Benchmark: 164.308(a)(3)(i) Workforce security
Description
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 164.308(a)(3)(i) Workforce security.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.hipaa_164_308_a_3_i
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.hipaa_164_308_a_3_i --share
Controls
- Ensure that Compute instances do not have public IP addresses
- Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
- Ensure that separation of duties is enforced while assigning KMS-related roles to users
- Prevent a public IP from being assigned to a Cloud SQL instance
- Check if BigQuery datasets are publicly readable
- Check if Cloud Storage buckets have Bucket Only Policy turned on
- Ensure the 'skip_show_database' database flag for Cloud SQL MySQL instances is set to 'on'
- Ensure Instance IP assignment is set to private
- Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
- Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure that Cloud Storage buckets used for exporting logs are configured using bucket lock