Benchmark: 1 Identity and Access Management
Overview
This section contains recommendations for configuring GCP's project Identity and Access Management features.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1 Identity and Access Management.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.cis_v120_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.cis_v120_1 --share
Controls
- 1.1 Ensure that corporate login credentials are used
- 1.2 Ensure that multi-factor authentication is enabled for all non-service accounts
- 1.3 Ensure that Security Key Enforcement is enabled for all admin accounts
- 1.4 Ensure that there are only GCP-managed service account keys for each service account
- 1.5 Ensure that Service Account has no Admin privileges
- 1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- 1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
- 1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users
- 1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
- 1.10 Ensure KMS encryption keys are rotated within a period of 90 days
- 1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
- 1.12 Ensure API keys are not created for a project
- 1.13 Ensure API keys are restricted to use by only specified Hosts and Apps
- 1.14 Ensure API keys are restricted to only APIs that application needs access
- 1.15 Ensure API keys are rotated every 90 days