Benchmark: 1 Identity and Access Management
Overview
This section covers recommendations addressing Identity and Access Management on Google Cloud Platform.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-gcp-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 1 Identity and Access Management.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.cis_v300_1Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.cis_v300_1 --shareControls
- 1.1 Ensure that Corporate Login Credentials are Used
- 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
- 1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts
- 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
- 1.5 Ensure That Service Account Has No Admin Privileges
- 1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
- 1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
- 1.8 Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
- 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
- 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
- 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
- 1.12 Ensure API Keys Only Exist for Active Services
- 1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps
- 1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs Access
- 1.15 Ensure API Keys Are Rotated Every 90 Days
- 1.16 Ensure Essential Contacts is Configured for Organization
- 1.17 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager