CIS GCP 1.3.0 Benchmark Report
The CIS GCP 1.3.0 report co-exists with the older CIS benchmark reports for Google Cloud Platform (GCP). The older CIS benchmarks are deprecated and will eventually be removed. You should migrate to the latest report soon.
info
For information about compliance assessment differences between CIS GCP 1.2.0 and 1.3.0, see CIS GCP 1.2.0 to 1.3.0.
Changes to Benchmark Reports in the Lacework Console
Due to changes in the Lacework Console, visibility of and interaction with the CIS GCP 1.3.0 benchmark is different from previous CIS reports.
The notable changes are outlined below:
- All CIS 1.3.0 benchmark rules are enabled or disabled through the Policies page (see Enable the CIS GCP 1.3.0 Benchmark).
- The Compliance > GCP > Reports page does not list this report, but will continue to list and display results for the older CIS GCP benchmark reports.
- The Cloud Compliance Dashboard provides details for each assessment, including the CIS GCP 1.3.0 report.
- The Reports page lists all reports that have been run in your environment, including a 90 day history for each report type on all your integrated accounts. The summary for each report can be viewed in the Console, and downloaded in PDF format. See Reports for information.
tip
See Reports and Use Cases for Cloud Compliance Dashboard for guidance on viewing similar sections and data.
Prerequisites
The following articles describe how to integrate your GCP environment with the Lacework Compliance platform. Completing these will prepare your environment for the CIS GCP 1.3.0 benchmark.
- Prepare for GCP Integration
- Determine your GCP Integration Type - The setup for the Configuration integration type must be completed in order to use the Lacework Compliance platform.
- Choose one of the following options:
Previous Integrations using Terraform
If you have previously integrated GCP with Lacework using Terraform, re-run terraform init -upgrade, followed by terraform apply, to upgrade the modules.
important
The Cloud Asset Inventory and Essential Contacts endpoints are now required for the GCP resource collections to work with the new benchmark (see API List for a full list of APIs needed for GCP integrations).
As such, upgrade to the latest Terraform modules to ensure the necessary permissions are met.
Previous Integrations using the GCP Console
If you have previously integrated GCP with Lacework manually using the GCP Console, ensure that you enable the Cloud Asset Inventory and Essential Contacts APIs on projects that host the service account for the integrations (see API List for a full list of APIs needed for GCP integrations).
See How to Enable the APIs for guidance.
Enable the CIS GCP 1.3.0 Benchmark
All policies in the CIS GCP 1.3.0 benchmark are enabled by default. You can disable or enable them using one of the following methods outlined in this section.
Enable or Disable Policies through the Lacework Console
On the Policies page, use the framework:cis-gcp-1-3-0 tag to filter for CIS GCP 1.3.0 policies only.
You can enable or disable an individual policy using its status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
note
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.
Bulk Enable or Disable Policies through the Lacework CLI
Enable or disable all the CIS GCP 1.3.0 policies by using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-gcp-1-3-0
lacework policy disable --tag framework:cis-gcp-1-3-0
tip
If you have not set up the CLI before, see the Lacework CLI guide to get started.
Automated vs Manual Rules
Lacework automates compliance rules where possible. Some benchmark rules cannot be checked automatically in a GCP environment; these are called manual rules, and you must verify them yourself.
Manual Rules (that were deemed automated)
The following table lists the CIS GCP 1.3.0 rules that CIS classifies as automated but that Lacework cannot yet automate. You must audit these rules manually in your GCP environment.
CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
---|---|---|
1.6 | lacework-global-236 | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level. |
1.8 | lacework-global-294 | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users. |
1.11 | lacework-global-295 | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users. |
1.16 | lacework-global-243 | Ensure Essential Contacts is Configured for Organization. |
2.15 | lacework-global-299 | Ensure 'Access Approval' is 'Enabled'. |
info
Lacework intends to automate these rules in a future release except for Control ID 2.15 (lacework-global-299), which will stay as a manual rule.
Automated Rules (that were deemed manual)
In some cases, Lacework is able to automate certain CIS GCP 1.3.0 benchmark rules that were deemed as manual by CIS. The following table outlines these rules:
CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
---|---|---|
1.12 | lacework-global-296 | Ensure API Keys Are Not Created for a Project. |
1.13 | lacework-global-240 | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps. |
1.14 | lacework-global-241 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access. |
1.15 | lacework-global-242 | Ensure API Keys Are Rotated Every 90 Days. |
3.4 | lacework-global-260 | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC. |
3.5 | lacework-global-261 | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC. |
3.9 | lacework-global-490 | Ensure No SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites. |
6.2.1 | lacework-global-312 | Ensure ‘Log_error_verbosity’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘DEFAULT’ or Stricter. |
6.2.4 | lacework-global-279 | Ensure ‘Log_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately. |
6.2.6 | lacework-global-281 | Ensure That the ‘Log_min_messages’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning'. |
7.1 | lacework-global-292 | Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible. |
7.3 | lacework-global-314 | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets. |
Adjusted Rules
2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project
This rule has been split into three different policies to monitor at the project, folder, and organization levels separately.
The table below outlines each rule and their new title:
CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
---|---|---|
2.1 | lacework-global-245 | Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project. |
2.1 | lacework-global-487 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From a Folder. |
2.1 | lacework-global-488 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From an Organization. |
note
The policy catalog only retains one entry for this rule, which is lacework-global-245.
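As an added example (not Lacework's own policy logic), the following Python check applies rule 2.1 to an IAM policy in the JSON shape returned by gcloud projects get-iam-policy PROJECT --format=json, or by the folder and organization equivalents (gcloud resource-manager folders get-iam-policy, gcloud organizations get-iam-policy), which is why the same function covers all three policies Lacework splits the rule into. The two policies embedded in the block are constructed samples; no real project is read.

```python
"""CIS GCP 1.3.0 rule 2.1: Data Access audit logging across all services.

Added example, not Lacework's implementation. A project, folder or organization
passes when its IAM policy's auditConfigs contain an entry for "allServices"
that enables DATA_READ and DATA_WRITE with no exempted members. The two
policies below are constructed samples.
"""
import json
import sys
from typing import Dict, List

REQUIRED_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}

# Constructed sample: a compliant policy.
COMPLIANT_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}],
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}],
        }
    ],
}

# Constructed sample: DATA_READ is missing and a member is exempted from DATA_WRITE.
NONCOMPLIANT_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}],
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "ADMIN_READ"},
                {"logType": "DATA_WRITE", "exemptedMembers": ["user:ci-bot@example.com"]},
            ],
        }
    ],
}


def audit_logging_findings(policy: Dict) -> List[str]:
    """Return rule 2.1 violations for one IAM policy; an empty list means compliant."""
    findings: List[str] = []
    enabled_for_all = set()
    saw_all_services = False
    for config in policy.get("auditConfigs", []):
        service = config.get("service", "")
        if service == "allServices":
            saw_all_services = True
        for entry in config.get("auditLogConfigs", []):
            log_type = entry.get("logType", "")
            if service == "allServices":
                enabled_for_all.add(log_type)
            # An exemption on any service punches a hole in the audit trail.
            for member in entry.get("exemptedMembers", []):
                findings.append(f"{service}: {log_type} exempts {member}")
    if not saw_all_services:
        findings.append("no auditConfig for service 'allServices'")
    else:
        for missing in sorted(REQUIRED_LOG_TYPES - enabled_for_all):
            findings.append(f"allServices: {missing} not enabled")
    return findings


def is_compliant(policy: Dict) -> bool:
    return not audit_logging_findings(policy)


if __name__ == "__main__":
    # Pipe a real policy in (gcloud ... get-iam-policy ... --format=json | python this.py)
    # or run with no input to evaluate the constructed samples.
    if sys.stdin.isatty():
        policies = {"compliant-sample": COMPLIANT_POLICY, "noncompliant-sample": NONCOMPLIANT_POLICY}
    else:
        policies = {"stdin": json.load(sys.stdin)}
    for label, policy in policies.items():
        print(label, audit_logging_findings(policy) or "compliant")
```

Because Data Access logs are written only when this configuration is present, a missing DATA_READ entry means reads of sensitive data (for example Cloud Storage objects or BigQuery tables) leave no audit trail at all; treat an exempted member the same way, since it silently removes that principal's reads and writes from the logs.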
2.2 Ensure That Sinks Are Configured for All Log Entries
This rule has been split into two different policies to check the following regarding GCP sinks:
- At least one log sink has no filter configured, so that every log entry is included.
- The destination configured for that sink exists.
The table below outlines each rule and their new title:
CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
---|---|---|
2.2 | lacework-global-246 | Ensure That Sinks Are Configured for All Log Entries. |
2.2 | lacework-global-489 | Ensure That Sink Destinations Exist. |
note
The policy catalog only retains one entry for this rule, which is lacework-global-246.
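The two halves of rule 2.2 described above, as an added example that is not Lacework's code: the sinks are in the JSON shape printed by gcloud logging sinks list --format=json, and the set of existing destinations stands in for whatever inventory you have (Cloud Asset Inventory or the per-service list commands). Both the sink list and the inventory set are constructed samples. The check also treats a sink with exclusions as not being a catch-all, which goes slightly beyond the wording above: an exclusion drops entries just as a filter does.

```python
"""CIS GCP 1.3.0 rule 2.2 as split by Lacework: (a) a sink with no filter exists,
so every entry is routed (lacework-global-246); (b) the destination exists
(lacework-global-489).

Added example, not Lacework's implementation. Sink objects follow the Cloud
Logging v2 LogSink shape; the sink list and the inventory set are constructed.
"""
from typing import Dict, Iterable, List, Set

# Destination URI prefixes Cloud Logging accepts for a sink.
DESTINATION_PREFIXES = (
    "storage.googleapis.com/",
    "bigquery.googleapis.com/",
    "pubsub.googleapis.com/",
    "logging.googleapis.com/",
)

SAMPLE_SINKS: List[Dict] = [
    {  # Google-managed sink: carries a filter, so it is not a catch-all
        "name": "_Default",
        "destination": "logging.googleapis.com/projects/my-proj/locations/global/buckets/_Default",
        "filter": 'NOT LOG_ID("cloudaudit.googleapis.com/activity")',
    },
    {  # catch-all export to a SIEM topic; no filter key at all
        "name": "all-logs-to-siem",
        "destination": "pubsub.googleapis.com/projects/my-proj/topics/siem-ingest",
    },
    {  # empty filter, but an exclusion drops DEBUG entries
        "name": "all-but-debug",
        "destination": "storage.googleapis.com/my-proj-logs",
        "filter": "",
        "exclusions": [{"name": "drop-debug", "filter": "severity=DEBUG"}],
    },
    {  # catch-all whose bucket has since been deleted
        "name": "orphaned-export",
        "destination": "storage.googleapis.com/old-logs-bucket",
        "filter": "",
    },
]

# Constructed inventory of resources that exist, in the same URI form sinks use.
SAMPLE_EXISTING: Set[str] = {
    "logging.googleapis.com/projects/my-proj/locations/global/buckets/_Default",
    "pubsub.googleapis.com/projects/my-proj/topics/siem-ingest",
    "storage.googleapis.com/my-proj-logs",
}


def is_catch_all(sink: Dict) -> bool:
    """True when the sink routes every entry: empty filter and no exclusions."""
    return not (sink.get("filter") or "").strip() and not sink.get("exclusions")


def catch_all_sinks(sinks: Iterable[Dict]) -> List[str]:
    return [s["name"] for s in sinks if is_catch_all(s)]


def destination_exists(sink: Dict, existing: Set[str]) -> bool:
    dest = sink.get("destination", "")
    return dest.startswith(DESTINATION_PREFIXES) and dest in existing


def sinks_with_missing_destination(sinks: Iterable[Dict], existing: Set[str]) -> List[str]:
    return [s["name"] for s in sinks if not destination_exists(s, existing)]


def rule_2_2_findings(sinks: List[Dict], existing: Set[str]) -> List[str]:
    """Combine both halves: at least one catch-all sink must have a live destination."""
    findings: List[str] = []
    usable = [s["name"] for s in sinks if is_catch_all(s) and destination_exists(s, existing)]
    if not usable:
        findings.append("no catch-all sink with an existing destination (lacework-global-246)")
    for name in sinks_with_missing_destination(sinks, existing):
        findings.append(f"sink {name}: destination does not exist (lacework-global-489)")
    return findings


if __name__ == "__main__":
    print("catch-all sinks:", catch_all_sinks(SAMPLE_SINKS))
    print("findings:", rule_2_2_findings(SAMPLE_SINKS, SAMPLE_EXISTING))
```

A sink whose destination no longer exists is the failure mode the second policy is there to catch: the sink still appears configured, but Cloud Logging cannot deliver to it, so the export silently stops while the configuration check keeps passing.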
3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
This rule has been split into two different policies to monitor HTTPS and SSL Proxy Load Balancers separately.
The table below outlines each rule and their new title:
CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
---|---|---|
3.9 | lacework-global-263 | Ensure No HTTPS Load Balancers Permit SSL Policies With Weak Cipher Suites. |
3.9 | lacework-global-490 | Ensure No SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites. |
note
The policy catalog only retains one entry for this rule, which is lacework-global-263.
4.4 Ensure Oslogin Is Enabled for a Project
This rule has been split into two different policies to check the following regarding OS Login:
- Checks for projects without OS Login enabled.
- Checks for VMs (instances) with OS Login disabled.
The table below outlines each rule and their new title:
CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
---|---|---|
4.4 | lacework-global-267 | Ensure Oslogin Is Enabled for a Project. |
4.4 | lacework-global-498 | Ensure Oslogin Is Not Disabled on Instances. |
note
The policy catalog only retains one entry for this rule, which is lacework-global-267.
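The project-level and instance-level halves of rule 4.4, as an added example that is not Lacework's implementation. The check follows the Compute Engine metadata model: enable-oslogin is read from project.commonInstanceMetadata.items and from instance.metadata.items, and an instance-level value overrides the project-level one, so a project that passes lacework-global-267 can still contain instances that fail lacework-global-498. The project and instance objects are constructed samples in the shape the Compute API returns.

```python
"""CIS GCP 1.3.0 rule 4.4 as split by Lacework: projects without OS Login
(lacework-global-267) and instances that disable it (lacework-global-498).

Added example, not Lacework's implementation. Metadata items are lists of
{"key", "value"} as returned by the Compute API; instance metadata overrides
project metadata. The project and instances below are constructed samples.
"""
from typing import Dict, Iterable, List, Optional

OSLOGIN_KEY = "enable-oslogin"

SAMPLE_PROJECT: Dict = {
    "name": "my-proj",
    "commonInstanceMetadata": {"items": [{"key": OSLOGIN_KEY, "value": "TRUE"}]},
}

SAMPLE_INSTANCES: List[Dict] = [
    {"name": "web-1", "metadata": {"items": []}},  # inherits the project's TRUE
    {"name": "legacy-db", "metadata": {"items": [{"key": OSLOGIN_KEY, "value": "FALSE"}]}},
    {"name": "bastion", "metadata": {"items": [{"key": OSLOGIN_KEY, "value": "true"}]}},
]


def metadata_value(items: Optional[Iterable[Dict]], key: str) -> Optional[str]:
    for item in items or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def is_truthy(value: Optional[str]) -> bool:
    # Google documents the value as TRUE/FALSE; this check accepts either case.
    return value is not None and value.strip().lower() == "true"


def project_oslogin_enabled(project: Dict) -> bool:
    items = project.get("commonInstanceMetadata", {}).get("items", [])
    return is_truthy(metadata_value(items, OSLOGIN_KEY))


def instance_oslogin_value(instance: Dict) -> Optional[str]:
    return metadata_value(instance.get("metadata", {}).get("items", []), OSLOGIN_KEY)


def instance_disables_oslogin(instance: Dict) -> bool:
    """True only when the instance explicitly overrides OS Login off."""
    value = instance_oslogin_value(instance)
    return value is not None and not is_truthy(value)


def effective_oslogin(project: Dict, instance: Dict) -> bool:
    """What the instance actually runs with: its own value, else the project's."""
    value = instance_oslogin_value(instance)
    return is_truthy(value) if value is not None else project_oslogin_enabled(project)


def rule_4_4_findings(project: Dict, instances: Iterable[Dict]) -> List[str]:
    findings: List[str] = []
    if not project_oslogin_enabled(project):
        findings.append(f"project {project['name']}: {OSLOGIN_KEY} not TRUE (lacework-global-267)")
    for inst in instances:
        if instance_disables_oslogin(inst):
            findings.append(f"instance {inst['name']}: {OSLOGIN_KEY} set to FALSE (lacework-global-498)")
        elif not effective_oslogin(project, inst):
            findings.append(f"instance {inst['name']}: inherits no OS Login from project")
    return findings


if __name__ == "__main__":
    for finding in rule_4_4_findings(SAMPLE_PROJECT, SAMPLE_INSTANCES) or ["compliant"]:
        print(finding)
```

The effective_oslogin helper is the one to use when triaging: an instance with no metadata of its own in a project without the key is running metadata-based SSH keys even though neither policy's literal condition (project key set to FALSE, instance key set to FALSE) fires.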
Determining Active GCP API Keys for Certain Rules
For the following control IDs, Lacework pulls API key data from the Google Cloud APIs. The data Google returns includes not only active API keys but also recently deleted ones.
As a result, the number of assessed resources in the policy assessment (and in reports) may be greater than the number of API keys shown in the Google Cloud Console.
CIS GCP 1.3.0 Rule ID | Lacework Policy ID | Title |
---|---|---|
1.12 | lacework-global-296 | Ensure API Keys Are Not Created for a Project. |
1.13 | lacework-global-240 | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps. |
1.14 | lacework-global-241 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access. |
1.15 | lacework-global-242 | Ensure API Keys Are Rotated Every 90 Days. |
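To reconcile the two counts and to see what rules 1.12 to 1.15 look like against real key metadata, here is an added example (not Lacework's code) over keys in the shape the API Keys API v2 returns, which is also what gcloud services api-keys list --show-deleted --format=json prints. A deleted key is distinguished by its deleteTime field; keys without one are what the Console shows. The key list and the fixed "now" timestamp are constructed samples, and the treatment of a wildcard referrer or 0.0.0.0/0 as "unrestricted" is this example's own interpretation of rule 1.13.

```python
"""Reconcile API-key counts and assess CIS GCP 1.3.0 rules 1.12 to 1.15.

Added example, not Lacework's implementation. Keys follow the API Keys API v2
Key resource (name, displayName, createTime, optional deleteTime, restrictions).
The keys and NOW below are constructed samples.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

ROTATION_DAYS = 90
CLIENT_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",
    "serverKeyRestrictions",
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time

SAMPLE_KEYS: List[Dict] = [
    {  # restricted to one referrer and one API, rotated this month: compliant
        "name": "projects/my-proj/locations/global/keys/maps-web",
        "displayName": "maps-web",
        "createTime": "2024-05-01T00:00:00Z",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]},
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
        },
    },
    {  # unrestricted and older than 90 days
        "name": "projects/my-proj/locations/global/keys/legacy-mobile",
        "displayName": "legacy-mobile",
        "createTime": "2024-01-15T00:00:00Z",
        "restrictions": {},
    },
    {  # deleted: still returned by a listing that includes deleted keys
        "name": "projects/my-proj/locations/global/keys/retired",
        "displayName": "retired",
        "createTime": "2023-12-01T00:00:00Z",
        "deleteTime": "2024-05-20T12:00:00Z",
        "restrictions": {},
    },
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_active(key: Dict) -> bool:
    return "deleteTime" not in key


def split_active(keys: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    active = [k for k in keys if is_active(k)]
    deleted = [k for k in keys if not is_active(k)]
    return active, deleted


def has_client_restriction(restrictions: Dict) -> bool:
    """Rule 1.13: some host/app restriction is set and it is not a wildcard."""
    referrers = (restrictions.get("browserKeyRestrictions") or {}).get("allowedReferrers", [])
    ips = (restrictions.get("serverKeyRestrictions") or {}).get("allowedIps", [])
    if "*" in referrers or "0.0.0.0/0" in ips or "::/0" in ips:
        return False  # this example's interpretation: a wildcard is no restriction
    return any(restrictions.get(field) for field in CLIENT_RESTRICTION_FIELDS)


def assess_key(key: Dict, now: datetime = NOW) -> List[str]:
    """Findings for rules 1.13, 1.14 and 1.15 on one active key."""
    findings: List[str] = []
    restrictions = key.get("restrictions") or {}
    if not has_client_restriction(restrictions):
        findings.append("1.13 not restricted to hosts/apps")
    if not restrictions.get("apiTargets"):
        findings.append("1.14 not restricted to specific APIs")
    age = now - parse_time(key["createTime"])
    if age > timedelta(days=ROTATION_DAYS):
        findings.append(f"1.15 created {age.days} days ago")
    return findings


def assess_project(keys: List[Dict], now: datetime = NOW) -> Dict:
    active, deleted = split_active(keys)
    return {
        "listed": len(keys),      # what an assessment that includes deleted keys counts
        "active": len(active),    # what the Cloud Console shows
        "deleted": len(deleted),
        "project_findings": ["1.12 API keys exist for this project"] if active else [],
        "findings": {k["displayName"]: assess_key(k, now) for k in active},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess_project(SAMPLE_KEYS), indent=2))
```

The difference between "listed" and "active" is exactly the discrepancy described above; when an assessment count is higher than the Console's, compare it with the listing that includes deleted keys before concluding that keys are missing from the Console.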
Organization vs Project Level Rules
Most CIS GCP benchmark rules are evaluated at the project level, but some are evaluated at the organization level. Depending on the level at which you integrated GCP, these organization-level rules may not be displayed.
Policy Mapping for CIS GCP 1.3.0
The CIS GCP 1.3.0 rules are mapped to Lacework global policies. See the following sections for the mappings used.
1. Identity and Access Management (IAM)
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
1.1 | lacework-global-232 |
1.2 | lacework-global-233 |
1.3 | lacework-global-293 |
1.4 | lacework-global-234 |
1.5 | lacework-global-235 |
1.6 | lacework-global-236 |
1.7 | lacework-global-237 |
1.8 | lacework-global-294 |
1.9 | lacework-global-238 |
1.10 | lacework-global-239 |
1.11 | lacework-global-295 |
1.12 | lacework-global-296 |
1.13 | lacework-global-240 |
1.14 | lacework-global-241 |
1.15 | lacework-global-242 |
1.16 | lacework-global-243 |
1.17 | lacework-global-297 |
1.18 | lacework-global-244 |
2. Logging and Monitoring
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
2.1 | lacework-global-245 (Project), lacework-global-487 (Folder), lacework-global-488 (Organization) |
2.2 | lacework-global-246 (Configuration), lacework-global-489 (Existence) |
2.3 | lacework-global-298 |
2.4 | lacework-global-247 |
2.5 | lacework-global-248 |
2.6 | lacework-global-249 |
2.7 | lacework-global-250 |
2.8 | lacework-global-251 |
2.9 | lacework-global-252 |
2.10 | lacework-global-253 |
2.11 | lacework-global-254 |
2.12 | lacework-global-255 |
2.13 | lacework-global-256 |
2.14 | lacework-global-257 |
2.15 | lacework-global-299 |
3. Networking
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
3.1 | lacework-global-300 |
3.2 | lacework-global-258 |
3.3 | lacework-global-259 |
3.4 | lacework-global-260 |
3.5 | lacework-global-261 |
3.6 | lacework-global-301 |
3.7 | lacework-global-302 |
3.8 | lacework-global-262 |
3.9 | lacework-global-263 (HTTPS), lacework-global-490 (SSL Proxy) |
3.10 | lacework-global-303 |
4. Virtual Machines
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
4.1 | lacework-global-264 |
4.2 | lacework-global-265 |
4.3 | lacework-global-266 |
4.4 | lacework-global-267 (Project), lacework-global-498 (Instances) |
4.5 | lacework-global-268 |
4.6 | lacework-global-269 |
4.7 | lacework-global-304 |
4.8 | lacework-global-305 |
4.9 | lacework-global-306 |
4.10 | lacework-global-307 |
4.11 | lacework-global-308 |
4.12 | lacework-global-309 |
5. Storage
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
5.1 | lacework-global-270 |
5.2 | lacework-global-310 |
6. Cloud SQL Database Services
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
6.4 | lacework-global-271 |
6.5 | lacework-global-272 |
6.6 | lacework-global-311 |
6.7 | lacework-global-273 |
6.1 MySQL Database
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
6.1.1 | lacework-global-274 |
6.1.2 | lacework-global-275 |
6.1.3 | lacework-global-276 |
6.2 PostgreSQL Database
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
6.2.1 | lacework-global-312 |
6.2.2 | lacework-global-277 |
6.2.3 | lacework-global-278 |
6.2.4 | lacework-global-279 |
6.2.5 | lacework-global-280 |
6.2.6 | lacework-global-281 |
6.2.7 | lacework-global-282 |
6.2.8 | lacework-global-283 |
6.2.9 | lacework-global-284 |
6.3 SQL Server
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
6.3.1 | lacework-global-285 |
6.3.2 | lacework-global-286 |
6.3.3 | lacework-global-287 |
6.3.4 | lacework-global-288 |
6.3.5 | lacework-global-289 |
6.3.6 | lacework-global-290 |
6.3.7 | lacework-global-291 |
7. BigQuery
CIS GCP 1.3.0 Rule ID | Lacework Policy ID |
---|---|
7.1 | lacework-global-292 |
7.2 | lacework-global-313 |
7.3 | lacework-global-314 |