. This predefined posture helps you detect when your Google Cloud environment doesn't align with the CIS Benchmark.

You can deploy this posture template without making any changes.

The following table describes the Security Health Analytics detectors that are included in the posture template. For more information about these detectors, see Vulnerability findings.

Detector name Description
ACCESS_TRANSPARENCY_DISABLED

This detector checks whether Access Transparency is turned off.

ADMIN_SERVICE_ACCOUNT

This detector checks whether a service account has Admin, Owner, or Editor privileges.

ESSENTIAL_CONTACTS_NOT_CONFIGURED

This detector checks whether you have at least one Essential Contact.

API_KEY_APIS_UNRESTRICTED

This detector checks whether API keys are being used too broadly.

API_KEY_EXISTS

This detector checks whether a project is using API keys instead of standard authentication.

API_KEY_NOT_ROTATED

This detector checks whether an API key has been rotated within the last 90 days.

AUDIT_CONFIG_NOT_MONITORED

This detector checks whether audit configuration changes are being monitored.

AUDIT_LOGGING_DISABLED

This detector checks whether audit logging is turned off for a resource.

AUTO_BACKUP_DISABLED

This detector checks whether a Cloud SQL database doesn't have automatic backups turned on.

BIGQUERY_TABLE_CMEK_DISABLED

This detector checks whether a BigQuery table isn't configured to use a customer-managed encryption key (CMEK). For more information, see Dataset vulnerability findings.

BUCKET_IAM_NOT_MONITORED This detector checks whether logging is turned off for IAM permission changes in Cloud Storage.
BUCKET_POLICY_ONLY_DISABLED

This detector checks whether uniform bucket-level access is configured.

CLOUD_ASSET_API_DISABLED

This detector checks whether Cloud Asset Inventory is turned off.

COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED

This detector checks whether project-wide SSH keys are being used.

COMPUTE_SERIAL_PORTS_ENABLED

This detector checks whether serial ports are enabled.

CONFIDENTIAL_COMPUTING_DISABLED

This detector checks whether Confidential Computing is turned off.

CUSTOM_ROLE_NOT_MONITORED

This detector checks whether logging is turned off for custom role changes.

DATAPROC_CMEK_DISABLED

This detector checks whether CMEK support is turned off for a Dataproc cluster.

DATASET_CMEK_DISABLED

This detector checks whether CMEK support is turned off for a BigQuery dataset.

DEFAULT_NETWORK

This detector checks whether the default network exists in a project.

DEFAULT_SERVICE_ACCOUNT_USED

This detector checks whether the default service account is being used.

DISK_CSEK_DISABLED

This detector checks whether customer supplied encryption key (CSEK) support is turned off for a VM.

DNS_LOGGING_DISABLED

This detector checks whether DNS logging is enabled on the VPC network.

DNSSEC_DISABLED

This detector checks whether DNSSEC is turned off for Cloud DNS zones.

FIREWALL_NOT_MONITORED

This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes.

VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED

This detector checks whether VPC Flow Logs is not turned on.

FULL_API_ACCESS

This detector checks whether an instance is using a default service account with full access to all Google Cloud APIs.

INSTANCE_OS_LOGIN_DISABLED

This detector checks whether OS Login is not turned on.

IP_FORWARDING_ENABLED

This detector checks whether IP forwarding is turned on.

KMS_KEY_NOT_ROTATED

This detector checks whether rotation for the Cloud Key Management Service encryption is not turned on.

KMS_PROJECT_HAS_OWNER

This detector checks whether a user has the Owner permission on a project that includes keys.

KMS_PUBLIC_KEY

This detector checks whether a Cloud Key Management Service cryptographic key is publicly accessible. For more information, see KMS vulnerability findings.

KMS_ROLE_SEPARATION

This detector checks for separation of duties for Cloud KMS keys.

LEGACY_NETWORK

This detector checks whether a legacy network exists in a project.

LOCKED_RETENTION_POLICY_NOT_SET

This detector checks whether the locked retention policy is set for logs.

LOAD_BALANCER_LOGGING_DISABLED

This detector checks whether logging is turned off for the load balancer.

LOG_NOT_EXPORTED

This detector checks whether a resource doesn't have a log sink configured.

MFA_NOT_ENFORCED

This detector checks whether a user isn't using 2-step verification.

NETWORK_NOT_MONITORED

This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes.

NON_ORG_IAM_MEMBER

This detector checks whether a user isn't using organization credentials.

OPEN_RDP_PORT

This detector checks whether a firewall has an open RDP port.

OPEN_SSH_PORT

This detector checks whether a firewall has an open SSH port that allows generic access. For more information, see Firewall vulnerability findings.

OS_LOGIN_DISABLED

This detector checks whether OS Login is turned off.

