Benchmark: CFT Scorecard v1
Overview
The CFT Scorecard can be used to print a scorecard of your GCP environment, for resources and IAM policies in Cloud Asset Inventory (CAI) exports. The policies tested are based on constraints and constraint templates from the Config Validator policy library.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select CFT Scorecard v1.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.cft_scorecard_v1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.cft_scorecard_v1 --share
Controls
- Verify all GKE clusters are Private Clusters
- Prevent public users from having access to resources via IAM
- Ensure Kubernetes web UI/Dashboard is disabled
- Ensure default Service account is not used for Project access in Kubernetes Engine clusters
- Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
- Check that legacy metadata endpoints are disabled on Kubernetes clusters (disabled by default since GKE 1.12+)
- Ensure that RSASHA1 is not used for key-signing key in Cloud DNS
- Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS
- Ensure Kubernetes Cluster is created with Alias IP ranges enabled
- Ensure automatic node repair is enabled on all node pools in a GKE cluster
- Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
- Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
- Ensure VPC Flow logs is enabled for every subnet in VPC Network
- Ensure Private Google Access is enabled for all subnetworks in VPC
- Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters
- Check that GKE clusters have a Network Policy installed
- Prevent a public IP from being assigned to a Cloud SQL instance
- Check if BigQuery datasets are publicly readable
- Check if Cloud Storage buckets have Bucket Only Policy turned on
- Check if Cloud SQL instances have SSL turned on
- Check for open firewall rules allowing RDP from the internet
- Check for open firewall rules allowing SSH from the internet
- Enforce corporate domain by banning gmail.com addresses access to BigQuery datasets
- Enforce corporate domain by banning googlegroups.com addresses access to BigQuery datasets
- Limit the number of App Engine application versions simultaneously running or installed
- Check if Cloud SQL instances are world readable