Benchmark: Compute
Description
This benchmark provides a set of controls that detect Terraform GCP Compute Engine resources deviating from security best practices.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Compute.
Run this benchmark in your terminal:
powerpipe benchmark run terraform_gcp_compliance.benchmark.compute
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run terraform_gcp_compliance.benchmark.compute --share
Controls
- Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
- Google compute firewall ingress does not allow unrestricted FTP port 20 access
- Google compute firewall ingress does not allow unrestricted FTP port 21 access
- Google compute firewall ingress does not allow unrestricted HTTP port 80 access
- Google compute firewall ingress does not allow unrestricted MySQL port 3306 access
- Google compute firewall ingress does not allow unrestricted RDP port 3389 access
- Google compute firewall ingress does not allow unrestricted SSH port 22 access
- Ensure 'Block Project-wide SSH keys' is enabled for VM instances
- Compute instance boot disk encryption should be enabled
- Ensure that Compute instances have Confidential Computing enabled
- Ensure that IP forwarding is not enabled on Instances
- Ensure OS login is enabled for a project
- Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
- Ensure Compute instances are launched with Shielded VM enabled
- Ensure that instances are not configured to use the default service account
- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
- Ensure that Compute instances do not have public IP addresses
- Ensure that the default network does not exist in a project
- Ensure legacy networks do not exist for a project
- Cloud Armor prevents message lookup in Log4j2
- Ensure VPC Flow logs is enabled for every subnet in VPC Network
- Ensure Private Google Access is enabled for all subnetworks in VPC
- Compute Subnetworks should have Private IPv6 Google Access enabled