Benchmark: CC5.2.3
Description
The entity's senior management reviews and approves the state of the information security program, including its policies, standards and procedures, at planned intervals or whenever significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select CC5.2.3.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.soc_2_2017_cc_5_2_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.soc_2_2017_cc_5_2_3 --share
Controls
- Ensure 'log_error_verbosity' database flag for AlloyDB instance is set to 'DEFAULT' or stricter
- Ensure 'log_min_error_statement' database flag for AlloyDB instance is set to 'Error' or stricter
- Ensure that the 'log_min_messages' flag for an AlloyDB instance is set at minimum to 'Warning'
- Ensure that Compute instances do not have public IP addresses
- Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- Ensure that Separation of duties is enforced while assigning service account related roles to users
- Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
- Ensure that Separation of duties is enforced while assigning KMS related roles to users
- Check if BigQuery datasets are publicly readable
- Check if Cloud Storage buckets have uniform bucket-level access (formerly Bucket Policy Only) turned on
- Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'on'
- Ensure Cloud SQL instance IP assignment is set to private
- Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
- Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
- Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
- Ensure that the 'log_min_messages' flag for a Cloud SQL PostgreSQL instance is set at minimum to 'Warning'
- Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
- Ensure that the 'contained database authentication' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
- Check if Cloud SQL instances are world readable
- Ensure that Cloud Storage buckets used for exporting logs are configured using bucket lock
- Ensure that Cloud Storage bucket is not anonymously or publicly accessible
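The Cloud SQL PostgreSQL flag controls above are each a Steampipe SQL query under the hood. The query below is an added example, not a control from steampipe-mod-gcp-compliance, showing how those flag checks can be evaluated together from a table of required values; run it with `steampipe query` once the GCP plugin is configured. It assumes the Steampipe `gcp_sql_database_instance` table exposes `database_version`, `self_link`, `name`, `project` and a `database_flags` jsonb array of `{"name": ..., "value": ...}` objects (verify with `.inspect gcp_sql_database_instance` before relying on it). The "or stricter" sets encode PostgreSQL's own severity order; `log_statement` is left out because the page marks it as a judgment call.

```sql
-- Added example (not part of the mod): one row per PostgreSQL instance and
-- required log flag, with 'ok' or 'alarm' in the same shape Powerpipe controls use.
-- Table and column names below are assumptions about the Steampipe GCP plugin.
with required(flag_name, ok_values) as (
  values
    ('log_connections',            array['on']),
    ('log_disconnections',         array['on']),
    -- 'DEFAULT' or stricter: terse is less verbose than default
    ('log_error_verbosity',        array['default', 'terse']),
    -- 'Error' or stricter in PostgreSQL severity order
    ('log_min_error_statement',    array['error', 'log', 'fatal', 'panic']),
    -- at minimum 'Warning'
    ('log_min_messages',           array['warning', 'error', 'log', 'fatal', 'panic']),
    -- '-1' disables per-statement duration logging
    ('log_min_duration_statement', array['-1'])
),
pg as (
  select
    project,
    name,
    self_link,
    coalesce(database_flags, '[]'::jsonb) as database_flags
  from gcp_sql_database_instance
  where database_version like 'POSTGRES%'
),
flags as (
  -- explode the flag array so each flag becomes a joinable row
  select
    p.self_link,
    f ->> 'name'        as flag_name,
    lower(f ->> 'value') as flag_value
  from pg p,
       jsonb_array_elements(p.database_flags) f
)
select
  p.self_link as resource,
  r.flag_name,
  case
    when f.flag_value = any (r.ok_values) then 'ok'
    else 'alarm'   -- covers wrong values and flags that are not set at all
  end as status,
  p.name || ': ' || r.flag_name || ' is ' || coalesce(f.flag_value, 'not set') || '.' as reason,
  p.project
from pg p
cross join required r
left join flags f
  on f.self_link = p.self_link
 and f.flag_name = r.flag_name
order by p.self_link, r.flag_name;
```

A flag that is absent is reported as an alarm even where PostgreSQL's default would satisfy the control (for example, `log_min_duration_statement` defaults to `-1`); that is deliberate, since the controls ask for the value to be set explicitly so it survives an instance rebuild, but relax the `coalesce` if you only want to flag values that are actually wrong.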