CIS GCP 1.3.0 Benchmark Report

The CIS GCP 1.3.0 report co-exists with the older CIS benchmark reports for Google Cloud Platform (GCP). The older CIS benchmarks are deprecated and will eventually be removed. You should migrate to the latest report soon.

Info: For information about compliance assessment differences between CIS GCP 1.2.0 and 1.3.0, see CIS GCP 1.2.0 to 1.3.0.

Changes to Benchmark Reports in the Lacework Console

Due to changes in the Lacework Console, visibility of and interaction with the CIS GCP 1.3.0 benchmark is different from previous CIS reports.

The notable changes are outlined below:

  • All CIS 1.3.0 benchmark rules are enabled or disabled through the Policies page (see Enable the CIS GCP 1.3.0 Benchmark).
  • The Compliance > GCP > Reports page does not list this report, but will continue to list and display results for the older CIS GCP benchmark reports.
  • The Cloud Compliance Dashboard provides details for each assessment, including the CIS GCP 1.3.0 report.
  • The Reports page lists all reports that have been run in your environment, including a 90-day history for each report type on all your integrated accounts. The summary for each report can be viewed in the Console and downloaded in PDF format. See Reports for information.

Tip: See Reports and Use Cases for Cloud Compliance Dashboard for guidance on viewing similar sections and data.

Prerequisites

The following articles describe how to integrate your GCP environment with the Lacework Compliance platform. Completing these will prepare your environment for the CIS GCP 1.3.0 benchmark.

  1. Prepare for GCP Integration
  2. Choose one of the following options:
    1. GCP Compliance and Audit Log Integration - Terraform Using Google Cloud Shell
    2. GCP Compliance and Audit Log Integration - Terraform From Any Supported Host
    3. GCP Compliance Integration - Manually using the GCP Console

Previous Integrations using Terraform

If you have previously integrated GCP with Lacework using Terraform, re-run terraform init -upgrade, followed by terraform apply to upgrade modules.

Important: The Cloud Asset Inventory and Essential Contacts endpoints are now required for the GCP resource collections to work with the new benchmark (see API List for a full list of APIs needed for GCP integrations).

As such, upgrade to the latest Terraform modules to ensure the necessary permissions are met.

Previous Integrations using the GCP Console

If you have previously integrated GCP with Lacework manually using the GCP Console, ensure that you enable the Cloud Asset Inventory and Essential Contacts APIs on projects that host the service account for the integrations (see API List for a full list of APIs needed for GCP integrations).

See How to Enable the APIs for guidance.

Enable the CIS GCP 1.3.0 Benchmark

All policies in the CIS GCP 1.3.0 benchmark are enabled by default. You can disable or enable them using one of the methods outlined in this section.

Enable or Disable Policies through the Lacework Console

On the Policies page, use the framework:cis-gcp-1-3-0 tag to filter for CIS GCP 1.3.0 policies only.

You can enable or disable an individual policy using its status toggle.

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

Note: Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.

Bulk Enable or Disable Policies through the Lacework CLI

Enable or disable all the CIS GCP 1.3.0 policies by using the following commands in the Lacework CLI:

Enable all policies:

    lacework policy enable --tag framework:cis-gcp-1-3-0

Disable all policies:

    lacework policy disable --tag framework:cis-gcp-1-3-0

Tip: If you have not set up the CLI before, see the Lacework CLI guide to get started.

Automated vs Manual Rules

Lacework automates compliance rules where possible. For some of the benchmark rules, it is not possible to automate the rule check in a GCP environment. These rules are called manual rules. You must verify such rules manually.

Manual Rules (that were deemed automated)

The following table outlines a number of CIS GCP 1.3.0 rules that cannot yet be automated (they were deemed as "automated" by CIS). As such, manual auditing of these rules in your GCP environment is required.

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
| --- | --- | --- |
| 1.6 | lacework-global-236 | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level. |
| 1.8 | lacework-global-294 | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users. |
| 1.11 | lacework-global-295 | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users. |
| 1.16 | lacework-global-243 | Ensure Essential Contacts is Configured for Organization. |
| 2.15 | lacework-global-299 | Ensure 'Access Approval' is 'Enabled'. |

Info: Lacework intends to automate these rules in a future release except for Control ID 2.15 (lacework-global-299), which will stay as a manual rule.

Automated Rules (that were deemed manual)

In some cases, Lacework is able to automate certain CIS GCP 1.3.0 benchmark rules that were deemed as manual by CIS. The following table outlines these rules:

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
| --- | --- | --- |
| 1.12 | lacework-global-296 | Ensure API Keys Are Not Created for a Project. |
| 1.13 | lacework-global-240 | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps. |
| 1.14 | lacework-global-241 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access. |
| 1.15 | lacework-global-242 | Ensure API Keys Are Rotated Every 90 Days. |
| 3.4 | lacework-global-260 | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC. |
| 3.5 | lacework-global-261 | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC. |
| 3.9 | lacework-global-490 | Ensure No SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites. |
| 6.2.1 | lacework-global-312 | Ensure ‘Log_error_verbosity’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘DEFAULT’ or Stricter. |
| 6.2.4 | lacework-global-279 | Ensure ‘Log_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately. |
| 6.2.6 | lacework-global-281 | Ensure That the ‘Log_min_messages’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning'. |
| 7.1 | lacework-global-292 | Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible. |
| 7.3 | lacework-global-314 | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets. |

Adjusted Rules

2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project

This rule has been split into three different policies to monitor at the project, folder, and organization levels separately.

The table below lists each rule and its new title:

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
| --- | --- | --- |
| 2.1 | lacework-global-245 | Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project. |
| 2.1 | lacework-global-487 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From a Folder. |
| 2.1 | lacework-global-488 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From an Organization. |

Note: The policy catalog only retains one entry for this rule, which is lacework-global-245.

2.2 Ensure That Sinks Are Configured for All Log Entries

This rule has been split into two different policies to check the following regarding GCP sinks:

  1. There is at least one log sink with no filter configured (as this ensures all log entries are included).
  2. There is a destination that exists for the sink.

The table below lists each rule and its new title:

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
| --- | --- | --- |
| 2.2 | lacework-global-246 | Ensure That Sinks Are Configured for All Log Entries. |
| 2.2 | lacework-global-489 | Ensure That Sink Destinations Exist. |

Note: The policy catalog only retains one entry for this rule, which is lacework-global-246.
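
The two sink checks described above, run over constructed sink records, as an added example that is not Lacework's policy code. It assumes records shaped like Cloud Logging LogSink objects (name, destination, filter); the inventory dictionary and all sample names are hypothetical.

```python
# Added example, not Lacework's implementation. Sink dicts use the LogSink
# fields name / destination / filter; every value below is constructed.
DEST_KINDS = {  # sink destination prefix -> resource kind
    "storage.googleapis.com": "bucket", "bigquery.googleapis.com": "dataset",
    "pubsub.googleapis.com": "topic", "logging.googleapis.com": "log_bucket",
}

def parse_destination(destination):
    """Split 'service/resource' into (kind, resource); kind is None if unknown."""
    service, _, resource = destination.partition("/")
    return DEST_KINDS.get(service), resource

def unfiltered_sinks(sinks):
    """Check 1: names of sinks with no filter, which export every log entry."""
    return [s["name"] for s in sinks if not (s.get("filter") or "").strip()]

def dangling_sinks(sinks, inventory):
    """Check 2: names of sinks whose destination is not in the inventory."""
    missing = []
    for s in sinks:
        kind, resource = parse_destination(s.get("destination", ""))
        if kind is None or resource not in inventory.get(kind, set()):
            missing.append(s["name"])
    return missing

def assess(sinks, inventory):
    """Run both checks; 'effective' sinks are unfiltered and have a destination."""
    unfiltered, dangling = unfiltered_sinks(sinks), dangling_sinks(sinks, inventory)
    return {
        "exports_all_entries": bool(unfiltered),
        "dangling": dangling,
        "effective": [n for n in unfiltered if n not in dangling],
    }

LOG_BUCKET = "projects/example-proj/locations/global/buckets/_Default"
SINKS = [  # constructed sample; the _Default filter is abbreviated
    {"name": "_Default", "destination": "logging.googleapis.com/" + LOG_BUCKET,
     "filter": 'NOT LOG_ID("cloudaudit.googleapis.com/activity")'},
    {"name": "audit-archive", "filter": "",
     "destination": "storage.googleapis.com/example-audit-archive"},
    {"name": "to-bq",  # no filter key at all, but its dataset no longer exists
     "destination": "bigquery.googleapis.com/projects/example-proj/datasets/old_ds"},
]
INVENTORY = {"bucket": {"example-audit-archive"}, "log_bucket": {LOG_BUCKET}, "dataset": set()}

if __name__ == "__main__":
    print(assess(SINKS, INVENTORY))
```

If `audit-archive` is removed from the sample, the first check still passes on `to-bq` alone while the second reports it as dangling, which is the case the split into two policies separates.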

3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites

This rule has been split into two different policies to monitor HTTPS and SSL Proxy Load Balancers separately.

The table below lists each rule and its new title:

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
| --- | --- | --- |
| 3.9 | lacework-global-263 | Ensure No HTTPS Load Balancers Permit SSL Policies With Weak Cipher Suites. |
| 3.9 | lacework-global-490 | Ensure No SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites. |

Note: The policy catalog only retains one entry for this rule, which is lacework-global-263.

4.4 Ensure Oslogin Is Enabled for a Project

This rule has been split into two different policies to check the following regarding OS Login:

  1. Checks for projects without OS Login enabled.
  2. Checks for VMs (instances) with OS Login disabled.

The table below lists each rule and its new title:

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
| --- | --- | --- |
| 4.4 | lacework-global-267 | Ensure Oslogin Is Enabled for a Project. |
| 4.4 | lacework-global-498 | Ensure Oslogin Is Not Disabled on Instances. |

Note: The policy catalog only retains one entry for this rule, which is lacework-global-267.

Determining Active GCP API Keys for Certain Rules

For the following control IDs, Lacework pulls data on API keys from Google Cloud APIs. The data provided by Google returns active API keys, but also recently deleted API keys.

As such, the number of assessed resources in the policy assessment (and reports) may be greater than the number of API keys seen in your Google Cloud Console.

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
| --- | --- | --- |
| 1.12 | lacework-global-296 | Ensure API Keys Are Not Created for a Project. |
| 1.13 | lacework-global-240 | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps. |
| 1.14 | lacework-global-241 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access. |
| 1.15 | lacework-global-242 | Ensure API Keys Are Rotated Every 90 Days. |
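
Why the assessed count can exceed what the Console shows, as an added example that is not Lacework's code. It assumes key records shaped like the API Keys API Key resource (createTime, deleteTime, restrictions), treats a key with deleteTime set as recently deleted, and applies simplified versions of rules 1.13 to 1.15; all sample keys are constructed.

```python
# Added example, not Lacework's implementation. Key dicts use the API Keys API
# Key fields createTime / deleteTime / restrictions; all values are constructed.
from datetime import datetime, timedelta

HOST_APP_FIELDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                   "androidKeyRestrictions", "iosKeyRestrictions")

def parse_ts(value):
    """RFC 3339 'Z' timestamp -> aware datetime (sample data has no fractions)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def split_keys(keys):
    """Separate active keys from recently deleted ones (deleteTime is set)."""
    active = [k for k in keys if not k.get("deleteTime")]
    deleted = [k for k in keys if k.get("deleteTime")]
    return active, deleted

def findings(key, now, max_age_days=90):
    """Simplified checks for rules 1.13 (hosts/apps), 1.14 (APIs), 1.15 (age)."""
    r = key.get("restrictions") or {}
    out = []
    if not any(r.get(f) for f in HOST_APP_FIELDS):
        out.append("1.13")
    if not r.get("apiTargets"):
        out.append("1.14")
    if now - parse_ts(key["createTime"]) > timedelta(days=max_age_days):
        out.append("1.15")
    return out

def reconcile(keys, now):
    """Explain the gap between assessed resources and keys visible as active."""
    active, deleted = split_keys(keys)
    return {
        "assessed": len(keys),
        "console_visible": len(active),
        "recently_deleted": [k["displayName"] for k in deleted],
        "active_findings": {k["displayName"]: findings(k, now) for k in active},
    }

NOW = parse_ts("2023-06-01T00:00:00Z")  # constructed assessment time
KEYS = [  # constructed sample
    {"displayName": "web-frontend", "createTime": "2023-04-15T09:00:00Z",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]},
                      "apiTargets": [{"service": "maps.googleapis.com"}]}},
    {"displayName": "legacy-batch", "createTime": "2022-11-01T09:00:00Z"},
    {"displayName": "old-test", "createTime": "2023-01-05T09:00:00Z",
     "deleteTime": "2023-05-20T09:00:00Z"},
]
if __name__ == "__main__":
    print(reconcile(KEYS, NOW))
```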

Organization vs Project Level Rules

The majority of the CIS GCP benchmark rules are evaluated at the Project level; however, some are evaluated at the Organization level. As such, depending on your level of integration with GCP, these Organization level rules may not display.

Policy Mapping for CIS GCP 1.3.0

The CIS GCP 1.3.0 rules are mapped to Lacework global policies. See the following sections for the mappings used.

1. Identity and Access Management (IAM)

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 1.1 | lacework-global-232 |
| 1.2 | lacework-global-233 |
| 1.3 | lacework-global-293 |
| 1.4 | lacework-global-234 |
| 1.5 | lacework-global-235 |
| 1.6 | lacework-global-236 |
| 1.7 | lacework-global-237 |
| 1.8 | lacework-global-294 |
| 1.9 | lacework-global-238 |
| 1.10 | lacework-global-239 |
| 1.11 | lacework-global-295 |
| 1.12 | lacework-global-296 |
| 1.13 | lacework-global-240 |
| 1.14 | lacework-global-241 |
| 1.15 | lacework-global-242 |
| 1.16 | lacework-global-243 |
| 1.17 | lacework-global-297 |
| 1.18 | lacework-global-244 |

2. Logging and Monitoring

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 2.1 | lacework-global-245 (Project), lacework-global-487 (Folder), lacework-global-488 (Organization) |
| 2.2 | lacework-global-246 (Configuration), lacework-global-489 (Existence) |
| 2.3 | lacework-global-298 |
| 2.4 | lacework-global-247 |
| 2.5 | lacework-global-248 |
| 2.6 | lacework-global-249 |
| 2.7 | lacework-global-250 |
| 2.8 | lacework-global-251 |
| 2.9 | lacework-global-252 |
| 2.10 | lacework-global-253 |
| 2.11 | lacework-global-254 |
| 2.12 | lacework-global-255 |
| 2.13 | lacework-global-256 |
| 2.14 | lacework-global-257 |
| 2.15 | lacework-global-299 |

3. Networking

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 3.1 | lacework-global-300 |
| 3.2 | lacework-global-258 |
| 3.3 | lacework-global-259 |
| 3.4 | lacework-global-260 |
| 3.5 | lacework-global-261 |
| 3.6 | lacework-global-301 |
| 3.7 | lacework-global-302 |
| 3.8 | lacework-global-262 |
| 3.9 | lacework-global-263 (HTTPS), lacework-global-490 (SSL Proxy) |
| 3.10 | lacework-global-303 |

4. Virtual Machines

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 4.1 | lacework-global-264 |
| 4.2 | lacework-global-265 |
| 4.3 | lacework-global-266 |
| 4.4 | lacework-global-267 (Project), lacework-global-498 (Instances) |
| 4.5 | lacework-global-268 |
| 4.6 | lacework-global-269 |
| 4.7 | lacework-global-304 |
| 4.8 | lacework-global-305 |
| 4.9 | lacework-global-306 |
| 4.10 | lacework-global-307 |
| 4.11 | lacework-global-308 |
| 4.12 | lacework-global-309 |

5. Storage

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 5.1 | lacework-global-270 |
| 5.2 | lacework-global-310 |

6. Cloud SQL Database Services

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 6.4 | lacework-global-271 |
| 6.5 | lacework-global-272 |
| 6.6 | lacework-global-311 |
| 6.7 | lacework-global-273 |

6.1 MySQL Database

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 6.1.1 | lacework-global-274 |
| 6.1.2 | lacework-global-275 |
| 6.1.3 | lacework-global-276 |

6.2 PostgreSQL Database

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 6.2.1 | lacework-global-312 |
| 6.2.2 | lacework-global-277 |
| 6.2.3 | lacework-global-278 |
| 6.2.4 | lacework-global-279 |
| 6.2.5 | lacework-global-280 |
| 6.2.6 | lacework-global-281 |
| 6.2.7 | lacework-global-282 |
| 6.2.8 | lacework-global-283 |
| 6.2.9 | lacework-global-284 |

6.3 SQL Server

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 6.3.1 | lacework-global-285 |
| 6.3.2 | lacework-global-286 |
| 6.3.3 | lacework-global-287 |
| 6.3.4 | lacework-global-288 |
| 6.3.5 | lacework-global-289 |
| 6.3.6 | lacework-global-290 |
| 6.3.7 | lacework-global-291 |

7. BigQuery

| CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
| --- | --- |
| 7.1 | lacework-global-292 |
| 7.2 | lacework-global-313 |
| 7.3 | lacework-global-314 |