GCP CIS 1.2 Benchmark Report
Legacy Report
This is now a legacy report and will be deprecated on 28th February 2023. See Legacy Policies and Reports for a full list of policies and reports/assessments that will be deprecated.
Lacework advises that you start using the latest available reports/assessments.
The GCP CIS 1.2 benchmark report was added as of the v4.22 platform release. This report will continue to co-exist with the CIS 1.0 benchmark report for Google Cloud Platform. The CIS 1.0 benchmark will eventually be deprecated once all Lacework customers have had time to migrate to the latest report.
Prerequisites
The following articles describe how to integrate your GCP environment with the Lacework Compliance platform. Completing these will prepare your environment for the GCP CIS 1.2 benchmark.
Choose one of the following options:
- GCP Compliance Integration - Manually using the GCP Console
- This guide includes links to existing articles for creating the GCP Service Account, granting access, and enabling the required GCP APIs. Previous methods are now deprecated.
- GCP Compliance and Audit Log Integration - Terraform Using Google Cloud Shell
- This guide has been updated for the new 1.0 Terraform module.
- GCP Compliance and Audit Log Integration - Terraform From Any Supported Host
- This guide has been updated for the new 1.0 Terraform module.
Previous Integrations using the GCP Console
If you have previously integrated GCP with Lacework manually through the console, see the GCP CIS 1.2 Addition to the service account role.
Previous Integrations using Terraform
If you have previously integrated GCP with Lacework using Terraform, re-run `terraform init -upgrade`, followed by `terraform apply`, to upgrade the modules and automatically apply the new permission. This will ensure the correct permissions are in place to allow the CIS 1.2 report to complete.
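The re-run described above, written out as a small POSIX shell helper. This is an added example, not Lacework's own code or part of its Terraform module: it performs the documented `terraform init -upgrade` and `terraform apply` steps, but inserts a saved `terraform plan` between them so the IAM change that the module upgrade introduces can be reviewed before it is applied. The directory argument and the `TERRAFORM_BIN` override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Lacework's code): upgrade the Lacework GCP Terraform modules
# and apply the resulting permission change, with a review step in between.
#
# Assumptions (this example's own, not from the documentation):
#   $1            directory that holds the Lacework GCP Terraform configuration
#   TERRAFORM_BIN optional path to the terraform binary (defaults to "terraform" on PATH)

upgrade_lacework_gcp_modules() {
    dir="${1:-.}"
    tf="${TERRAFORM_BIN:-terraform}"
    plan_file="lacework-gcp-cis12.tfplan"

    # 1. Fetch the newer module versions (the documented "terraform init -upgrade").
    "$tf" -chdir="$dir" init -upgrade -input=false || return 1

    # 2. Write a saved plan so the role/permission diff can be inspected
    #    before anything changes in the GCP project or organization.
    "$tf" -chdir="$dir" plan -input=false -out="$plan_file" || return 1

    # 3. Apply exactly the reviewed plan (the documented "terraform apply").
    "$tf" -chdir="$dir" apply -input=false "$plan_file" || return 1
}

# Usage: upgrade_lacework_gcp_modules /path/to/lacework-gcp-terraform
```

The saved-plan step is the one addition over the documented commands: `terraform apply` of a plan file applies only what was shown in the plan, so the new permission granted to the Lacework service account is visible and reviewable before it lands.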
Enable the GCP CIS 1.2 Benchmark
The GCP CIS 1.2 benchmark is released with all policies disabled.
On the Policies page, search for GCP_CIS12 to filter for GCP CIS 1.2 policies only.
You can enable or disable an individual policy using its status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
note
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.
Automated vs Manual Rules
Lacework automates compliance rules where possible. For some of the benchmark rules, it is not possible to automate the rule check in a GCP environment. These rules are called manual rules, and you must verify them yourself.
Organization vs Project Level Rules
Most GCP CIS benchmark rules are evaluated at the Project level; however, some are evaluated at the Organization level. Depending on the level at which you integrated GCP, these Organization level rules may therefore not be displayed.
In addition, some rules are fully 'Automated' while others are categorized as 'Manual'. 'Manual' rules cannot be assessed end-to-end by the Lacework platform; the customer must follow the auditing procedure for them.
The following table is a list of all the Organization level GCP CIS benchmark rules:
Rule ID | Assessment Status | Category | Title |
---|---|---|---|
GCP_CIS_1_2 | Manual | Identity and Access Management | Ensure that multi-factor authentication is enabled for all non-service accounts. |
GCP_CIS12_1_1 | Manual | Identity and Access Management | Ensure that corporate login credentials are used. |
GCP_CIS12_1_2 | Manual | Identity and Access Management | Ensure that multi-factor authentication is enabled for all non-service accounts. |
GCP_CIS12_1_3 | Manual | Identity and Access Management | Ensure that Security Key Enforcement is enabled for all admin accounts. |
GCP_CIS12_2_1 | Automated | Logging and Monitoring | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project. |
GCP_CIS12_2_2 | Automated | Logging and Monitoring | Ensure that sinks are configured for all Log entries. |
GCP_CIS12_2_3 | Automated | Logging and Monitoring | Ensure that retention policies on log buckets are configured using Bucket Lock. |
For Organization level GCP rules that are Automated, if any violations are found, you can obtain the results as follows:
- Go to the Compliance > Cloud screen.
- When grouped by policy, search for the rule text and click the policy to view the policy assessment and non-compliant resources.
In addition, the resources in violation surface in the Alerts Dossier.
Organization level GCP rules that are Manual do not appear in the Lacework Platform.
In addition, GCP_CIS12_1_1 has been incorrectly categorized as an 'Automated' rule in the GCP CIS 1.2.0 benchmark. This is recognized by CIS as incorrect and will be updated to 'Manual' in subsequent benchmarks.