Benchmark: Forseti Security v2.26.0
Overview
Forseti Security is a collection of community-driven, open-source tools to help you improve the security of your Google Cloud Platform (GCP) environments. Forseti consists of core modules that you can enable, configure, and execute independently of each other. Community contributors are also developing add-on modules to offer unique capabilities. Forseti’s core modules work together, and provide a foundation that others can build upon.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Forseti Security v2.26.0.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.forseti_security_v226
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.forseti_security_v226 --share
Controls
- Check that CMEK rotation policy is in place and is sufficiently short
- Prevent public users from having access to resources via IAM
- Check if service account keys are older than 100 days
- Only allow members from my domain to be added to IAM roles
- Check if BigQuery datasets are publicly readable
- Check for open firewall rules allowing SSH from the internet
- Check for open firewall rules allowing TCP/UDP from the internet
- Enforce corporate domain by banning gmail.com addresses access to BigQuery datasets
- Enforce corporate domain by banning googlegroups.com addresses access to BigQuery datasets
- Check if Cloud SQL instances are world readable
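To show what one of these controls evaluates, here is an added illustrative query for the "service account keys are older than 100 days" control, written in the shape Powerpipe expects from a control query (resource, status, reason). It is not the mod's own query; it assumes the Steampipe GCP plugin table gcp_service_account_key with the columns name, service_account_name, key_type, valid_after_time and project.

```sql
-- Added illustration, not the mod's own control query.
-- Assumed source table: gcp_service_account_key (Steampipe GCP plugin).
-- Powerpipe control status values: ok, alarm, skip (also error, info).
select
  name as resource,
  case
    -- Google-managed keys are rotated by Google; only user-managed keys age.
    when key_type <> 'USER_MANAGED' then 'skip'
    -- Key created more than 100 days ago: flag it for rotation.
    when valid_after_time < now() - interval '100 days' then 'alarm'
    else 'ok'
  end as status,
  service_account_name
    || ' key created '
    || to_char(valid_after_time, 'YYYY-MM-DD')
    || ' ('
    || date_part('day', now() - valid_after_time)::int
    || ' days ago).' as reason,
  project
from
  gcp_service_account_key
order by
  status,
  valid_after_time;
```

Running this in the Steampipe query shell lists every key with its status, so alarms map directly to the keys the benchmark would report.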