Skip to main content

GCP CIS 1.2 Benchmark Report

Legacy Report

This is now a legacy report and will be deprecated on 28th February 2023. See Legacy Policies and Reports for a full list of policies and reports/assessments that will be deprecated.

Lacework advises that you start using the latest available reports/assessments.

The GCP CIS 1.2 benchmark report was added as of the v4.22 platform release. This report will continue to co-exist with the CIS 1.0 benchmark report for Google Cloud Platform. The CIS 1.0 benchmark will eventually be deprecated once all Lacework customers have had time to migrate to the latest report.

Prerequisites

The following articles describe how to integrate your GCP environment with the Lacework Compliance platform. Completing these will prepare your environment for the GCP CIS 1.2 benchmark.

Choose one of the following options:

  1. GCP Compliance Integration - Manually using the GCP Console
    • This guide includes links to existing articles for creating the GCP Service Account, granting access, and enabling the required GCP APIs. Previous methods are now deprecated.
  2. GCP Compliance and Audit Log Integration - Terraform Using Google Cloud Shell
    • This guide has been updated for the new 1.0 Terraform module.
  3. GCP Compliance and Audit Log Integration - Terraform From Any Supported Host
    • This guide has been updated for the new 1.0 Terraform module.

Previous Integrations using the GCP Console

If you have previously integrated GCP with Lacework manually through the console, see the GCP CIS 1.2 Addition to the service account role.

Previous Integrations using Terraform

If you have previously integrated GCP with Lacework using Terraform, re-run terraform init -upgrade, followed by terraform apply to upgrade modules and automatically apply the new permission. This will ensure the correct permissions are in place to allow the CIS 1.2 report to complete.

Enable the GCP CIS 1.2 Benchmark

The GCP CIS 1.2 benchmark is released with all policies disabled.

On the Policies page, search for GCP_CIS12 to filter for GCP CIS 1.2 policies only.

You can enable or disable individual policies using its status toggle: policy-status-toggle.png

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.

Automated vs Manual Rules

Lacework automates compliance rules where possible. For some of the benchmark rules, it is not possible to automate the rule check in an GCP environment. These rules are called manual rules. You must verify such rules manually.

Organization vs Project Level Rules

The majority of the GCP CIS benchmark rules are evaluated at the Project level, however, some are evaluated at the Organization level. As such, depending on your level of integration with GCP, these Organization level rules may not display.

In addition, some rules are fully 'Automated' while some are categorized as 'Manual'. 'Manual' rule types cannot be assessed end-to-end by Lacework platform, and must be left to the customer to follow the auditing procedure.

The following table is a list of all the Organization level GCP CIS benchmark rules:

Rule IDAssessment StatusCategoryTitle
GCP_CIS_1_2ManualIdentity and Access ManagementEnsure that multi-factor authentication is enabled for all non-service accounts.
GCP_CIS12_1_1ManualIdentity and Access ManagementEnsure that corporate login credentials are used.
GCP_CIS12_1_2ManualIdentity and Access ManagementEnsure that multi-factor authentication is enabled for all non-service accounts.
GCP_CIS12_1_3ManualIdentity and Access ManagementEnsure that Security Key Enforcement is enabled for all admin accounts.
GCP_CIS12_2_1AutomatedLogging and MonitoringEnsure that Cloud Audit Logging is configured properly across all services and all users from a project.
GCP_CIS12_2_2AutomatedLogging and MonitoringEnsure that sinks are configured for all Log entries.
GCP_CIS12_2_3AutomatedLogging and MonitoringEnsure that retention policies on log buckets are configured using Bucket Lock.

For Organization level GCP rules, that are Automated - if any violations are found, you can obtain the results as follows:

  • Go to the Compliance > Cloud screen
  • When grouped by policy, search for the rule text and click the policy to view the policy assessment and non-compliant resources.

In addition, the resources in violation will surface to the Alerts Dossier.

For Organization level GCP rules that are Manual - these rules do not appear in the Lacework Platform.

In addition, GCP_CIS12_1_1 has been incorrectly categorized as an 'Automated' rule in the GCP CIS 1.2.0 benchmark. This is recognized by CIS as incorrect and will be updated to 'Manual' in subsequent benchmarks.