Benchmark: Compute
Description
This section contains recommendations for configuring Compute resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Compute.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.all_controls_compute
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.all_controls_compute --share
Controls
- Compute Backend Bucket should not have dangling storage bucket
- Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
- Ensure external backend service has IAP enabled
- Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses
- Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
- Ensure no open default firewall rules allow ingress from 0.0.0.0/0 to any port
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to DNS port 53
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to FTP port 21
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to HTTP port 80
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to Microsoft DS port 445
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to MongoDB port 27017
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to MySQL DB port 3306
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to NetBIOS SSN port 139
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to Oracle DB port 1521
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to POP3 port 110
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port 10250
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port 10255
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to PostgreSQL port 5432
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to SMTP port 25
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 137 to 139
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 27017 to 27019
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 61620 or 6162
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 636
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 6379
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 7000 or 7001
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 7199
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 8888
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9042
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9090
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9160
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9200 or 9300
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 11211
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 11214 to 11215
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 2483 to 24845
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 389
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to Telnet port 23
- Ensure compute firewall rules have logging enabled
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port without any specific target
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port
- Ensure Logging is enabled for HTTP(S) Load Balancer
- Ensure 'Block Project-wide SSH keys' is enabled for VM instances
- Ensure that Compute instances have Confidential Computing enabled
- Ensure that IP forwarding is not enabled on Instances
- Compute Instances should restrict data destruction permission
- Compute Instances should restrict database write permission
- Compute Instances should restrict deployments manager permission
- Compute Instances should restrict disrupt logging permission
- Compute Instances should restrict IAM write permission
- Compute Instances should restrict service account impersonate permission
- Compute Instances should restrict write permission on deny policy
- Ensure OS login is enabled for all instances in the Project
- Compute Instance preemptible termination should be disabled
- Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
- Ensure Compute instances are launched with Shielded VM enabled
- Compute Instance template IP forwarding should be disabled
- Compute Instances should have custom metadata
- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
- Ensure that instances are not configured to use the default service account
- Ensure that Compute instances do not have public IP addresses
- Compute Instances should restrict high level basic role
- Compute Networks should have auto create subnetwork enabled
- Ensure that the default network does not exist in a project
- Ensure legacy networks do not exist for a project
- Ensure that Cloud DNS logging is enabled for all VPC networks
- Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
- Compute Target HTTPS proxy QUIC protocol should be enabled
- Compute Target HTTPS proxy should use custom SSL policy
- Ensure HTTPS targets use the latest TLS version
- Ensure VPC Flow Logs are enabled for every subnet in the VPC network
- Ensure Private Google Access is enabled for all subnetworks in VPC
- Check for open firewall rules allowing RDP from the internet
- Check for open firewall rules allowing SSH from the internet
- Check for open firewall rules allowing TCP/UDP from the internet