OVER_PRIVILEGED_SERVICE_ACCOUNT_USER

This detector checks whether a user has service account roles at the project level, instead of for a specific service account.

OWNER_NOT_MONITORED

This detector checks whether logging is turned off for project ownership assignments and changes.

PUBLIC_BUCKET_ACL

This detector checks whether a bucket is publicly accessible.

PUBLIC_DATASET

This detector checks whether a dataset is configured to be open to public access. For more information, see Dataset vulnerability findings.

PUBLIC_IP_ADDRESS

This detector checks whether an instance has an external IP address.

PUBLIC_SQL_INSTANCE

This detector checks whether a Cloud SQL allows connections from all IP addresses.

ROUTE_NOT_MONITORED

This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes.

RSASHA1_FOR_SIGNING

This detector checks whether RSASHA1 is used for key signing in Cloud DNS zones.

SERVICE_ACCOUNT_KEY_NOT_ROTATED

This detector checks whether a service account key has been rotated within the last 90 days.

SERVICE_ACCOUNT_ROLE_SEPARATION

This detector checks for separation of duties for service account keys.

SHIELDED_VM_DISABLED

This detector checks whether Shielded VM is turned off.

SQL_CONTAINED_DATABASE_AUTHENTICATION

This detector checks whether the contained database authentication flag in Cloud SQL for SQL Server isn't off.

SQL_CROSS_DB_OWNERSHIP_CHAINING

This detector checks whether the cross_db_ownership_chaining flag in Cloud SQL for SQL Server isn't off.

SQL_EXTERNAL_SCRIPTS_ENABLED

This detector checks whether the external scripts enabled flag in Cloud SQL for SQL Server isn't off.

SQL_INSTANCE_NOT_MONITORED

This detector checks whether logging is turned off for Cloud SQL configuration changes.

SQL_LOCAL_INFILE

This detector checks whether the local_infile flag in Cloud SQL for MySQL isn't off.

SQL_LOG_CONNECTIONS_DISABLED

This detector checks whether the log_connections flag in Cloud SQL for PostgreSQL isn't on.

SQL_LOG_DISCONNECTIONS_DISABLED

This detector checks whether the log_disconnections flag in Cloud SQL for PostgreSQL isn't on.

SQL_LOG_ERROR_VERBOSITY

This detector checks whether the log_error_verbosity flag in Cloud SQL for PostgreSQL isn't set to default.

SQL_LOG_MIN_DURATION_STATEMENT_ENABLED

This detector checks whether the log_min_duration_statement flag in Cloud SQL for PostgreSQL isn't set to -1.

SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY

This detector checks whether the log_min_error_statement flag in Cloud SQL for PostgreSQL doesn't have an appropriate severity level.

SQL_LOG_MIN_MESSAGES

This detector checks whether the log_min_messages flag in Cloud SQL for PostgreSQL isn't set to warning.

SQL_LOG_STATEMENT

This detector checks whether the log_statement flag in Cloud SQL for PostgreSQL Server isn't set to ddl.

SQL_NO_ROOT_PASSWORD

This detector checks whether a Cloud SQL database with an external IP address doesn't have a password for the root account.

SQL_PUBLIC_IP

This detector checks whether a Cloud SQL database has an external IP address.

SQL_REMOTE_ACCESS_ENABLED

This detector checks whether the remote_access flag in Cloud SQL for SQL Server isn't off.

SQL_SKIP_SHOW_DATABASE_DISABLED

This detector checks whether the skip_show_database flag in Cloud SQL for MySQL isn't on.

SQL_TRACE_FLAG_3625

This detector checks whether the 3625 (trace flag) flag in Cloud SQL for SQL Server isn't on.

SQL_USER_CONNECTIONS_CONFIGURED

This detector checks whether the user connections flag in Cloud SQL for SQL Server is configured.

SQL_USER_OPTIONS_CONFIGURED

This detector checks whether the user options flag in Cloud SQL for SQL Server is configured.

USER_MANAGED_SERVICE_ACCOUNT_KEY

This detector checks whether a user manages a service account key.

WEAK_SSL_POLICY

This detector checks whether an instance has a weak SSL policy.

View the posture template

To view the posture template for CIS Benchmark v2.0, do the following:

gcloud

Before using any of the command data below, make the following replacements:

  • ORGANIZATION_ID: the numeric ID of the organization

Execute the gcloud scc posture-templates describe command:

Linux, macOS, or Cloud Shell

gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/cis_2_0

Windows (PowerShell)

gcloud scc posture-templates describe `
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/cis_2_0

Windows (cmd.exe)

gcloud scc posture-templates describe ^
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/cis_2_0

The response contains the posture template.

REST

Before using any of the request data, make the following replacements:

  • ORGANIZATION_ID: the numeric ID of the organization

HTTP method and URL:

GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/cis_2_0

To send your request, expand one of these options:

The response contains the posture template.

What's next