Benchmark: 164.312(a)(1) Access control.
Description
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select "164.312(a)(1) Access control".
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.hipaa_164_312_a_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.hipaa_164_312_a_1 --share
Controls
- Ensure that Compute instances do not have public IP addresses
- Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
- Ensure that Separation of duties is enforced while assigning KMS related roles to users
- Prevent a public IP from being assigned to a Cloud SQL instance
- Check if BigQuery datasets are publicly readable
- Check if Cloud Storage buckets have Bucket Only Policy turned on
- Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'
- Ensure Instance IP assignment is set to private
- Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
- Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure that Cloud Storage buckets used for exporting logs are configured using bucket lock