Compliance Manager cloud controls
This document provides reference content for the built-in cloud controls that are included in Compliance Manager. Cloud controls can apply to organizations, folders, or projects.
Google Cloud cloud controls
Activate Security Command Center
Activate Security Command Center to evaluate security and data attack surfaces and help mitigate and remediate risks related to misconfigurations, vulnerabilities, and threats.
| Enforcement mode | Audit |
| Finding category | SCC_NOT_ACTIVATED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To activate Security Command Center, see Overview of activating Security Command Center.
Activate Security Command Center for Continuous Monitoring
Use Security Command Center to define security policies and deploy and monitor them.
| Enforcement mode | Audit |
| Finding category | SECURITY_COMMAND_CENTER_NOT_ACTIVATED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Activate Security Command Center.
Create and deploy frameworks with cloud controls that align with your security policies.
Integrate with notification channels such as email and chat.
Allocate Audit Log Storage Capacity
Allocate sufficient audit log storage capacity to accommodate audit logs.
| Enforcement mode | |
| Severity | LOW |
| Finding category | INSUFFICIENT_AUDIT_LOG_STORAGE |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Verify that you can see audit logs.
Verify that logs are being exported to the Cloud Storage bucket.
Verify the retention period for your log buckets.
Verify log storage capacity. In the console, go to Logging > Metrics and enter the following:
custom.googleapis.com/log_storage_capacity
Verify the alerting policy for low log storage in your bucket.
Verify that storage capacity is sufficient for the Cloud Storage bucket (the usage is less than 90%).
Review the bucket retention period to ensure that regular review and adjustment of log storage capacity is complete.
Apply Security Engineering Principles
Apply system security and privacy engineering principles in the specification, design, development, implementation, and modification of the system components.
| Enforcement mode | Audit |
| Finding category | MISSING_SECURITY_ENGINEERING_PRINCIPLES |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Address security requirements when building and applying security engineering principles to new development and operations of your data and information systems.
Include defense in depth at every phase of your system development life cycle, secure coding, security control tailoring, threat modeling, and risk management of your data and information system.
Assess Actions that Don't Require Identification or Authentication
Allow specific user actions without identification or authentication if they are deemed unnecessary, such as accessing public websites. The exception applies when identification and authentication have not occurred, not when they are simply not repeated.
| Enforcement mode | Audit |
| Finding category | ACTIONS_WITHOUT_IDENTIFICATION_AUTHENTICATION |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Review permissions assigned to service accounts, users, and roles.
Monitor service accounts, especially those with elevated privileges.
Review IAM allow policies to ensure only authorized entities have the necessary permissions.
Review external IP addresses and firewall rules to help prevent unauthorized access.
Identify the user actions that don't require identification or authentication.
Review system designs and use cases to understand the scenarios.
Evaluate the potential risks and impact of each exemption.
Document your rationale for exemptions.
Identify the security controls that mitigate the potential risks.
Align exemptions with your organization's compliance requirements.
Assess the Availability of Compute and GKE Resources
Protect the availability of Compute Engine VM instances and Google Kubernetes Engine (GKE) containers by allocating sufficient resources based on priority, quota, and security safeguards.
| Enforcement mode | Audit |
| Finding category | MISSING_RESOURCE_ASSESSMENT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Use Cloud Monitoring and other observability tools to monitor demand and performance.
In the Cloud Monitoring dashboard, review the VM configuration.
Review deployment scripts and orchestration tools to confirm that they allocate resources as intended.
Review GKE system metrics for resource allocations.
Assign Correct Bucket Label
Bucket labels let you create key:value pairs that are stored as part of the bucket's metadata. You can use these labels to help identify the purpose of the bucket to your organization.
| Enforcement mode | Audit |
| Finding category | BUCKET_LABEL_INCORRECT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the correct label for Cloud Storage buckets. For more information, see Add, modify, or remove a bucket's labels.
Authorize and Monitor Privileged Remote Access
Authorize the execution of privileged commands and access to security information through remote access.
| Enforcement mode | Audit |
| Finding category | PRIVILEGED_REMOTE_ACCESS_NOT_AUTHORIZED_MONITORED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Create custom roles for privileged access or consider temporary elevated access.
Grant only specific roles to service accounts for automated systems that require remote access.
Use SSH for remote access to VMs.
Enable audit logging for services that store sensitive data.
Configure VPC Flow Logs to capture network traffic.
Enable Binary Authorization to enforce policies when deploying images.
Use Secret Manager to create and store secrets.
Configure alerting policies for unusual or unauthorized activities.
Authorize Wireless Access to Production Systems
Authorize wireless access to applications in production environments.
| Enforcement mode | Audit |
| Finding category | WIRELESS_ACCESS_PRODUCTION_SYSTEMS_NOT_AUTHORIZED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access to your systems. Authorize wireless access to your systems before you allow such connections.
Automate Account Management System
Ensure that you have IAM policy structures to automate IAM role assignments based on resources and context-specific conditions.
| Enforcement mode | Audit |
| Finding category | ACCOUNT_MANAGEMENT_SYSTEMS_NOT_SUPPORTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To retrieve log entries, see List log entries.
To get a ServiceAccount, see Get a ServiceAccount.
To get the definition of a role, see Get Role Definition.
Automate Integrity Verification
Employ integrity verification tools to detect unauthorized changes to your software, firmware, and information.
| Enforcement mode | Audit |
| Finding category | IMPROPER_INTEGRITY_VERIFICATION_MECHANISMS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Configure your OS policy to perform integrity verification. For more information, see OS policy and OS policy assignment, Create an OS policy assignment, and Manage OS policy assignments.
Create custom tools that regularly check the integrity of software and configurations.
Automate Near Real-time Event Analysis
Use automated tools to support near real-time analysis of events.
| Enforcement mode | Audit |
| Finding category | REAL_TIME_EVENT_ANALYSIS_NOT_AUTOMATED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Implement automated real-time event analysis:
Use Cloud Monitoring and Cloud Logging to collect, monitor, and analyze event data, such as system and application logs, performance metrics, and other relevant information.
Create custom monitoring metrics in Cloud Monitoring to track specific parameters that are critical.
Set up alerting policies in Cloud Monitoring to receive notifications when metrics or logs indicate unusual or unauthorized activities.
Use Pub/Sub to create topics and subscriptions for real-time event processing. For more information, see Publish message overview and Subscription overview.
Avoid RSASHA1 for DNSSEC Signing
Don't use the RSASHA1 algorithm for key signing when enabling DNSSEC for Cloud DNS zones.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | RSASHA1_FOR_SIGNING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Replace the algorithm. For more information, see Using advanced signing options.
Block Administrator Roles from Service Accounts
A service account with Administrator, Owner, or Editor privileges has broad access to your Google Cloud environment, which can impact its security.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ADMIN_SERVICE_ACCOUNT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the IAM policy page in the Google Cloud console, click Edit principal, and remove the excessive role or roles.
Block Automatic IAM Grants to Default Service Accounts
Use the "Disable Automatic IAM Grants for Default Service Accounts" (iam.automaticIamGrantsForDefaultServiceAccounts) organization policy constraint to prevent automatic role grants to default service accounts.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ORG_POLICY_AUTOMATIC_IAM_GRANTS_TO_DEFAULT_SERVICE_ACCOUNTS_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To disable the automatic role grant, see Disable automatic role grants to default service accounts.
Block Connections to Cassandra Ports from All IP Addresses
Block connections on TCP ports 7000, 70001, 7199, 8888, 9042, 9160, 61620, and 61621 from all IP addresses to help prevent unwanted traffic and attacks on Apache Cassandra services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_CASSANDRA_PORT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:7000, tcp:70001, tcp:7199, tcp:8888, tcp:9042, tcp:9160, tcp:61620, and tcp:61621 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.
Block Connections to DNS Ports from All IP Addresses
Block connections on TCP port 53 or UDP port 53 from all IP addresses to help prevent undesired traffic and attacks on DNS services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_DNS_PORT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:53 and udp:53 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.
Block Connections to Elasticsearch Ports from All IP Addresses
Block connections on TCP ports 9200 and 9300 from all IP addresses to help prevent undesired traffic and attacks on Elasticsearch services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_ELASTICSEARCH_PORT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:9200 and tcp:9300 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.
Block Connections to FTP Ports from All IP Addresses
Block connections on TCP port 21 from all IP addresses to help prevent undesired traffic and attacks on FTP services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_FTP_PORT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:21 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.
Block Connections to LDAP Ports from All IP Addresses
Block connections on TCP ports 389 and 636 and UDP port 389 from all IP addresses to help prevent undesired traffic and attacks on LDAP services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_LDAP_PORT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:389, tcp:636, and udp:389 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.
Block Connections to Memcached Ports from All IP Addresses
Block connections on TCP ports 11211, 11214, and 11215 or UDP ports 11211, 11214, and 11215 from all IP addresses to help prevent undesired traffic and attacks on Memcached services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_MEMCACHED_PORT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:11211, tcp:11214, tcp:11215, udp:11211, udp:11214, and udp:11215 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.
Block Connections to MongoDB Ports from All IP Addresses
Block connections on TCP ports 27017, 27018, and 27019 from all IP addresses to help prevent undesired traffic and attacks on MongoDB services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_MONGODB_PORT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:27017, tcp:27018, and tcp:27019 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.
Block Connections to MySQL Ports from All IP Addresses
Block connections on TCP port 3306 from all IP addresses to help prevent undesired traffic and attacks on MySQL services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_MYSQL_PORT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:3306 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.
Block Connections to NetBIOS Ports from All IP Addresses
Block connections from all IP addresses to TCP and UDP ports 137, 138, and 139 to help prevent undesired traffic and attacks on NetBIOS services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_NETBIOS_PORT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:137-139 and udp:137-139 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.
Block Connections to Oracle Database Ports from All IP Addresses
Block connections from all IP addresses to TCP ports 1521, 2483, and 2484 or UDP ports 2483 and 2484 to help prevent undesired traffic and attacks on Oracle databases.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_ORACLEDB_PORT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:1521, tcp:2483, tcp:2484, udp:2483, and udp:2484 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.
Block Connections to POP3 Server Ports from All IP Addresses
Block connections on TCP port 110 from all IP addresses to help prevent undesired traffic and attacks on POP3 services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_POP3_PORT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:110 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.
Block Connections to PostgreSQL Server Ports from All IP Addresses
Block connections on TCP port 5432 from all IP addresses to help prevent undesired traffic and attacks on PostgreSQL services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_POSTGRESQL_PORT |
| Revision number | 1.2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:5432 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.
Block Connections to Redis Server Ports from All IP Addresses
Block connections on TCP port 6379 from all IP addresses to help prevent undesired traffic and attacks on Redis services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_REDIS_PORT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:6379 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.
Block Connections to SMTP Server Ports from All IP Addresses
Block connections on TCP port 25 from all IP addresses to help prevent undesired traffic and attacks on SMTP services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_SMTP_PORT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:25 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.
Block Default VPC Network for Vertex AI Workbench Instances
Don't create Workbench instances in the default VPC network, to help prevent the use of its over-permissive default firewall rules.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_WORKBENCH_DEFAULT_VPC_NETWORK_USED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't change the network on a Workbench instance after it's created. Delete the existing Workbench instances, create another VPC network, and create new instances that use the new VPC network.
Delete the instances. For instructions to shut down an instance before deleting it, see Shut down a Vertex AI Workbench instance.
Create a VPC network and subnet for the project. For instructions, see Create and manage VPC networks. For information about Workbench networking requirements, see Network configuration options.
Create the instances. For instructions, see Create a Vertex AI Workbench instance. In the Networking section, select the VPC network and subnet that you created.
Block External IP Address Access on Compute Engine VM Instances
Use the "Define allowed external IPs for VM instances" (compute.vmExternalIpAccess) organization policy constraint to block public access to your VMs.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | ORG_POLICY_EXTERNAL_IP_ACCESS_ALLOWED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To block external IP addresses on Compute Engine VM instances, see Restrict external IP addresses to specific instances.
Block File Downloading in JupyterLab Console
Don't permit file downloading from the JupyterLab console in Workbench instances, to reduce data exfiltration risks and help prevent malware distribution.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | VERTEX_AI_JUPYTERLAB_FILE_DOWNLOADING_ENABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Turn off file downloading for the instance.
In the Google Cloud console, go to the Instances page.
Click the instance that you want to configure.
In the Software and security tab, add the notebook-disable-downloads metadata key and set the value to TRUE.
For more information, see Update an instance's metadata.
Block Generic Access to CiscoSecure/WebSM Ports
Block incoming connections on TCP port 9090 from all IP addresses to help prevent undesired traffic and attacks on CiscoSecure/WebSM services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_CISCOSECURE_WEBSM_PORT |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:9090 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.
Block Generic Access to Directory Service Ports
Block incoming connections on TCP port 445 or UDP port 445 from all IP addresses to help prevent undesired traffic and attacks on Directory Services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_DIRECTORY_SERVICES_PORT |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to ports tcp:445 and udp:445 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access these ports instead. For more information, see Use VPC firewall rules.
Block Generic Access to HTTP Ports
Block incoming connections on TCP port 80 from all IP addresses to help prevent undesired traffic and attacks on HTTP services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_HTTP_PORT |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:80 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.
Block Generic Access to RDP Ports
Block incoming connections on TCP port 3389 or UDP port 3389 from all IP addresses to help prevent undesired traffic and attacks on RDP servers.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_RDP_PORT |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Remove public access from the RDP port. Go to the Firewall policies page in the Google Cloud console and edit the firewall rule. Under Source IP ranges, delete 0.0.0.0/0 and add the specific IP addresses or IP ranges that you want to let connect to the instance. Select TCP and UDP, and enter port 3389 for both.
Block Generic Access to SSH Ports
Block incoming connections on TCP port 22 or SCTP port 22 from all IP addresses to help prevent undesired traffic and attacks on SSH servers.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_SSH_PORT |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Remove public access from the SSH port. Go to the Firewall policies page in the Google Cloud console and edit the firewall rule. Under Source IP ranges, delete 0.0.0.0/0 and add the specific IP addresses or IP ranges that you want to let connect to the instance. Select TCP and SCTP, and enter port 22 for both.
Block Generic Access to Telnet Servers
Block incoming connections on TCP port 23 from all IP addresses to help prevent undesired traffic and attacks on Telnet services.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_TELNET_PORT |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to deny access to port tcp:23 from the source IP range 0.0.0.0/0. Create a firewall rule that permits specific IP address ranges to access this port instead. For more information, see Use VPC firewall rules.
Block Internet Access for Vertex AI Runtime Templates
Don't permit internet access in Colab Enterprise runtime templates, to reduce the external attack surface and help prevent potential data exfiltration.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_RUNTIME_TEMPLATE_INTERNET_ACCESS_ENABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't change this setting after the runtime template is created. Delete the existing runtime template and create a new one with internet access turned off.
Delete the runtime template. For instructions, see Delete a runtime template.
Create a runtime template. For instructions, see Create a runtime template. To turn off internet access, in the Networking and security section, clear Enable public internet access.
Block Legacy Authorization on GKE Clusters
Disable Legacy Authorization so that role-based access control (RBAC) is used. RBAC helps improve security by defining specific permissions at the cluster and namespace levels.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | LEGACY_AUTHORIZATION_ENABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Select the cluster, click Edit, and select Disabled from the Legacy Authorization dropdown list.
Block Overly Permissive Firewall Rules
Firewall rules that permit connections from all IP addresses (for example, 0.0.0.0/0) or on all ports expose resources to attacks from unintended sources. This control creates a violation for ingress firewall rules with "allow" actions if either of the following is true. First, the source ranges include 0.0.0.0/0 and the allowed protocols are not limited to ICMP and TCP on port 443. Second, the rule permits all protocols, or permits TCP or UDP without port restrictions.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | OPEN_FIREWALL |
| Revision number | 3 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Firewall page in the Google Cloud console. Click the firewall rule name, then click Edit. Edit the firewall rule to restrict access from the source IP range 0.0.0.0/0 and add specific protocols and port ranges. For more information, see Use VPC firewall rules.
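The OPEN_FIREWALL logic just described, together with the "Block Connections ... from All IP Addresses" family of open-port controls above, can be checked offline against exported VPC firewall rules. The following is an added example, not code from this page or from Compliance Manager; it assumes rules in the field layout of the Compute Engine firewall resource (direction, sourceRanges, allowed[].IPProtocol, allowed[].ports), the sample rules are constructed, and the port table covers only a subset of the page's controls.

```python
"""Evaluate VPC firewall rules against this page's open-port controls and
the OPEN_FIREWALL logic. Input shape (Compute Engine firewall resource
fields) is an assumption; SAMPLE_RULES below are constructed."""

ANY_IPV4 = "0.0.0.0/0"

# Port sets copied from a subset of the page's "Block Connections ... from
# All IP Addresses" controls, keyed by finding category.
OPEN_PORT_CONTROLS = {
    "OPEN_MYSQL_PORT": {"tcp": {3306}},
    "OPEN_REDIS_PORT": {"tcp": {6379}},
    "OPEN_DNS_PORT": {"tcp": {53}, "udp": {53}},
    "OPEN_LDAP_PORT": {"tcp": {389, 636}, "udp": {389}},
    "OPEN_NETBIOS_PORT": {"tcp": {137, 138, 139}, "udp": {137, 138, 139}},
    "OPEN_SSH_PORT": {"tcp": {22}, "sctp": {22}},
}


def expand_ports(port_specs):
    """Turn ["22", "137-139"] into {22, 137, 138, 139}. An empty or
    missing list means every port, returned as None to tell it apart."""
    if not port_specs:
        return None
    ports = set()
    for spec in port_specs:
        lo, _, hi = str(spec).partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _is_public_ingress_allow(rule):
    return (rule.get("direction", "INGRESS") == "INGRESS"
            and ANY_IPV4 in rule.get("sourceRanges", [])
            and bool(rule.get("allowed")))


def open_port_findings(rule):
    """Return the OPEN_*_PORT categories a single rule triggers."""
    hits = set()
    if not _is_public_ingress_allow(rule):
        return hits
    for entry in rule["allowed"]:
        proto = entry.get("IPProtocol", "").lower()
        ports = expand_ports(entry.get("ports"))
        for category, wanted in OPEN_PORT_CONTROLS.items():
            if proto == "all":
                hits.add(category)  # every protocol and port is reachable
            elif proto in wanted and (ports is None or ports & wanted[proto]):
                hits.add(category)
    return hits


def is_overly_permissive(rule):
    """OPEN_FIREWALL as the page states it: (1) source 0.0.0.0/0 and allowed
    protocols not limited to ICMP and TCP 443, or (2) all protocols, or
    TCP/UDP without port restrictions (the page gives no source condition)."""
    if rule.get("direction", "INGRESS") != "INGRESS" or not rule.get("allowed"):
        return False
    for entry in rule["allowed"]:  # condition (2)
        proto = entry.get("IPProtocol", "").lower()
        if proto == "all" or (proto in ("tcp", "udp") and not entry.get("ports")):
            return True
    if ANY_IPV4 not in rule.get("sourceRanges", []):
        return False
    for entry in rule["allowed"]:  # condition (1)
        proto = entry.get("IPProtocol", "").lower()
        if proto == "icmp":
            continue
        if proto == "tcp" and expand_ports(entry.get("ports")) == {443}:
            continue
        return True
    return False


def scan(rules):
    """Map each rule name to the sorted finding categories it triggers."""
    report = {}
    for rule in rules:
        categories = open_port_findings(rule)
        if is_overly_permissive(rule):
            categories.add("OPEN_FIREWALL")
        if categories:
            report[rule.get("name", "<unnamed>")] = sorted(categories)
    return report


# Constructed sample rules, not taken from any real project.
SAMPLE_RULES = [
    {"name": "allow-https-from-internet", "direction": "INGRESS", "sourceRanges": [ANY_IPV4],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}, {"IPProtocol": "icmp"}]},
    {"name": "allow-ssh-mysql-from-internet", "direction": "INGRESS", "sourceRanges": [ANY_IPV4],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3306"]}]},
    {"name": "allow-udp-range-from-internet", "direction": "INGRESS", "sourceRanges": [ANY_IPV4],
     "allowed": [{"IPProtocol": "udp", "ports": ["130-140"]}]},
    {"name": "allow-all-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "egress-all", "direction": "EGRESS", "destinationRanges": [ANY_IPV4],
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, categories in scan(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(categories)}")
```

Note that the HTTPS-only rule passes both checks while the internal allow-all rule is flagged by the page's second OPEN_FIREWALL condition, which mentions no source-range requirement.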
Block Project-Wide SSH Keys on Compute Engine Instances
Project-wide SSH keys provide access to all VM instances within the project, which might lead to unauthorized access.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Block SSH keys on the VM instance. Go to theCompute Engine >VM instances page in the Google Cloud console. Click the instance name in the finding. On theVM instance details page, clickEdit. UnderSSH Keys, selectBlock project-wide SSH keys.
Block Public Access to BigQuery Datasets with Sensitive Data
Restrict public access to BigQuery datasets that contain sensitive data to avoid data exposure risks.
| Enforcement mode | Detective |
| Severity | CRITICAL |
| Finding category | SENSITIVE_DATA_PUBLIC_DATASET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
Remediation steps
Remove the principals allUsers and allAuthenticatedUsers from the dataset permissions. For more information, see Revoke access to a dataset.
Also follow your organization's incident response playbooks for handling sensitive data leaks, because the data might already have been read while it was public.
Block Public Access to Cloud SQL Instances with Sensitive Data
Restrict public access to Cloud SQL instances that contain sensitive data to avoid data exposure risks.
| Enforcement mode | Detective |
| Severity | CRITICAL |
| Finding category | SENSITIVE_DATA_PUBLIC_SQL_INSTANCE |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
Remediation steps
Go to the Cloud SQL Instances page in the Google Cloud console. Click the instance name. Select Connections. Under Authorized networks, delete 0.0.0.0/0. Add only the IP addresses or IP ranges that you want to let connect to your instance.
For more information, see Authorize with authorized networks.
Also follow your organization's incident response playbooks for handling sensitive data leaks, because the data might already have been read while the instance was publicly reachable.
Block Public Access to Cloud Storage Buckets with Sensitive Data
The Data Security Posture Management (DSPM) service has detected publicly exposed sensitive data in a Cloud Storage bucket. This is a data security risk that requires immediate attention.
| Enforcement mode | Detective |
| Severity | CRITICAL |
| Finding category | SENSITIVE_DATA_PUBLIC_BUCKET_ACL |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
Remediation steps
- Follow the remediation steps for the related findings:
  - the Public Bucket ACL finding
  - the High Sensitive Data finding
- When either of the related findings is resolved, this finding is resolved automatically.
For more detailed information, view the user guide.
Block Public IP Address for Vertex AI Workbench Instances
Don't permit external IP addresses for Workbench instances to reduce exposure to the internet and minimize the risk of unauthorized access.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_WORKBENCH_PUBLIC_IP_ENABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
You can't change this setting after the Workbench instance is created. Delete the existing instance and create a new one with the appropriate IP configuration.
Delete the instance. For instructions to shut down the instance before deleting it, see Shut down a Vertex AI Workbench instance.
In the Google Cloud console, go to the Instances page.
Create a new instance. In the Networking section, clear Assign external IP address.
Consider setting the Define allowed external IPs for VM instances (constraints/compute.vmExternalIpAccess) organization policy constraint at the organization level to prevent VM instances from using external IP addresses. For more information, see Restrict external IP addresses to specific instances.
Block Public IP Addresses for AlloyDB Cluster Instances
AlloyDB for PostgreSQL database instances with private IP addresses help to reduce your organization's attack surface and improve network security.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ALLOYDB_PUBLIC_IP |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the AlloyDB > Clusters page in the Google Cloud console. Click the cluster in the Resource Name column, and edit the instance. Go to Connectivity, and clear Enable Public IP.
Block Public IP Addresses for Cloud SQL Instances
Don't assign public IP addresses to Cloud SQL database instances.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_PUBLIC_IP |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console. Click Connections > Networking, and clear the Public IP checkbox for the instance. Use a private IP address instead. For more information, see Configuring private IP for an existing instance.
Block Root Access on Vertex AI Workbench Instances
Don't permit root access on Workbench instances to help prevent unauthorized modification of critical system files or installation of malicious software.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | VERTEX_AI_WORKBENCH_ROOT_ACCESS_ENABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Turn off root access on the Workbench instance.
In the Google Cloud console, go to the Instances page.
Click the instance that you want to configure.
On the Software and security tab, clear the Root access to the instance setting.
Click Submit.
Block Root Access on Vertex AI Workbench Instances
Use the "Disable root access on new Vertex AI Workbench user-managed notebooks and instances" (ainotebooks.disableRootAccess) organization policy constraint to help prevent newly created Vertex AI Workbench user-managed notebooks and instances from enabling root access.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ORG_POLICY_ROOT_ACCESS_ON_VERTEXAI_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the Disable root access on new Vertex AI Workbench user-managed notebooks and instances (ainotebooks.disableRootAccess) organization policy constraint to true to block root access on new Vertex AI Workbench user-managed notebooks and instances. The constraint applies only to newly created resources; use the preceding control to turn off root access on instances that already exist. For more information, see Updating policies with boolean rules.
Block Serial Ports for Compute Engine Instances
Serial console support on an instance poses a security risk as clients might connect from any IP address. Disabling serial ports helps protect from such exposures.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | COMPUTE_SERIAL_PORTS_ENABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Block serial ports. Go to the Compute Engine > VM instances page in the Google Cloud console. Click the VM instance name listed in the finding. On the VM instance details page, click Edit. Under Remote access, turn off Enable connecting to serial ports.
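A way to audit this control and Block Project-Wide SSH Keys on Compute Engine Instances (above) across many VMs at once, as an added example that is not part of the original page: both settings are instance metadata keys, so the audit reads the metadata shapes that `gcloud compute instances list --format=json` and `gcloud compute project-info describe --format=json` return and emits the `gcloud compute instances add-metadata` command that is the CLI equivalent of each console step. The sample data is constructed and zones are shortened to their bare names; accepting both TRUE and 1 as "enabled" is an assumption about value spellings.

```python
from typing import Any, Dict, List, Optional

Instance = Dict[str, Any]
MetadataItems = List[Dict[str, str]]

# Constructed project metadata (the commonInstanceMetadata.items field of
# `gcloud compute project-info describe --format=json`) and instances (the shape of
# `gcloud compute instances list --format=json`, with zones shortened to their names).
# Sample data for this example, not resources from any real project.
PROJECT_METADATA: MetadataItems = [{"key": "serial-port-enable", "value": "TRUE"}]

SAMPLE_INSTANCES: List[Instance] = [
    {"name": "web-1", "zone": "us-central1-a",
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"},
                            {"key": "serial-port-enable", "value": "FALSE"}]}},
    {"name": "bastion", "zone": "us-central1-a",
     "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]}},
    {"name": "legacy-db", "zone": "us-central1-b",
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"},
                            {"key": "serial-port-enable", "value": "0"}]}},
    {"name": "batch-3", "zone": "us-central1-b", "metadata": {}},
]

# Metadata values that clear each finding, applied with `gcloud compute instances add-metadata`.
REMEDIATION = {
    "COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED": "block-project-ssh-keys=TRUE",
    "COMPUTE_SERIAL_PORTS_ENABLED": "serial-port-enable=FALSE",
}


def _enabled(value: Optional[str]) -> bool:
    # TRUE and 1 are both treated as "on" here; the exact set of accepted spellings is an assumption.
    return value is not None and value.strip().lower() in ("true", "1")


def _lookup(items: MetadataItems, key: str) -> Optional[str]:
    for item in items:
        if item.get("key") == key:
            return item.get("value")
    return None


def audit_instance(instance: Instance, project_metadata: MetadataItems = ()) -> List[str]:
    """Return the finding categories that apply to one instance."""
    items = instance.get("metadata", {}).get("items", [])
    findings: List[str] = []
    # block-project-ssh-keys is read from the instance only: unless it is TRUE there,
    # every key in project metadata grants SSH access to this VM.
    if not _enabled(_lookup(items, "block-project-ssh-keys")):
        findings.append("COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED")
    # serial-port-enable can be set on the project or the instance; the instance value wins,
    # so a project-wide TRUE still enables the console on every VM that does not override it.
    serial = _lookup(items, "serial-port-enable")
    if serial is None:
        serial = _lookup(list(project_metadata), "serial-port-enable")
    if _enabled(serial):
        findings.append("COMPUTE_SERIAL_PORTS_ENABLED")
    return findings


def audit_project(instances: List[Instance], project_metadata: MetadataItems = ()) -> Dict[str, List[str]]:
    """Map each non-compliant instance name to its findings."""
    report: Dict[str, List[str]] = {}
    for instance in instances:
        findings = audit_instance(instance, project_metadata)
        if findings:
            report[instance["name"]] = findings
    return report


def remediation_commands(instance: Instance, project_metadata: MetadataItems = ()) -> List[str]:
    """The gcloud commands that clear each finding by setting instance-level metadata."""
    return [
        f"gcloud compute instances add-metadata {instance['name']} "
        f"--zone {instance['zone']} --metadata {REMEDIATION[finding]}"
        for finding in audit_instance(instance, project_metadata)
    ]


if __name__ == "__main__":
    for instance in SAMPLE_INSTANCES:
        for command in remediation_commands(instance, PROJECT_METADATA):
            print(command)
```

The `batch-3` case is the one to watch for: it has no instance metadata at all, yet it is flagged for the serial console because the project-level `serial-port-enable=TRUE` applies to every VM that does not override it, and it is flagged for project-wide SSH keys because the block key must be set explicitly on the instance.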
Block Service Account Key Creation
Use the "Disable service account key creation" (iam.disableServiceAccountKeyCreation) organization policy constraint to prevent the creation of service account external keys and Cloud Storage HMAC keys.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ORG_POLICY_SERVICE_ACCOUNT_KEY_CREATION_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To enforce the organization policy, see Disable service account key creation. The constraint blocks new keys only; keys that already exist remain valid until you delete them.
Block Service Account Key Uploads
Use the "Disable Service Account Key Upload" (iam.disableServiceAccountKeyUpload) organization policy constraint to prevent the upload of public keys to service accounts.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ORG_POLICY_SERVICE_ACCOUNT_KEY_UPLOAD_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To enforce the organization policy, see Disable service account key upload.
Block Terminal Access on Vertex AI Workbench Instances
Use the "Disable terminal on new Vertex AI Workbench instances" (ainotebooks.disableTerminal) organization policy constraint to help prevent the creation of Vertex AI Workbench instances with the terminal enabled.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | TERMINAL_ACCESS_ON_VERTEXAI_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the Disable terminal on new Vertex AI Workbench instances (ainotebooks.disableTerminal) organization policy constraint to true to block the terminal on new Vertex AI Workbench instances. For more information, see Updating policies with boolean rules.
Centrally Track Remediation of Vulnerabilities
Ensures a centralized system is in place for tracking the remediation of identified security vulnerabilities.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_CENTRALIZED_REMEDIATION_OF_VULNERABILITIES |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Implement a centralized system to track, prioritize, and manage the mitigation and remediation of identified vulnerabilities. One way to do this is to establish a well-defined internal process that uses Security Command Center for identification, prioritization, and verification. For more information about workflows, see the Security Command Center documentation.
Conduct Role-specific Training
Ensure role-specific training is provided for high-risk roles.
| Enforcement mode | Audit |
| Severity | LOW |
| Finding category | MISSING_ROLE_SPECIFIC_TRAINING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Mandate role-specific training for high-risk roles, in particular for roles with privileged access. Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
Conduct Security Awareness Training
Ensure employees receive security awareness training.
| Enforcement mode | Audit |
| Severity | LOW |
| Finding category | MISSING_SECURITY_AWARENESS_TRAINING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Continuously educate your employees on cybersecurity measures, testing them regularly to ensure their knowledge is satisfactory.
Configure a Wireless Intrusion Detection Mechanism
Employ a wireless intrusion detection system to identify rogue wireless devices and detect attack attempts and potential system breaches.
| Enforcement mode | Audit |
| Finding category | WIRELESS_INTRUSION_DETECTION_MECHANISM_NOT_CONFIGURED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
This control doesn't apply to Google Cloud itself, because Google doesn't use or permit wireless networks in its production environment. Additionally, access to Google's data centers is highly restricted, and all unused ports are disabled on switches. During inspections for unauthorized wireless devices, the Google Security Team walks through data centers to verify that connected devices are authorized and meet Google's configuration management requirements. For your own environment, verify that you have set up appropriate wireless intrusion detection systems where applicable.
Configure Access Controls for the Network Boundary
Control external communication over the network using firewall rules.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | MISSING_ACCESS_CONTROLS_NETWORK_BOUNDARY |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
- Verify that these ports are blocked at the network boundary:
  Cassandra: TCP 7000, 7001, 7199, 8888, 9042, 9160, 61620, 61621
  CiscoSecure/WebSM: TCP 9090
  Directory Services: TCP 445; UDP 445
  DNS services: TCP 53; UDP 53
  Elasticsearch: TCP 9200, 9300
  FTP: TCP 21
  HTTP: TCP 80
  LDAP: TCP 389, 636; UDP 389
  Memcached: TCP 11211, 11214, 11215; UDP 11211, 11214, 11215
  MongoDB: TCP 27017-27019
  MySQL: TCP 3306
  NetBIOS: TCP 137-139; UDP 137-139
  OracleDB: TCP 1521, 2483, 2484; UDP 2483, 2484
  POP3: TCP 110
  PostgreSQL: TCP 5432
  RDP: TCP 3389; UDP 3389
  Redis: TCP 6379
  SMTP: TCP 25
  SSH: TCP 22; SCTP 22
  Telnet: TCP 23
- Verify SSL/TLS certificates.
- Verify that Cloud NAT provides outbound connectivity for instances without public IPs.
- Configure logging and VPC Flow Logs.
- Verify GKE network policy and Dataplane V2.
- Verify that VMs don't have public IPs. For stopped instances, ensure that the network doesn't permit external access.
- Verify that the Compute Engine default service account isn't used.
Configure Log Metrics and Alerts for Audit Logging Changes
Configure log metrics and alerts to monitor changes to the audit logging configuration (the audit config section of IAM allow policies, which is changed through SetIamPolicy). Monitoring these changes helps to detect attempts to reduce audit log coverage, as well as over-privileged users or suspicious activity.
| Enforcement mode | |
| Severity | LOW |
| Finding category | AUDIT_CONFIG_NOT_MONITORED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the User-defined metrics section, click inside the Filter box, select Filter, and paste the following text, replacing the existing text:
resource.type=global AND protoPayload.methodName=SetIamPolicy AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*
Click Create metric and set the alert policy.
Configure Log Metrics and Alerts for Cloud SQL Configuration Changes
Configure log metrics and alerts to monitor configuration changes for Cloud SQL instances. Monitoring changes helps detect misconfigurations.
| Enforcement mode | |
| Severity | LOW |
| Finding category | SQL_INSTANCE_NOT_MONITORED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the User-defined metrics section, click inside the Filter box, select Filter, and paste the following text, replacing the existing text:
protoPayload.methodName=cloudsql.instances.update
Click Create metric and set the alert policy.
Configure Log Metrics and Alerts for Cloud Storage IAM Policy Changes
Log metrics and alerts configured to monitor Cloud Storage IAM permission changes helps to identify over-privileged users or suspicious activity.
| Enforcement mode | |
| Severity | LOW |
| Finding category | BUCKET_IAM_NOT_MONITORED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Log-based Metrics page within Logging in the Google Cloud console. In the User-defined metrics section, click Create metric. Click inside the Filter box, select Filter, and paste the following text, replacing the existing text:
resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions
After you create the metric, go to the Actions menu and click Create alert from metric to set alert policies. For more information, see Log-based metrics overview.
Configure Log Metrics and Alerts for Custom Role Changes
Configure log metrics and alerts to monitor custom role changes. Monitoring role creation, deletion, and update activities helps to identify over-privileged roles at early stages.
| Enforcement mode | |
| Severity | LOW |
| Finding category | CUSTOM_ROLE_NOT_MONITORED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the User-defined metrics section, click inside the Filter box, select Filter, and paste the following text, replacing the existing text (the three method names are grouped in parentheses so that the resource type condition applies to all of them):
resource.type=iam_role AND (protoPayload.methodName=google.iam.admin.v1.CreateRole OR protoPayload.methodName=google.iam.admin.v1.DeleteRole OR protoPayload.methodName=google.iam.admin.v1.UpdateRole)
Click Create metric and set the alert policy.
Configure Log Metrics and Alerts for VPC Network Changes
Configure log metrics and alerts to monitor VPC network changes. Monitoring network changes helps detect incorrect or unauthorized changes to your network setup.
| Enforcement mode | |
| Severity | LOW |
| Finding category | NETWORK_NOT_MONITORED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Logs-based Metrics page within Logging in the Google Cloud console. Click Create metric. In the Metric type field, select Counter. In the Details section, set Units to 1. In the Builder filter box, copy and paste the following text, replacing the existing text:
resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")
Click Create metric and set the alert policy.
Configure Log Metrics and Alerts for VPC Network Firewall Changes
Configure log metrics and alerts to monitor VPC network firewall rule changes. Monitoring VPC network firewall rule changes helps detect suspicious activity and helps to provide better insight into network access changes.
| Enforcement mode | |
| Severity | LOW |
| Finding category | FIREWALL_NOT_MONITORED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the Metric type field, select Counter. In the Details section, set Units to 1. In the Builder filter box, copy and paste the following text, replacing the existing text:
resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.delete")
Click Create metric and set the alert policy.
Configure Log Metrics and Alerts for VPC Route Changes
Configure log metrics and alerts to monitor VPC network route changes. Monitoring route changes helps ensure that VPC traffic keeps flowing through the expected paths and that no route is added or removed without review.
| Enforcement mode | |
| Severity | LOW |
| Finding category | ROUTE_NOT_MONITORED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to Logs-based Metrics within the Logging page in the Google Cloud console. Click Create metric. In the User-defined metrics section, click inside the Filter box, select Filter, and paste the following text, replacing the existing text:
resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert")
Click Create metric and set the alert policy.
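The seven log-based metric filters above (from Configure Log Metrics and Alerts for Audit Logging Changes through Configure Log Metrics and Alerts for VPC Route Changes), run against sample audit log entries, as an added example that is not part of the original page and not Cloud Logging's own implementation. The evaluator supports only the subset of the Logging query language these filters use (`=`, `:`, `:*`, AND, OR and parentheses); its precedence and matching rules are simplifications, marked as assumptions in the code, and the log entries are constructed. It makes visible the detail that decides whether a metric fires: `=` requires the exact method name, so a filter written as protoPayload.methodName=compute.networks.insert never matches the versioned name v1.compute.networks.insert that Compute Engine logs, while the `:` substring form the page uses does.

```python
import json
import re
from functools import reduce
from typing import Any, Callable, Dict, List

# The filters from the log-metric controls above; the custom-role OR clauses are parenthesized.
PAGE_FILTERS: Dict[str, str] = {
    "AUDIT_CONFIG_NOT_MONITORED": "resource.type=global AND protoPayload.methodName=SetIamPolicy AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*",
    "SQL_INSTANCE_NOT_MONITORED": "protoPayload.methodName=cloudsql.instances.update",
    "BUCKET_IAM_NOT_MONITORED": "resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions",
    "CUSTOM_ROLE_NOT_MONITORED": "resource.type=iam_role AND (protoPayload.methodName=google.iam.admin.v1.CreateRole OR "
                                 "protoPayload.methodName=google.iam.admin.v1.DeleteRole OR protoPayload.methodName=google.iam.admin.v1.UpdateRole)",
    "NETWORK_NOT_MONITORED": 'resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR '
                             'protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")',
    "FIREWALL_NOT_MONITORED": 'resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.insert" OR '
                              'protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.delete")',
    "ROUTE_NOT_MONITORED": 'resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert")',
}

# Constructed audit log entries trimmed to the fields the filters read (not real log records).
# Compute Engine method names carry an API-version prefix such as "v1." or "beta.", which is
# why the Compute filters on the page use the substring operator ":" rather than "=".
SAMPLE_ENTRIES: List[dict] = [
    {"resource": {"type": "iam_role"}, "protoPayload": {"methodName": "google.iam.admin.v1.CreateRole"}},
    {"resource": {"type": "gce_network"}, "protoPayload": {"methodName": "v1.compute.networks.insert"}},
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "beta.compute.firewalls.patch"}},
    {"resource": {"type": "gcs_bucket"}, "protoPayload": {"methodName": "storage.setIamPermissions"}},
    {"resource": {"type": "global"}, "protoPayload": {"methodName": "SetIamPolicy", "serviceData": {"policyDelta": {"auditConfigDeltas": [{"action": "ADD"}]}}}},
    {"resource": {"type": "global"}, "protoPayload": {"methodName": "SetIamPolicy", "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD"}]}}}},
]

_TOKEN = re.compile(r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<and>AND)\b|(?P<or>OR)\b|'
                    r'(?P<field>[A-Za-z_][\w.]*)\s*(?P<op>[:=])\s*(?P<val>"[^"]*"|[^\s()]+))')


def _tokenize(text: str) -> List[tuple]:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse filter near {text[pos:pos + 20]!r}")
        pos = m.end()
        if m.group("field"):
            tokens.append(("TERM", (m.group("field"), m.group("op"), m.group("val").strip('"'))))
        else:
            tokens.append((m.group(0).strip(), None))  # "(", ")", "AND" or "OR"
    return tokens


def _term(field: str, op: str, value: str) -> Callable[[dict], bool]:
    # "=" is an exact, case-sensitive comparison and ":" a substring test; ":*" means the field is
    # present and non-empty. This is a simplification of the real query language (assumption).
    def pred(entry: dict) -> bool:
        found = reduce(lambda node, part: node.get(part) if isinstance(node, dict) else None, field.split("."), entry)
        if found is None:
            return False
        if op == ":" and value == "*":
            return found not in ("", [], {})
        text = found if isinstance(found, str) else json.dumps(found)
        return text == value if op == "=" else value in text
    return pred


class _Parser:
    """Recursive descent over the tokens: OR binds loosest, then AND, then parentheses (assumed precedence)."""
    def __init__(self, tokens: List[tuple]):
        self.tokens, self.pos = tokens, 0
    def _peek(self):
        return self.tokens[self.pos][0] if self.pos < len(self.tokens) else None
    def _take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.tokens[self.pos - 1]
    def parse(self) -> Callable[[dict], bool]:
        node = self._or_expr()
        if self.pos != len(self.tokens):
            raise ValueError("unbalanced parentheses in filter")
        return node
    def _or_expr(self):
        node = self._and_expr()
        while self._peek() == "OR":
            self._take()
            node = (lambda l, r: lambda e: l(e) or r(e))(node, self._and_expr())
        return node
    def _and_expr(self):
        node = self._unary()
        while self._peek() == "AND":
            self._take()
            node = (lambda l, r: lambda e: l(e) and r(e))(node, self._unary())
        return node
    def _unary(self):
        kind, payload = self._take()
        if kind == "(":
            node = self._or_expr()
            if self._take()[0] != ")":
                raise ValueError("expected ')' in filter")
            return node
        if kind != "TERM":
            raise ValueError(f"unexpected {kind!r} in filter")
        return _term(*payload)


def compile_filter(text: str) -> Callable[[dict], bool]:
    return _Parser(_tokenize(text)).parse()


def count_matches(control: str, entries: List[dict] = SAMPLE_ENTRIES) -> int:
    """How many entries the page's filter for `control` would count into its log-based metric."""
    pred = compile_filter(PAGE_FILTERS[control])
    return sum(1 for entry in entries if pred(entry))
```

On the sample entries every filter except the Cloud SQL and route ones counts exactly one entry; the audit-config filter counts the SetIamPolicy call that carries auditConfigDeltas but not the one that only changes bindings, which is the distinction the `:*` clause exists for. Rewriting the network filter with `=` instead of `:` drops its count to zero, because the logged method name is version-prefixed.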
Configure Log Sinks
Configure log sinks and export the log entries to extend storage periods.
| Enforcement mode | |
| Severity | LOW |
| Finding category | LOG_NOT_EXPORTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
See Overview of log exports and Create a log sink.
Configure Model Armor to Detect PII on Model Outputs
Model Armor filters both input (prompts) and output (responses) to help prevent exposure to, or generation of, malicious or sensitive content.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MODEL_ARMOR_PII_IN_OUTPUTS_DETECTION_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Configure Model Armor to help detect personal data in model outputs, including output types such as audio and video. For more information, see Model Armor overview.
Configure Model Armor with Harmful Data Filters
Enable Model Armor to filter harmful data in prompts such as obscenity, extremism, or violence. Model Armor offers filters for content safety, addressing content that is sexually explicit or dangerous or that contains harassment or hate speech content.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MODEL_ARMOR_HARMFUL_DATA_FILTERS_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable the content safety filters in your Model Armor template. For more information, see Model Armor overview.
Configure Model Armor with Sensitive Data Filters
Enable Model Armor to filter personally identifiable information (PII) or sensitive data in AI applications. To prevent unauthorized exposure in an LLM, Model Armor can discover, classify, and protect sensitive data.
| Enforcement mode | |
| Severity | LOW |
| Finding category | MODEL_ARMOR_SENSITIVE_DATA_FILTERS_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable the sensitive data protection filters in your Model Armor template. For more information, see Model Armor overview.
Configure Network Devices to Fail in a Secure State
Configure all your managed boundary protection devices and systems to fail in a secure state.
| Enforcement mode | Audit |
| Finding category | NETWORK_DEVICES_NOT_CONFIGURED_SECURE_FAILURE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Configure all boundary protection devices such as VPC Service Controls, VPCs, firewalls, load balancers, proxy servers, and other security mechanisms that control traffic to and from your cloud resources to fail in a secure state.
Configure Network Traffic Monitoring
To best monitor network traffic, use separate subnetworks with managed interfaces to physically separate security tools, mechanisms, and support components from other internal system components.
| Enforcement mode | |
| Severity | LOW |
| Finding category | SECURITY_TOOLS_MECHANISMA_NOT_SEPARATED_PHYSICALLY |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Review firewall rules and allowed and denied ports.
Verify SSL/TLS certificates.
Verify that Cloud NAT is configured to provide outbound connectivity to instances without public IPs.
Verify logging.
Verify VPC Flow Logs.
Configure Remote Access Inactivity Timeout
Set the inactivity timeout for remote access sessions to 15 minutes or less. You can use the HTTP keep-alive timeout of a target HTTP proxy to disconnect idle remote access connections to your system.
| Enforcement mode | |
| Severity | LOW |
| Finding category | REMOTE_ACCESS_INACTIVITY_TIMEOUT_NOT_CONFIGURED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set httpKeepAliveTimeoutSec on your Compute Engine target HTTP proxies to 900 seconds (15 minutes) or less. For more information, see Target proxies overview.
Configure Security Logging Policies for Google Cloud Services
Define and deploy a security logging policy.
| Enforcement mode | |
| Severity | LOW |
| Finding category | UNDEFINED_AUDIT_LOGGING_POLICY |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Enable audit logging.
Create a security logging policy file in YAML or JSON format. For example:
```yaml
logging:
  auditLog: LOGS_BUCKET_NAME
  retentionPeriod: 30d
```
Apply the policy using Deployment Manager. For example:
```shell
gcloud deployment-manager deployments create POLICY_DEPLOYMENT_NAME --config=POLICY_FILE.yaml
```
Configure Cloud Storage bucket logging and retention policies.
Automate policy checks and enforcement using organization policy constraints.
Configure the Allowed Ingress Settings for Cloud Run Organization Policy Constraint
Configure the permitted ingress settings for Cloud Run using the "Allowed Ingress Settings (Cloud Run)" (constraints/run.allowedIngress) organization policy. When this constraint is enforced, services are required to have ingress settings that match one of the allowed values.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ALLOWED_INGRESS_ORG_POLICY |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Configure the Allowed Ingress Settings (Cloud Run) constraint to ensure that Cloud Run services comply with the allowed ingress settings. For more information, see Constraints for specific services.
Configure the Allowed VPC Egress Settings for Cloud Run Organization Policy Constraint
Configure the permitted VPC egress settings for Cloud Run using the "Allowed VPC Egress Settings (Cloud Run)" (constraints/run.allowedVPCEgress) organization policy constraint. When this constraint is enforced, services are required to have VPC egress settings that match one of the allowed values.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ALLOWED_VPC_EGRESS_ORG_POLICY |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Configure the Allowed VPC Egress Settings (Cloud Run) constraint to ensure that Cloud Run services comply with the allowed VPC egress settings. For more information, see Constraints for specific services.
Configure the Disable VM Serial Port Logging to Stackdriver Organization Policy
Configure the Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging) organization policy to block serial port logging to Cloud Logging from Compute Engine VMs.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | DISABLED_SERIAL_PORT_ACCESS_ORG_POLICY |
| Revision number | 3 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Set the Disable VM serial port logging to Stackdriver organization policy to True to block serial port logging to Cloud Logging from Compute Engine VMs. For more information, see Constraints for specific services.
Configure the Disable VPC External IPv6 Usage Organization Policy
Configure the Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6) organization policy to block VPC subnetworks from using external IPv6 addresses.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | DISABLE_VPC_EXTERNAL_IP_V6_ORG_POLICY |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Set the Disable VPC External IPv6 Usage organization policy to True to ensure that no VPC subnetwork uses external IPv6 addresses. For more information, see Constraints for specific services.
Configure the Disable VPC Internal IPv6 Usage Organization Policy
Configure the Disable VPC Internal IPv6 usage (constraints/compute.disableVpcInternalIpv6) organization policy to block VPC subnetworks from using internal IPv6 addresses. A subnetwork with an internal IPv6 address might be exposed to potential risks due to its current limited support.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | COMPUTE_INTERNAL_IP_V6_ORG_POLICY_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the Disable VPC Internal IPv6 Usage organization policy to True to ensure that no VPC subnetwork uses internal IPv6 addresses. For more information, see Constraints for specific services.
Configure Vertex AI DLP Filter
Configure Data Loss Prevention (DLP) filters when using Gemini on Vertex AI.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | DLP_DATA_FILTERS_NOT_CONFIGURED_IN_VERTEX_AI |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
For more information about using DLP filters in Vertex AI, see Safety in Vertex AI.
Configure VPC Firewall Rules, Subnets, and VPN Gateway
Manage the flow of data by verifying VPC firewall rules, subnet configurations, and VPN gateway configuration.
| Enforcement mode | Audit |
| Finding category | VPC_FIREWALL_SUBNET_VPNGATEWAY_NOT_SETUP |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Create isolated networks using VPC.
Define granular IPv4 subnet ranges and IPv6 subnet ranges.
Define routes and firewall rules.
Configure a VPN gateway to your on-premises network.
Configure a global load balancer for your Google-managed services.
Configure Cloud NAT so that backend instances without external IP addresses have outbound connectivity.
Tune Cloud NAT and the backend services for the load balancer to control the flow of traffic between your backend services and your users.
Configure VPC Network Peering or another inter-VPC communication method to enable communication between VPC networks and your projects.
Confirm FedRAMP Authorization of Services
Services must be FedRAMP authorized and securely configured.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | NON_FEDRAMP_AUTHORIZED_SERVICE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Conduct regular evaluations to confirm that services which handle or impact federal information are FedRAMP authorized and securely configured.
Control Integrations with External Systems
Establish policies to integrate applications on your system with external products and services.
| Enforcement mode | Audit |
| Finding category | INTEGRATIONS_EXTERNAL_SYSTEMS_NOT_CONTROLLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You must configure your applications to meet your compliance obligations.
Control Remote Device Connections
Prevent remote devices from simultaneously establishing non-remote connections with your system and accessing external networks through other connections.
| Enforcement mode | Audit |
| Finding category | REMOTE_DEVICE_CONNECTION_CONTROL_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Use firewall rules and border router ACLs to implement managed network interfaces and control inbound and outbound traffic. For more information, see VPC firewall rules.
Correlate Audit Records
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
| Enforcement mode | Audit |
| Finding category | UNCORRELATED_AUDIT_LOG_RECORDS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Correlate logs and review them in Logs Explorer.
Create log-based metrics to capture trends and patterns.
Configure labels on log-based metrics to add additional information to the entries.
Create Alerts for Monitoring Security Command Center Errors
Alerts about Security Command Center provide visibility into your organization and notify you about issues with Security Command Center so you can take appropriate action.
| Enforcement mode | Audit |
| Finding category | SCC_MONITORING_ALERTS_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create an alerting policy in Cloud Logging to alert on errors related to the Security Command Center service agent. For instructions, see Configure alerts through Cloud Logging.
Create and Manage Asymmetric Keys
Manage asymmetric keys using NSA-approved key management, either through Public Key Infrastructure (PKI) or pre-positioned keying material protected by hardware security tokens.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | NONCOMPLIANT_ASYMMETRIC_KEY_MANAGEMENT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider Certificate Authority Service, which can keep CA private keys in Cloud HSM (FIPS 140-2 Level 3 validated hardware).
Create Artifact Registry Cleanup Policies
Artifact Registry cleanup policies define criteria for automatically deleting artifact versions that you no longer need or keeping artifacts that you want to store indefinitely.
| Enforcement mode | Audit |
| Finding category | ARTIFACT_REGISTRY_CLEANUP_POLICY_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Define which artifact versions must be kept, and implement a cleanup policy that deletes the rest. For more information, see Configure cleanup policies and Enabling service.
Create GKE Clusters with Limited Privileges
Avoid broad access scopes for a Google Kubernetes Engine (GKE) node service account. This control checks node pools to determine whether they're using custom service accounts or, if the default service account is used, that all the OAuth scopes are part of the allowed list, which consists of https://www.googleapis.com/auth/devstorage.read_only, https://www.googleapis.com/auth/logging.write, and https://www.googleapis.com/auth/monitoring.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | OVER_PRIVILEGED_SCOPES |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Use custom service accounts or limit the OAuth access scope for GKE nodes. For more information, see Use a least privileged service account and Access scopes in GKE.
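The check this control performs can be reproduced offline against node-pool descriptions. The following is an added example, not code from this page or from Security Command Center: it applies the rule stated above (custom service account passes; the default service account must carry only the three allowed scopes) to node pools in the shape returned by the GKE API (`nodePools[].config.serviceAccount` and `nodePools[].config.oauthScopes`). The sample node pools are constructed, and the assumption that the default service account is reported either as the literal `default` or as its `PROJECT_NUMBER-compute@developer.gserviceaccount.com` email is marked in the code.

```python
from __future__ import annotations

# Added example, not code from the Compliance Manager page. It applies the
# OVER_PRIVILEGED_SCOPES rule to node-pool descriptions in the shape returned
# by the GKE API (nodePools[].config.serviceAccount / oauthScopes).

# Scopes the control permits when a node pool runs as the Compute Engine
# default service account (taken from the control description above).
ALLOWED_DEFAULT_SA_SCOPES = frozenset({
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring",
})

# Assumption: the default service account appears either as the literal
# "default" or as its email, PROJECT_NUMBER-compute@developer.gserviceaccount.com.
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"


def uses_default_service_account(service_account: str | None) -> bool:
    """True when the node pool runs as the Compute Engine default service account."""
    if not service_account or service_account == "default":
        return True
    return service_account.endswith(DEFAULT_SA_SUFFIX)


def excess_scopes(node_pool: dict) -> list[str]:
    """Return the scopes that violate the control for one node pool (empty = compliant).

    A custom service account passes regardless of scopes: its effective
    privilege is bounded by the IAM roles granted to that account, which this
    control does not inspect, so review those roles separately.
    """
    config = node_pool.get("config", {})
    if not uses_default_service_account(config.get("serviceAccount")):
        return []
    scopes = set(config.get("oauthScopes", []))
    return sorted(scopes - ALLOWED_DEFAULT_SA_SCOPES)


def find_over_privileged(node_pools: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant node pool name to its offending scopes."""
    findings: dict[str, list[str]] = {}
    for pool in node_pools:
        extra = excess_scopes(pool)
        if extra:
            findings[pool["name"]] = extra
    return findings


# Constructed sample: what `gcloud container node-pools list --format=json`
# might return for one cluster.
SAMPLE_NODE_POOLS = [
    {   # default SA with the broad cloud-platform scope: non-compliant
        "name": "legacy-pool",
        "config": {
            "serviceAccount": "default",
            "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"],
        },
    },
    {   # default SA (email form) with one scope beyond the allowed list
        "name": "ci-pool",
        "config": {
            "serviceAccount": "123456789012-compute@developer.gserviceaccount.com",
            "oauthScopes": [
                "https://www.googleapis.com/auth/devstorage.read_only",
                "https://www.googleapis.com/auth/logging.write",
                "https://www.googleapis.com/auth/monitoring",
                "https://www.googleapis.com/auth/compute",
            ],
        },
    },
    {   # default SA restricted to exactly the allowed scopes: compliant
        "name": "hardened-pool",
        "config": {
            "serviceAccount": "default",
            "oauthScopes": sorted(ALLOWED_DEFAULT_SA_SCOPES),
        },
    },
    {   # custom SA: scopes are not evaluated by this control
        "name": "custom-sa-pool",
        "config": {
            "serviceAccount": "gke-nodes@my-project.iam.gserviceaccount.com",
            "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"],
        },
    },
]

if __name__ == "__main__":
    for name, scopes in find_over_privileged(SAMPLE_NODE_POOLS).items():
        print(f"{name}: remove {', '.join(scopes)}")
```

Note the last sample: a custom service account with the `cloud-platform` scope satisfies this control, because a node's effective permissions are then the intersection of the scope and the account's IAM roles. That is the right design, but it moves the least-privilege question to the IAM bindings on that account.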
Create Inventory of Security Data Assets
Ensure security-relevant information (sensitive data, APIs, services, databases, and infrastructure components) are clearly documented and classified.
| Enforcement mode | Audit |
| Finding category | DATA_CLASSIFICATION_MISSING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Find and classify security-relevant data in Google Cloud, such as sensitive data and configuration data.
Create an inventory of the resources that aren’t publicly available. For example, APIs, services, databases, and infrastructure components.
Create Super Admin Login Alerts
Create alerts to receive notifications when a super administrator logs into their account.
| Enforcement mode | Audit |
| Finding category | SUPERADMIN_LOGIN_ALERT_NOT_FOUND |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create alerts when a super administrator logs into their account. For instructions, see Configure log-based alerting policies.
Define a Security Policy to Mitigate for DDoS Events
Create a security policy using Google Cloud Armor to mitigate DDoS risks to your applications.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | MISSING_SECURITY_POLICY_DDOS_EVENTS |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Configure a security policy for backend services.
Verify the load balancing scheme.
Review firewall rules and allowed and denied ports.
Verify the autoscaling policy for autoscalers.
Define Allowed Services for Service Perimeter
Define which services are available within the service perimeter to limit the set of services that are accessible from network endpoints inside your service perimeter.
| Enforcement mode | Audit |
| Finding category | SERVICE_PERIMETER_ALLOWED_SERVICES_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Add a list of services to your service perimeter. For more information, see Add a service to the VPC accessible services.
Define an Acquisition Contract
Define an acquisition contract for information systems, system components, or information system services.
| Enforcement mode | Audit |
| Finding category | UNDEFINED_ACQUISITION_CONTRACT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Meet all the requirements and criteria that apply to your regulatory frameworks when creating an acquisition contract. For example, outline comprehensive security and privacy requirements; and include functional needs, mechanism strength, necessary controls, and documentation. List needs for safeguarding documents, detailing system setups, and assigning security, privacy, and supply chain risk management duties. Specify acceptance criteria for the system in the contract.
Define Change Management Procedures
Document the change management procedures and ensure that they align with the regulatory guidelines.
| Enforcement mode | Audit |
| Severity | LOW |
| Finding category | MISSING_CHANGE_MANAGEMENT_PROCEDURE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Clearly define and outline the change management procedures for your applications and services.
Define Cloud Billing Budget Threshold
Budgets let you track your actual Google Cloud project costs against your planned costs. Set a budget amount and budget alert threshold rules that trigger email notifications.
| Enforcement mode | Audit |
| Finding category | CLOUD_BILLING_BUDGET_THRESHOLD_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set alerts and thresholds on your cloud project bills. See Set budget threshold rules and actions.
Define Cloud KMS Crypto Keys Protection Level
Set the protection level for Cloud KMS keys to SOFTWARE, HSM, EXTERNAL, or EXTERNAL_VPC.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | CRYPTOKEY_PROTECTION_LEVEL_DENIED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To set the protection level, see Protection levels.
Define Cloud KMS Crypto Keys Purpose
Set the purpose of Cloud KMS keys to ENCRYPT_DECRYPT. The key's purpose defines its allowed cryptographic operations.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | CRYPTOKEY_PURPOSE_RESTRICTED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
For information on the key purpose, see Key purposes and algorithms and CryptoKeyPurpose.
Define Essential Contacts
Essential Contacts are individuals or groups designated to receive crucial Google Cloud notifications, ensuring that the right personnel are informed about critical events such as security attacks, vulnerabilities, and data incidents.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | ESSENTIAL_CONTACTS_NOT_CONFIGURED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the IAM & Admin > Essential Contacts page in the Google Cloud console. Click + Add contact and enter the contact's details to designate an essential contact.
Define External Build Integrations for Cloud Build
Use the "Allowed Integrations (Cloud Build)" (cloudbuild.allowedIntegrations) organization policy constraint to define the external services (for example, GitHub) that can invoke build triggers for Cloud Build.
| Enforcement mode | Audit |
| Finding category | EXTERNAL_BUILD_INTEGRATION_NOT_DEFINED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To configure allowed webhooks for Cloud Build integrations in the project, see Setting up organization policy for allowed integrations.
Define IsLive Attribute for Delete Action Lifecycle Rule on Bucket
A lifecycle rule defines actions based on object conditions. The isLive attribute is used with Object Versioning and applies to the live object version. Without versioning, all objects are live and match isLive:true.
| Enforcement mode | Audit |
| Finding category | LIFESTYLE_CONDITION_MISSING_ON_LIFESTYLE_BUCKET_ACTION |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set the isLive attribute to true for a lifecycle rule with a Delete action on Cloud Storage buckets. See isLive.
Define Mobile Code Policies and Controls
Establish and enforce policies for mobile code usage that align with your compliance obligations.
| Enforcement mode | Audit |
| Finding category | UNDEFINED_MOBILE_CODE_POLICIES_CONTROLS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider the following:
Create a mobile code policy that defines what technologies are acceptable and unacceptable.
Use IAM allow policies to control access to your mobile code resources.
Use organization policy constraints to restrict resource deployments. For example, create a custom constraint that restricts the use of specific programming languages or libraries.
Configure firewall rules that control communication. For example, restrict outbound traffic from mobile code to specific allowlisted destinations only.
Define Owner Labels for Cloud Storage Buckets
Verify the labels for the bucket owner and assign the right owner.
| Enforcement mode | Audit |
| Finding category | BUCKET_LABEL_OWNER_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Verify that the bucket carries an owner label and that the label names the correct owner.
Define Recovery Time and Recovery Point Objectives
Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to ensure minimal service disruption and data loss during incidents and contingencies.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_RTO_AND_RPO |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To remediate this finding, establish and document the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the affected application or system.
1. Conduct a Business Impact Analysis (BIA) to identify critical systems and the business impact of an outage.
2. Based on the BIA, define the maximum acceptable downtime (RTO) and data loss (RPO) for the application.
3. Document these RTO and RPO values in your organization's business continuity or disaster recovery plan.
Define Retention Period for Cloud Storage Buckets
Set a bucket retention policy so that objects are retained, and cannot be deleted or overwritten, for at least 90 days.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | STORAGE_BUCKET_RETENTION_PERIOD_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
For Cloud Storage buckets, set the retention period to at least 90 days (7,776,000 seconds). For more information, see Retention periods.
Define Rotation Period for Cloud KMS Keys
Rotate the keys regularly to enhance security. Set the rotation period for Cloud KMS keys to 90 days.
| Enforcement mode | Audit |
| Finding category | KMS_KEY_NOT_ROTATED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
For instructions, see Configure automatic rotation.
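The three Cloud KMS controls above (protection level, purpose, rotation period) all evaluate fields of the same CryptoKey resource, so they fit one audit routine. The following is an added example, not code from this page or from Security Command Center. It reads keys in the JSON shape returned by the Cloud KMS API or `gcloud kms keys list --format=json` (`purpose`, `rotationPeriod` as a duration string such as `7776000s`, and `versionTemplate.protectionLevel`); the sample keys are constructed, and the finding names are the categories listed on this page.

```python
from __future__ import annotations

# Added example, not code from the Compliance Manager page. Evaluates CryptoKey
# descriptions against the protection-level, purpose and rotation controls.

# The control description lists every level Cloud KMS offers; in practice you
# would narrow this set to what your framework permits (for example {"HSM"}).
ALLOWED_PROTECTION_LEVELS = frozenset({"SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC"})
REQUIRED_PURPOSE = "ENCRYPT_DECRYPT"
MAX_ROTATION_SECONDS = 90 * 24 * 60 * 60  # 90 days = 7,776,000 s


def duration_seconds(duration: str) -> float:
    """Parse an API duration such as "7776000s" (optionally fractional) into seconds."""
    if not duration.endswith("s"):
        raise ValueError(f"unexpected duration format: {duration!r}")
    return float(duration[:-1])


def evaluate_crypto_key(key: dict) -> list[str]:
    """Return the finding categories that apply to one key (empty = compliant)."""
    findings: list[str] = []
    level = key.get("versionTemplate", {}).get("protectionLevel")
    if level not in ALLOWED_PROTECTION_LEVELS:
        findings.append("CRYPTOKEY_PROTECTION_LEVEL_DENIED")

    if key.get("purpose") != REQUIRED_PURPOSE:
        findings.append("CRYPTOKEY_PURPOSE_RESTRICTED")
    else:
        # Cloud KMS supports automatic rotation only for symmetric
        # (ENCRYPT_DECRYPT) keys, so the rotation check applies here only.
        period = key.get("rotationPeriod")
        if period is None or duration_seconds(period) > MAX_ROTATION_SECONDS:
            findings.append("KMS_KEY_NOT_ROTATED")
    return findings


def audit_keys(keys: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant key name to its findings."""
    return {k["name"]: f for k in keys if (f := evaluate_crypto_key(k))}


# Constructed sample keys (names follow the Cloud KMS resource format).
_PREFIX = "projects/my-project/locations/us-central1/keyRings/app/cryptoKeys/"
SAMPLE_KEYS = [
    {   # symmetric HSM key rotated every 90 days: compliant
        "name": _PREFIX + "db-cmek",
        "purpose": "ENCRYPT_DECRYPT",
        "rotationPeriod": "7776000s",
        "versionTemplate": {"protectionLevel": "HSM", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
    },
    {   # symmetric software key with no automatic rotation configured
        "name": _PREFIX + "legacy",
        "purpose": "ENCRYPT_DECRYPT",
        "versionTemplate": {"protectionLevel": "SOFTWARE", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
    },
    {   # rotated, but only every 180 days
        "name": _PREFIX + "slow-rotation",
        "purpose": "ENCRYPT_DECRYPT",
        "rotationPeriod": "15552000s",
        "versionTemplate": {"protectionLevel": "HSM", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
    },
    {   # asymmetric signing key: not the purpose this control requires
        "name": _PREFIX + "release-signing",
        "purpose": "ASYMMETRIC_SIGN",
        "versionTemplate": {"protectionLevel": "HSM", "algorithm": "EC_SIGN_P256_SHA256"},
    },
    {   # protection level missing from the description: treated as denied
        "name": _PREFIX + "unknown-level",
        "purpose": "ENCRYPT_DECRYPT",
        "rotationPeriod": "7776000s",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
    },
]

if __name__ == "__main__":
    for name, findings in audit_keys(SAMPLE_KEYS).items():
        print(f"{name.rsplit('/', 1)[-1]}: {', '.join(findings)}")
```

The rotation check is deliberately nested under the purpose check: an asymmetric key has no `rotationPeriod` to inspect, and reporting it as unrotated would be noise on top of the purpose finding. Rotating a symmetric key also only affects new encryptions; data encrypted under earlier versions stays readable until those versions are disabled or destroyed, so rotation and re-encryption are separate decisions.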
Define Secret Manager Replication Policy
Configure an automatic replication policy so that secret payloads are replicated across multiple locations without a location restriction.
| Enforcement mode | Audit |
| Finding category | SECRET_MANAGER_REPLICATION_POLICY_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To set a replication policy, see Choose a replication policy.
Define Secret Manager Rotation Schedule
Secret Manager lets you schedule periodic rotations of your secrets by sending notifications to Pub/Sub topics associated with your secrets, based on the rotation frequency and time that you specify.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | SECRET_MANAGER_ROTATION_SCHEDULE_NOT_SET |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
For Secret Manager secrets, configure a rotation schedule. For more information, see Create rotation schedules in Secret Manager.
Define Security Policies
Ensure that security policies are documented.
| Enforcement mode | Audit |
| Severity | LOW |
| Finding category | MISSING_SECURITY_POLICIES |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create a detailed document that defines the security objectives and policies of all information resources for applications and services.
Define Service Perimeters in VPC Service Controls
Configure service perimeters at the organization level to help protect Google Cloud services and mitigate the risk of data exfiltration.
| Enforcement mode | Audit |
| Finding category | SERVICE_PERIMETER_NOT_DEFINED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
You can't change the perimeter type after you create a service perimeter. Delete the existing perimeter, and create a new one with the perimeter type set to Regular. See Create a service perimeter.
Define Set Storage Class Lifecycle Action on Bucket
Use the SetStorageClass action to change the storage class of an object and update the object's modification time when the object meets all conditions specified in the lifecycle rule. This action helps you optimize your storage costs.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | SET_STORAGE_CLASS_LIFESTYLE_ACTION_NOT_CONFIGURED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set the lifecycle rule action type to SetStorageClass for Cloud Storage buckets. For more information, see SetStorageClass.
Define Storage Class Lifecycle Action
The lifecycle configuration defines the rules that change the storage class of an object depending on its age, current storage class, and name to protect your data.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | STORAGE_CLASS_TYPE_NOT_UPDATED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
For Cloud Storage buckets, set the storage class within the lifecycle rule action to STANDARD, NEARLINE, COLDLINE, or ARCHIVE. For more information, see Change an object's storage class.
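The bucket controls above (retention period, `isLive` on Delete rules, a SetStorageClass action, and the allowed storage classes) all read the same bucket resource, and they interact: a retention policy holds objects back from deletion, so a Delete rule whose `age` is shorter than the retention period will not fire until the retention period has elapsed. The following is an added example, not code from this page or from Security Command Center. It evaluates buckets in the JSON API shape (`retentionPolicy.retentionPeriod` as a string of seconds, `lifecycle.rule[]` with `action` and `condition`); the sample buckets are constructed, the finding names are the categories on this page, and the extra `WARN_DELETE_RULE_DEFERRED_BY_RETENTION` label is a local advisory introduced here, not a Security Command Center category.

```python
from __future__ import annotations

# Added example, not code from the Compliance Manager page. Evaluates Cloud
# Storage bucket resources against the retention and lifecycle controls.

MIN_RETENTION_SECONDS = 90 * 24 * 60 * 60  # 7,776,000 s
ALLOWED_STORAGE_CLASSES = frozenset({"STANDARD", "NEARLINE", "COLDLINE", "ARCHIVE"})
SECONDS_PER_DAY = 24 * 60 * 60

# Local advisory label, not a Security Command Center finding category.
DEFERRED_DELETE = "WARN_DELETE_RULE_DEFERRED_BY_RETENTION"


def retention_seconds(bucket: dict) -> int:
    """Retention period in seconds (0 when the bucket has no retention policy).

    The JSON API returns retentionPeriod as a string of seconds; int() also
    accepts an integer if a client library has already converted it.
    """
    return int(bucket.get("retentionPolicy", {}).get("retentionPeriod", 0))


def evaluate_bucket(bucket: dict) -> list[str]:
    """Return the sorted, de-duplicated findings for one bucket (empty = compliant)."""
    findings: set[str] = set()
    retention = retention_seconds(bucket)
    if retention < MIN_RETENTION_SECONDS:
        findings.add("STORAGE_BUCKET_RETENTION_PERIOD_NOT_SET")

    has_set_storage_class = False
    for rule in bucket.get("lifecycle", {}).get("rule", []):
        action = rule.get("action", {})
        condition = rule.get("condition", {})
        if action.get("type") == "Delete":
            # Without Object Versioning every object is live, so isLive: true
            # is the condition that makes the rule apply to current objects.
            if condition.get("isLive") is not True:
                findings.add("LIFESTYLE_CONDITION_MISSING_ON_LIFESTYLE_BUCKET_ACTION")
            # A retention policy blocks deletion until the period expires, so a
            # Delete rule younger than the retention period does not fire on time.
            age_days = condition.get("age")
            if age_days is not None and age_days * SECONDS_PER_DAY < retention:
                findings.add(DEFERRED_DELETE)
        elif action.get("type") == "SetStorageClass":
            has_set_storage_class = True
            if action.get("storageClass") not in ALLOWED_STORAGE_CLASSES:
                findings.add("STORAGE_CLASS_TYPE_NOT_UPDATED")
    if not has_set_storage_class:
        findings.add("SET_STORAGE_CLASS_LIFESTYLE_ACTION_NOT_CONFIGURED")
    return sorted(findings)


def audit_buckets(buckets: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant bucket name to its findings."""
    return {b["name"]: f for b in buckets if (f := evaluate_bucket(b))}


# Constructed sample buckets.
SAMPLE_BUCKETS = [
    {   # 90-day locked retention, tiering at 30 days, deletion at 400 days: compliant
        "name": "audit-logs",
        "retentionPolicy": {"retentionPeriod": "7776000", "isLocked": True},
        "lifecycle": {"rule": [
            {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
             "condition": {"age": 30, "matchesStorageClass": ["STANDARD"]}},
            {"action": {"type": "Delete"}, "condition": {"age": 400, "isLive": True}},
        ]},
    },
    {   # no retention policy, Delete without isLive, legacy storage class
        "name": "scratch",
        "lifecycle": {"rule": [
            {"action": {"type": "Delete"}, "condition": {"age": 30}},
            {"action": {"type": "SetStorageClass", "storageClass": "DURABLE_REDUCED_AVAILABILITY"},
             "condition": {"age": 7}},
        ]},
    },
    {   # one-year retention but a 30-day Delete rule: the rule is deferred
        "name": "backups",
        "retentionPolicy": {"retentionPeriod": "31536000"},
        "lifecycle": {"rule": [
            {"action": {"type": "Delete"}, "condition": {"age": 30, "isLive": True}},
        ]},
    },
]

if __name__ == "__main__":
    for name, findings in audit_buckets(SAMPLE_BUCKETS).items():
        print(f"{name}: {', '.join(findings)}")
```

The `backups` bucket passes every control on this page yet its lifecycle rule cannot do what its author intended for eleven months; that is the kind of interaction a compliance scan alone does not surface, which is why the example reports it alongside the official categories.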
Define the Maximum Number of Concurrent Sessions for System Accounts in Workforce Identity Pools
In the Workforce identity pools, define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof.
| Enforcement mode | Audit |
| Finding category | MAXIMUM_NUMBER_OF_CONCURRENT_SESSIONS_LIMIT_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create separate Workforce identity pools for privileged and non-privileged accounts.
Set the concurrent session limits (3 for privileged access; 2 for non-privileged access).
Review and adjust session limits regularly.
Communicate to users the session limits for their account types.
Monitor concurrent sessions and ensure compliance with session limits. For example, query the project's Admin Activity audit log:
```shell
gcloud logging read "resource.type=global AND logName=projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" --project=PROJECT_ID --format=json
```
Automate the closure of excess sessions and session limit enforcement.
Integrate session limits into your deployment pipelines.
Document the session limit policies.
Include session limits in access reviews and audits.
Define Vertex AI Access Mode
Use the "Define access mode for Vertex AI Workbench notebooks and instances" (ainotebooks.accessMode) organization policy constraint to define the modes of access allowed to Vertex AI Workbench notebooks and instances.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | ORG_POLICY_VERTEXAI_ACCESSMODE_NOT_DEFINED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Define an allow or deny list using the Define access mode for Vertex AI Workbench notebooks and instances (ainotebooks.accessMode) constraint. The allow or deny list can specify multiple users with the service-account mode or single-user access with the single-user mode. For more information, see Updating policies with list rules.
Define VoIP Usage Policy
Establish usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies.
| Enforcement mode | Audit |
| Finding category | UNDEFINED_VOIP_USAGE_POLICY |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create a VoIP usage policy that defines acceptable use of VoIP technologies.
Use organization policy constraints to restrict resource deployments. For example, create a custom constraint that allows only authorized personnel to deploy and manage VoIP resources.
Configure firewall rules that control inbound and outbound traffic related to VoIP services.
Use IAM allow policies to control access to VoIP resources.
Enable audit logging.
Activate Security Command Center.
Create alerts for unusual or unauthorized activities.
Configure Cloud Monitoring to monitor network traffic.
Perform vulnerability scanning and penetration testing on VoIP resources.
Use TLS for VoIP communication.
Implement best practices to prevent eavesdropping.
Create an incident response plan for VoIP incidents.
Define VPC Connector Egress For Cloud Run Functions
Use the "Require VPC Connector (Cloud Functions)" (constraints/cloudfunctions.requireVPCConnector) organization policy constraint to require Cloud Run functions (1st gen) to use a VPC connector.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | ORG_POLICY_REQUIRE_VPC_CONNECTOR_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set the value for the Require VPC Connector (Cloud Functions) (constraints/cloudfunctions.requireVPCConnector) constraint to true. For instructions, see Creating and managing organization policies.
Define Worker Pools for Cloud Builds
Use the "Allowed Worker Pools (Cloud Build)" (cloudbuild.allowedWorkerPools) organization policy constraint to define allowed worker pools for builds in your project.
| Enforcement mode | Audit |
| Finding category | CLOUD_BUILD_WORKER_POOL_NOT_DEFINED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To create a private pool, see Creating a new private pool. For permitted values, see Allowed Worker Pools (Cloud Build).
Describe Design and Implementation Details of Security Controls
Ensure developers in your system provide the design and implementation details of the security controls employed.
| Enforcement mode | Audit |
| Finding category | DESIGN_IMPLEMENTATION_DETAILS_SECURITY_CONTROLS_MISSING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Describe design and implementation details of security controls with security-relevant external system interfaces, high-level design, low-level design, source code, or network and data flow diagrams.
Describe the Functional Properties of Security Controls
Ensure developers in your system document the functional properties of the security controls employed.
| Enforcement mode | Audit |
| Finding category | FUNCTIONAL_DESCRIPTIONS_SECURITY_CONTROLS_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Ensure developers document the functional properties of security controls such as capabilities, functions, or mechanisms that are visible at the interfaces of the controls. Developers do not need to document functionality and data structures that are internal to the operation of the controls.
Detect IP Infringement in Training Data
Configure Vertex AI to help detect Intellectual Property (IP) infringement in training data and maintain compliance.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | IP_INFRINGEMENT_DETECTION_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Ensure that Vertex AI can evaluate training data for intellectual property infringement. For more information, see Safety in Vertex AI.
Detect Misinformation and Manipulation of Model Data
Configure Vertex AI to help detect misinformation or manipulation on model inputs and outputs.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISINFORMATION_DETECTION_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Implement tools and guidance to identify patterns that are associated with misinformation or manipulation in prompts and outputs. For more information, see Available safety tools in Vertex AI for Gemini.
Detect Obscenity, Extremism, Violence, and CBRN in Training Data
Configure Vertex AI to help detect harmful training data including obscenity, extremism, violence, and chemical, biological, radiological, or nuclear (CBRN) information.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | HARMFUL_TRAINING_DATA_DETECTION_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Ensure that Vertex AI can evaluate training data for extremism, violence, or CBRN information. For more information, see Safety and content filters.
Determine High-level Security and Privacy Needs
Determine high-level security and privacy requirements during the planning phase.
| Enforcement mode | Audit |
| Finding category | SECURITY_PRIVACY_NEEDS_NOT_IDENTIFIED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Identify your high-level security and privacy requirements for the system or system service.
Determine, document, and allocate the resources that are required to protect the system or system service.
Budget for security and privacy.
Develop a Recovery Plan
Develop and maintain a recovery plan that aligns with the defined recovery objectives.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_RECOVERY_PLAN |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Define a contingency plan that identifies critical functions, recovery objectives, restoration priorities, metrics, contingency roles, and contact information, and that ensures essential functions are maintained during a disruption or failure. Plan to resume essential mission and business functions within a defined time period after contingency plan activation.
Develop Documentation for System Security
Develop and maintain administrator documentation for the information system, system component, or information system services.
| Enforcement mode | Audit |
| Finding category | SYSTEM_SECURITY_DOCUMENTATION_MISSING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create documentation that describes:
Secure configuration, installation, and operation of the system
Effective use and maintenance of security functions
Known vulnerabilities regarding configuration and use of administrative functions
User-accessible security functions and how to use those functions
How users can interact with the system
What users are responsible for
In addition, protect documentation in accordance with your risk management strategy and distribute documentation appropriately.
Develop System and Communications Protection Policy and Procedures
Develop, document, and disseminate policies related to systems and communications.
| Enforcement mode | Audit |
| Finding category | UNDEFINED_SYSTEM_COMMUNICATIONS_PROTECTION_POLICY_PROCEDURES |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create your own policies to meet your compliance obligations.
Develop System and Services Acquisition Policy and Procedures
Develop, maintain, and disseminate a system and services acquisition policy and procedures.
| Enforcement mode | Audit |
| Finding category | SYSTEM_SERVICES_ACQUISITION_POLICY_PROCEDURES_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Develop, document, and disseminate to organization-defined personnel or roles:
A system and services acquisition policy that is defined at an organization-level, mission or business process-level, or at system-level. The policy must address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The policy must be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls.
Designate an organization-defined official to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures.
Review and update the current system and services acquisition policies and procedures as per organization-defined frequencies and events.
Disable Alpha Features on GKE Clusters
Google Kubernetes Engine (GKE) Alpha clusters are used to experiment with workloads before they're released, and are auto-deleted after 30 days. For production workloads, create a cluster with alpha features disabled.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | ALPHA_CLUSTER_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click Create and configure the new cluster. Under the Features tab, ensure that Enable Kubernetes alpha features in this cluster is disabled. Migrate the workloads, then delete the cluster that has alpha features enabled.
Disable Client Certificate Authentication for GKE
When creating clusters, don't generate client certificates for legacy authentication to the Kubernetes API server.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | GKE_AUTH_CLIENT_CERTS_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Disable authentication using client certificates for your cluster. For more information, see Disable authentication with a client certificate.
Disable File Downloads on Vertex AI Workbench Instances
Enforce the "Disable file downloads on new Vertex AI Workbench instances" (ainotebooks.disableFileDownloads) organization policy constraint for projects and folders to help prevent the creation of Vertex AI Workbench instances with the file download option enabled.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | ORG_POLICYFILE_DOWNLOADS_ON_VERTEXAI_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set the Disable file downloads on new Vertex AI Workbench instances (ainotebooks.disableFileDownloads) organization policy constraint to true to turn off file downloads on new Vertex AI Workbench user-managed notebooks and instances. For more information, see Updating policies with boolean rules.
Disable Legacy Metadata Server Endpoints on Compute Engine
Disable legacy metadata server endpoints for all VMs in your project. Disabling the legacy endpoints enforces Compute Engine's requirement that metadata requests carry the Metadata-Flavor: Google header, which makes it harder for an attacker (for example, through a server-side request forgery that cannot set headers) to read instance metadata such as service account tokens.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | LEGACY_METADATA_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
In the Google Cloud console, go to the Metadata page. Set disable-legacy-endpoints to TRUE. For more information, see Set custom project metadata.
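Because `disable-legacy-endpoints` can be set at the project level and overridden per instance, the setting that actually applies to a VM is the instance-level value if present, otherwise the project-level one. The following is an added example, not code from this page or from Security Command Center: it resolves the effective value for each VM from metadata in the shape returned by the Compute Engine API (project `commonInstanceMetadata.items[]` and instance `metadata.items[]`, each item a `key`/`value` pair). The project and instances are constructed. The example accepts only a case-insensitive `true` as "disabled", which is an assumption on the conservative side: any other spelling is reported as non-compliant rather than silently trusted.

```python
from __future__ import annotations

# Added example, not code from the Compliance Manager page. Resolves the
# effective disable-legacy-endpoints value per VM (instance overrides project).

LEGACY_KEY = "disable-legacy-endpoints"


def metadata_lookup(metadata: dict, key: str) -> str | None:
    """Return the value for `key` from a Compute Engine metadata object, or None."""
    for item in metadata.get("items", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def effective_value(instance: dict, project: dict, key: str) -> str | None:
    """Instance-level metadata wins; fall back to project-wide metadata."""
    value = metadata_lookup(instance.get("metadata", {}), key)
    if value is None:
        value = metadata_lookup(project.get("commonInstanceMetadata", {}), key)
    return value


def legacy_endpoints_disabled(instance: dict, project: dict) -> bool:
    # Assumption: only a case-insensitive "true" counts as disabled. Anything
    # else (missing, FALSE, 1, yes) is treated as enabled so it gets reviewed.
    value = effective_value(instance, project, LEGACY_KEY)
    return (value or "").strip().lower() == "true"


def find_legacy_enabled(instances: list[dict], project: dict) -> list[str]:
    """Names of VMs that still answer on the legacy metadata endpoints."""
    return [vm["name"] for vm in instances if not legacy_endpoints_disabled(vm, project)]


# Constructed sample: project-wide metadata plus four instances.
SAMPLE_PROJECT = {
    "name": "my-project",
    "commonInstanceMetadata": {"items": [
        {"key": "disable-legacy-endpoints", "value": "TRUE"},
        {"key": "enable-oslogin", "value": "TRUE"},
    ]},
}

SAMPLE_INSTANCES = [
    {   # no instance-level override: inherits TRUE from the project
        "name": "web-1",
        "metadata": {"items": [{"key": "startup-script", "value": "#!/bin/bash\necho hello"}]},
    },
    {   # someone re-enabled the legacy endpoints on this VM
        "name": "legacy-app",
        "metadata": {"items": [{"key": "disable-legacy-endpoints", "value": "FALSE"}]},
    },
    {   # lower-case true is accepted
        "name": "batch-7",
        "metadata": {"items": [{"key": "disable-legacy-endpoints", "value": "true"}]},
    },
    {   # no metadata at all: inherits the project setting
        "name": "no-meta",
        "metadata": {},
    },
]

# A project that never set the key: every VM without an override is exposed.
UNSET_PROJECT = {"name": "unset-project", "commonInstanceMetadata": {}}

if __name__ == "__main__":
    print("legacy endpoints enabled:", find_legacy_enabled(SAMPLE_INSTANCES, SAMPLE_PROJECT))
```

The `legacy-app` case is the one a project-level scan misses: the project says TRUE, but the instance override re-enables the unauthenticated `v1beta1` path on that VM alone.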
Disable Suspicious Accounts Automatically
Automatically disable or secure accounts with privileged access in response to suspicious activity.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | SUSPICIOUS_ACCOUNTS_NOT_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Configure logging and monitoring so that accounts showing suspicious activity are disabled automatically, or privileged accounts are otherwise secured. For more information, see Create metric-threshold alerting policies and Monitor for credential compromise.
Document and Manage Software Supply Chain Security Risk Management
Document risk management decisions for software supply chain security.
| Enforcement mode | Audit |
| Severity | LOW |
| Finding category | MISSING_SOFTWARE_SUPPLY_CHAIN_RISK_MANAGEMENT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Ensure risk management is documented and is an integral part of the continuous monitoring strategy that includes effectiveness monitoring, compliance monitoring, and change monitoring.
Document Information Resource Implementations
Document the methods that are used to evaluate information resource implementations.
| Enforcement mode | Audit |
| Severity | LOW |
| Finding category | MISSING_INFORMATION_RESOURCE_IMPLEMENTATION_DOCUMENTATION |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Document each assessment method that was used for evaluating compliance with a FedRAMP 20x KSI.
Don't Use Kubernetes Web UI
The Kubernetes web UI (dashboard) increases the attack surface. Instead, use the Google Cloud console.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | WEB_UI_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Disable the Kubernetes dashboard. Go to the Kubernetes clusters page in the Google Cloud console. Edit the cluster settings, click Add-ons, and then disable the Kubernetes dashboard add-on. For more information, see Disable the Kubernetes dashboard.
Don't Use Legacy Networks
Legacy networks are not recommended and can no longer be created. Instead, use VPC networks, which offer a software-defined structure that enhances control and helps improve operational efficiency.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | LEGACY_NETWORK |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Create a VPC network and delete the legacy network. Go to the VPC networks page in the Google Cloud console. Click Create Network to create a VPC network. Return to the VPC networks page and click legacy_network in the list of networks. Delete the legacy network.
Don't Use User Connections Flag for SQL Server
Don't configure the user connections flag for a SQL Server instance. SQL Server automatically adjusts user connections if you don't use this flag.
| Enforcement mode | |
| Severity | LOW |
| Finding category | SQL_USER_CONNECTIONS_CONFIGURED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and delete the User connections database flag for the SQL Server instance.
Don't Use User Options Flag for SQL Server
Don't configure the user options flag for a SQL Server instance. Using the flag might cause unexpected results.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_USER_OPTIONS_CONFIGURED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and delete the User options database flag for the SQL Server instance.
Employ Dynamic Code Analysis Tools
Employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
| Enforcement mode | Audit |
| Finding category | MISSING_DYNAMIC_CODE_ANALYSIS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Use a dynamic code analysis tool to identify common flaws and document the results of the analysis.
Employ Monthly Checks for Flaw Remediation Status
Employ monthly automated checks to determine the flaw remediation status of information system components.
| Enforcement mode | Audit |
| Finding category | IMPROPER_FLAW_REMEDIATION_STATUS_CHECKS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Implement and manage a flaw remediation system. You can use Security Command Center and the Patch feature in VM Manager to implement certain malicious code protection mechanisms.
Employ Spam Protection Mechanisms
Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages.
| Enforcement mode | Audit |
| Finding category | SPAM_PROTECTION_MECHANISMS_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Implement spam protection mechanisms such as reCAPTCHA Enterprise, Cloud Armor, or Web Risk API to protect your systems from unsolicited messages.
Employ Static Code Analysis Tools
Employ static code analysis tools and web scanning tools to identify common flaws and document the results of the analysis.
| Enforcement mode | Audit |
| Finding category | MISSING_STATIC_CODE_ANALYSIS_TOOLS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Use static code review tools and web security scanners that match your programming languages.
Use the Web Security Scanner to check for vulnerabilities in App Engine, GKE, and Compute Engine web applications.
Activate Security Command Center for additional vulnerability and threat detection capabilities.
Use Cloud Build to manage build security.
Enable 3625 Trace Database Flag for SQL Server
Turn on the 3625 (trace flag) for SQL Server to control information returned to non-sysadmin users.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_TRACE_FLAG_3625 |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Turn on the trace flag. Go to the SQL > Instances page in the Google Cloud console and set the 3625 (trace flag) flag to On for the SQL Server instance.
Enable Access Transparency
Access Transparency logs when Google Cloud employees access your projects for support. Enabling it logs who accesses your information, when, and why.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | ACCESS_TRANSPARENCY_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To enable Access Transparency, in the Google Cloud console, select your organization or a specific project. Go to IAM & Admin > Settings, and click Enable Access Transparency.
Enable Account Monitoring for Atypical Usage
Monitor accounts for atypical usage, such as accessing the Google Cloud console at unusual times or from inconsistent locations, and report these instances to designated personnel or roles.
| Enforcement mode | Audit |
| Finding category | ATYPICAL_USAGE_ACCOUNT_MONITORING_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable audit logging. For instructions, see Enable Data Access audit logs. For more information on checking for atypical usage, see Monitor for credential compromise.
Enable AlloyDB Automated Backups on Cluster
Automatic backups help to prevent data loss. Enable them to start automated backups for the AlloyDB for PostgreSQL cluster.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ALLOYDB_AUTO_BACKUP_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To enable automated backups on AlloyDB for PostgreSQL clusters, see Enable and configure automated backups.
Enable AlloyDB Backups on Cluster
AlloyDB backups help to prevent data loss. Enable continuous or automated backups for the AlloyDB for PostgreSQL primary cluster. This control doesn't apply to secondary clusters.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ALLOYDB_BACKUPS_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the AlloyDB for PostgreSQL clusters page in the Google Cloud console. Click the cluster in the Resource Name column. Go to Data protection, and set up a backup policy. For more information, see Manage continuous backup and recovery.
Enable Artifact Analysis Vulnerability Scanning
Vulnerability scanning in Artifact Analysis helps to check your container images for known vulnerabilities.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ARTIFACT_ANALYSIS_VULNERABILITY_SCANNING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To understand Artifact Analysis and enable vulnerability scanning, see Artifact analysis and vulnerability scanning and Scan OS packages automatically.
Enable Audit Logs Bucket Enumeration
Enable audit logs monitoring for enumeration of Cloud Storage buckets by service accounts to help investigate if a malicious actor has gained access to a service account.
| Enforcement mode | Audit |
| Finding category | SERVICE_ACCOUNT_STORAGE_BUCKET_ENUMERATION |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Monitor audit logs and look for enumeration of Cloud Storage buckets by service accounts. See Configure Data Access audit logs with the Google Cloud console.
Enable Audit Logs for All Services
Enable Data Access audit logs with the DATA_READ, DATA_WRITE, and ADMIN_READ permissions for the services in use, or for all services.
| Enforcement mode | Audit |
| Finding category | AUDIT_LOGS_ENABLEMENT_ALLSERVICES_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To configure Data Access audit logs for all services, see Configure Data Access audit logs with the Google Cloud console.
Enable Audit Logs for Google Cloud Services
Enable audit logs for services such as Compute Engine and Cloud Storage.
| Enforcement mode | |
| Severity | LOW |
| Finding category | AUDIT_LOGS_NOT_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Enable audit logging.
Define a retention period for your log buckets.
Use Cloud Logging libraries in your application code to create custom log entries.
Monitor logs using Cloud Monitoring or Cloud Logging dashboards.
Grant only necessary IAM roles to service accounts that are associated with applications.
Regularly review logs to detect and respond to suspicious activity.
Enable Auto Repair for GKE Clusters
The auto repair feature in Google Kubernetes Engine (GKE) clusters makes periodic checks on the health state of each node and helps to keep them in a healthy state.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | AUTO_REPAIR_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable the auto-repair option for the node pools. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name and go to the Nodes tab. For each node pool, click its name to access its details page and then select Edit. In the Management section, ensure the Enable auto-repair checkbox is selected.
Enable Auto Upgrade on GKE Clusters
The auto upgrade feature in Google Kubernetes Engine (GKE) clusters helps to keep clusters and node pools on the latest stable Kubernetes version.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | AUTO_UPGRADE_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable the auto-upgrade option for the node pools. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name and go to the Nodes tab. For each node pool, click its name to access its details page and then select Edit. In the Management section, select Enable auto-upgrade.
Enable Automatic Backups for Cloud SQL Databases
Turn on automatic backups for your Cloud SQL instances and set a start backup time to help prevent data loss. This control doesn't apply to on-premises instances or read replicas.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | AUTO_BACKUP_DISABLED |
| Revision number | 3 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Enable automatic backups on your Cloud SQL instances. For more information, see Create and manage on-demand and automatic backups.
Enable Automatic Upgrades for Vertex AI Workbench Instances
Enable automatic upgrades for Workbench instances to ensure access to the latest features, framework updates, and security patches.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_WORKBENCH_AUTO_UPGRADE_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable auto-upgrade for Workbench instances.
In the Google Cloud console, go to the Instances page.
Click the instance that you want to configure.
On the Instance details page, select the Environment auto-upgrade setting. Choose whether to upgrade your instance weekly or monthly.
Click Submit.
Enable Cloud Asset Inventory Service
Cloud Asset Inventory provides a comprehensive view of Google Cloud resources. It lets you view, search, export, monitor, and analyze your Google Cloud asset metadata to enhance security analysis, resource change tracking, and compliance auditing.
| Enforcement mode | |
| Severity | LOW |
| Finding category | CLOUD_ASSET_API_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable the Cloud Asset API on the Library page of APIs & Services in the Google Cloud console.
Enable Cloud DNS Logs Monitoring
Monitoring Cloud DNS logs provides visibility to DNS names within the VPC network and lets you monitor for anomalous domain names.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | DNS_LOGGING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the VPC Network > VPC networks page in the Google Cloud console. Select the VPC network, go to the DNS configuration tab, and either edit the existing DNS server policy to enable DNS logging or create a server policy if one doesn't exist.
Enable Cloud Logging on GKE Clusters
Cloud Logging on Google Kubernetes Engine (GKE) clusters gives you access logs for all requests made on a specific cluster and storage logs with information about the storage used by that cluster.
| Enforcement mode | |
| Severity | LOW |
| Finding category | CLUSTER_LOGGING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name. In the Features section, click the Edit icon next to Logging. In the Components drop-down list, add the components for which you want to enable logging.
Enable Cloud Monitoring on GKE Clusters
Cloud Monitoring on Google Kubernetes Engine (GKE) clusters helps investigate security issues and track cluster usage by providing security and usage information.
| Enforcement mode | |
| Severity | LOW |
| Finding category | CLUSTER_MONITORING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Select the cluster. In the Features section, click the Edit icon next to Cloud Monitoring. In the Components drop-down list, add the components for which you want to enable monitoring.
Enable CMEK for AlloyDB Clusters
Enable customer-managed encryption keys (CMEK) on the AlloyDB cluster to gain more control over data encryption and key management.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ALLOYDB_CMEK_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on an AlloyDB cluster after it's been created. Delete the cluster and create a new cluster with CMEK enabled. To enable AlloyDB CMEK, see Enable CMEK.
Enable CMEK for BigQuery Datasets
Require customer-managed encryption keys (CMEK) for BigQuery datasets to gain more control over data encryption and key management.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | DATASET_CMEK_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a dataset after it's been created. Go to the BigQuery page in the Google Cloud console and create a dataset. To enable CMEK on the new dataset, set a default CMEK key. Copy the original tables to your new CMEK-enabled dataset, and then delete the original datasets.
Enable CMEK for BigQuery Tables
The control governs the encryption key configuration for keys that protect sensitive data in BigQuery tables. Using the control, you can detect when data that is in scope is not protected by a customer-managed encryption key (CMEK). CMEK gives you ownership and control of the keys that protect your sensitive data at rest in Google Cloud.
| Enforcement mode | Detective |
| Severity | HIGH |
| Finding category | BIGQUERY_TABLE_CMEK_DISABLED |
| Category name in the API | CC_CATEGORY_DATA_SECURITY |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Ensure that the table is configured to use a default CMEK key. See https://cloud.google.com/bigquery/docs/customer-managed-encryption#switch-encryption.
Enable CMEK for BigQuery Tables
Require customer-managed encryption keys (CMEK) for BigQuery tables to gain more control over data encryption and key management.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | BIGQUERY_TABLE_CMEK_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a BigQuery table after it's been created. Create a new table with CMEK enabled, move the data over, and delete the original table. Go to the BigQuery page in the Google Cloud console and create a table. To enable CMEK on the new table, set a default CMEK key. Copy the original data to your new CMEK-enabled table, and then delete the original table. For more information, see Create a table protected by Cloud KMS.
Enable CMEK for Cloud SQL Databases
Require customer-managed encryption keys (CMEK) for Cloud SQL database instances to gain more control over data encryption and key management.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_CMEK_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Cloud SQL database after it's been created. Create a new database with CMEK enabled, move the data over, and delete the original database. For more information, see Cloud SQL for MySQL, Cloud SQL for PostgreSQL, and Cloud SQL for SQL Server.
Enable CMEK for Cloud Storage Buckets
Require customer-managed encryption keys (CMEK) for Cloud Storage buckets to gain more control over data encryption and key management.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | BUCKET_CMEK_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Cloud Storage > Buckets page in the Google Cloud console. In the list of buckets, click the name of the bucket and then click the Configuration tab. Edit Encryption type and enable CMEK for the bucket. For more information, see Use customer-managed encryption keys.
Enable CMEK for Vertex AI Custom Jobs
Require customer-managed encryption keys (CMEK) on Vertex AI custom training jobs to gain more control over the encryption of job inputs and outputs.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_CUSTOM_JOB_CMEK_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI custom training job after it's been created. Delete the job and create a new job with CMEK enabled.
Delete the existing custom job on the Training pipelines page.
Create a new custom job. For instructions, see [Create a custom training job](https://cloud.google.com/vertex-ai/docs/training/create-custom-job). When creating the custom job, enter the name of the Cloud KMS key in the encryptionSpec field.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI Datasets
Require customer-managed encryption keys (CMEK) for Vertex AI datasets to gain more control over data encryption and key management.
| Enforcement mode | Detective |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_DATASET_CMEK_DISABLED |
| Category names in the API | |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI dataset after it's been created. Delete the dataset and create a new dataset with CMEK enabled.
Delete the existing dataset. For instructions, see Delete a dataset or annotation set.
Create a new dataset. In the Google Cloud console, go to the Vertex AI Datasets page.
Click Create dataset.
In the dataset creation details, expand Advanced options.
Select Cloud KMS key and provide your CMEK.
Click Create.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI Endpoints
Require customer-managed encryption keys (CMEK) for Vertex AI endpoints to gain more control over the encryption of deployed models and control data access.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_ENDPOINT_CMEK_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI endpoint after it's been created. Delete the endpoint and create a new endpoint with CMEK enabled.
Delete the existing endpoint. For instructions, see Undeploy a model and delete the endpoint.
Create a new endpoint. In the Google Cloud console, go to the Vertex AI Endpoints page.
Click Create endpoint.
In the Define Your Endpoint section, expand Advanced options.
Select Cloud KMS key and provide your CMEK.
Click Create.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI Featurestore
Require customer-managed encryption keys (CMEK) for Vertex AI featurestore to gain more control over data encryption and access.
| Enforcement mode | Detective |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_FEATURESTORE_CMEK_DISABLED |
| Category names in the API | |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI featurestore after it's been created. Delete the featurestore and create a new featurestore with CMEK enabled.
Delete the featurestore. For instructions, see [Delete a featurestore](https://cloud.google.com/vertex-ai/docs/featurestore/managing-featurestores#delete_a_featurestore).
Create a featurestore that uses CMEK. For instructions, see Create a featurestore that uses a CMEK.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI Hyperparameter Tuning Jobs
Require customer-managed encryption keys (CMEK) on hyperparameter tuning jobs to gain more control over the encryption of model training data and job configuration.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_HYPERPARAMETER_TUNING_JOB_CMEK_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI hyperparameter tuning job after it's been created. Delete this job and create a new job with CMEK enabled.
Delete the existing tuning job. For instructions, see [Delete a hyperparameter tuning job](https://cloud.google.com/vertex-ai/docs/training/using-hyperparameter-tuning#delete_a_hyperparameter_tuning_job).
Create a new hyperparameter tuning job. For instructions, see [Create a hyperparameter tuning job](https://cloud.google.com/vertex-ai/docs/training/using-hyperparameter-tuning). When creating the hyperparameter tuning job, enter the name of the Cloud KMS key in the encryptionSpec field.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI Metadata Stores
Require customer-managed encryption keys (CMEK) for Vertex AI metadata stores to gain more control over the encryption of metadata and control access.
| Enforcement mode | Detective |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_METADATA_STORE_CMEK_DISABLED |
| Category names in the API | |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI metadata store after it's been created. Delete the store and create a new store with CMEK enabled.
Delete the metadata store. For instructions, see Method: metadataStores.delete.
Create a metadata store. For instructions, see Configure your project's metadata store. To enable CMEK, enter the Cloud KMS key name in the encryptionSpec field.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI Models
Require customer-managed encryption keys (CMEK) for Vertex AI models to gain more control over data encryption and key management.
| Enforcement mode | Detective |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_MODEL_CMEK_DISABLED |
| Category names in the API | |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI model after it's been created. Delete the model and create a new model with CMEK enabled.
Delete the existing model. For instructions, see Delete a model from Vertex AI Model Registry.
Create a new model. In the Google Cloud console, go to the Vertex AI Models page.
Click Create model.
In the model details, expand Advanced options.
Select Cloud KMS key and provide your CMEK.
Click Create.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI Notebook Runtime Templates
Require customer-managed encryption keys (CMEK) for Colab Enterprise runtime templates to help secure runtime environments and associated data.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_WORKBENCH_RUNTIME_TEMPLATE_CMEK_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Colab Enterprise notebook runtime template after it's been created. Delete the runtime template and create a new runtime template with CMEK enabled.
Delete the runtime template. For instructions, see Delete a runtime template.
Create a runtime template. For instructions, see Create a runtime template. To enable CMEK, enter the Cloud KMS key name in the encryptionSpec field.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI TensorBoard
Require customer-managed encryption keys (CMEK) for Vertex AI TensorBoard to gain more control over the encryption of experiment data and model visualizations.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_TENSORBOARD_CMEK_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI TensorBoard after it's been created. Delete the TensorBoard and create a new TensorBoard with CMEK enabled.
Delete the TensorBoard. For instructions, see Delete a TensorBoard instance.
Create a TensorBoard. For instructions, see Set up Vertex AI TensorBoard. To enable CMEK, enter the Cloud KMS key name in the encryptionSpec field.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI Training Pipelines
Require customer-managed encryption keys (CMEK) on Vertex AI training pipelines to gain more control over the encryption of training data and resulting artifacts.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_TRAINING_PIPELINE_CMEK_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI training pipeline after it's been created. Delete the pipeline and create a new pipeline with CMEK enabled.
Delete the existing training pipeline from the Vertex AI Training Pipelines page.
Create a new training pipeline. In the Google Cloud console, go to the Vertex AI Training Pipelines page.
Click Create training pipeline.
In the Model Details section, expand Advanced options.
Select Cloud KMS key and provide your CMEK.
Click Create.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK for Vertex AI Workbench Instances
Require customer-managed encryption keys (CMEK) for Vertex AI Workbench instances to gain more control over data encryption.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_INSTANCE_DISK_CMEK_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Vertex AI Workbench instance disk after it's been created. Delete the existing instance and create a new instance with CMEK enabled.
Delete the instance. For instructions on shutting down the instance before deleting it, see Shut down a Vertex AI Workbench instance.
Create an instance. For instructions, see Create a Vertex AI Workbench instance with CMEK. To enable CMEK, enter the Cloud KMS key name in the diskEncryption field.
For more information about CMEK support in Vertex AI, see Customer-managed encryption keys (CMEK).
Enable CMEK on Compute Engine Persistent Disks
Require customer-managed encryption keys (CMEK) for Persistent Disks to encrypt your data on the VM, providing enhanced control over data encryption and key management.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | DISK_CMEK_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CMEK on a Persistent Disk after it's been created. Delete the disk and create a new disk with CMEK enabled. Go to Disks within the Compute Engine page in the Google Cloud console. From the Manage disk page, delete the disk, and create a CMEK-enabled Persistent Disk. For more information, see Encrypt a new persistent disk with your own keys.
Enable CMEK on GKE Node Pool Boot Disks
Require customer-managed encryption keys (CMEK) for the boot disks for GKE node pools to gain more control over data encryption and key management.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | NODEPOOL_BOOT_CMEK_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You cannot enable CMEKs for node boot disks on an existing cluster. Create a new node pool with CMEK enabled, migrate your workloads, and delete the older node pool. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name. In the Nodes tab, create new node pools with CMEK enabled. Migrate your workloads from the existing non-conforming node pool to the new node pools and then remove the old node pool. For more information, see Create a node pool with CMEK-protected node boot disks.
Enable Confidential Computing for Compute Engine Instances
Confidential Computing is the protection of data in use. It uses a hardware-based Trusted Execution Environment (TEE) to create secure and isolated environments that help prevent unauthorized access.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | CONFIDENTIAL_COMPUTING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable Confidential Computing on a VM instance after it's been created. Delete the current VM instance and create a Confidential VM from the VM instances page of Compute Engine. For more information, see Create a Confidential VM instance.
Enable Control Plane Authorized Networks on GKE Clusters
Use authorized networks to help improve cluster security by blocking unauthorized IP addresses from accessing your cluster's control plane.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | MASTER_AUTHORIZED_NETWORKS_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Configure authorized networks for the cluster. Go to the Clusters > Kubernetes Engine page in the Google Cloud console. Select the cluster and click Edit. Select Enabled on the Control Plane Authorized Networks drop-down list. Click Add authorized network and specify the authorized networks.
Enable CSEK On Compute Engine Persistent Disks
Require customer-supplied encryption keys (CSEK) to use your own encryption keys with Compute Engine. Only users who provide the correct key can access resources protected by a CSEK.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | DISK_CSEK_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable CSEK on a Persistent Disk after it's been created. Delete the disk and create a new disk with CSEK enabled. Go to Disks within the Compute Engine page in the Google Cloud console. From the Manage disk page, delete the disk, and create a CSEK-enabled disk. For more information, see Encrypt disks with customer-supplied encryption keys.
Enable Data Lineage API
Enable the Data Lineage API to better track data flow through generative AI systems.
| Enforcement mode | |
| Severity | LOW |
| Finding category | DATA_LINEAGE_API_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable data lineage for Google Cloud projects. For more information, see About data lineage.
Enable Data Write Audit Logs for Organization Policy
Ensure that Organization Policy Service audit logs for the DATA_WRITE permission type are enabled for all users.
| Enforcement mode | Audit |
| Finding category | ORGPOLICY_AUDIT_LOGS_DATA_WRITE_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Ensure that you can monitor Data Access logs for organization policy constraint changes. To enable the DATA_WRITE permission, see Configure Data Access audit logs with the Google Cloud console.
Enable Delete to Trash Feature for Vertex AI Workbench Instances
Enable the Delete to Trash metadata feature for Workbench instances to provide a crucial recovery safety net and help prevent accidental data loss.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_WORKBENCH_DELETE_TO_TRASH_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable delete to trash for the existing instance.
In the Google Cloud console, go to the Instances page.
Click the instance that you want to configure.
In the Software and security tab, add the notebook-enable-delete-to-trash metadata key and set the value to TRUE.
For more information, see Update an instance's metadata.
Enable DNSSEC for Cloud DNS
Domain Name System Security Extensions (DNSSEC) helps prevent attackers from signing in to DNS records in your Cloud DNS zones.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | DNSSEC_DISABLED |
| Revision number | 3 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Enable DNSSEC for Cloud DNS zones. Go to the Network Services > Cloud DNS page in the Google Cloud console and enable DNSSEC for the Cloud DNS zones. For more information, see Enable DNSSEC for existing managed public zones.
Enable Encryption for Mobile Devices
Configure full-device encryption or container encryption to protect the confidentiality and integrity of information stored on mobile devices.
| Enforcement mode | Audit |
| Finding category | MOBILE_DEVICES_ENCRYPTION_NOT_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Enable full-device encryption. For Android devices, use device settings. On iOS devices, full-device encryption is enabled by default when a passcode is set.
Implement a mobile device management solution that enforces encryption. Consider advanced mobile management.
To encrypt containers for BYOD or work profiles, use a mobile device management solution.
On Google Cloud, Grant IAM roles to mobile device users.
Enable Encryption on GKE Clusters
Enable application-layer secrets encryption on a Google Kubernetes Engine (GKE) cluster to create an additional layer of security for sensitive workloads.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | CLUSTER_SECRETS_ENCRYPTION_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Determine whether to use an existing Cloud KMS key or create a new key. For more information, see Creating a Cloud KMS key. Next, enable application-layer secrets encryption.
Enable Enhanced IAM Audit Logging
Enable audit logs for the IAM API, Security Token Service API, and Service Account Credentials API. Include the ADMIN_READ, DATA_READ, and DATA_WRITE types.
| Enforcement mode | Audit |
| Finding category | IAM_AUDITLOG_PRIVILEGED_ACCESS_MANAGEMENT_VIOLATION |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable DATA_READ, DATA_WRITE, and ADMIN_READ for the following APIs: iam.googleapis.com, iamcredentials.googleapis.com, and sts.googleapis.com. For more information, see the following:
Enable Firewall Rule Logging
Firewall rules logging lets you audit, verify, and analyze the effects of your firewall rules, and provide an early warning that the network is being used in an unapproved manner.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | FIREWALL_RULE_LOGGING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the VPC Network > Firewall page in the Google Cloud console. For more information, see Enable firewall rules logging.
Enable Flow Logs for VPC Subnet
VPC Flow Logs provides information that you can use for network monitoring, forensics, real-time security analysis, and expense optimization. This control doesn't check whether VPC Flow Logs are enabled for Serverless VPC Access or Cloud Load Balancing subnets.
| Enforcement mode | |
| Severity | LOW |
| Finding category | VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED |
| Revision number | 3 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Enable flow logs for the VPC network. Go to the VPC Network > VPC networks page in the Google Cloud console. Click the network name. On the VPC network details page, click the Subnets tab. Click the subnet name and edit it to enable Flow logs.
Enable Idle Shutdown for Vertex AI Runtime Templates
Enable automatic idle shutdown in Colab Enterprise runtime templates to optimize cloud costs, improve resource management, and enhance security.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_RUNTIME_TEMPLATE_IDLE_SHUTDOWN_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't change this setting after the runtime template is created. Delete the existing runtime template and create a new one with idle shutdown turned on.
Delete the runtime template. For instructions, see Delete a runtime template.
Create a runtime template. For instructions, see Create a runtime template. To turn on idle shutdown, in the Configure compute section, select Enable idle shutdown.
For more information, see Idle shutdown.
Enable Integrity Monitoring for Vertex AI Workbench Instances
Enable integrity monitoring on Workbench instances to continuously attest the boot integrity of your VMs against a trusted baseline.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_WORKBENCH_INTEGRITY_MONITORING_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable integrity monitoring for the Workbench instance.
- Stop your Workbench instance:
```
gcloud workbench instances stop INSTANCE_NAME --location=LOCATION --format="yaml(state)"
```
- Enable the vTPM feature (integrity monitoring depends on the vTPM):
```
gcloud workbench instances update INSTANCE_NAME --location=LOCATION --shielded-vtpm true --format="yaml(gceSetup.shieldedInstanceConfig.enableVtpm)"
```
- Enable integrity monitoring:
```
gcloud workbench instances update INSTANCE_NAME --location=LOCATION --shielded-integrity-monitoring true --format="yaml(gceSetup.shieldedInstanceConfig.enableIntegrityMonitoring)"
```
- Restart the instance:
```
gcloud workbench instances start INSTANCE_NAME --location=LOCATION --format="yaml(state)"
```
Enable Integrity Monitoring on GKE Clusters
Integrity monitoring lets you respond to integrity failures and help prevent compromised nodes from being deployed into the cluster.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | INTEGRITY_MONITORING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't enable integrity monitoring on a GKE node pool after it's been created. Create a new node pool with integrity monitoring enabled, migrate your workloads, and delete the older node pool. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name. Click Add Node Pool. In the Security tab, select Enable integrity monitoring and click Create. Migrate your workloads from the existing non-conforming node pool to the new node pools and then remove the old node pool.
Enable integrity verification of software and firmware components
Enforce software and firmware integrity verification to detect unauthorized changes using developer-provided tools, techniques, and mechanisms.
| Enforcement mode | Audit |
| Finding category | MISSING_FIRMWARE_INTEGRITY_VERIFICATION_CONTROLS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Mandate integrity verification of software and firmware components for critical risk information systems, system components, or information system services. For example, validate the integrity of the BIOS and other firmware updates before they are applied.
Enable Intranode Visibility for GKE Clusters
Intranode visibility makes Pod-to-Pod traffic visible for monitoring and lets you use VPC flow logging or other VPC features to monitor or control intranode traffic.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | INTRANODE_VISIBILITY_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Kubernetes Engine > Clusters page in the Google Cloud console. In the Networking section, click Edit intranode visibility in the Intranode visibility row, and select Enable Intranode visibility.
Enable IP Alias Range for GKE Clusters
Google Cloud alias IP ranges let you assign ranges of internal IP addresses as aliases, so your cluster is scalable and interacts better with Google Cloud products and entities.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | IP_ALIAS_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
For instructions on how to create a cluster enabled with alias IP range, see Create a VPC-native cluster.
Enable Load Balancer Logging
Logging for a Cloud Load Balancing backend service provides visibility into the HTTP(S) network traffic towards your web applications.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | LOAD_BALANCER_LOGGING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To enable logging on a backend service, see Enabling logging on an existing backend service.
Enable Log Checkpoints Flag for PostgreSQL
Turn on the log_checkpoints flag for PostgreSQL to log checkpoints and restart points.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_LOG_CHECKPOINTS_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_checkpoints database flag to On for the instance.
Enable Log Connections Flag for PostgreSQL
Turn on the log_connections flag for the PostgreSQL instance.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_LOG_CONNECTIONS_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Turn the log_connections flag on. Go to the SQL > Instances page in the Google Cloud console and set the log_connections database flag to On for the instance.
Enable Log Disconnections Flag for PostgreSQL
Turn on the log_disconnections flag for the PostgreSQL instance. When set, end-of-session events are logged.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_LOG_DISCONNECTIONS_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Turn the log_disconnections flag on. Go to the SQL > Instances page in the Google Cloud console and set the log_disconnections database flag to On for the instance.
Enable Log Duration Flag for PostgreSQL instance
Set the log_duration flag to log the duration of every completed statement.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_LOG_DURATION_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_duration database flag to On for the instance.
Enable Log Error Verbosity Flag for PostgreSQL
Turn on verbose or default logging using the log_error_verbosity flag for the PostgreSQL instance. When set, the flag controls detail in logged messages.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_LOG_ERROR_VERBOSITY |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the log_error_verbosity flag. Go to the SQL > Instances page in the Google Cloud console and set the log_error_verbosity database flag to default or verbose for the instance.
Enable Log Events Data Sharing
The Google Admin console lets you share log events data from your Google Workspace or Cloud Identity with services in Google Cloud. Turn on log events sharing to view this data in Cloud Audit logs.
| Enforcement mode | Audit |
| Finding category | LOG_EVENTS_DATA_SHARING_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To change data sharing options for Google Cloud audit logs in the Google Admin console, go to Menu > Account > Account settings > Legal and compliance > Sharing options. For more information, see Share data with Google Cloud services.
Enable Log Locks Wait Flag for PostgreSQL instance
Turn on the log_lock_waits flag for PostgreSQL to generate log entries for unusually long session waits.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_LOG_LOCK_WAITS_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_lock_waits database flag to On for the Cloud SQL instance.
Enable Log Min Error Statement Flag for PostgreSQL
Configure the log_min_error_statement flag as per your organization's logging policy for the PostgreSQL instance. This flag controls logging of SQL statements that cause errors.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_LOG_MIN_ERROR_STATEMENT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_min_error_statement database flag for the Cloud SQL instance. The value of this flag must be set as per your organization's logging policy. Possible values are info, notice, warning, error, debug1, debug2, debug3, debug4, and debug5.
Enable Log Min Messages Flag for PostgreSQL
Set the log_min_messages flag to warning or lower levels for the PostgreSQL instance. This flag controls message levels recorded in logs.
| Enforcement mode | |
| Severity | LOW |
| Finding category | SQL_LOG_MIN_MESSAGES_INCORRECT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the log_min_messages flag. Go to the SQL > Instances page in the Google Cloud console and set the log_min_messages database flag for the Cloud SQL instance to one of Notice, Info, Debug1, Debug2, Debug3, Debug4, or Debug5.
Enable Log Statement Flag for PostgreSQL
Set the log_statement flag to ddl for the PostgreSQL instance. When set to ddl, all data definition statements are logged for forensic analysis.
| Enforcement mode | |
| Severity | LOW |
| Finding category | SQL_LOG_STATEMENT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_statement database flag to ddl for the Cloud SQL instance.
Enable Log Temp Files Flag for PostgreSQL instance
Set the log_temp_files flag to 0 for PostgreSQL. When set to 0, all temp files are logged.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_LOG_TEMP_FILES |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_temp_files database flag to 0 for the Cloud SQL instance.
Enable Network Policy on GKE Clusters
Restrict network connections between pods with a NetworkPolicy resource which acts as a pod-level firewall and only permits explicitly allowed connections.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | NETWORK_POLICY_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Kubernetes Engine > Clusters page in the Google Cloud console. Click the cluster name, and in the Networking section, edit the Calico Kubernetes Network policy to enable it for both the control plane and nodes.
Enable Object Versioning on Buckets
Versioning lets you track changes to objects and to enable recovery of specific versions of an object.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | OBJECT_VERSIONING_DISABLED_ON_BUCKETS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
To enable versioning for Cloud Storage buckets, see Set Object Versioning on a bucket.
Enable OS Login
Enable OS Login to centralize SSH key management with Identity and Access Management (IAM).
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | OS_LOGIN_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Enable OS Login. Go to the Metadata page for Compute Engine in the Google Cloud console. Click Edit and add an item with the key set to enable-oslogin and the value set to TRUE.
Enable OS Login for All Instances at Project Level
Enable OS Login to centralize SSH key management with Identity and Access Management (IAM).
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | OS_LOGIN_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Enable OS Login for the project. On the Metadata page in the Google Cloud console, add the key enable-oslogin and value TRUE. For more information, see Enable OS Login for all VMs in a project.
Enable PodSecurityPolicies for GKE Clusters
Define and authorize a PodSecurityPolicy to validate requests to create and update pods on a Google Kubernetes Engine (GKE) cluster. This control checks whether the GKE cluster version is 1.25 or later because PodSecurityPolicy is deprecated. If the GKE cluster version is less than 1.25, the securityPostureConfig.mode must be BASIC or ENTERPRISE.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | POD_SECURITY_POLICY_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Enable the PodSecurityPolicy controller on the GKE clusters. For more information, see PodSecurityPolicy.
Enable Private Clusters for GKE
Use private clusters in Google Kubernetes Engine (GKE) to limit outbound internet access and node discoverability.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | PRIVATE_CLUSTER_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't change an existing cluster into a private cluster. Create a private cluster, move your workloads, and delete the older cluster. Go to the Kubernetes clusters page in the Google Cloud console and create a cluster with Private cluster turned on. For more information, see Create a private cluster. Migrate your workloads and then remove the old cluster.
Enable Private Google Access for VPC Subnets
Allow VM instances with only internal (private) IP addresses to reach Google public APIs with Private Google Access.
| Enforcement mode | |
| Severity | LOW |
| Finding category | PRIVATE_GOOGLE_ACCESS_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable Private Google Access for the subnets that don't have access to Google public APIs and services. For more information, see Enable Private Google Access.
Enable Private Google Access on an instance
Private Google Access enables VM instances with only private, internal IP addresses to reach the public IP addresses of Google APIs and services. Configuring cluster hosts to use only private IPs helps improve security.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable Private Google Access on the cluster. Complete the following steps:
- Go to the VPC Network > VPC networks page in the Google Cloud console.
- Click the network name.
- On the VPC network details page, click the Subnets tab.
- Click the subnet name associated with the Kubernetes cluster in the finding.
- On the Subnet details page, click Edit.
- Under Private Google Access, select On.
Enable Provenance Tracking of Synthetic Datasets
Attach labels to synthetic data so that you can track their provenance.
| Enforcement mode | |
| Severity | LOW |
| Finding category | LABELS_NOT_ENABLED_FOR_SYNTHETIC_VERTEX_AI_DATASETS |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Use labels to track synthetic Vertex AI datasets. For more information, see Adding labels to resources and Tags and labels.
Enable Response Grounding in Vertex AI
Use grounding techniques to connect model output to verifiable sources of information so that the model produces outputs based on reliable data and reduces the possibility of producing misinformation.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_GROUNDING_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Configure Vertex AI grounding features to ground responses. For more information, see Grounding overview.
Enable SDP for Data Discovery
The Sensitive Data Protection (SDP) discovery service helps you protect data across your organization by identifying where sensitive and high-risk data resides.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SDP_TO_DISCOVER_DATA_DISABLED |
| Revision number | 3 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Use SDP to discover the data and address critical findings. For instructions on using SDP, see Inspect Google Cloud storage and databases for sensitive data.
Enable Secure Boot for Shielded GKE Nodes
Enable Secure Boot to authenticate the boot components of your node VMs, such as the kernel and the bootloader, during the boot process.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | NODEPOOL_SECURE_BOOT_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Create a node pool with Secure Boot and migrate your workloads from the existing non-conforming node pools to the new node pools. After moving the workloads, delete the original non-conforming node pool. For more information, see Secure boot.
Enable Secure Boot for Vertex AI Runtime Templates
Enable secure boot in Colab Enterprise runtime templates to help prevent unauthorized code execution and help protect operating system integrity.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_RUNTIME_TEMPLATE_SECURE_BOOT_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
You can't change this setting after the runtime template is created. Delete the existing runtime template and create a new one with secure boot enabled.
Delete the runtime template. For instructions, see Delete a runtime template.
Create a runtime template. For instructions, see Create a runtime template. To enable secure boot, in the Configure compute section, select Secure Boot.
Enable Secure Boot for Vertex AI Workbench Instances
Enable secure boot for Workbench instances to help prevent the execution of unauthorized or malicious software during the boot process.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_WORKBENCH_SECURE_BOOT_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable secure boot.
- Stop your Workbench instance:
```
gcloud workbench instances stop INSTANCE_NAME --location=LOCATION --format="yaml(state)"
```
- Enable the secure boot feature:
```
gcloud workbench instances update INSTANCE_NAME --location=LOCATION --shielded-secure-boot true --format="yaml(gceSetup.shieldedInstanceConfig.enableSecureBoot)"
```
- Restart the instance:
```
gcloud workbench instances start INSTANCE_NAME --location=LOCATION --format="yaml(state)"
```
Enable Secure Boot on Compute Engine Instances
Secure Boot helps to protect VM instances against advanced threats such as rootkits and bootkits. This control doesn't apply to GKE instances, Compute Engine disks that have GPU accelerators and don't use Container-Optimized OS, Compute Engine guest operating systems that don't use Unified Extensible Firmware Interface (UEFI), or Serverless VPC Access resources.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | COMPUTE_SECURE_BOOT_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Turn on Secure Boot. Go to the Compute Engine > VM instances page in the Google Cloud console. Select the instance name. On the VM instance details page, stop the instance. Click Edit. Enable Secure Boot under Shielded VM, and start the instance.
Enable Sensitive Data Protection to Detect PII in Training Data
Enable Sensitive Data Protection data for Vertex AI datasets and configure the inspection template to detect personally identifiable information (PII) and sensitive personally identifiable information (SPII) infotypes. Also set the profiling frequency to minimize the risks that are associated with linking AI-generated content back to individual human subjects.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | SDP_DISABLED_FOR_VERTEX_DATASETS |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
For more information, see Enable sensitive data discovery for Vertex AI.
Enable Shielded GKE Nodes on a Cluster
Shielded Google Kubernetes Engine (GKE) nodes help to protect against Pod vulnerabilities by preventing attackers from accessing cluster secrets.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | CLUSTER_SHIELDED_NODES_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enable Shielded GKE nodes for the cluster. Go to the Clusters page of Kubernetes Engine in the Google Cloud console. Select the cluster from the list. Under Security, edit Shielded GKE nodes and select the Enable Shielded GKE nodes checkbox.
Enable Shielded VM for Compute Engine Instances
Ensure Compute Engine instances are created with Shielded VM enabled.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | SHIELDED_VM_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Enable Shielded VM for the instance. For more information, see Enable Shielded VM options.
Enable Skip Show Database Flag for MySQL
Turn on the skip_show_database flag for the MySQL instance to prevent users without privilege from using SHOW DATABASES.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | SQL_SKIP_SHOW_DATABASE_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Turn on the skip_show_database flag. Go to the SQL > Instances page in the Google Cloud console and set the skip_show_database flag to On for the MySQL instance.
Enable SSL Encryption On AlloyDB Instances
Enforce Secure Sockets Layer (SSL) to permit only authenticated and encrypted connections to AlloyDB instances.
| Enforcement mode |
|
| Severity | HIGH |
| Finding category | ALLOYDB_SSL_NOT_ENFORCED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enforce SSL for the AlloyDB cluster. Go to the AlloyDB > Clusters page in the Google Cloud console. Click the cluster from the Resource Name column, and edit the primary instance. Enable Only allow SSL connections.
Enable Subnet Flow Logs
Monitor sub network flows using VPC Flow Logs for security analysis, forensics, and expense optimization.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | FLOW_LOGS_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To configure VPC Flow Logs for a subnet, see Enable VPC Flow Logs for a subnet.
Enable System Use Notifications on VMs
Implement system use notifications (messages or warning banners) before users log in. The notifications are retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system.
| Enforcement mode | Audit |
| Finding category | SYSTEM_USE_NOTIFICATIONS_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create a banner text file and transfer it to your VMs using the Secure Copy Protocol (SCP) file transfer utility. For example:
gcloud compute scp banner.txt YOUR_VM_NAME:~ --zone YOUR_INSTANCE_ZONE
For more information, see Transfer files to Linux VMs.
Enable the Confidential VM Organization Policy Constraint
To help protect against memory attacks, enable the Restrict Non-Confidential Computing (compute.restrictNonConfidentialComputing) organization policy constraint so that each virtual machine (VM) is a Confidential VM.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | ORG_POLICY_CONFIDENTIAL_VM_POLICY |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enable the Restrict Non-Confidential Computing organization policy. For instructions, see Enforce Confidential VM use.
Enable the Restrict Authorized Networks on Cloud SQL Instances Organization Policy Constraint
Enable the Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks) organization policy constraint to restrict adding Authorized Networks for unproxied database access to Cloud SQL instances.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | RESTRICT_AUTHORIZED_NETWORKS_ORG_POLICY |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Enable the Restrict Authorized Networks on Cloud SQL instances constraint in the Organization Policies page from the Google Cloud console. For more information, see Organization policy constraints and Creating and managing organization policies.
Enable Uniform Bucket-Level Access on Cloud Storage Buckets
When uniform bucket-level access is enabled, only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects that it contains.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | BUCKET_POLICY_ONLY_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the Cloud Storage > Buckets page in the Google Cloud console. In the list of buckets, click the name of the bucket and then click the Configuration tab. In the Permissions section, click Edit access control model, and select Uniform. For more information, see Uniform bucket-level access.
Enable Vertex AI Copyright Data Filters
Enable Vertex AI copyright data filter when using Gemini on Vertex AI.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | COPYRIGHT_DATA_FILTERS_NOT_IN_USE_IN_VERTEX_AI |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Use the non-configurable filters in Vertex AI for Gemini to help prevent the generation of copyrighted content (recitation). For more information, see Safety in Vertex AI.
Enable VPC Flow Logs for Compute Engine Instances
VPC Flow Logs provides you visibility into network throughput and performance.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | COMPUTE_VPC_ADVANCED_FLOW_LOGS_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To configure VPC Flow Logs, see Configure VPC Flow Logs.
Enable vTPM on Vertex AI Workbench Instances
Enable the virtual trusted platform module (vTPM) on Workbench instances to safeguard the boot process and gain more control over encryption.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | VERTEX_AI_WORKBENCH_VTPM_DISABLED |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enable vTPM for the Vertex AI Workbench instance.
- Stop your Workbench instance:
gcloud workbench instances stop INSTANCE_NAME --location=LOCATION --format="yaml(state)"
- Enable the vTPM feature:
gcloud workbench instances update INSTANCE_NAME --location=LOCATION --shielded-vtpm true --format="yaml(gceSetup.shieldedInstanceConfig.enableVtpm)"
- Restart the instance:
gcloud workbench instances start INSTANCE_NAME --location=LOCATION --format="yaml(state)"
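The Secure Boot and vTPM controls above both read the same gceSetup.shieldedInstanceConfig fields that the remediation commands print. The following added example (not code from the Compliance Manager documentation) audits a list of Workbench instances for both settings at once and builds the stop / update / start sequence from the page for each non-compliant instance; the input shape is assumed to match `gcloud workbench instances list --format=json`, and the instance names are constructed.

```python
import json

# Constructed sample, shaped like the output of
# `gcloud workbench instances list --format=json` (assumption); the field
# path gceSetup.shieldedInstanceConfig.* is the one the page's commands print.
SAMPLE_INSTANCES_JSON = json.dumps([
    {
        "name": "projects/example-project/locations/us-central1-a/instances/nb-compliant",
        "state": "ACTIVE",
        "gceSetup": {"shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True}},
    },
    {
        "name": "projects/example-project/locations/us-central1-a/instances/nb-legacy",
        "state": "ACTIVE",
        "gceSetup": {"shieldedInstanceConfig": {"enableVtpm": False}},
    },
])

# Shielded setting -> (finding category from the page, gcloud update flag from the page).
REQUIRED_SETTINGS = {
    "enableSecureBoot": ("VERTEX_AI_WORKBENCH_SECURE_BOOT_DISABLED", "--shielded-secure-boot"),
    "enableVtpm": ("VERTEX_AI_WORKBENCH_VTPM_DISABLED", "--shielded-vtpm"),
}


def parse_name(full_name):
    """Split a full resource name into (location, short instance name)."""
    parts = full_name.split("/")
    return parts[parts.index("locations") + 1], parts[parts.index("instances") + 1]


def find_shielded_gaps(instances_json):
    """Map each non-compliant instance name to its list of finding categories.

    An absent key counts as disabled, because false booleans may be omitted
    from API responses (assumption); an explicit False is disabled as well.
    """
    findings = {}
    for inst in json.loads(instances_json):
        cfg = inst.get("gceSetup", {}).get("shieldedInstanceConfig", {})
        missing = [cat for key, (cat, _flag) in REQUIRED_SETTINGS.items()
                   if not cfg.get(key, False)]
        if missing:
            findings[inst["name"]] = missing
    return findings


def remediation_commands(full_name, missing_categories):
    """Build the stop / update / start sequence from the page for one instance.

    Every missing feature is enabled in a single update so the instance is
    only stopped once.
    """
    location, short = parse_name(full_name)
    flags = " ".join(f"{flag} true" for _key, (cat, flag) in REQUIRED_SETTINGS.items()
                     if cat in missing_categories)
    base = "gcloud workbench instances"
    return [
        f'{base} stop {short} --location={location} --format="yaml(state)"',
        f"{base} update {short} --location={location} {flags}",
        f'{base} start {short} --location={location} --format="yaml(state)"',
    ]


def audit(instances_json):
    """Return [(instance name, categories, commands)] for every non-compliant instance."""
    return [(name, cats, remediation_commands(name, cats))
            for name, cats in find_shielded_gaps(instances_json).items()]


if __name__ == "__main__":
    for name, cats, cmds in audit(SAMPLE_INSTANCES_JSON):
        print(name, cats)
        print("\n".join("  " + c for c in cmds))
```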
Enable Workload Identity Federation for GKE on clusters
Access Google Cloud services from within Google Kubernetes Engine (GKE) using Workload Identity Federation for GKE for improved security and manageability.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | WORKLOAD_IDENTITY_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enable Workload Identity Federation for GKE. For more information, see Enable Workload Identity Federation for GKE on clusters and node pools.
Encrypt Data at Rest with CMEK
Encrypt data at rest with customer-managed encryption keys (CMEK).
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | DATA_AT_REST_CMEK_ENCRYPTION_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Check the encryption status for Cloud Storage buckets and ensure the KMS key name is set. For Compute Engine instances, the kmsKeyName for the instance and attached disks must not be empty. For Cloud SQL instances, the kmsKeyName within diskEncryptionConfiguration must not be empty.
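As an added example (not code from the documentation), the check described above for Compute Engine disks and Cloud SQL instances, run over constructed JSON shaped like `gcloud compute instances list --format=json` and `gcloud sql instances list --format=json` (that shape, and the disks[].diskEncryptionKey nesting around kmsKeyName, are assumptions; the field names themselves are the ones the page cites).

```python
import json

# Constructed sample shaped like `gcloud compute instances list --format=json`
# (assumption); the page requires kmsKeyName on each attached disk.
COMPUTE_INSTANCES_JSON = json.dumps([
    {"name": "vm-cmek",
     "disks": [{"deviceName": "persistent-disk-0",
                "diskEncryptionKey": {"kmsKeyName": "projects/example-project/locations/us-central1/keyRings/ring/cryptoKeys/key"}}]},
    {"name": "vm-default",
     "disks": [{"deviceName": "persistent-disk-0"},
               {"deviceName": "data-1", "diskEncryptionKey": {"kmsKeyName": ""}}]},
])

# Constructed sample shaped like `gcloud sql instances list --format=json`
# (assumption); the page names diskEncryptionConfiguration.kmsKeyName.
SQL_INSTANCES_JSON = json.dumps([
    {"name": "sql-cmek",
     "diskEncryptionConfiguration": {"kmsKeyName": "projects/example-project/locations/us-central1/keyRings/ring/cryptoKeys/key"}},
    {"name": "sql-default"},
])


def kms_key_is_set(container):
    """True when the dict carries a non-empty kmsKeyName; a missing dict counts as unset."""
    return bool((container or {}).get("kmsKeyName", "").strip())


def compute_disks_without_cmek(instances_json):
    """Return 'instance/device' for each attached disk that is not CMEK-protected.

    Both an absent diskEncryptionKey (Google-managed default) and an empty
    kmsKeyName are reported, since the page says the value must not be empty.
    """
    findings = []
    for inst in json.loads(instances_json):
        for disk in inst.get("disks", []):
            if not kms_key_is_set(disk.get("diskEncryptionKey")):
                findings.append(f"{inst['name']}/{disk.get('deviceName', '?')}")
    return findings


def sql_instances_without_cmek(instances_json):
    """Return Cloud SQL instance names whose diskEncryptionConfiguration lacks a key."""
    return [inst["name"] for inst in json.loads(instances_json)
            if not kms_key_is_set(inst.get("diskEncryptionConfiguration"))]


def cmek_findings(compute_json, sql_json):
    """Group both checks under the finding category used by this control."""
    return {"DATA_AT_REST_CMEK_ENCRYPTION_MISSING": {
        "compute_disks": compute_disks_without_cmek(compute_json),
        "sql_instances": sql_instances_without_cmek(sql_json),
    }}


if __name__ == "__main__":
    print(json.dumps(cmek_findings(COMPUTE_INSTANCES_JSON, SQL_INSTANCES_JSON), indent=2))
```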
Encrypt Pub/Sub topic with CMEK
Encrypt a Pub/Sub topic with customer-managed encryption keys (CMEKs) to gain more control over data encryption and key management.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | PUBSUB_CMEK_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
You can't enable CMEK on a Pub/Sub topic after it's been created. Delete the topic and create a new topic with CMEK enabled. In the Google Cloud console, go to the Pub/Sub Topics page. Delete and recreate the Pub/Sub topic with CMEK. For more information, see Delete topics and Configure a topic with CMEK.
Enforce 2-Step Verification for Super Admin Accounts
Google recommends using Titan security keys as the second factor for Super Admin accounts. The Titan security key helps protect against unauthorized access.
| Enforcement mode | Audit |
| Finding category | SUPER_ADMIN_ACCOUNTS_MFA_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To enforce 2-Step Verification, sign in to the Google Admin console (admin.google.com), navigate to Security > Authentication > 2-Step Verification, and turn on enforcement for the organizational unit or group containing the super administrators.
Enforce CMEK
Use customer-managed encryption keys (CMEKs) for increased ownership and control of the keys that protect your data at rest in Google Cloud.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | CMEK_NOT_ENFORCED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Configure CMEK across your services.
Consider the Certificate Authority Service for hardware-protected private keys which are FIPS 140-2 Level 3 validated.
Enforce CMEK for Supported Services
Use the "Restrict which services may create resources without CMEK" (gcp.restrictNonCmekServices) organization policy constraint to define which Google Cloud services must use customer-managed encryption keys (CMEKs).
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | ORGPOLICY_RESTRICT_NON_CMEK_SERVICES_VIOLATED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To configure this constraint, see Require CMEK protection.
Enforce Compute Session Inactive Policy
Monitor user inactivity on Compute Engine instances and end sessions after a session has been inactive for 30 minutes.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | COMPUTE_SESSION_INACTIVITY_POLICY_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set the [httpkeepAliveTimeoutSec attribute](https://cloud.google.com/load-balancing/docs/https/setup-global-ext-https-compute#update-keepalive-timeout) to the session timeout. Verify you're monitoring user activity for your Compute Engine VMs. For example, the following script sets a metadata flag (terminate-session=true) if the idle time exceeds 30 minutes:
```bash
#!/bin/bash
# Logic to check user activity.
# idle_time_minutes is a placeholder for your own check; it must print the
# current idle time in minutes.
if [ "$(idle_time_minutes)" -gt 30 ]; then
  gcloud compute instances add-metadata INSTANCE_NAME --metadata terminate-session=true
fi
```
Verify session termination scripts are implemented. For example, the following script ends the session based on your conditions:
```bash
#!/bin/bash
# Logic to terminate the user session
# (This may involve logging out the user, killing user processes, etc.)
# Clear the metadata flag
gcloud compute instances add-metadata INSTANCE_NAME --metadata terminate-session=false
```
Enforce Configuration Management for IAC
Ensure configuration management for your infrastructure as code (IAC) during system, component, or service development. Consider version control and change tracking.
| Enforcement mode | Audit |
| Finding category | MISSING_IAC_CONFIGURATION_MANAGEMENT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Use Deployment Manager or Terraform to define and manage your IAC files. Use a Git repository to track changes and for version control.
Implement a change management process that includes code reviews and approvals.
Create a change implementation process and use IAM to ensure only authorized personnel can modify configuration items.
Document approved changes and implement logging and monitoring.
Track security issues and resolutions using vulnerability scanning, Security Command Center, monitoring alerting policies, and reporting practices.
Enforce Deny All Egress Firewall Rule
The deny-all egress firewall rule helps to prevent unwanted outbound network connections.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | EGRESS_DENY_RULE_NOT_SET |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set the firewall rule to deny egress traffic.
Go to the Firewall > VPC Network page in the Google Cloud console.
Click Create firewall rule.
For Direction of traffic, select Egress.
In the Action on match field, select Deny.
In the Targets drop-down menu, select All instances in the network.
In the Destination filter drop-down menu, select IP ranges, and type 0.0.0.0/0 into the Destination IP ranges box.
In the Protocols and ports field, select Deny all.
Click Disable Rule.
In Enforcement, select Enabled and click Create.
For more information, see Add a firewall rule to deny egress traffic originating from all other VPC networks.
Enforce Domain Restricted Sharing
Configure the "Domain restricted sharing" (iam.allowedPolicyMemberDomains) organization policy constraint to allow principals only from specified customer or organization IDs to be added to IAM policies. This policy lets you limit resource sharing based on a domain or organization resource.
| Enforcement mode | Audit |
| Finding category | ORG_POLICY_ALLOWED_IAM_MEMBER_DOMAINS_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Verify that the Domain restricted sharing (iam.allowedPolicyMemberDomains) constraint is set to your customer ID. Only principals that belong to the allowed customer IDs can be added to IAM policies. For more information, see Restricting identities by domain.
Enforce HTTPS Traffic Only
Configure your HTTP(S) load balancers to permit only HTTPS traffic to maintain data integrity and secure communications against tampering.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | HTTP_LOAD_BALANCER |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Restrict traffic to HTTPS only. Go to the Network Services > Load balancing page in the Google Cloud console. In the Target proxies tab, select the target proxy and configure it to use HTTPS traffic only. For more information, see Target proxies.
Enforce IAM Least Privilege
Maintain the principle of least privilege by assigning Org-Policy IAM to a restricted number of security professionals.
| Enforcement mode | Audit |
| Finding category | IAM_LEAST_PRIVILEGE_ORGPOLICY_VIOLATED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Assign Org-Policy IAM to a limited number of security professionals to maintain least privilege.
Enforce Least Privilege
Ensure that access controls in Google Cloud abide by the principle of least privilege.
| Enforcement mode | Audit |
| Finding category | ACCESS_CONTROL_BY_LEAST_PRIVILEGE_POLICY_NEEDS_REVIEW |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Review best practices in Least privilege.
Automate enforcement using Deployment Manager or Terraform.
Enforce Least Privilege Guide
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
| Enforcement mode | Audit |
| Finding category | LEAST_PRIVILEGE_GUIDE_NOT_IMPLEMENTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Define the minimum permissions required for tasks.
Identify the users and roles that require administrator permissions.
Create a security group for administrators.
Grant IAM roles to the security group.
Limit Google Cloud console access to the security group only.
Use IAM conditions to restrict access based on specific criteria.
Review access regularly using IAM recommender or Access Approval.
Configure MFA for users in the security group.
Implement IAM best practices.
Analyze and adjust IAM roles regularly.
Enforce Password for MySQL Database
Set a strong password for accounts connecting to MySQL database instances.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | SQL_NO_ROOT_PASSWORD |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to theSQL >Instances page in the Google Cloud console, select the instance, and set the password for the user.
Enforce Public Access Prevention
Use the "Enforce Public Access Prevention" (storage.publicAccessPrevention) organization policy constraint to help prevent Cloud Storage buckets and objects from being accidentally exposed to the public.
| Enforcement mode |
|
| Severity | HIGH |
| Finding category | ORGPOLICY_PUBLIC_ACCESS_PREVENTION_NOT_SET |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Configure public access prevention for Cloud Storage buckets at the project and folder levels. For instructions, see Use public access prevention.
Enforce Separation of Duties
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion.
| Enforcement mode | Audit |
| Finding category | SEPARATION_OF_DUTIES_NOT_IMPLEMENTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Review IAM best practices.
Define your separation-of-duties policy.
Create groups, where appropriate.
Find and grant roles to your groups.
Regularly analyze and adjust assigned roles.
Use custom roles, where necessary.
Enforce Session Lock Policy
Enforce session lock policies after 15 minutes of user activity. Session locks temporarily prevent logical access to organizational systems when users are away but don't want to log out.
| Enforcement mode | Audit |
| Finding category | SESSION_LOCK_POLICY_NOT_ENFORCED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Define criteria for your session lock policy.
Configure session locks in your Workforce identity pool.
gcloud iam workforce-pools update WORKFORCE_POOL_ID --location=LOCATION --session-duration=900s
Create scripts to monitor user activity and session lockouts.
Require reauthentication after a session locks.
Lock sessions on user request.
Notify users about the session lock policy.
Enable monitoring for session lock events and user-initiated requests.
gcloud logging read "resource.type=global AND logName=projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" --project=PROJECT_ID --format=json
Automate the session unlock process using authentication.
Include the session lock configuration in your deployment pipelines.
Document the process for reestablishing access.
Enforce SSL Encryption for Remote Access
Implement cryptographic mechanisms to help protect the confidentiality and integrity of remote access sessions.
| Enforcement mode | Audit |
| Finding category | REMOTE_ACCESS_PROTECTION_OF_CONFIDENTIALITY_AND_INTEGRITY_POLICY_VIOLATED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following.
Verify the SSL certificates in use.
Use SSH or HTTPS for remote access. For more information, see Securely connecting to VM instances.
Encrypt the connection between your on-premises network and Google Cloud. For example, enable HA VPN over Cloud Interconnect for IPsec encryption.
Configure SSL to encrypt application traffic between clients and servers.
Enforce SSL for all Incoming Database Connections
Use SSL for all incoming connections to your SQL database instance to secure data in transit. This control doesn't apply to on-premises databases or external instances.
| Enforcement mode |
|
| Severity | HIGH |
| Finding category | SSL_NOT_ENFORCED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and select the instance. On the Connections tab, click either Allow only SSL connections or Require trusted client certificates. If you chose Require trusted client certificates, create a new client certificate. For more information, see Create a new client certificate.
Enforce Two-Step Verification
Two-step verification (2SV) helps to protect accounts from unauthorized access and against compromised login credentials.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MFA_NOT_ENFORCED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enforce 2-Step Verification (2SV) for all organizational units in the Google Admin console. For more information, see Protect your business with 2-Step Verification.
Enforce Vertex AI Environment Options
Use the "Restrict environment options on new Vertex AI Workbench user-managed notebooks" (ainotebooks.environmentOptions) organization policy constraint to define the allowed VM and container image options for creating new Vertex AI Workbench notebooks and instances.
| Enforcement mode | Audit |
| Finding category | ORG_POLICY_VERTEXAI_ENVIRONMENT_OPTIONS_NOT_SET |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set the Restrict environment options on new Vertex AI Workbench user-managed notebooks (ainotebooks.environmentOptions) organization policy for both projects and folders. The expected format for VM instances is ainotebooks-vm/PROJECT_ID/IMAGE_TYPE/CONSTRAINED_VALUE. Replace IMAGE_TYPE with image-family or image-name.
The expected format for container images must be ainotebooks-container/CONTAINER_REPOSITORY:TAG.
Ensure Minimum TLS 1.2 Version
Enforce minimum TLS 1.2 in the SSL policies for Google Cloud and ensure organizational policies block older TLS versions.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | MINIMUM_TLS_1.2_NOT_ENFORCED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
For more information, see Restrict TLS Versions in Organization policy constraints.
Establish an SLA for Flaw Remediation
Measure the time between flaw identification and flaw remediation and set benchmarks for corrective actions.
| Enforcement mode | Audit |
| Finding category | IMPROPER_FLAW_REMEDIATION_SLA |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider the following:
Define and implement an SLA for your flaw remediation cycle.
Establish benchmarks as appropriate.
Consider Security Command Center to implement benchmarks.
Evaluate Data Bias in Training Data on Vertex AI
Evaluate data bias in training data on Vertex AI.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | DATA_BIAS_IN_TRAINING_DATA |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Use Vertex AI data bias metrics to evaluate training data. For more information, see Data bias metrics for Vertex AI.
Evaluate Risk and Impact of Changes
Review the risk and impact of changes.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_REVIEW_OF_RISK_AND_IMPACT_OF_CHANGES |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Evaluate the risk and potential impact of any changes on your applications and services.
Evaluate Synthetic Data for Data Quality
Assess synthetic data to ensure its responsible use and data quality.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | SYNTHETIC_DATA_QUALITY_NOT_CHECKED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Ensure that re-identification risk, bias, and homogenization for synthetic data are measured. For more information, see Model Armor filters and Measuring re-identification and disclosure risk.
Extract External IP Addresses for VM Instances
Identify external IP addresses that are assigned to Compute Engine VM instances.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_REVIEW_OF_COMPUTE_EXTERNAL_IPS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Evaluate all Compute Engine VM instances to ensure that external IP addresses are assigned only when necessary. Unintended external IPs can create security risks, as they expose your instances directly to the internet. For more information, see View the network configuration for an instance.
Generate After Action Reports
Verify that after-action reports are generated.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_AFTER_ACTION_REPORTS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create after-action reports and integrate the lessons learned into the operations of your applications and services periodically.
Generate Auditable Events
Generate audit events for all components of the production environment and applications.
| Enforcement mode | Audit |
| Finding category | AUDIT_EVENTS_NOT_GENERATED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enable audit logging.
Use IAM allow policies to control access to logs and log configurations. Grant different users read-only access and admin access to audit logs.
Create a security alerting policy file in YAML or JSON format that defines which events are audited and the retention period. For example:
```yaml
logging:
  auditLog: LOGS_BUCKET_NAME
  retentionPeriod: 30d
```
Apply the policy using Deployment Manager. For example:
```
gcloud deployment-manager deployments create POLICY_DEPLOYMENT_NAME --config=POLICY_FILE.yaml
```
Review log entries to ensure that expected auditable events are being logged.
Automate log analysis using Cloud Monitoring, or other analysis tools.
Regularly review the security alerting policy and IAM roles.
Govern the Maximum Retention Period for Sensitive Data
Specify the maximum retention period (based on creation date or last modification date) for sensitive data for selected resources that support the control.
| Enforcement mode | Detective |
| Severity | HIGH |
| Finding category | DATA_SECURITY_POSTURE_DELETION_VIOLATION |
| Category name in the API | CC_CATEGORY_DATA_SECURITY |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Parameters
Required union field. Set the permitted maximum retention period. Set it to one of the following values:
| | Set the maximum allowed age (in seconds) from the asset's creation time. |
| | Set the maximum allowed age (in seconds) from the asset's last modification time. |
Remediation steps
Complete the following:
Delete the sensitive data that's passed its retention date. For example, Delete the BigQuery dataset or Delete a Vertex AI dataset.
Update retention periods for supported products to match the parameter in this control. For example, Update BigQuery dataset properties or Manage BigQuery featurestores.
For more information about how this control works, see Govern the Maximum Retention Period for Sensitive Data.
Guidance for Immutable Infrastructure on Google Cloud
Provide guidance for deploying immutable infrastructure on Google Cloud.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_IMMUTABLE_INFRASTRUCTURE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Implement immutable infrastructure using an end-to-end CI/CD pipeline, leveraging services such as Artifact Registry, Cloud Build, and Kubernetes Engine. For detailed guidance, refer to the measurement guide.
Identify SDLC Functions and Services
Identify the functions, ports, protocols, and services intended for organizational use early in the system development life cycle (SDLC).
| Enforcement mode | Audit |
| Finding category | SDLC_FUNCTIONS_SERVICES_NOT_IDENTIFIED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Require developers to document the functions, ports, protocols, and services required for the SDLC lifecycle.
Identify Supply Chain Risks
Identify and prioritize potential risks to the supply chains that are used by your applications and services.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_SUPPLY_CHAIN_RISK_MANAGEMENT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Assess supply chain risks that might impact confidentiality, integrity, or availability of a system and its information. Employ risk mitigation strategies and update the supply chain risk assessment whenever there are significant changes in the supply chain.
Identify Third-Party Information Resources
Identify all third-party information resources to understand, monitor, and manage supply chain risks.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_THIRD_PARTY_INFORMATION_RESOURCES |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Verify the third-party individuals or systems that transfer information to your applications and services.
Implement Alerting for Incident Response
Define indicators of security compromise and alert the appropriate personnel or roles when they are detected.
| Enforcement mode | Audit |
| Finding category | INSUFFICIENT_ALERTING_FOR_INCIDENT_RESPONSE |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Configure alerts to the appropriate personnel so that they can respond to indicators of compromise.
Implement Audit Lifecycle Management
Implement audit record review, analysis, and reporting processes to establish an audit lifecycle management process for your systems.
| Enforcement mode | Audit |
| Finding category | AUDIT_LIFECYCLE_MANAGEMENT_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Enable audit logging, including for Cloud Storage.
Create metrics to capture relevant events.
Configure alerting policies for your metrics.
Create notification channels to receive alerts.
Regularly analyze logs for anomalies.
Consider exporting logs through Pub/Sub for integration with other systems.
Integrate logs with a SIEM.
Create an incident response plan for anomalies.
Regularly review and update alerting policies.
Enable Security Command Center.
Implement Authorized Decision Makers for Access Requests
Permit authorized individuals to integrate applications on your system with external products and services.
| Enforcement mode | Audit |
| Finding category | AUTHORIZED_DECISION_MAKERS_NOT_IMPLEMENTED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Identify the personnel in your organization who can make access authorization decisions. Set up mechanisms that can help them make these decisions.
Implement Best Practices for Cloud Deployments
Adhere to the recommended guidelines and best practices for cloud-native resources deployments.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_BEST_PRACTICE_IMPLEMENTATION |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Implement cloud information resources in accordance with Google's documented guidance and best practices, which provide specific, informed guidance on securing Google Cloud deployments and describe recommended configurations, architectures, suggested settings, and other operational advice.
Implement Centralized Intrusion Detection
Connect and configure individual intrusion detection tools into an information system-wide intrusion detection system.
| Enforcement mode | Audit |
| Finding category | INTRUSION_DETECTION_NOT_CENTRALIZED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider the following:
Connect and configure individual intrusion detection tools into an information system-wide intrusion detection system.
Explore implementing Security Command Center.
Implement Centralized Security Monitoring
Monitor information systems to detect attacks and indicators of potential attacks, identify unauthorized use of information systems, and deploy monitoring devices.
| Enforcement mode | Audit |
| Finding category | SECURITY_MONITORING_NOT_CENTRALIZED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider the following:
Identify what unauthorized use means. Consider legal and regulatory requirements.
Deploy monitoring devices across your system.
Use Cloud Logging and Cloud Monitoring to analyze logs and metrics, and implement alerts.
Enable VPC Flow Logs.
Consider Google Cloud Armor and Security Scanner to protect web applications.
Configure firewall rules with allowed and denied ports.
Centralize findings in a SIEM (for example, Google SecOps) or in Security Command Center.
Use IAM allow policies to control access.
Implement Google Cloud security best practices, such as the CIS GCP Benchmark.
Enable audit logging.
Implement certificate lifecycle management
Use a certificate policy or an approved service provider to issue public key certificates. Perform end-to-end key management for encrypted network connections.
| Enforcement mode | Audit |
| Finding category | CERTIFICATE_LIFECYCLE_MANAGEMENT_NOT_IMPLEMENTED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider the following:
Issue public key certificates under a certificate policy, or obtain them from an approved vendor. Consider Certificate Authority Service, which can back CA private keys with Cloud HSM keys that are FIPS 140-2 Level 3 validated.
Use Cloud KMS to create and manage your keys.
Configure SSL/TLS certificates for your web servers that run on VMs, GKE clusters, or App Engine.
Implement Continuous Network Traffic Monitoring
Monitor inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | CONTINUOUS_NETWORK_TRAFFIC_MONITORING_NOT_IMPLEMENTED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider the following:
Enable VPC Flow Logs.
Review firewall rules and allowed and denied ports.
Verify logging.
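The steps above say to enable VPC Flow Logs and review them, but not what to look for. The following is an added example, not code from the Compliance Manager page, that runs three baseline checks over flow-log records: egress from internal addresses on ports other than the expected ones, administrative ports reachable from the internet, and large per-destination egress volume. The records are constructed to match the jsonPayload layout of VPC Flow Logs (connection, reporter, bytes_sent); the internal ranges, allowed egress ports, and byte threshold are assumptions to adapt to your network.

```python
"""Added example, not part of the Compliance Manager page: baseline checks run
over VPC Flow Logs entries. The entries below are constructed to match the
jsonPayload layout of VPC Flow Logs (connection, reporter, bytes_sent); the
internal ranges, allowed ports and byte threshold are assumptions."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumptions: what counts as "inside", which egress ports are expected,
# and how many bytes per (src, dst) pair in one batch is worth a look.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EGRESS_PORTS = {443}
ADMIN_PORTS = {22, 3389}
LARGE_EGRESS_BYTES = 50 * 1024 * 1024
TCP = 6


def flow(src, sport, dst, dport, reporter, sent, proto=TCP) -> Dict:
    """Build one constructed flow-log record in VPC Flow Logs jsonPayload shape."""
    return {"jsonPayload": {"connection": {"src_ip": src, "src_port": sport,
                                           "dest_ip": dst, "dest_port": dport,
                                           "protocol": proto},
                            "reporter": reporter, "bytes_sent": sent}}


SAMPLE_FLOWS = [  # constructed sample data
    flow("10.0.1.5", 51000, "198.51.100.10", 443, "SRC", 20_000),        # expected HTTPS egress
    flow("10.0.1.5", 51001, "198.51.100.20", 8443, "SRC", 60_000_000),   # odd port, large volume
    flow("203.0.113.9", 40022, "10.0.1.5", 22, "DEST", 3_000),           # SSH from the internet
    flow("10.0.1.5", 51002, "10.0.2.8", 5432, "SRC", 4_000),             # internal east-west
]


def is_internal(ip: str) -> bool:
    """Membership in the organization-defined internal ranges (not ipaddress.is_private,
    which also treats the documentation ranges 198.51.100/24 and 203.0.113/24 as private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(flows: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings. Egress bytes are summed per (src, dst)
    across the batch so many small flows to one host are still noticed."""
    findings: List[Tuple[str, str]] = []
    egress_bytes: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        p = f["jsonPayload"]
        c = p["connection"]
        src, dst, port = c["src_ip"], c["dest_ip"], int(c["dest_port"])
        src_in, dst_in = is_internal(src), is_internal(dst)
        # Count egress from the source-side report only, so a flow reported by
        # both endpoints is not added twice.
        if src_in and not dst_in and p.get("reporter") == "SRC":
            egress_bytes[(src, dst)] += int(p.get("bytes_sent", 0))
            if port not in ALLOWED_EGRESS_PORTS:
                findings.append(("unexpected_egress", f"{src} -> {dst}:{port} proto {c['protocol']}"))
        if not src_in and dst_in and port in ADMIN_PORTS:
            findings.append(("admin_port_from_internet", f"{src} -> {dst}:{port}"))
    for (src, dst), total in egress_bytes.items():
        if total >= LARGE_EGRESS_BYTES:
            findings.append(("large_egress", f"{src} -> {dst} sent {total} bytes"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_FLOWS):
        print(f"{rule}: {detail}")
```

In production the same rules run over entries exported from Cloud Logging (a sink to BigQuery or Pub/Sub); the sampling rate and aggregation interval configured on the subnet's flow logs determine how complete the byte totals are.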
Implement Data Classification and Segmentation
Separate information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish required separations by types of information. Enforcing the separation of information flows by type helps to enhance protection by ensuring that information is not commingled while in transit.
| Enforcement mode | Audit |
| Finding category | DATA_CLASSIFICATION_SEGMENTATION_NOT_IMPLEMENTED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Define how you’ll classify your data based on severity and segmentation requirements.
Create VPC networks to isolate different components. For example, create VPC networks for specific data flows.
Use subnets to logically segment data flows.
Create firewall rules that control traffic between different subnets.
Enable VPC Network Peering or Cloud VPN to communicate between different VPC networks.
Grant IAM allow policies to specific users to control access to data.
Configure Sensitive Data Protection.
Use Cloud KMS keys to protect sensitive data.
Implement Error Handling Mechanism
Configure applications to generate error messages that provide sufficient information for corrective actions.
| Enforcement mode | Audit |
| Finding category | ERROR_HANDLING_MECHANISM_NOT_IMPLEMENTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider the following:
Build applications to generate appropriate error messages: enough for operators to diagnose and correct the fault, without exposing internal details such as stack traces, file paths, or credentials to callers. Consider Cloud Logging for your log management system.
Use IAM allow policies to control who can see error messages.
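The two steps above amount to one pattern: detail goes to the log, where IAM decides who reads it, and the caller gets a generic message plus a correlation ID. The following is an added example, not code from the Compliance Manager page, showing the leaky handler beside the hardened one; the function names, status mapping, and the constructed failure are illustrative.

```python
"""Added example, not part of the Compliance Manager page: an error-handling
pattern that gives operators enough detail to act on while keeping internal
detail out of what the caller sees. Function and field names are illustrative."""
import json
import logging
import traceback
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

log = logging.getLogger("app.errors")


@dataclass(frozen=True)
class ErrorResponse:
    status: int
    body: Dict         # what the caller receives
    log_record: Dict   # what goes to Cloud Logging, readable only by operators


def leaky_handler(exc: Exception) -> Dict:
    """Weak pattern: the caller receives the exception text and stack trace,
    which can expose file paths, SQL, hostnames or library versions."""
    return {"error": str(exc),
            "trace": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))}


def hardened_handler(exc: Exception, request_id: Optional[str] = None) -> ErrorResponse:
    """Hardened pattern: the caller gets a generic message plus a correlation ID;
    the structured log entry keyed by that ID carries the actionable detail."""
    correlation_id = request_id or str(uuid.uuid4())
    if isinstance(exc, PermissionError):
        status, public = 403, "Not authorized for this operation."
    elif isinstance(exc, (KeyError, ValueError)):
        status, public = 400, "The request could not be processed."
    else:
        status, public = 500, "An internal error occurred."
    record = {
        "severity": "ERROR",
        "correlation_id": correlation_id,
        "exception_type": type(exc).__name__,
        "exception_message": str(exc),
        "stack": traceback.format_exception(type(exc), exc, exc.__traceback__),
    }
    log.error(json.dumps(record))   # structured entry; access governed by IAM on the log bucket
    return ErrorResponse(status, {"error": public, "correlation_id": correlation_id}, record)


def demo() -> Tuple[Dict, ErrorResponse]:
    """Raise a failure whose message carries an internal detail and handle it both ways."""
    try:
        raise KeyError("row 42 in /srv/app/secrets/db.ini")   # constructed failure
    except KeyError as exc:
        return leaky_handler(exc), hardened_handler(exc, request_id="req-0001")


if __name__ == "__main__":
    leaky, safe = demo()
    print("leaky body:", leaky["error"])
    print("hardened body:", safe.body)
```

Emitting the record as a JSON line is what lets Cloud Logging index correlation_id and exception_type as structured fields, so an operator can jump from the ID in a user's report straight to the entry.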
Implement Event Logging for Google Cloud Services
Implement event logging for all Google Cloud services to capture event logs, API calls, and actions that modify the environment.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | EVENT_LOGS_NOT_ENABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Review Admin Activity audit logs.
Enable audit logging.
Configure usage logs for Cloud Storage buckets.
Export logs for analysis to BigQuery.
Export Admin Activity audit logs to Cloud Storage.
Use IAM allow policies to control access to logs and log configurations.
Regularly review logs using your log analysis tool (for example, Cloud Logging or BigQuery).
Implement IAM best practices to secure access to your resources and audit logs.
Review audit logs regularly.
Ensure application logs include timestamps and other information for traceability.
Use logging filters to identify successful and unsuccessful events.
Review logs for failed data access events.
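The Implement Audit Lifecycle Management steps (create metrics, analyze logs for anomalies) and the steps above (filter for unsuccessful events, review failed data access) both come down to rules evaluated over Cloud Audit Logs entries. The following is an added example, not code from the Compliance Manager page, that runs three such rules over constructed LogEntry records: a denied data access, an IAM change that grants roles/owner, and a change to a log sink. The Cloud Logging query strings are the equivalent filters you would attach to a log-based metric or alerting policy; the entries, project, and principals are constructed.

```python
"""Added example, not part of the Compliance Manager page: detection logic run
over Cloud Audit Log entries. The entries below are constructed to look like
exported LogEntry JSON; project, principals and resource names are invented."""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Equivalent Cloud Logging queries (example filters for log-based metrics or alerting).
FAILED_DATA_ACCESS_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Fdata_access" AND protoPayload.status.code!=0'
)
OWNER_GRANT_FILTER = (
    'protoPayload.methodName="SetIamPolicy" AND '
    'protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND '
    'protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"'
)
SINK_CHANGE_FILTER = (
    'protoPayload.methodName=("google.logging.v2.ConfigServiceV2.DeleteSink" OR '
    '"google.logging.v2.ConfigServiceV2.UpdateSink")'
)

SAMPLE_ENTRIES = [  # constructed sample data
    {"logName": "projects/p1/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2024-05-01T10:00:00Z",
     "protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/finance-exports/objects/q1.csv",
                      "authenticationInfo": {"principalEmail": "contractor@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.7"},
                      "status": {"code": 7, "message": "PERMISSION_DENIED"}}},
    {"logName": "projects/p1/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-05-01T10:01:30Z",
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "SetIamPolicy",
                      "resourceName": "projects/p1",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/owner",
                           "member": "user:contractor@example.com"}]}}}},
    {"logName": "projects/p1/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-05-01T10:02:00Z",
     "protoPayload": {"serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
                      "resourceName": "projects/p1/sinks/siem-export",
                      "authenticationInfo": {"principalEmail": "admin@example.com"}}},
    {"logName": "projects/p1/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2024-05-01T10:03:00Z",
     "protoPayload": {"serviceName": "bigquery.googleapis.com",
                      "methodName": "jobservice.jobcompleted",
                      "resourceName": "projects/p1/datasets/analytics",
                      "authenticationInfo": {"principalEmail": "analyst@example.com"}}},
]


def evaluate(entry: Dict) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for one entry. A successful call carries no
    status block (or code 0), so it matches nothing."""
    p = entry.get("protoPayload", {})
    who = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    method = p.get("methodName", "")
    findings: List[Tuple[str, str]] = []
    if entry.get("logName", "").endswith("%2Fdata_access") and p.get("status", {}).get("code", 0) != 0:
        ip = p.get("requestMetadata", {}).get("callerIp", "?")
        findings.append(("failed_data_access", f"{who} denied {method} on {p.get('resourceName')} from {ip}"))
    if method == "SetIamPolicy":
        for d in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
            if d.get("action") == "ADD" and d.get("role") == "roles/owner":
                findings.append(("owner_granted", f"{who} granted roles/owner to {d.get('member')} on {p.get('resourceName')}"))
    if method.endswith(("ConfigServiceV2.DeleteSink", "ConfigServiceV2.UpdateSink")):
        findings.append(("log_sink_changed", f"{who} changed {p.get('resourceName')}"))
    return findings


def scan(entries: Iterable[Dict]) -> Tuple[List[Tuple[str, str]], Counter]:
    """Run every rule over a batch; the per-rule counts are what a log-based
    metric would expose to an alerting policy."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        findings.extend(evaluate(e))
    return findings, Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    found, counts = scan(SAMPLE_ENTRIES)
    for rule, detail in found:
        print(f"{rule}: {detail}")
    print(json.dumps(counts))
```

The sink-deletion rule matters for audit lifecycle management in particular: an attacker who can delete the export sink cuts the SIEM off without touching the logs already stored, so that method name deserves an alert on its own.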
Implement Host-based Intrusion and Detection Systems
Implement Cloud IDS, which detects intrusions by inspecting mirrored VPC network traffic, together with host intrusion prevention and detection systems (HIPS and HIDS) or, minimally, a host-based firewall on defined systems and components.
| Enforcement mode | Audit |
| Finding category | HOST_BASED_INTRUSION_DETECTION_NOT_IMPLEMENTED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Onboard your projects to Cloud IDS to secure your cloud resources. For more information, see Configure Cloud IDS. Optionally, use third-party tools to implement host intrusion prevention systems (HIPS) and host intrusion detection systems (HIDS) on your workloads; Cloud IDS inspects network traffic, so these tools are what provide host-level visibility.
Implement Host-based Monitoring Mechanism
Implement host-based monitoring mechanisms in your environment.
| Enforcement mode | Audit |
| Finding category | HOST_BASED_MONITORING_NOT_IMPLEMENTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Implement host-based monitoring mechanisms:
Use Cloud Monitoring and Cloud Logging to collect, monitor, and analyze host-based data, such as system and application logs, performance metrics, and other relevant information.
Create custom monitoring metrics in Cloud Monitoring to track specific host-based parameters that are critical.
Set up alerting policies in Cloud Monitoring to receive notifications when host-based metrics or logs indicate unusual or unauthorized activities.
Implement On-Demand Audit Log Access
Implement an on-demand audit record review, analysis, and reporting requirement capability.
| Enforcement mode | Audit |
| Finding category | ON_DEMAND_AUDIT_LOG_ACCESS_NOT_IMPLEMENTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Enable audit logging.
Export audit logs to Cloud Storage, BigQuery, or Pub/Sub for further analysis.
Original content integrity is maintained by Cloud Audit Logs.
Use IAM allow policies to control access to logs and log configurations.
Enable Security Command Center.
Implement Remote Access Policy
Establish and document usage restrictions, configuration requirements, and implementation guidance for permitted remote access.
| Enforcement mode | Audit |
| Finding category | REMOTE_ACCESS_POLICY_NOT_IMPLEMENTED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Define and configure usage restrictions, connection requirements, and implementation guidance for each type of remote access allowed. For example, consider VPNs to ensure authorization of remote access to your systems. Remote access methods include, for example, dial-up, broadband, and wireless.
Implement Secure Development Lifecycle
Manage information systems with integrated security processes.
| Enforcement mode | Audit |
| Finding category | THREAT_DEFENSE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Manage the information system using methods such as secure SDLC.
Define and document your information security roles and responsibilities throughout the system development life cycle.
Identify individuals that have information security roles and responsibilities.
Integrate your risk management process into system development life cycle activities.
Implement Secure Domain Name Resolution Service
Use DNS Security Extensions (DNSSEC) to add an extra layer of security to your DNS resolution. Enforce secure connections to prevent DNS-related attacks.
| Enforcement mode | Audit |
| Finding category | WEAK_DOMAIN_NAME_RESOLUTION_SERVICE |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enable DNSSEC.
Use Cloud DNS.
Enforce HTTPS between web browsers and Google Cloud services.
Use SSL certificates from trusted CAs.
Configure web servers to use HTTPS.
Configure web applications to use secure URLs.
Configure end user devices to use trusted DNS servers.
Use the IP addresses for trusted DNS servers in the network settings for each device.
For corporate networks, configure a private DNS resolver.
Implement firewall rules and network security groups.
Consider VPC Service Controls.
Regularly perform audits and vulnerability assessments.
Use Cloud Logging and Cloud Monitoring to detect and respond to incidents.
Use Google's security best practices.
Train personnel on security protocols.
Regularly review your SSL certificates.
Implement fault tolerance by setting up multiple instances of your DNS.
Assign private IP addresses to your instances.
Use IAM allow policies to control access.
Implement Security Alert Advisory Management
Implement procedures for end-to-end management of security alerts, advisories, and directives.
| Enforcement mode | Audit |
| Finding category | SECURITY_ALERT_ADVISORY_MANAGEMENT_NOT_IMPLEMENTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Implement procedures to:
- Receive information system security alerts, advisories, and directives on an ongoing basis.
- Generate internal security alerts, advisories, and directives as deemed necessary.
- Disseminate security alerts, advisories, and directives to include system security personnel and administrators with configuration/patch-management responsibilities.
- Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.
Implement Security Audits and Monitoring
Employ automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes.
| Enforcement mode | Audit |
| Finding category | SECURITY_AUDIT_PROCESSES_NOT_INTEGRATED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enable audit logging including for Cloud Storage.
Export logs to Cloud Storage, BigQuery, or Pub/Sub for further analysis.
Configure alerting policies for exported logs.
Create notification channels to receive alerts.
Consider exporting logs through Pub/Sub for integration with other systems.
Automate log analysis using Cloud Storage, BigQuery, or other analysis tools.
Enable Security Command Center.
Automate incident response using tools like Cloud Functions to trigger automated responses to detected issues. For example, the following command deploys a function that runs whenever a message is published to the audit-alerts Pub/Sub topic:
gcloud functions deploy my-incident-response --runtime=nodejs20 --trigger-topic=audit-alerts
Don't add --allow-unauthenticated here: that flag makes a function publicly invokable and is meant for HTTP-triggered functions, and a response function should not be callable by anyone on the internet.
Regularly review and update alerting policies.
Develop custom scripts for incident investigation and response.
Implement Security Event Correlation
Employ mechanisms to correlate information from monitoring tools deployed throughout your information system.
| Enforcement mode | Audit |
| Finding category | SECURITY_EVENTS_CORRELATION_MISSING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Verify that you can correlate various events across your systems. Consider tools such as Google SecOps or Security Command Center.
Implement Software Development Lifecycle Security Considerations
Develop and manage Software Development Lifecycle (SDLC) that incorporates information security and privacy considerations. Define, document, and assign information security and privacy roles and responsibilities throughout the SDLC and enforce separation of duties through access control mechanisms and identity management activities.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_SDLC_SECURITY |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Build security considerations into the Software Development Lifecycle (SDLC) and align with Cybersecurity and Infrastructure Security Agency's (CISA) Secure By Design principles.
Implement Zero-Trust Principles
Evaluate system architecture to identify the applicable zero-trust principles.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_ZERO_TRUST_PRINCIPLES |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Design and implement a zero-trust architecture for all applications and services that includes enforcing technical checks (robust authentication, granular authorization, certificate validation, and endpoint verification) to establish and maintain context awareness. For more information, see BeyondCorp Enterprise (now Chrome Enterprise Premium), IAM, Cloud KMS, and Certificate Manager.
Import Google Workspace Audit Logs
Google Workspace lets you share its logs with the Google Cloud logging service. Google Workspace collects Login logs, Admin logs, and Group logs.
| Enforcement mode | Audit |
| Finding category | IMPORT_GOOGLE_WORKSPACE_LOGS_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To import Google Workspace audit logs, see Share audit logs with Google Cloud.
Incorporate Integrity Monitoring into Incident Response
Incorporate unauthorized security-relevant changes to your systems into the organizational incident response capability.
| Enforcement mode | Audit |
| Finding category | INCIDENT_RESPONSE_WITHOUT_INTEGRITY_MONITORING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Ensure that you can detect unauthorized security-related changes and respond accordingly:
Create an OS policy and include integrity verification and response actions when unauthorized changes are detected.
Monitor for file integrity and unauthorized changes using various tools.
Regularly review and monitor the results and reports.
Inspect the External Load Balancer and SSL Connections
Ensure communications at the external boundary and at key internal boundaries use managed interfaces and are monitored and controlled.
| Enforcement mode | Audit |
| Finding category | EXTERNAL_LOADBALANCER_SSL_NOT_INSPECTED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Verify the load balancing scheme.
Review firewall rules and allowed and denied ports.
Verify forwarding rules have appropriate targets.
Verify routes for all services.
Verify SSL certificates.
Label Dataset Sensitivity Based on Sensitive Data Protection Findings
Ensure training data has the relevant labels for sensitive data to prevent the use of personally identifiable information (PII) or sensitive data in training.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | LABELS_NOT_ENABLED_FOR_VERTEX_AI_DATASETS |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Use labels to track sensitive Vertex AI datasets. For more information, see Adding labels to resources and Tags and labels.
Limit KMS Crypto Keys Users to Three
Limit the number of principals that can use cryptographic keys to three or fewer.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | TOO_MANY_KMS_USERS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the Security > Key Management page in the Google Cloud console. Next, click the key ring that contains the key, and then click Show Info Panel. Reduce the number of principals that have permissions to encrypt, decrypt, or sign data to three or fewer. To revoke a principal's role, click Delete. The following predefined roles grant permissions to encrypt, decrypt, or sign data using cryptographic keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier. Roles inherited from the project, folder, or organization grant the same permissions, so check the effective policy and not only the bindings on the key. For more information, see Permissions and roles.
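The count this control enforces is of distinct principals across all six roles, not of bindings, so a user bound through two roles counts once and a viewer-only role does not count at all. The following is an added example, not code from the Compliance Manager page, that applies that rule to a key's IAM policy in the JSON layout returned by `gcloud kms keys get-iam-policy KEY --format=json` and prints the gcloud commands that would revoke the excess bindings. The policy, key name, key ring, and location are constructed.

```python
"""Added example, not part of the Compliance Manager page: count the distinct
principals that can use a Cloud KMS key from the key's IAM policy, in the JSON
layout returned by `gcloud kms keys get-iam-policy KEY --format=json`. The policy,
key name, key ring and location below are constructed."""
from typing import Dict, List, Set, Tuple

# The predefined roles the control lists as granting encrypt, decrypt or sign.
KEY_USE_ROLES = {
    "roles/owner",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.signer",
    "roles/cloudkms.signerVerifier",
}
MAX_KEY_USERS = 3

SAMPLE_POLICY = {  # constructed sample data
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["serviceAccount:app@p1.iam.gserviceaccount.com",
                     "user:alice@example.com",
                     "group:data-eng@example.com"]},
        {"role": "roles/cloudkms.signer",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/cloudkms.viewer",                        # metadata only, does not count
         "members": ["user:auditor@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["deleted:user:old@example.com?uid=1234"]},  # no longer resolves
    ],
    "etag": "BwXyz",
}


def key_users(policy: Dict) -> Dict[str, Set[str]]:
    """Map each principal that can use the key to the key-use roles it holds.
    A principal bound through several roles is counted once."""
    users: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in KEY_USE_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                continue
            users.setdefault(member, set()).add(role)
    return users


def check(policy: Dict, key: str = "k1", keyring: str = "kr1",
          location: str = "us") -> Tuple[bool, int, List[str]]:
    """Return (compliant, user_count, remediation_commands). The commands revoke
    every key-use role from principals beyond the limit, keeping the first
    MAX_KEY_USERS in sorted order; in practice decide who stays deliberately."""
    users = key_users(policy)
    compliant = len(users) <= MAX_KEY_USERS
    commands: List[str] = []
    if not compliant:
        for member in sorted(users)[MAX_KEY_USERS:]:
            for role in sorted(users[member]):
                commands.append(
                    f"gcloud kms keys remove-iam-policy-binding {key} "
                    f"--keyring={keyring} --location={location} "
                    f"--member={member} --role={role}")
    return compliant, len(users), commands


if __name__ == "__main__":
    ok, count, cmds = check(SAMPLE_POLICY)
    print(f"compliant={ok} key_users={count}")
    for c in cmds:
        print(c)
```

Two caveats a practitioner should keep in mind: a group counts as one principal here but may contain many people, and this reads only the key-level policy, so roles inherited from the project, folder, or organization (which grant the same permissions) have to be checked against the effective policy before trusting the count.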
Limit Super Admin Accounts
Google recommends limiting the number of super administrators to two or three users and avoiding their use for daily tasks to enhance security. Super administrators have broad permissions, so limiting their number helps reduce the potential attack surface. You can configure alerts in Cloud Logging to track super administrator activity.
| Enforcement mode | Audit |
| Finding category | EXCESSIVE_SUPER_ADMIN_ACCOUNTS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To remediate this finding, reduce the number of super administrators to a minimum. Follow the principle of least privilege and use less permissive roles for daily administrative tasks. For more information, see the best practices for administrator accounts.
Lock Storage Bucket Retention Policies
Use the Bucket Lock feature to permanently lock retention policies on buckets.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | STORAGE_BUCKET_LOCKED_RETENTION_POLICY_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To lock the retention policy on a bucket, see Lock a bucket.
Maintain a Vulnerability Disclosure Program
Define and implement a process for tracking and reporting vulnerability identification and remediation activities. Establish communication channels for receiving reports of vulnerabilities in systems and information resources, including personnel.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_VULNERABILITY_DISCLOSURE_PROGRAM |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create a vulnerability disclosure program that is well-documented, actionable, and integrated with your internal security and development teams.
Maintain Resource Inventory
Keep the resource inventory up-to-date.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | INVENTORY_NOT_MAINTAINED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Maintain an up-to-date inventory of all information resources, including deployed assets, software, and services, or the code that defines them. For more information, see Cloud Asset Inventory overview, Artifact Registry overview, Deployment Manager Fundamentals, and Overview of Terraform on Google Cloud.
Maintain Resource Isolation
Implement resource isolation using a combination of VPC networks, firewall rules, a CI/CD pipeline, Google Kubernetes Engine (GKE), and IAM.
| Enforcement mode | Audit |
| Finding category | RESOURCE_ISOLATION_NOT_MAINTAINED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider the following:
Use VPC networks to logically isolate resources.
Use firewall rules to control network traffic.
Implement a CI/CD pipeline using Cloud Build with version control systems like GitHub.
Use GKE for resource scheduling and management.
Use IAM allow policies to control access.
Isolate containers using Docker and container registries.
Manage Access to Audit Logs
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
| Enforcement mode | Audit |
| Finding category | AUDIT_LOG_ACCESS_NOT_MANAGED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Enable audit logging, including for Cloud Storage.
Use IAM allow policies to control access to logs and log configurations.
Enable uniform bucket-level access on the bucket that stores audit logs.
Implement access controls in your application code to restrict access to audit functionality.
Manage Access to Google Cloud Resources from Mobile Devices
Manage access to Google Cloud resources from mobile devices.
| Enforcement mode | Audit |
| Finding category | ACCESS_FROM_MOBILE_DEVICES_NOT_MANAGED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Create custom roles for mobile device access.
Enable Identity-Aware Proxy (IAP) for mobile device access.
Implement endpoint verification for mobile devices and enforce context awareness. See Chrome Enterprise Premium overview.
Implement a device management solution that enforces security policies on mobile devices.
Create a VPN tunnel for your mobile devices.
Create firewall rules that permit only the mobile traffic you expect. For example, the following rule allows HTTP and HTTPS from the mobile address range; scope it with --target-tags or --target-service-accounts so that it doesn't apply to every instance in the network:
gcloud compute firewall-rules create allow-mobile --allow=tcp:80,tcp:443 --source-ranges=MOBILE_IP_RANGE
Implement OAuth and API access controls.
Enable audit logging.
Manage Configurations Centrally
Implement and centrally manage configurations to align with security objectives for all information resources.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_CENTRAL_CONFIGS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Evaluate your system environments to identify the most effective way to centrally manage the configurations. Implement automated audits. Review and update the baseline configuration of the systems and retain previous configurations. Maintain system documentation. Implement required security alerts, advisories, and directives. Conduct regular inspection of systems or components.
Manage Data Handling and Retention
Manage data handling and data retention for information on Google Cloud as required by your business regulatory requirements.
| Enforcement mode | Audit |
| Finding category | DATA_HANDLING_RETENTION_MECHANISM_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Admin Activity and System Event audit logs are retained for 400 days, and Data Access audit logs are retained for 30 days by default. If you need to keep audit logs longer, extend the retention period of the log bucket or create a log sink that routes audit logs to Cloud Storage, BigQuery, or Pub/Sub; a sink only routes entries that arrive after it is created, so set it up before the logs you need expire. Explore and use any product in Storage and Database that meets your data retention needs.
Manage Malicious Code Protection Mechanisms
Automate patching and updates for code protection. Regularly scan for and quarantine malicious code, and address false positives.
| Enforcement mode | Audit |
| Finding category | INSUFFICIENT_MALICIOUS_CODE_PROTECTION_MECHANISMS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Implement and manage a code protection system. You can use Security Command Center and the Patch feature in VM Manager to implement certain malicious code protection mechanisms.
Manage Publicly Accessible Content
Review and manage the data that's posted on publicly accessible systems that are hosted on Google Cloud.
| Enforcement mode | Audit |
| Finding category | MISSING_STRATEGY_PUBLIC_CONTENT_ACCESS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Designate individuals who are authorized to post information onto a publicly accessible information system.
Train authorized individuals to ensure that publicly accessible information doesn’t contain nonpublic information.
Review the proposed content before posting it to the publicly accessible information system to ensure that nonpublic information is not included.
Regularly review the content on the publicly accessible information system for nonpublic information and remove such information, if discovered.
Manage System Integrity Policies and Procedures
Manage the development, documentation, and dissemination of system and information integrity policies and procedures.
| Enforcement mode | Audit |
| Finding category | IMPROPER_SYSTEM_INTEGRITY_POLICY_MANAGEMENT |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider the following:
Document and maintain relevant security policies for your organization.
Designate an organization-defined official to manage the development, documentation, and dissemination of the system and information integrity policy and procedures.
Monitor the Threat Environment and Review Audit Logs
Security teams must monitor the threat environment and review audit logs for the production environment.
| Enforcement mode | Audit |
| Finding category | REGULAR_THREAT_MONITORING_NOT_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Ensure that your security team reviews and updates audited events annually or whenever there is a change in the threat environment for your system or applications.
Monitor Third-Party Information Resources for Upstream Vulnerabilities
Monitor third-party software components, libraries, or information resources that your services use.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_THIRD_PARTY_MONITORING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Establish a process to continuously monitor third-party software information resources for upstream vulnerabilities. This can include contractual notification requirements or active monitoring services.
Perform Authenticated Vulnerability Scans
Use authenticated vulnerability scans.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_AUTHENTICATED_SCANS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Ensure that authenticated vulnerability scanning is performed on information resources. For more information, see Setting up custom scans using Web Security Scanner.
Perform Integrity Checks Every Month
Perform integrity checks of software, firmware, and information at startup, at specific security-relevant events, and at minimum once a month.
| Enforcement mode | Audit |
| Finding category | IRREGULAR_INTEGRITY_CHECKS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Configure your OS policy to perform integrity verification of your system every month. For more information, see OS policy and OS policy assignment, Create an OS policy assignment, and Manage OS policy assignments.
Perform System Backups
Maintain continuous backup of your systems.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_SYSTEM_BACKUPS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Ensure that the system backups are aligned with recovery objectives and performed at regular intervals. For more information on Google backup services, see Cloud SQL, Spanner, Bigtable, Cloud Storage, Filestore, and BigQuery.
Perform Threat Modeling and Vulnerability Analyses
Perform threat modeling and vulnerability analyses during development and testing phases of a system or its components.
| Enforcement mode | Audit |
| Finding category | THREAT_MODELING_VULNERABILITY_ANALYSIS_NOT_PERFORMED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Create the requirements for threat and vulnerability analysis and testing.
Grant appropriate IAM roles to developers.
Define and communicate your security standards.
Encourage developers to use Google Cloud threat and analysis tools (such as Security Command Center, Google Threat Intelligence, Google SecOps, and Cloud NGFW).
For vulnerability testing, use Web Security Scanner.
For penetration testing, collaborate with qualified testing teams or use third-party tools.
Plan Security Assessments and Remediation
Develop and implement ongoing security and privacy control assessments. Set up a remediation process to resolve any findings.
| Enforcement mode | Audit |
| Finding category | SECURITY_ASSESSMENTS_REMEDIATIONS_MISSING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Create a security assessment plan.
Perform unit, integration, system, and regression testing.
Document the security assessment plan execution and the results of the security testing.
Establish a verifiable flaw remediation process.
Address any security flaws identified during testing or evaluation.
Prevent IP Forwarding on Compute Engine Instances
Don't permit IP forwarding of data packets for your VMs to prevent potential data loss or unauthorized disclosure. Preventing IP forwarding restricts the routing of data packets.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | IP_FORWARDING_ENABLED |
| Revision number | 3 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
You can't turn off IP forwarding for an existing VM instance. Delete the VM and create a new VM with IP forwarding turned off. Go to the Compute Engine > VM instances page in the Google Cloud console. Select the instance and delete it. Create a new instance. To ensure IP forwarding is turned off, go to Management, disks, networking, SSH keys and click Networking. In the Network interfaces section, click Edit and ensure IP forwarding is turned off.
Prevent Nested Virtualization for Compute Engine VMs
Use the "Disable VM nested virtualization" (compute.disableNestedVirtualization) organization policy constraint to turn off hardware-accelerated nested virtualization for all Compute Engine VMs. Turning off nested virtualization can reduce the attack surface and improve the overall security posture of the Google Cloud environment.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | COMPUTE_NESTED_VIRTUALIZATION_CONSTRAINT_ENABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Set the Disable VM nested virtualization (constraints/compute.disableNestedVirtualization) organization policy constraint to true. For more information, see Manage the nested virtualization constraint.
Protect System Memory
Implement appropriate failsafe measures to protect system memory from unauthorized code execution.
| Enforcement mode | Audit |
| Finding category | MISSING_CONTROL_TO_PROTECT_SYSTEM_MEMORY |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
This control does not apply to Google Cloud. Verify that you have appropriate fail-safe procedures to protect memory from unauthorized code execution for your systems.
Provide Dedicated Resources for Security
Determine, document, and allocate the resources required for security and privacy. Resource allocation must include funding for staff, system and services acquisition, sustainment, and supply chain-related risks.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_DEDICATED_SECURITY_RESOURCES |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Maintain a dedicated staff and budget for security, with executive support, that is aligned with the size, complexity, scope, and risk of the service offering.
Remove Inactive Accounts
Verify that all inactive accounts are removed from Google Cloud.
| Enforcement mode | Audit |
| Finding category | INACTIVE_ACCOUNTS_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Find unused service accounts and remove them. See Identify and disable unused service accounts and Find unused service accounts.
Remove Temporary Accounts
Verify that access for any account that's meant to be temporary is removed within 24 hours.
| Enforcement mode | Audit |
| Finding category | TEMPORARY_ACCOUNTS_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Review the service accounts and remove the roles that are meant to be temporary. For instructions, see List and edit service accounts and Revoke a single IAM role. Configure temporary access for your accounts, where possible. Monitor service account usage.
Report Security Incidents to US-CERT
Adhere to the incident reporting guidelines defined by FedRAMP.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_INCIDENT_REPORTS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Report security incident information to CISA when suspected incidents are detected within Google Cloud. Ensure that your contact information in the Google Cloud console is accurate and up-to-date to receive email notifications from Google regarding any customer-impacting data incidents.
Require Additional Logging for Sensitive Buckets
Logging access to a sensitive data bucket provides an audit trail of who accessed the data and when. Because such buckets can generate a high volume of logs, enable this additional logging where the sensitivity of the data warrants it.
| Enforcement mode | Audit |
| Finding category | AUDIT_LOGS_FOR_SENSITIVE_BUCKETS_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enable additional logging around particular storage objects based on their use case. For more information, see Cloud Audit Logs with Cloud Storage.
Require Audit Logging for Privileged Activities
Require audit logs for privileged activities such as data access and IAM conditions.
| Enforcement mode | Audit |
| Finding category | AUDIT_LOGS_FOR_PRIVILEGED_ACTIVITIES_NOT_IMPLEMENTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Enable IAM audit logging for data access and IAM conditions (implemented using policy bindings).
Require Auto Upgrade Schedule Set for Vertex AI Workbench
Use the "Require automatic scheduled upgrades on new Vertex AI Workbench user-managed notebooks and instances" (ainotebooks.requireAutoUpgradeSchedule) organization policy constraint to benefit from framework updates, package updates, and bug fixes.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | ORG_POLICY_AUTO_UPGRADE_SCHEDULE_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set the Require automatic scheduled upgrades on new Vertex AI Workbench user-managed notebooks and instances (ainotebooks.requireAutoUpgradeSchedule) value to true to require automatic scheduled upgrades on new Vertex AI Workbench user-managed notebooks and instances. For more information, see Updating policies with boolean rules.
Require Automated Testing and Validation of Changes
Implement automated testing and validation of changes before deploying applications and services.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_AUTOMATED_TESTING_OF_CHANGES |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Implement an automated testing and validation procedure for application and service changes before deployment. Consider using the following services: Cloud Build, Artifact Registry, Cloud Deploy, and Binary Authorization.
Require Binary Authorization on a Cluster
Binary Authorization helps to enhance supply chain security by ensuring only signed container images are deployed.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | BINARY_AUTHORIZATION_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Enable Binary Authorization on the cluster. Go to the Kubernetes Engine > Clusters page in the Google Cloud console. In the Security section, edit the Binary authorization row and enable it.
Require Cloud Storage Bucket Logging
Enable access logs and storage information for your Cloud Storage buckets to help investigate security issues and monitor storage consumption.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | BUCKET_LOGGING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
For instructions to set up logging for a bucket, see Usage logs & storage logs.
Require CMEK for BigQuery Datasets with Sensitive Data
Use customer-managed encryption keys (CMEKs) for BigQuery datasets that store highly sensitive data. CMEK gives you more control over data access, as the encryption keys are created and managed by you in Cloud KMS.
| Enforcement mode | Detective |
| Severity | CRITICAL |
| Finding category | SENSITIVE_DATA_DATASET_CMEK_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
Remediation steps
Setting a default CMEK key on an existing dataset applies only to tables created after the key is set; tables that already exist keep their current encryption. Go to the BigQuery page in the Google Cloud console and create a dataset. To enable CMEK on the new dataset, set a default CMEK key. Copy the original tables into the new CMEK-enabled dataset, and then delete the original dataset.
Require CMEK for BigQuery Tables with Sensitive Data
Use customer-managed encryption keys (CMEKs) for BigQuery tables that store highly sensitive data. CMEK gives you more control over data access, as the encryption keys are created and managed by you in Cloud KMS.
| Enforcement mode | Detective |
| Severity | CRITICAL |
| Finding category | SENSITIVE_DATA_BIGQUERY_TABLE_CMEK_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
Remediation steps
You can't enable CMEK on a BigQuery table after it's been created. Go to the BigQuery page in the Google Cloud console and create a new table with CMEK enabled. Copy the original table's data into the new CMEK-enabled table, and then delete the original table.
Require CMEK for Cloud SQL Instances with Sensitive Data
Use customer-managed encryption keys (CMEKs) for Cloud SQL instances that store highly sensitive data. CMEK gives you more control over data access, as the encryption keys are created and managed by you in Cloud KMS.
| Enforcement mode | Detective |
| Severity | CRITICAL |
| Finding category | SENSITIVE_DATA_SQL_CMEK_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
Remediation steps
You can't enable CMEK on a Cloud SQL instance after it's been created. Create a new instance with CMEK enabled, migrate the data, and delete the original instance. For more information, see Cloud SQL for MySQL, Cloud SQL for PostgreSQL, and Cloud SQL for SQL Server.
Require CMEK on Dataproc Clusters
A Dataproc cluster with customer-managed encryption keys (CMEK) gives you more control over data encryption and key management.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | DATAPROC_CMEK_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
You can't enable CMEK on a Dataproc cluster after it's been created. Go to the Dataproc > Clusters page in the Google Cloud console and click Create Cluster. In the Manage security section, click Encryption and select Customer-managed key to enable CMEK. After the cluster is created, migrate your workloads from the older cluster to the new cluster, and then delete the older cluster.
Require Container-Optimized OS for a GKE Cluster
Google recommends Container-Optimized OS for containers due to its enhanced security, minimal OS footprint, and automatic updates for quick vulnerability patching.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | COS_NOT_USED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Enable Container-Optimized OS for the cluster. Go to the Kubernetes clusters page in the Google Cloud console. Click the cluster's name. Click the Nodes tab. For each node pool, click the name to open its details page. Click Edit. Under Nodes > Image type, click Change. Select Container-Optimized OS and click Change.
Require Documentation for Models
Document the model and explain it to ensure responsible use and proper governance.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | DOCUMENTATION_FOR_MODELS_NOT_DEFINED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Document the AI model details. Ensure the documentation includes the following: proposed use and organizational value, assumptions, and limitations; data collection methodologies; data provenance; data quality; model architecture (for example, convolutional neural networks or transformers); optimization objectives; training algorithms; reinforcement learning from human feedback (RLHF) approaches; fine-tuning or retrieval-augmented generation approaches; evaluation data; ethical considerations; and legal and regulatory requirements.
Require Documentation for Training Data
Establish and document policies to curate training data and trace the origin and provenance of AI-generated content.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | DOCUMENTATION_FOR_TRAINING_DATA_NOT_DEFINED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Document the training data curation policies, the sources and types of training data and their origins, and any potential biases in the data that are relevant to the AI application. Also document the pre-trained model's content provenance, architecture, and training process, including hyperparameters, training duration, and any fine-tuning that was applied.
Require GKE Sandbox for GKE clusters
Configure GKE Sandbox to help protect the host kernel on your nodes.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | GKE_SANDBOX_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Update your GKE cluster to use GKE Sandbox. For more information, see Enable GKE Sandbox on an existing Standard cluster.
Require Incident Logs
Maintain logs for your incidents.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_INCIDENT_LOGS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Maintain a detailed log of all incidents and regularly review these logs to identify patterns and potential vulnerabilities.
Require Least Privilege
Use Cloud IAM to implement least privilege.
| Enforcement mode | Audit |
| Finding category | LEAST_PRIVILEGE_NOT_IMPLEMENTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
See Cloud IAM to help achieve least privilege. For viewing permissions and predefined roles, see Permissions and Pre-defined roles.
Require Object Versioning for Cloud Storage Buckets
Log buckets that use Object Versioning support retrieval of deleted or overwritten objects, which helps protect data from accidental deletion.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | OBJECT_VERSIONING_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Update the bucket to use Object Versioning. In the Google Cloud console, go to the Buckets page. Select the bucket. In the Protection tab, configure object versioning. See Set Object Versioning on a bucket.
Require OS Login on Compute Engine Instances
OS Login centralizes SSH key management with IAM and disables metadata-based SSH key configuration on all project instances.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | INSTANCE_OS_LOGIN_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Turn on OS Login for the VM instance. Go to the Compute Engine > VM instances page in the Google Cloud console. Click the instance name. On the Instance details page, click Stop. Edit the instance and set enable-oslogin to True in the Custom metadata section. For more information, see Set up OS Login.
Require Private Nodes in GKE Clusters
Ensure that GKE clusters use private nodes to prevent external clients from accessing the nodes.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | GKE_PRIVATE_NODES_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Update your cluster to use private nodes. For more information, see Enable private nodes.
Require Procedures to Handle Training Data
Develop procedures for handling training data to help protect the data from potential risks.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | PROCEDURES_FOR_TRAINING_DATA_NOT_DEFINED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Develop and implement policies for the collection and retention of training data. Maintain a minimum quality of data with privacy and AI-specific risks in mind and conduct appropriate diligence on training data.
Require Rotation of API Key
Rotating API keys at least every 90 days reduces risk from stolen API keys that can be used to access data on a compromised or terminated account.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | API_KEY_NOT_ROTATED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the APIs & Services > Credentials page in the Google Cloud console. Under API Keys, edit each key using the Actions menu. On the Edit API key page, click Rotate key if the creation date is older than 90 days.
Require Security Hardening
Adhere to the security best practices to harden configurations.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_RECOMMENDED_HARDENING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Use the following services to ensure that the cloud information resources are implemented based on the best practices and documented guidance: Security Command Center, CIS Benchmarks, and Cloud Security Best Practices Center.
Require Service Account Key Rotation
Rotate your service account keys every 90 days or less to help protect data if a key gets compromised.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | SERVICE_ACCOUNT_KEY_NOT_ROTATED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Rotate your service account key. For instructions, see Service account key rotation. When possible, avoid using service account keys. For other options, see Choose the right authentication method for your use case.
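The following Python check is an added example, not part of this page or of Compliance Manager. It applies the 90-day rule of this control (the same rule that Require Rotation of API Key above applies to API keys) to service account key metadata. It assumes the record fields that `gcloud iam service-accounts keys list --format=json` returns (`name`, `keyType`, `validAfterTime`); the key records below are constructed sample data with a made-up project and account.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)

# Constructed sample records in the shape returned by
# `gcloud iam service-accounts keys list --iam-account=... --format=json`.
SAMPLE_KEYS = [
    {
        "name": "projects/demo/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/1111",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2024-01-15T10:00:00Z",
    },
    {
        "name": "projects/demo/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/2222",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2024-05-01T08:30:00Z",
    },
    {
        # Google rotates system-managed keys itself; they are not the user's to rotate.
        "name": "projects/demo/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/3333",
        "keyType": "SYSTEM_MANAGED",
        "validAfterTime": "2023-12-01T00:00:00Z",
    },
]


def parse_rfc3339(timestamp: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps gcloud emits as aware UTC datetimes."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_keys(keys, now: datetime, max_age: timedelta = MAX_KEY_AGE):
    """Return (key name, age in days) for user-managed keys older than max_age at `now`.

    SYSTEM_MANAGED keys are skipped: Google rotates them and the user cannot delete
    them, so flagging them would only produce noise in a rotation report.
    """
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > max_age:
            stale.append((key["name"], age.days))
    return stale


if __name__ == "__main__":
    for name, days in stale_keys(SAMPLE_KEYS, datetime.now(timezone.utc)):
        print(f"rotate {name}: {days} days old")
```

Run against the real output of `gcloud iam service-accounts keys list --format=json`, the report lists only the keys you can actually act on; rotating one means creating a replacement key, switching the workload to it, and then deleting the old key, in that order.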
Require Unique Super Admin Account
Use a unique email address for super administrator accounts to manage and track administrator actions.
| Enforcement mode | Audit |
| Finding category | DEDICATED_SUPERADMIN_ACCOUNT_NOT_CONFIGURED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Verify that the super admin accounts use unique email addresses that aren't specific to a user. For more information, see Super administrator account best practices.
Require Workload Identity Federation for GKE and the GKE Metadata Server
Enable Workload Identity Federation for GKE with the GKE metadata server. Workload Identity Federation for GKE uses IAM policies to grant Kubernetes workloads in your GKE cluster access to specific Google Cloud APIs without needing manual configuration or less secure methods.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | GKE_METADATA_SERVER_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Move your applications to use Workload Identity Federation for GKE. For more information, see Migrate existing workloads to Workload Identity Federation for GKE.
Restrict Access Control Points for Authorized and Managed Remote Access
Route remote access through authorized and managed network access control points to help reduce the attack surface for organizations.
| Enforcement mode | Audit |
| Finding category | ACCESS_CONTROL_POINTS_TO_ROUTE_REMOTE_ACCESS_UNRESTRICTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Consider Dedicated Interconnect to isolate your organization's data and traffic from the internet.
Configure Cloud VPN to further protect information in transit.
Implement Cloud Load Balancing for additional encryption protection to applications.
Enable Cloud Identity Aware Proxy to manage and restrict remote access to applications.
Implement endpoint verification for devices that connect to Google Cloud services and enforce context awareness. See Chrome Enterprise Premium overview.
Implement a device management solution that enforces security policies on devices that access Google Cloud resources.
Enforce security keys for user authentication and use hardware security keys (such as Titan Security Keys) for multi-factor authentication.
Restrict Access to Audit Logs
Restrict access to audit management information to privileged users.
| Enforcement mode | Audit |
| Finding category | UNRESTRICTED_ACCESS_TO_AUDIT_LOGS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Use IAM allow policies to control access to logs and log configurations. Grant different users read-only access and admin access to audit logs.
Create custom roles, if required.
Enable uniform bucket-level access on the bucket that stores audit logs.
Implement a request and approval process for accessing audit logs.
Create a machine ACL system group and grant it viewer access to the project where your audit logs are stored.
Configure appropriate access for your auditing tools.
Monitor access to your audit logs.
Implement IAM best practices to secure access to your audit logs.
Restrict Access to Sensitive Data to Permitted Users
Restrict access to sensitive data to specified principal sets. Supported principal types are user accounts or groups. To use this cloud control, you must enable Data Access audit logging for products that support the control.
| Enforcement mode | Detective |
| Severity | HIGH |
| Finding category | DATA_SECURITY_POSTURE_ACCESS_VIOLATION |
| Category name in the API | CC_CATEGORY_DATA_SECURITY |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Parameters
|
Optional. Restrict access to sensitive data to selected users and groups. If empty, all access is flagged as a violation of this control. To add a user or group, prefix their email address with "principal://goog/subject/" for users and "principalSet://goog/group/" for groups. |
Remediation steps
Determine whether the principal should be permitted access and complete one of the following actions:
To help prevent access from these principals in the future, update IAM allow policies or IAM deny policies. See Manage access to projects, folders, and organizations and Deny policies.
To permit access from these principals in the future, update the cloud control parameter to include the principal. See Apply a framework.
For more information about how this control works, see Restrict Access to Sensitive Data to Permitted Users.
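As an added example that is not part of this page or of Compliance Manager, the following Python code shows the evaluation this control describes: the parameter's principal identifiers (the `principal://goog/subject/` and `principalSet://goog/group/` prefixes above) are expanded to a set of permitted users, and Data Access audit log entries whose principal is outside that set are reported. The audit log field names (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.methodName`, `resource.labels.bucket_name`) are those of Cloud Audit Logs; the log entries, the permitted list and the group-membership map are constructed, and the map stands in for the directory lookup that Compliance Manager performs itself.

```python
USER_PREFIX = "principal://goog/subject/"
GROUP_PREFIX = "principalSet://goog/group/"

# Constructed: the control parameter as an operator might set it.
PERMITTED_PRINCIPALS = [
    USER_PREFIX + "alice@example.com",
    GROUP_PREFIX + "data-owners@example.com",
]

# Constructed stand-in for group membership (assumption: the real control resolves
# membership from the directory; this map only makes the example self-contained).
GROUP_MEMBERS = {"data-owners@example.com": {"bob@example.com"}}

# Constructed Data Access audit log entries, reduced to the fields read here.
SAMPLE_LOG_ENTRIES = [
    {"protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                      "methodName": "storage.objects.get"},
     "resource": {"labels": {"bucket_name": "pii-exports"}}},
    {"protoPayload": {"authenticationInfo": {"principalEmail": "Bob@example.com"},
                      "methodName": "storage.objects.list"},
     "resource": {"labels": {"bucket_name": "pii-exports"}}},
    {"protoPayload": {"authenticationInfo": {"principalEmail": "mallory@example.com"},
                      "methodName": "storage.objects.get"},
     "resource": {"labels": {"bucket_name": "pii-exports"}}},
    {"protoPayload": {"authenticationInfo": {"principalEmail": "etl@demo.iam.gserviceaccount.com"},
                      "methodName": "storage.objects.get"},
     "resource": {"labels": {"bucket_name": "pii-exports"}}},
]


def expand_permitted(parameter, group_members) -> set:
    """Turn the parameter's principal identifiers into a set of permitted user emails."""
    allowed = set()
    for entry in parameter:
        if entry.startswith(USER_PREFIX):
            allowed.add(entry[len(USER_PREFIX):].lower())
        elif entry.startswith(GROUP_PREFIX):
            members = group_members.get(entry[len(GROUP_PREFIX):], ())
            allowed |= {m.lower() for m in members}
        else:
            # The control supports only users and groups; anything else is a config error.
            raise ValueError(f"unsupported principal identifier: {entry}")
    return allowed


def access_violations(entries, parameter, group_members):
    """(principal, method, bucket) for each access by a principal outside the parameter.

    An empty parameter permits nobody, so every access is reported, which matches
    the control's documented behaviour for an empty parameter.
    """
    allowed = expand_permitted(parameter, group_members)
    violations = []
    for entry in entries:
        payload = entry["protoPayload"]
        # Emails are compared case-insensitively; the log may not preserve the case used in IAM.
        principal = payload["authenticationInfo"]["principalEmail"].lower()
        if principal not in allowed:
            violations.append((principal, payload["methodName"],
                               entry["resource"]["labels"]["bucket_name"]))
    return violations


if __name__ == "__main__":
    for principal, method, bucket in access_violations(
            SAMPLE_LOG_ENTRIES, PERMITTED_PRINCIPALS, GROUP_MEMBERS):
        print(f"violation: {principal} called {method} on {bucket}")
```

The service account in the last entry is reported because the parameter accepts only users and groups; a workload that legitimately reads the data needs its own entry in the permitted set or a separate control, and a group entry lets membership changes be managed in the directory rather than by editing the framework each time.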
Restrict API Access to Google Cloud APIs for Compute Engine Instances
Compute Engine instances that use the default service account and have full access to all Google Cloud APIs are overly permissive. This control retrieves the scopes field in the serviceAccounts property to check whether a default service account is used and if it is assigned the cloud-platform scope.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | FULL_API_ACCESS |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Reset the access permissions to APIs for the VM instance. Go to the Compute Engine > VM instances page in the Google Cloud console. Click the instance name. Click Edit. Navigate to Security and access > Service accounts, and select Compute Engine default service account. In the Access scopes section, select Set access for each API, and set Cloud Platform to None. Enable the specific APIs that the default VM service account requires access to.
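The following Python function is an added illustration, not code from Compliance Manager, of the check this control describes: it reads each instance's `serviceAccounts[].email` and `serviceAccounts[].scopes` (the field names of the Compute Engine instance resource) and flags instances whose attached default Compute Engine service account carries the `cloud-platform` scope. The instance records are constructed sample data with a made-up project number and names.

```python
import re

# The default Compute Engine service account is always
# PROJECT_NUMBER-compute@developer.gserviceaccount.com.
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample instances, reduced to the fields this check reads
# (the same fields appear in `gcloud compute instances list --format=json`).
SAMPLE_INSTANCES = [
    {   # default SA with the all-APIs scope: this is what the control flags
        "name": "vm-a",
        "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                             "scopes": [CLOUD_PLATFORM_SCOPE]}],
    },
    {   # default SA limited to logging and monitoring scopes: not flagged
        "name": "vm-b",
        "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                             "scopes": ["https://www.googleapis.com/auth/logging.write",
                                        "https://www.googleapis.com/auth/monitoring.write"]}],
    },
    {   # user-managed SA with cloud-platform: outside this control's check
        "name": "vm-c",
        "serviceAccounts": [{"email": "ingest@demo-project.iam.gserviceaccount.com",
                             "scopes": [CLOUD_PLATFORM_SCOPE]}],
    },
    {"name": "vm-d"},  # no service account attached at all
]


def has_full_api_access(instance: dict) -> bool:
    """True when a default Compute Engine SA is attached with the cloud-platform scope."""
    for sa in instance.get("serviceAccounts", []):
        if DEFAULT_COMPUTE_SA.match(sa.get("email", "")) and \
                CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
            return True
    return False


def find_full_api_access(instances) -> list:
    """Names of instances that would produce a FULL_API_ACCESS finding."""
    return [inst["name"] for inst in instances if has_full_api_access(inst)]


if __name__ == "__main__":
    print(find_full_api_access(SAMPLE_INSTANCES))
```

vm-c marks the boundary of the control: a user-managed service account with the cloud-platform scope is not flagged here, because what that account can do is bounded by the IAM roles granted to it rather than by the scope. It still belongs in a least-privilege review under Require Least Privilege.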
Restrict API Keys for Required APIs Only
Restricting API keys limits their access to only the APIs that are required by the application.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | API_KEY_APIS_UNRESTRICTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the APIs & Services > Credentials page in the Google Cloud console. Under API Keys, edit each key using the Actions menu and then restrict the APIs in the API restrictions section.
Restrict Cloud Shell Access Settings
Administrators can use Cloud Shell to access and manage Google Cloud resources, including sensitive data and projects. Disabling Cloud Shell for Cloud Identity managed user accounts helps reduce the potential attack surface for unauthorized access.
| Enforcement mode | Audit |
| Finding category | CLOUDSHELL_MANAGED_USERS_ACCESS_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
In the Google Admin console, navigate to Apps > Additional Google services > Google Cloud Platform > Cloud Shell Settings and disable Cloud Shell Access Settings. To disable Cloud Shell for specific users, use access groups: add those users to a group and turn off the group's Cloud Shell access setting. For more information, see Turn Google Cloud on or off for users.
Restrict CMEK Crypto Key Projects
Use the "Restrict which projects may supply KMS CryptoKeys for CMEK" (gcp.restrictCmekCryptoKeyProjects) organization policy constraint to define which projects can supply Cloud KMS keys for customer-managed encryption keys (CMEKs).
| Enforcement mode | Audit |
| Finding category | ORG_POLICY_CMEK_RESTRICTED_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Define the projects that can supply CMEKs using the Restrict which projects may supply KMS CryptoKeys for CMEK (constraints/gcp.restrictCmekCryptoKeyProjects) constraint. For more information, see Limit the use of Cloud KMS keys for CMEK.
Restrict Default Network Creation for Compute Engine Instances
Use the "Skip default network creation" (compute.skipDefaultNetworkCreation) organization policy constraint to skip the creation of the default network and related resources when creating projects.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | SKIP_DEFAULT_NETWORK_CREATION_ORG_POLICY |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Set the Skip default network creation (constraints/compute.skipDefaultNetworkCreation) constraint to true. For more information, see Organization policy constraints.
Restrict External IP Addresses to Specific VM Instances
Use the "Define allowed external IPs for VM instances" (compute.vmExternalIpAccess) organization policy constraint to block public access to your VMs.
| Enforcement mode | Audit |
| Finding category | ORG_POLICY_EXTERNAL_IP_FOR_VM_INSTANCES_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To block external IP addresses on Compute Engine VM instances, see Restrict external IP addresses to specific instances.
Restrict Flow of Sensitive Data Across Geographic Jurisdictions
Restrict the flow of data across jurisdictional (country) boundaries to the allowed jurisdictions.
| Enforcement mode | Detective |
| Severity | HIGH |
| Finding category | DATA_SECURITY_POSTURE_FLOW_VIOLATION |
| Category name in the API | CC_CATEGORY_DATA_SECURITY |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Parameters
| | Optional. Configure the allowed regions from which clients can access supported data stores. If empty, all access is flagged as a violation of this control. |
Remediation steps
Determine whether the data flow should be permitted. To permit access from these principals in the future, update the cloud control parameter to include the region. See Apply a framework.
For more information about how this control works, see Restrict Flow of Sensitive Data Across Geographic Jurisdictions.
Restrict Insecure SSL Policies for Compute Engine Instances
Avoid weak or insecure SSL policies for Compute Engine instances.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | WEAK_SSL_POLICY |
| Revision number | 1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Configure TLS 1.2 and strong cipher suites on your load balancers. If a weak cipher suite or down-level TLS version is used, edit the SSL policy and change Minimum TLS version to TLS 1.2 and Profile to Modern or Restricted. If a default Google Cloud SSL policy is used, create a new SSL policy and apply it to the appropriate forwarding rules. In both cases, if you want to use a custom profile, ensure that the following cipher suites are disabled: TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, and TLS_RSA_WITH_3DES_EDE_CBC_SHA. For more information, see Use SSL policies for SSL and TLS protocols.
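A check that applies the remediation above to an SSL policy description, written as an added example (not Google's own tooling). It assumes the input is the JSON that `gcloud compute ssl-policies describe POLICY_NAME --format=json` prints, whose fields minTlsVersion, profile, customFeatures and enabledFeatures belong to the Compute API SslPolicy resource; the sample policies are constructed.

```python
"""Evaluate a Compute Engine SSL policy against the weak settings this control flags.

Added example, not Google's own tooling. The input is assumed to be the JSON that
`gcloud compute ssl-policies describe POLICY_NAME --format=json` prints; the field
names minTlsVersion, profile, customFeatures and enabledFeatures are those of the
Compute API SslPolicy resource.
"""
import json
import sys

# Cipher suites the remediation says to disable when a custom profile is used.
WEAK_CIPHER_SUITES = frozenset({
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
})

# Profiles the remediation accepts as-is.
ACCEPTED_PROFILES = frozenset({"MODERN", "RESTRICTED"})


def tls_version_ok(min_tls_version: str) -> bool:
    """True when the policy refuses TLS 1.0 and 1.1 (the API encodes versions as TLS_1_2)."""
    version = min_tls_version[len("TLS_"):] if min_tls_version.startswith("TLS_") else min_tls_version
    major, minor = version.split("_")
    return (int(major), int(minor)) >= (1, 2)


def evaluate_ssl_policy(policy) -> list:
    """Return findings for one policy; an empty list means the policy passes the control.

    Pass None for a target proxy that has no SSL policy attached: it then uses the
    default Google Cloud policy, which the remediation says to replace.
    """
    if policy is None:
        return ["no SSL policy attached; the default Google Cloud policy is in use"]
    findings = []
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if not tls_version_ok(min_tls):
        findings.append(f"minTlsVersion is {min_tls}; set it to TLS_1_2")
    profile = policy.get("profile", "COMPATIBLE")
    if profile in ACCEPTED_PROFILES:
        return findings
    if profile == "CUSTOM":
        # customFeatures is what the operator configured; enabledFeatures is the
        # server-computed effective list. Check both so nothing slips through.
        offered = set(policy.get("customFeatures", [])) | set(policy.get("enabledFeatures", []))
        for suite in sorted(offered & WEAK_CIPHER_SUITES):
            findings.append(f"custom profile enables weak cipher suite {suite}")
    else:
        findings.append(f"profile is {profile}; use MODERN or RESTRICTED")
    return findings


# Constructed sample policies (not taken from a real project).
WEAK_CUSTOM_POLICY = {
    "name": "legacy-policy",
    "minTlsVersion": "TLS_1_0",
    "profile": "CUSTOM",
    "customFeatures": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
}
HARDENED_POLICY = {"name": "modern-policy", "minTlsVersion": "TLS_1_2", "profile": "MODERN"}


if __name__ == "__main__":
    # With a file argument, evaluate a `describe --format=json` dump; otherwise run the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policies = [json.load(fh)]
    else:
        policies = [WEAK_CUSTOM_POLICY, HARDENED_POLICY]
    for pol in policies:
        print(pol["name"], evaluate_ssl_policy(pol) or "OK")
```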
Restrict Legacy IAM Roles
To implement the principle of least privilege, avoid overly permissive legacy roles such as Owner, Editor, and Viewer.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | PRIMITIVE_ROLES_USED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the IAM page in the Google Cloud console and replace primitive roles with more granular roles.
Restrict Legacy TLS Versions
Use the "Restrict TLS Versions" (gcp.restrictTLSVersion) organization policy constraint to deny access from older TLS versions such as TLS 1.0 or TLS 1.1.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ORG_POLICY_RESTRICT_TLS_VERSION_NOT_SET |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Update the organization policy to restrict TLS versions for resources within the folder or project. For instructions, see Restrict a TLS version.
Restrict Non CMEK Services
Use the "Restrict which services may create resources without CMEK" (gcp.restrictNonCmekServices) organization policy constraint to block services that don't use CMEK encryption.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ORG_POLICY_NON_CMEK_SERVICES_ALLOWED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Configure the Restrict which services may create resources without CMEK (constraints/gcp.restrictNonCmekServices) constraint. For instructions, see Require CMEK protection.
Restrict Non-Privileged Users from Executing Privileged Functions
Enable audit logs for the IAM API, Security Token Service API, and Service Account Credentials API. Include the ADMIN_READ, DATA_READ, and DATA_WRITE types.
| Enforcement mode | Audit |
| Finding category | IAM_AUDIT_LOGS_NOT_IMPLEMENTED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable DATA_READ, DATA_WRITE, and ADMIN_READ for the following APIs: iam.googleapis.com, iamcredentials.googleapis.com, and sts.googleapis.com. For more information, see the following:
Service Account Credentials audit logging
Security Token Service audit logging
Identity and Access Management audit logging
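A check for the audit configuration this control requires, written as an added example (not Google's own tooling). It assumes the input is the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, in which each auditConfigs entry has a service and a list of auditLogConfigs with a logType and optional exemptedMembers; the sample policy and its etag are constructed.

```python
"""Check a project IAM policy for the audit log types this control requires.

Added example, not Google's own tooling. The input is assumed to be the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints, where each
auditConfigs entry looks like {"service": "...", "auditLogConfigs": [{"logType": "..."}]}.
"""
import json

REQUIRED_SERVICES = (
    "iam.googleapis.com",
    "iamcredentials.googleapis.com",
    "sts.googleapis.com",
)
REQUIRED_LOG_TYPES = frozenset({"ADMIN_READ", "DATA_READ", "DATA_WRITE"})


def enabled_log_types(policy: dict, service: str) -> set:
    """Log types enabled for `service`, including those an allServices entry grants to every API."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in ("allServices", service):
            enabled.update(e["logType"] for e in cfg.get("auditLogConfigs", []))
    return enabled


def missing_audit_log_types(policy: dict) -> dict:
    """Map each required service to the required log types it lacks; passes when empty."""
    missing = {}
    for service in REQUIRED_SERVICES:
        gap = REQUIRED_LOG_TYPES - enabled_log_types(policy, service)
        if gap:
            missing[service] = gap
    return missing


def exempted_members(policy: dict) -> list:
    """(service, logType, member) for principals exempted from a required log type.

    An exemption keeps the log type enabled while silently dropping that principal's
    records, so these deserve review even when missing_audit_log_types() is empty.
    """
    exempt = []
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices",) + REQUIRED_SERVICES:
            continue
        for entry in cfg.get("auditLogConfigs", []):
            if entry["logType"] in REQUIRED_LOG_TYPES:
                for member in entry.get("exemptedMembers", []):
                    exempt.append((cfg["service"], entry["logType"], member))
    return exempt


def patched_policy(policy: dict) -> dict:
    """Copy of `policy` with the gaps closed, ready for `gcloud projects set-iam-policy`.

    Existing entries (with their exemptions) and the etag are left untouched, so the
    write is a minimal change and the etag still guards against concurrent edits.
    """
    patched = json.loads(json.dumps(policy))  # deep copy
    configs = patched.setdefault("auditConfigs", [])
    for service, gap in missing_audit_log_types(policy).items():
        entry = next((c for c in configs if c.get("service") == service), None)
        if entry is None:
            entry = {"service": service, "auditLogConfigs": []}
            configs.append(entry)
        entry.setdefault("auditLogConfigs", [])
        for log_type in sorted(gap):
            entry["auditLogConfigs"].append({"logType": log_type})
    return patched


# Constructed sample policy (not taken from a real project): admin reads are logged
# for all services, IAM additionally logs data reads but exempts one service account.
SAMPLE_POLICY = {
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
        {"service": "iam.googleapis.com", "auditLogConfigs": [
            {"logType": "DATA_READ",
             "exemptedMembers": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        ]},
    ],
    "bindings": [],
    "etag": "BwXexampleEtag=",  # constructed placeholder
    "version": 1,
}

if __name__ == "__main__":
    print("missing:", missing_audit_log_types(SAMPLE_POLICY))
    print("exempted:", exempted_members(SAMPLE_POLICY))
    print(json.dumps(patched_policy(SAMPLE_POLICY)["auditConfigs"], indent=2))
```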
Restrict Public Access to BigQuery Datasets
Restrict public access to BigQuery datasets to avoid data exposure risk.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | PUBLIC_DATASET |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Remove the principals allUsers and allAuthenticatedUsers from the dataset permissions. For more information, see Revoke access to a dataset.
Restrict Public Access to Cloud SQL Database Instances
Restrict public access to Cloud SQL database instances. If a Cloud SQL instance has '0.0.0.0/0' as an allowed network, any IPv4 client can attempt a login. This control doesn't apply to on-premises database instances.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | PUBLIC_SQL_INSTANCE |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the Cloud SQL Instances page in the Google Cloud console. Click the instance name. Select Connections. Under Authorized networks, delete 0.0.0.0/0. Add the specific IP addresses or IP ranges that you want to let connect to your instance.
For more information, see Authorize with authorized networks.
Restrict Public Access to Cloud Storage Buckets
Restrict public access to Cloud Storage buckets to avoid data exposure risk.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | PUBLIC_BUCKET_ACL |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Restrict anonymous public access to objects in Cloud Storage buckets. For more information, see Remove public access for all objects within a bucket.
Restrict Public IP Addresses on Vertex AI Workbench Notebooks and Instances
Use the "Restrict public IP access on new Vertex AI Workbench notebooks and instances" (ainotebooks.restrictPublicIp) organization policy constraint to restrict public IP access to newly created Vertex AI Workbench notebooks and instances.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | ORG_POLICY_PUBLIC_IP_ACCESS_ALLOWED_ON_VERTEXAI_WORKBENCH |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the Restrict public IP access on new Vertex AI Workbench notebooks and instances (ainotebooks.restrictPublicIp) constraint to true to restrict public IP access on new Vertex AI Workbench notebooks and instances. For more information, see Updating policies with boolean rules.
Restrict Public IP Addresses to Compute Engine Instances
Don't assign public IP addresses to Compute Engine instances. A Compute Engine instance with a public IP address increases the attack surface. This control checks network interfaces to determine whether they define external IP addresses. This control doesn't check GKE or Dataflow instances.
| Enforcement mode | |
| Severity | HIGH |
| Finding category | PUBLIC_IP_ADDRESS |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Go to the VM instances page in the Google Cloud console. Find the instances with a public IP address. For each interface under Network interfaces, set External IP to None. To block public IP addresses across Compute Engine, use the Define allowed external IPs for VM instances (constraints/compute.vmExternalIpAccess) organization policy. Configure an empty allowlist of external IP addresses that the VM can use and deny all others.
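The network-interface check this control describes, written as an added example (not Google's own tooling). It assumes the input is the JSON that `gcloud compute instances list --format=json` prints, where each networkInterfaces entry may carry accessConfigs (external IPv4, natIP) and ipv6AccessConfigs (externalIpv6); skipping GKE and Dataflow workers by the labels goog-gke-node and goog-dataflow-job-id is this example's own assumption, and the sample inventory is constructed.

```python
"""Flag Compute Engine instances whose network interfaces define external IP addresses.

Added example, not Google's own tooling. The input is assumed to be the JSON that
`gcloud compute instances list --format=json` prints: every instance has a
networkInterfaces list whose entries may carry accessConfigs (external IPv4,
natIP) and ipv6AccessConfigs (externalIpv6). Skipping GKE and Dataflow workers by
the labels goog-gke-node and goog-dataflow-job-id is this example's own assumption.
"""
import json
import sys

MANAGED_WORKLOAD_LABELS = ("goog-gke-node", "goog-dataflow-job-id")


def external_addresses(instance: dict) -> list:
    """(interface name, external address) for every NIC that defines an external IP.

    A TERMINATED instance keeps its accessConfig but loses the ephemeral natIP, so an
    entry without natIP still counts: the VM gets a public address again on start.
    """
    found = []
    for nic in instance.get("networkInterfaces", []):
        name = nic.get("name", "nic0")
        for cfg in nic.get("accessConfigs", []):
            found.append((name, cfg.get("natIP", "<ephemeral on start>")))
        for cfg in nic.get("ipv6AccessConfigs", []):
            found.append((name, cfg.get("externalIpv6", "<ephemeral on start>")))
    return found


def is_managed_workload(instance: dict) -> bool:
    """True for nodes the control does not check (GKE, Dataflow), identified by label."""
    labels = instance.get("labels", {})
    return any(label in labels for label in MANAGED_WORKLOAD_LABELS)


def public_ip_findings(instances: list) -> list:
    """One finding per exposed instance, in input order; managed workloads are skipped."""
    findings = []
    for inst in instances:
        if is_managed_workload(inst):
            continue
        exposed = external_addresses(inst)
        if exposed:
            findings.append({
                "instance": inst["name"],
                "zone": inst.get("zone", "").rsplit("/", 1)[-1],  # gcloud prints the zone as a URL
                "status": inst.get("status", "UNKNOWN"),
                "addresses": exposed,
            })
    return findings


# Constructed sample inventory using documentation address ranges (not real hosts).
SAMPLE_INSTANCES = [
    {"name": "web-1", "status": "RUNNING",
     "zone": "https://www.googleapis.com/compute/v1/projects/example/zones/us-central1-a",
     "networkInterfaces": [{"name": "nic0", "networkIP": "10.0.0.2",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT",
                                               "natIP": "203.0.113.10"}]}]},
    {"name": "internal-1", "status": "RUNNING",
     "zone": "https://www.googleapis.com/compute/v1/projects/example/zones/us-central1-a",
     "networkInterfaces": [{"name": "nic0", "networkIP": "10.0.0.3"}]},
    {"name": "gke-pool-abc", "status": "RUNNING", "labels": {"goog-gke-node": ""},
     "zone": "https://www.googleapis.com/compute/v1/projects/example/zones/us-central1-b",
     "networkInterfaces": [{"name": "nic0",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.11"}]}]},
    {"name": "batch-stopped", "status": "TERMINATED",
     "zone": "https://www.googleapis.com/compute/v1/projects/example/zones/europe-west1-b",
     "networkInterfaces": [{"name": "nic0",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT"}]},
                           {"name": "nic1",
                            "ipv6AccessConfigs": [{"type": "DIRECT_IPV6", "externalIpv6": "2001:db8::1"}]}]},
]

if __name__ == "__main__":
    # With a file argument, scan a `gcloud compute instances list --format=json` dump.
    inventory = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INSTANCES
    for f in public_ip_findings(inventory):
        print(f"{f['instance']} ({f['zone']}, {f['status']}): {f['addresses']}")
```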
Restrict Resource Service Usage
Use the "Restrict Resource Service Usage" (gcp.restrictServiceUsage) organization policy constraint to define which Google Cloud services can be used within an organization, folder, or project.
| Enforcement mode | Audit |
| Finding category | ORG_POLICY_RESOURCE_SERVICE_USAGE_NOT_ALLOWED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Configure the Restrict Resource Service Usage (gcp.restrictServiceUsage) constraint. For instructions, see Setting the organization policy.
Restrict Service Usage
Use the "Restrict Resource Service Usage" (constraints/gcp.restrictServiceUsage) organization policy constraint to define which Google Cloud services can be used within an organization, folder, or project.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ORG_POLICY_RESTRICT_SERVICE_USAGE_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Configure the Restrict Resource Service Usage (constraints/gcp.restrictServiceUsage) organization policy. For instructions, see Setting the organization policy.
Restrict Usage of Shared and Group Accounts
Restrict the use of shared or group accounts to help maintain a secure environment.
| Enforcement mode | Audit |
| Finding category | SECURE_MANAGEMENT_OF_SHARED_AND_GROUP_ACCOUNTS_POLICY_NEEDS_REVIEW |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Define policies for the use of shared or group accounts.
Use role-based access control (RBAC) and IAM roles. Assign roles based on responsibilities.
Use individual accounts whenever possible.
Regularly audit and review activities associated with shared or group accounts.
Use strong authentication practices such as 2-step verification for shared or group accounts.
Review access regularly to ensure that shared accounts are still required.
Document and communicate your policies regarding shared or group accounts.
Train users on these policies.
Use automation, such as Deployment Manager or Terraform, to enforce your policies and configuration. For more best practices, see Best practices for using Google groups.
Restrict Use of Default Service Account for Vertex AI Workbench Instances
Restrict the use of the highly permissive default service account for Workbench instances to reduce the risk of unauthorized access to Google Cloud services.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | VERTEX_AI_DEFAULT_SERVICE_ACCOUNT_IN_USE |
| Category name in the API | CC_CATEGORY_ARTIFICIAL_INTELLIGENCE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Change the service account associated with the Workbench instance:
If required, create a service account with appropriate privileges. For instructions, see Manage access to an instance.
In the Google Cloud console, go to the Instances page.
Click the instance that you want to configure.
Stop the instance.
In the Systems section, click VM details.
Edit the Compute Engine instance and select a service account that has appropriate privileges.
Restart the instance.
Restrict User Managed Service Account Keys
Avoid having user-managed keys for user-managed service accounts.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | USER_MANAGED_SERVICE_ACCOUNT_KEY |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Determine a secure alternative and delete the user-managed service account keys. For information about alternatives, see Choose the right authentication method for your use case. To delete the user-managed service account keys, go to the Service Accounts page in the Google Cloud console. Select and delete the user-managed service account keys. For more information on service account key management, see Best practices for managing service account keys.
Restrict VM IP Forwarding for Compute Engine Instances
Use the "Restrict VM IP Forwarding" (compute.vmCanIpForward) organization policy constraint to define the set of VM instances that can enable IP forwarding.
| Enforcement mode | Audit |
| Finding category | ORG_POLICY_COMPUTE_IPFORWARD_LIST_VIOLATED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Specify the VM instances that can enable IP forwarding in the Restrict VM IP Forwarding (compute.vmCanIpForward) constraint. Use one of the following forms:
under:organizations/ORGANIZATION_ID
under:folders/FOLDER_ID
under:projects/PROJECT_ID
projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME
For more information, see Enable IP forwarding for instances.
Restrict VPC Networks on Vertex AI
Use the "Restrict VPC networks on new Vertex AI Workbench instances" (ainotebooks.restrictVpcNetworks) organization policy constraint to define the VPC networks that a user can select when creating new Vertex AI Workbench instances.
| Enforcement mode | Audit |
| Finding category | ORG_POLICY_VERTEXAI_VPC_NETWORK_POLICY_NOT_SET |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the Restrict VPC networks on new Vertex AI Workbench instances (ainotebooks.restrictVpcNetworks) constraint to the allowed or denied list of networks. Use one of the following formats: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.
Retain Audit Records
Retain audit records for 90 days or more to support after-the-fact investigations of incidents.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | AUDIT_RECORDS_NOT_RETAINED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Enable audit logging.
Export audit logs to Cloud Storage, BigQuery, or Pub/Sub for retention for at least 90 days.
Create a process to archive logs to a cost-effective, offline storage system.
Configure the lifecycle for your Cloud Storage bucket.
Regularly review and monitor your log exports.
Regularly test your backup and restore procedures.
Retrieve Cloud NAT Configurations
Retrieve NAT configurations to review whether outbound traffic is routed and managed.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_CLOUD_NAT_CONFIGURATIONS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Evaluate the Cloud NAT gateway configuration to ensure that outbound traffic is correctly routed and managed. For more information, see View a Public NAT configuration.
Review Authentication, Authorization, User Account Management
Manage and review user authentication, authorization, and account management practices.
| Enforcement mode | Audit |
| Finding category | IAM_USERACCOUNT_MANAGEMENT_UNAUTHORIZED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Enable SSO.
Synchronize user accounts using Google Cloud Directory Sync.
Configure Google Sign-In authentication for anyone with the legacy basic Owners role.
Grant the legacy basic Owners role to your account managers. Maintain assignments as required.
Define and maintain group and role membership conditions in your user directories.
Grant appropriate roles to users and groups in your organization.
Implement an approval process in your user directories for account creation.
Manage service accounts according to your organization's processes.
Enable audit logging and review logs for account usage.
Notify account managers about account deactivations and transfers. Consider exporting audit logs to BigQuery.
Ensure that all Google Cloud access uses valid accounts and serves its intended purpose.
Review IAM roles and account configuration for compliance with your internal and external policies.
Revoke and reissue shared credentials when a user is removed from a group.
Review Log and Alert Configuration
Review alerting policies, log filters, and metrics.
| Enforcement mode | Audit |
| Finding category | MISSING_AUDIT_PROCESSING_FAILURES_ALERTS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Verify that alerting policies are set up by checking if they have associated notification channels.
Create metrics to capture relevant events.
Review Organization Administrator Assignments
Review the users in your organization who have the roles/resourcemanager.organizationAdmin role. Ensure at least one user has this role.
| Enforcement mode | Audit |
| Finding category | ORGANIZATION_ADMIN_ROLE_NOT_ASSIGNED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Verify the Organization Administrator (roles/resourcemanager.organizationAdmin) role assignments and grant the role to additional users as required. For more information, see Viewing existing access for an organization resource and Grant an IAM role by using the Google Cloud console.
Separate User and Administrator Roles
Define separate user and admin roles.
| Enforcement mode | Audit |
| Finding category | USER_ADMIN_ROLES_NOT_SEPARATED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Define different roles and accounts for users and administrators.
Enable two-factor or multi-factor authentication for users, especially administrators, to enhance account security.
Set Application Restriction on API Keys
Unrestricted API keys pose a security risk as any untrusted application can use them. Implement restrictions on API keys to specific hosts, HTTP referrers, and applications to help enhance security.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | API_KEY_APPS_UNRESTRICTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the APIs & Services > Credentials page in the Google Cloud console. Under API Keys, edit each key using the Actions menu, and then restrict applications under the Application restrictions section.
Set Ingress and Egress Controls for Compute
Limit the number of external network connections to your system.
| Enforcement mode | Audit |
| Finding category | INGRESS_EGRESS_CONTROLS_NOT_SET |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Create firewall rules to limit incoming external connections and outgoing external connections.
Create a rule that denies all traffic that you haven't explicitly allowed.
Set Log Bucket Flag for Bucket Logging
The log-bucket flag enables usage logs and storage logging for Cloud Storage buckets.
| Enforcement mode | Audit |
| Finding category | LOGBUCKET_SET_INCORRECTLY |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the correct log bucket for Cloud Storage buckets. See Set up log delivery.
Set Log Error Verbosity Flag for AlloyDB Instances
The log_error_verbosity flag for AlloyDB for PostgreSQL helps to control details in logged messages when set to default or verbose.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ALLOYDB_LOG_ERROR_VERBOSITY |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the log_error_verbosity flag to default or verbose.
Go to the AlloyDB for PostgreSQL clusters page in the Google Cloud console.
Click a cluster in the Resource Name column.
Under the Instances in your cluster section, click Edit for the instance.
Click Advanced Configuration Options.
Under the Flags section, set the log_error_verbosity flag to default or verbose.
Set Log Min Error Statement Flag for AlloyDB Instances
The log_min_error_statement flag for AlloyDB for PostgreSQL instance helps to identify the SQL statements that cause an error condition to be recorded in the server log. At a minimum, set the value to error.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | ALLOYDB_LOG_MIN_ERROR_STATEMENT_SEVERITY |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the log_min_error_statement flag to error.
1. Go to the AlloyDB for PostgreSQL clusters page in the Google Cloud console.
2. Click the cluster in the Resource Name column.
3. Under the Instance in your cluster section, click Edit for the instance.
4. Click Advanced Configuration Options, and set the log_min_error_statement flag under the Flags section to a recommended value such as error.
Set Log Min Messages Flag for AlloyDB Instances
The log_min_messages flag for AlloyDB for PostgreSQL instance helps to control message levels recorded in server logs. At a minimum, set the value to warning.
| Enforcement mode | |
| Severity | LOW |
| Finding category | ALLOYDB_LOG_MIN_MESSAGES |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Set the log_min_messages flag to warning.
Go to the AlloyDB for PostgreSQL clusters page in the Google Cloud console.
Click the cluster in the Resource Name column.
Under the Instance in your cluster section, click Edit.
Click Advanced Configuration Options.
Set the log_min_messages flag under the Flags section to one of Notice, Info, Debug1, Debug2, Debug3, Debug4, or Debug5.
Set Uniform Bucket Level Access for Cloud Storage Buckets
Enable fine-grained access control for Cloud Storage buckets by using the "Enforce uniform bucket-level access" (storage.uniformBucketLevelAccess) organization policy constraint or setting the access controls for a bucket to Uniform.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | UNIFORM_BUCKET_LEVEL_ACCESS_ORG_POLICY |
| Revision number | 3 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources | |
Remediation steps
Complete one or both of the following:
Set the access control for a bucket to Uniform. For more information, see Set uniform bucket-level access.
Set the Enforce uniform bucket-level access (storage.uniformBucketLevelAccess) organization policy constraint to true. For more information, see Require uniform bucket-level access.
Set Up Job Scheduling and Configurations
Set up proper job scheduling and configurations to manage security tasks.
| Enforcement mode | Audit |
| Finding category | MISSING SCHEDULING AND CONFIGURATIONS_SECURITY_TASKS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Configure job scheduling and configurations to manage tasks. Consider using Cloud Scheduler.
Grant appropriate IAM roles to different groups.
Enable multi-factor authentication (MFA) or two-factor authentication (2FA) for production access.
Create separate projects to segregate resources.
Store Audit Logs in a Separate Repository
Back up audit logs in a separate physical repository and configure a retention schedule, integrity checks, monitoring, and access controls.
| Enforcement mode | Audit |
| Finding category | IMPROPER_STORAGE_AUDIT_LOGS |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Enable audit logging.
Export logs to your backup. You can use a Cloud Storage bucket or export to an external storage system.
Configure retention periods.
Review and monitor exported logs.
Use checksums to verify integrity.
Use Cloud Monitoring and Pub/Sub to set up custom monitoring and alerting policies for exported logs.
Test your backup and restore procedures.
If storing logs outside of Google Cloud, configure security settings for your backup system.
Follow Google Cloud best practices for audit logging, export, and backup configurations.
Configure access controls for the backup destination.
Subscribe a GKE Cluster to a Release Channel
Subscribe to a release channel to automate Google Kubernetes Engine (GKE) cluster version upgrades.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | RELEASE_CHANNEL_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Subscribe the GKE cluster to a release channel. For more information, see Enroll a new cluster in a release channel and Enroll an existing cluster.
Synchronize System Clocks
Ensure that all clocks use the same timezone (for example, UTC) so that you can correlate audit logs.
| Enforcement mode | Audit |
| Finding category | SYSTEM_CLOCKS_NOT_SYNCHRONIZED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Complete the following:
Set all system clocks to UTC.
For applications that generate custom logs, generate the timestamp in UTC.
Use Google Cloud logging libraries, which automatically generate timestamps in the system's timezone.
Verify that the timestamp for audit logs is in UTC.
Verify the timestamp in logs.
Consider manually synchronizing with Google's time servers.
Synchronize system clocks with Google's NTP servers. For example:
sudo chronyc makestep
Terminate Network Connections
Terminate the network connection associated with a communications session at the end of the session or after 600 seconds (10 minutes) of inactivity.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | NETWORK_CONNECTION_TERMINATION_PROCEDURE_MISSING |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Verify the HTTP keepalive timeout for your clients. For instructions, see Update client HTTP keepalive timeout.
Test Incident Response Capabilities
Test your capability to recover from incidents and contingencies.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | MISSING_INCIDENT_RESPONSE_TESTING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Test the contingency plan for your system, review the contingency plan test results, and initiate corrective actions, if needed. Conduct regular system backups and test the reliability and integrity of the backups. Test the effectiveness of the incident response capability for your systems.
Track and Report Model Card Features
Configure Security Command Center to track and report on model card features to help maintain information integrity.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | TRACKING_OF_MODEL_CARD_FEATURES_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Ensure that you can ingest and use information in model cards or model card equivalents when evaluating your security posture in Security Command Center and Compliance Manager. For more information, see Model Armor overview and Create and manage Model Armor templates.
Track TEVV Provenance and Quality
Configure data management to help track the provenance and quality of test, evaluation, validation, and verification (TEVV) protocols.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | PROVENANCE_TRACKING_DISABLED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Include options to track training processes for all data types to help ensure comprehensive provenance and training history that include records of origin, date of acquisition or collection, and a complete chain of custody for all data types.
Triage and Remediate System Flaws
Identify, report, and correct system flaws. Incorporate flaw remediation into the organizational configuration management process.
| Enforcement mode | Audit |
| Finding category | WEAK_TRIAGING_REMEDIATION_MECHANISM_SYSTEM_FLAWS |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Consider the following:
Verify the images that you use for VMs and containers.
Triage and correct information system flaws. Use Security Command Center and the Patch feature in VM Manager.
Test software and firmware updates before installation.
Install security software and firmware updates within 30 days of release.
Include flaw remediation into your configuration management processes.
Turn Off Contained Database Authentication Flag for SQL Server
Turn off the contained database authentication flag for SQL Server instances.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_CONTAINED_DATABASE_AUTHENTICATION |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the contained database authentication database flag to Off for the instance.
Turn Off Cross Database Ownership Chaining Flag for SQL Server
Turn off the cross db ownership chaining flag for SQL Server.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_CROSS_DB_OWNERSHIP_CHAINING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Turn the cross db ownership chaining flag off. Go to the SQL > Instances page in the Google Cloud console and set the cross db ownership chaining database flag to Off for the instance. For cross-database access, use the Microsoft Tutorial: Signing Stored Procedures with a Certificate instead.
Turn Off External Scripts Flag for SQL Server
Turn off the external scripts enabled flag for SQL Server.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_EXTERNAL_SCRIPTS_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Turn the external scripts enabled flag off. Go to the SQL > Instances page in the Google Cloud console and set the external scripts enabled database flag to Off for the instance.
Turn Off Local Infile Flag for MySQL
Turn off the local_infile flag for the MySQL instance.
| Enforcement mode | |
| Severity | MEDIUM |
| Finding category | SQL_LOCAL_INFILE |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources | |
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the local_infile database flag to Off for the instance.
Turn Off Log Executor Stats Flag for PostgreSQL
Turn off the log_executor_stats flag for PostgreSQL instances to reduce performance overhead.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | SQL_LOG_EXECUTOR_STATS_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_executor_stats database flag to Off for the Cloud SQL instance.
Turn Off Log Hostname Flag for PostgreSQL
Turn off the log_hostname flag for PostgreSQL instances to reduce performance overhead.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | SQL_LOG_HOSTNAME_ENABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_hostname database flag to Off for the Cloud SQL instance.
Turn Off Log Min Duration Statement Flag for PostgreSQL
Turn off the log_min_duration_statement flag by setting it to -1 for PostgreSQL instances. Any other value writes the text of statements that exceed the threshold to the log, where sensitive data in the query can be exposed.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | SQL_LOG_MIN_DURATION_STATEMENT_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_min_duration_statement database flag to -1 for the Cloud SQL instance.
Turn Off Log Parser Stats Flag for PostgreSQL
Turn off the log_parser_stats flag for PostgreSQL to reduce performance overhead.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | SQL_LOG_PARSER_STATS_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_parser_stats database flag to Off for the Cloud SQL instance.
Turn Off Log Planner Stats Flag for PostgreSQL
Turn off the log_planner_stats flag for PostgreSQL to reduce performance overhead.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | SQL_LOG_PLANNER_STATS_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_planner_stats database flag to Off for the Cloud SQL instance.
Turn Off Log Statement Stats Flag for PostgreSQL
Turn off the log_statement_stats flag for PostgreSQL instances to reduce performance overhead.
| Enforcement mode |
|
| Severity | LOW |
| Finding category | SQL_LOG_STATEMENT_STATS_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the log_statement_stats database flag to Off for the Cloud SQL instance.
Turn Off Remote Access Flag for SQL Server
Turn off the remote access flag for the SQL Server instance. The option lets stored procedures be executed from and on remote servers, which is rarely needed and widens the attack surface.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | SQL_REMOTE_ACCESS_ENABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the SQL > Instances page in the Google Cloud console and set the remote access database flag to Off for the SQL Server instance.
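The Cloud SQL flag controls above (contained database authentication, cross db ownership chaining, external scripts enabled, remote access, local_infile and the PostgreSQL log_* flags) all reduce to one check over an instance's configured flags. The following is an added example, not code from the page or from Compliance Manager: it evaluates an instance description in the shape returned by `gcloud sql instances describe INSTANCE --format=json` and builds the `gcloud sql instances patch` command that fixes every failing flag. The sample instances are constructed; the rule that an unset flag is left at the engine default and not reported is an assumption of this example, not something the page states.

```python
"""Check a Cloud SQL instance's database flags against the flag controls above
and build the gcloud command that fixes them.

Added example, not code from the page. The input shape follows
`gcloud sql instances describe INSTANCE --format=json`: the `databaseVersion`
string and `settings.databaseFlags`, a list of {"name": ..., "value": ...}.
"""
import shlex

# Required values per engine, keyed by the prefix of databaseVersion.
# Flag names are the Cloud SQL flag names; the SQL Server ones contain spaces.
REQUIRED_FLAGS = {
    "SQLSERVER": {
        "contained database authentication": "off",
        "cross db ownership chaining": "off",
        "external scripts enabled": "off",
        "remote access": "off",
    },
    "MYSQL": {"local_infile": "off"},
    "POSTGRES": {
        "log_executor_stats": "off",
        "log_hostname": "off",
        "log_min_duration_statement": "-1",
        "log_parser_stats": "off",
        "log_planner_stats": "off",
        "log_statement_stats": "off",
    },
}


def engine_of(instance):
    """Map databaseVersion (POSTGRES_15, MYSQL_8_0, SQLSERVER_2019_STANDARD, ...) to an engine key."""
    version = instance.get("databaseVersion", "")
    for prefix in REQUIRED_FLAGS:
        if version.startswith(prefix):
            return prefix
    raise ValueError(f"unrecognised databaseVersion: {version!r}")


def configured_flags(instance):
    """Flags explicitly set on the instance, as {name: value}."""
    flags = instance.get("settings", {}).get("databaseFlags", [])
    return {f["name"]: str(f["value"]) for f in flags}


def audit_flags(instance):
    """Return {flag: (current, required)} for every flag set to a non-compliant value.

    Assumption (not stated on the page): a flag that is absent is at the engine
    default and is not reported; only explicitly configured values are judged.
    """
    required = REQUIRED_FLAGS[engine_of(instance)]
    current = configured_flags(instance)
    return {
        name: (current[name], value)
        for name, value in required.items()
        if name in current and current[name].lower() != value
    }


def remediation_command(instance):
    """gcloud command that sets every failing flag to its required value.

    --database-flags replaces the instance's whole flag set, so all existing
    flags are carried over; passing only the fixed ones would silently drop the rest.
    Returns None when there is nothing to fix.
    """
    findings = audit_flags(instance)
    if not findings:
        return None
    merged = configured_flags(instance)
    for name, (_, required) in findings.items():
        merged[name] = required
    flag_arg = ",".join(f"{name}={value}" for name, value in merged.items())
    return (f"gcloud sql instances patch {shlex.quote(instance['name'])} "
            f"--database-flags={shlex.quote(flag_arg)}")


# Constructed sample instances (not real gcloud output).
SAMPLE_SQLSERVER = {
    "name": "sqlserver-prod",
    "databaseVersion": "SQLSERVER_2019_STANDARD",
    "settings": {"databaseFlags": [
        {"name": "cross db ownership chaining", "value": "on"},
        {"name": "remote access", "value": "on"},
        {"name": "contained database authentication", "value": "off"},
    ]},
}
SAMPLE_POSTGRES = {
    "name": "pg-analytics",
    "databaseVersion": "POSTGRES_15",
    "settings": {"databaseFlags": [
        {"name": "log_min_duration_statement", "value": "500"},
        {"name": "max_connections", "value": "200"},
    ]},
}
SAMPLE_MYSQL = {"name": "mysql-app", "databaseVersion": "MYSQL_8_0", "settings": {"databaseFlags": []}}

if __name__ == "__main__":
    for inst in (SAMPLE_SQLSERVER, SAMPLE_POSTGRES, SAMPLE_MYSQL):
        print(inst["name"], audit_flags(inst), remediation_command(inst))
```

Run it against real output by loading the JSON from `gcloud sql instances describe` and passing the dictionary to `audit_flags`. The command builder keeps unrelated flags such as max_connections because a patch with `--database-flags` overwrites the complete set; applying a patch that names only the security flags would remove every other tuning flag on the instance.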
Use Central SIEM
Use a centralized Security Information and Event Management (SIEM).
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_CENTRAL_SIEM |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Operate a Security Information and Event Management (SIEM) system, or a similar system, for centralized, tamper-resistant logging of events, activities, and changes.
Use Custom Service Accounts for Compute Engine Instances
The Compute Engine default service account is granted the Editor role on the project by default, which gives read and write access to most Google Cloud services, and every VM that runs as that account inherits it. Custom service accounts with only the permissions a workload needs help prevent privilege escalation and unauthorized access.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | DEFAULT_SERVICE_ACCOUNT_USED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Change the service account that the VM instance uses. Go to the Compute Engine > VM instances page in the Google Cloud console and click the instance name. On the Instance details page, click Stop. After the instance stops, click Edit, select a non-default service account that has the least privileges the workload needs, and save. The instance must be stopped before its service account can be changed.
Use Custom VPC Networks
Create a VPC network with custom firewall rules to help enhance security and provide better control over network access.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | DEFAULT_NETWORK |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Go to the VPC Network > VPC networks page in the Google Cloud console and create a network with custom firewall rules, then move your workloads to it and delete the default VPC network. Delete the default network last: the deletion fails while resources still use it. For more information, see Create networks.
Use Differentially Private Techniques to Generate Synthetic Data
Generate synthetic data using differentially private (DP) techniques.
| Enforcement mode | Audit |
| Severity | MEDIUM |
| Finding category | DP_SYNTHETIC_TRAINING_DATA_NOT_GENERATED |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Use differentially private synthetic data generation to create anonymized data for training. For more information, see Use differential privacy.
Use FIPS 201 Approved Products
Use information technology products on the Federal Information Processing Standards (FIPS) 201-approved products list for Personal Identity Verification (PIV) capability.
| Enforcement mode | Audit |
| Finding category | FIPS 201_APPROVED_PRODUCTS_NOT_USED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Complete the following:
Use only services and products that comply with FIPS-201 standards.
Implement a user account system or SSO solution for authentication.
Configure 2FA using a PIV card.
Use IAM allow policies to control access to your resources.
Use Google Groups for Kubernetes RBAC
Set up Google Groups to work with Kubernetes role-based access control (RBAC) in your GKE clusters.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | GKE_AUTHENTICATOR_GROUPS_DISABLED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Update your cluster to use Google Groups for RBAC. The group you configure must be named gke-security-groups in your organization's domain, and the groups you reference as subjects in RoleBinding and ClusterRoleBinding objects must be members of it. For more information, see Update an existing cluster.
Use IAM Tags
Use tags to create annotations for resources, and in some cases conditionally allow or deny policies based on whether a resource has a specific tag.
| Enforcement mode | Audit |
| Finding category | IAM_TAGS_NOT_FOUND |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To create a tag key, run the following command:
gcloud resource-manager tags keys create SHORT_NAME --parent=organizations/ORGANIZATION_ID
To create a tag value, run the following command:
gcloud resource-manager tags values create SHORT_NAME --parent=PARENT
To attach a tag to a resource, run the following command:
gcloud resource-manager tags bindings create --tag-value=TAG_VALUE --parent=RESOURCE_ID --location=LOCATION
Use Latest Image Versions on Dataproc Clusters
Ensure that Dataproc clusters don't use outdated image versions that are impacted by the Log4j vulnerability. This control checks whether the softwareConfig.imageVersion field in the config property of a Cluster is earlier than 1.3.95 or is a subminor image version earlier than 1.4.77, 1.5.53, or 2.0.27.
| Enforcement mode |
|
| Severity | HIGH |
| Finding category | DATAPROC_IMAGE_OUTDATED |
| Revision number | 2 |
| Supported Security Command Center tiers | Standard, Premium, and Enterprise |
| Supported target resources |
|
Remediation steps
Recreate the affected cluster with the latest sub-minor image version. See Steps to recreate a cluster for specific image and log4j version information.
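The version rule in the control description above (anything earlier than 1.3.95, or a sub-minor below 1.4.77, 1.5.53 or 2.0.27 on those lines) is easy to get wrong with a plain string comparison, because "1.4.9" sorts after "1.4.77". The following is an added example, not code from the page or from Dataproc: it parses resolved Dataproc image versions, applies the rule, and lists clusters from output shaped like `gcloud dataproc clusters list --format=json`. The sample clusters are constructed, and treating an unresolved version such as "2.0" as an error rather than guessing its sub-minor is this example's choice.

```python
"""Flag Dataproc clusters whose image version predates the Log4j-patched
sub-minor releases named in the control above.

Added example, not code from the page. Input shape follows
`gcloud dataproc clusters list --region REGION --format=json`: each cluster
has `clusterName` and `config.softwareConfig.imageVersion`, which Dataproc
reports fully resolved, e.g. "2.0.27-debian10". Assumption: an unresolved
version such as "2.0" is rejected rather than guessed.
"""
import re

# Lowest patched sub-minor version per minor line, from the control description.
MIN_PATCHED = {(1, 3): 95, (1, 4): 77, (1, 5): 53, (2, 0): 27}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-.+)?$")


def parse_image_version(image_version):
    """'1.5.53-ubuntu18' -> (1, 5, 53); the OS suffix is ignored."""
    m = _VERSION_RE.match(image_version)
    if not m:
        raise ValueError(f"not a resolved Dataproc image version: {image_version!r}")
    return tuple(int(x) for x in m.groups())


def is_outdated(image_version):
    """True when the version is earlier than 1.3.95, or is on the 1.4, 1.5 or 2.0
    line with a sub-minor below the patched release for that line."""
    major, minor, sub = parse_image_version(image_version)
    if (major, minor) < (1, 3):
        return True                       # everything before 1.3.95
    threshold = MIN_PATCHED.get((major, minor))
    if threshold is None:
        return False                      # line not named by the control (e.g. 2.1)
    return sub < threshold


def audit_clusters(clusters):
    """Return [(clusterName, imageVersion)] for clusters that need recreating."""
    hits = []
    for cluster in clusters:
        version = cluster["config"]["softwareConfig"]["imageVersion"]
        if is_outdated(version):
            hits.append((cluster["clusterName"], version))
    return hits


# Constructed sample, not real gcloud output.
SAMPLE_CLUSTERS = [
    {"clusterName": "etl-legacy", "config": {"softwareConfig": {"imageVersion": "1.4.70-debian10"}}},
    {"clusterName": "etl-current", "config": {"softwareConfig": {"imageVersion": "2.0.27-debian10"}}},
    {"clusterName": "ml-spark", "config": {"softwareConfig": {"imageVersion": "2.1.5-debian11"}}},
]

if __name__ == "__main__":
    for name, version in audit_clusters(SAMPLE_CLUSTERS):
        print(f"{name}: image {version} is outdated, recreate the cluster on the latest sub-minor")
```

Image versions are fixed at cluster creation, so a flagged cluster cannot be patched in place; the output of `audit_clusters` is the list of clusters to recreate, as the remediation step says.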
Use Least Privilege and Just in Time Access
Use a least-privileged, role and attribute-based, and just-in-time security authorization model.
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_LEAST_PRIVILEGE_SECURITY_MODEL |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Implement a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services within Google Cloud.
Use Least Privilege Service Accounts for GKE Clusters
Restrict Google Kubernetes Engine (GKE) nodes from using the Compute Engine default service account, which has broad access and is over-privileged for running your GKE cluster.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | OVER_PRIVILEGED_ACCOUNT |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Use a service account with the minimal permissions required to run your GKE nodes. For more information, see Use least privilege IAM service accounts.
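This control and the Use Custom Service Accounts for Compute Engine Instances control above both come down to spotting workloads that run as the Compute Engine default service account and confirming what that account can do. The following is an added example, not code from the page or from Google: it scans VM instances, GKE node pools and the project IAM policy in the shapes returned by `gcloud compute instances list`, `gcloud container clusters list` and `gcloud projects get-iam-policy` with `--format=json`. The samples are constructed; that GKE reports the default account as the literal string "default" and that a node pool whose config omits serviceAccount is on the default account are assumptions of this example.

```python
"""Find Compute Engine VMs and GKE node pools that run as the Compute Engine
default service account, and list the roles that account holds on the project.

Added example, not code from the page. Input shapes follow gcloud JSON output:
  instances: `gcloud compute instances list --format=json` (serviceAccounts[].email)
  clusters:  `gcloud container clusters list --format=json` (nodePools[].config.serviceAccount)
  policy:    `gcloud projects get-iam-policy PROJECT --format=json` (bindings[].role, .members)
Assumptions: GKE reports the default account as the literal string "default", and a
node pool whose config omits serviceAccount is on the default account.
"""
import re

DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def is_default_compute_sa(email):
    return email == "default" or DEFAULT_COMPUTE_SA.match(email) is not None


def vms_on_default_sa(instances):
    """Names of VMs that have the default compute service account attached."""
    return sorted(
        inst["name"] for inst in instances
        if any(is_default_compute_sa(sa.get("email", "")) for sa in inst.get("serviceAccounts", []))
    )


def node_pools_on_default_sa(clusters):
    """'cluster/pool' for node pools whose nodes run as the default compute service account."""
    hits = []
    for cluster in clusters:
        for pool in cluster.get("nodePools", []):
            if is_default_compute_sa(pool.get("config", {}).get("serviceAccount", "default")):
                hits.append(f"{cluster['name']}/{pool['name']}")
    return sorted(hits)


def default_sa_roles(policy, project_number):
    """Roles granted to the default compute service account in the project IAM policy.
    roles/editor here is what makes every VM on that account over-privileged."""
    member = f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


# Constructed samples, not real gcloud output.
SAMPLE_INSTANCES = [
    {"name": "web-1", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com"}]},
    {"name": "api-1", "serviceAccounts": [{"email": "api-runtime@demo-project.iam.gserviceaccount.com"}]},
    {"name": "batch-1", "serviceAccounts": []},
]
SAMPLE_CLUSTERS = [
    {"name": "prod", "nodePools": [
        {"name": "default-pool", "config": {"serviceAccount": "default"}},
        {"name": "app-pool", "config": {"serviceAccount": "gke-nodes@demo-project.iam.gserviceaccount.com"}},
    ]},
]
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
]}

if __name__ == "__main__":
    print("VMs on default SA:", vms_on_default_sa(SAMPLE_INSTANCES))
    print("Node pools on default SA:", node_pools_on_default_sa(SAMPLE_CLUSTERS))
    print("Default SA roles:", default_sa_roles(SAMPLE_POLICY, "123456789012"))
```

A VM's account can be swapped once the instance is stopped (`gcloud compute instances set-service-account`), but a GKE node pool's service account is fixed at creation, so flagged pools are replaced by creating a new pool with `--service-account` and draining the old one. Checking the IAM policy as well matters because removing roles/editor from the default account reduces the exposure of every remaining VM on it while the migration is in progress.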
Use Multifactor or Passwordless Authentication
Use secure passwordless methods or strong passwords with multifactor authentication (MFA).
| Enforcement mode | Audit |
| Severity | HIGH |
| Finding category | MISSING_MFA_OR_PASSWORDLESS_AUTHENTICATION |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Implement secure passwordless methods for user authentication and authorization when feasible or enforce strong passwords with MFA. To configure this, in the Google Admin console, go to Security > Authentication > 2-Step verification.
Use Secure Web Proxy for Network Traffic Control
Configure Secure Web Proxy to route all network traffic and ensure the routing complies with regulatory standards for Compute Engine instances and Google Kubernetes Engine (GKE) clusters.
| Enforcement mode | Audit |
| Finding category | WEB_PROXY_NOT_CONFIGURED_TRAFFIC_CONTROL |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Use Secure Web Proxy and set up appropriate rules to ensure that all the internal and external traffic routing is in compliance with the regulatory standards.
Use TLS 1.2 or Higher
Use TLS 1.2 or higher for encryption.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | IMPROPER_TLS_VERSION_IN_USE |
| Revision number | 2 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Attach SSL policies with a minimum TLS version of 1.2 to the target proxies of your global and regional load balancers. A target proxy with no SSL policy uses the default policy, which allows TLS 1.0. For more information, see Use SSL policies for SSL and TLS protocols.
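Checking the SSL policies alone misses the common failure mode for this control: a target proxy that has no policy attached at all and therefore falls back to the default policy and TLS 1.0. The following is an added example, not code from the page or from Google: it audits policies and target HTTPS proxies in the shapes returned by `gcloud compute ssl-policies list --format=json` and `gcloud compute target-https-proxies list --format=json`, fails closed on an unrecognised minTlsVersion value, and emits the `gcloud compute target-https-proxies update` commands that attach a compliant policy. The sample data is constructed, and the remediation commands assume global proxies (regional ones also need `--region`).

```python
"""Audit load balancer SSL policies for the TLS 1.2 minimum and find target
proxies that have no policy attached.

Added example, not code from the page. Input shapes follow
`gcloud compute ssl-policies list --format=json` (name, selfLink, minTlsVersion,
profile) and `gcloud compute target-https-proxies list --format=json` (name and,
when set, sslPolicy holding the policy's selfLink). The API reports
minTlsVersion as TLS_1_0, TLS_1_1 or TLS_1_2.
"""

TLS_ORDER = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2}
REQUIRED_MIN = "TLS_1_2"


def meets_minimum(min_tls_version):
    """Fail closed: an unrecognised value is treated as not meeting the minimum."""
    return TLS_ORDER.get(min_tls_version, -1) >= TLS_ORDER[REQUIRED_MIN]


def weak_policies(policies):
    """Names of SSL policies whose minimum TLS version is below 1.2."""
    return sorted(p["name"] for p in policies if not meets_minimum(p.get("minTlsVersion", "")))


def audit_proxies(policies, proxies):
    """Return {proxy name: reason} for proxies that can negotiate TLS below 1.2.

    A proxy with no sslPolicy uses the Google Cloud default SSL policy, which
    allows TLS 1.0, so it is reported even though no weak policy is visible.
    """
    by_link = {p["selfLink"]: p for p in policies}
    findings = {}
    for proxy in proxies:
        link = proxy.get("sslPolicy")
        if link is None:
            findings[proxy["name"]] = "no SSL policy attached (default policy allows TLS 1.0)"
            continue
        policy = by_link.get(link)
        if policy is None:
            findings[proxy["name"]] = f"references unknown SSL policy {link}"
        elif not meets_minimum(policy.get("minTlsVersion", "")):
            findings[proxy["name"]] = f"policy {policy['name']} allows {policy['minTlsVersion']}"
    return findings


def remediation_commands(findings, policy_name):
    """gcloud commands that attach a compliant global SSL policy to each failing proxy.
    Assumption: the proxies are global; regional proxies also need --region."""
    return [f"gcloud compute target-https-proxies update {name} --ssl-policy={policy_name}"
            for name in sorted(findings)]


# Constructed sample, not real gcloud output.
_PREFIX = "https://www.googleapis.com/compute/v1/projects/demo/global/sslPolicies/"
SAMPLE_POLICIES = [
    {"name": "legacy-compat", "selfLink": _PREFIX + "legacy-compat",
     "minTlsVersion": "TLS_1_0", "profile": "COMPATIBLE"},
    {"name": "modern-tls12", "selfLink": _PREFIX + "modern-tls12",
     "minTlsVersion": "TLS_1_2", "profile": "MODERN"},
]
SAMPLE_PROXIES = [
    {"name": "web-https-proxy", "sslPolicy": _PREFIX + "legacy-compat"},
    {"name": "api-https-proxy", "sslPolicy": _PREFIX + "modern-tls12"},
    {"name": "admin-https-proxy"},
]

if __name__ == "__main__":
    findings = audit_proxies(SAMPLE_POLICIES, SAMPLE_PROXIES)
    for name, reason in findings.items():
        print(f"{name}: {reason}")
    for cmd in remediation_commands(findings, "modern-tls12"):
        print(cmd)
```

If no compliant policy exists yet, create one first with `gcloud compute ssl-policies create modern-tls12 --profile=MODERN --min-tls-version=1.2`; the MODERN profile also drops the weak cipher suites that the COMPATIBLE profile keeps for old clients.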
Validate Information Inputs
Validate information inputs and document exceptions when they occur.
| Enforcement mode | Audit |
| Finding category | INPUT_VALIDATION_MISSING |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Verify that you have the appropriate input checks set up and a way to document your exceptions.
Validate the Integrity of Data Stored in External Systems
Provide the capability to check the integrity of information while it resides in an external system.
| Enforcement mode | Audit |
| Finding category | MISSING_CONTROLS_DATA_STORED_EXTERNAL_SYSTEM |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
This control doesn't apply to Google Cloud. Verify that you have the appropriate controls set up in external systems, as appropriate.
Verify Cloud KMS Key Version Algorithm
Check whether the key algorithms for Cloud KMS keys match the algorithms that you specify.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | CRYPTOKEY_ALGORITHM_VERSION_RESTRICTED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
The default allowed algorithms are RSA_SIGN_PSS_2048_SHA256, RSA_SIGN_PSS_3072_SHA256, RSA_SIGN_PSS_4096_SHA256, RSA_DECRYPT_OAEP_2048_SHA256, RSA_DECRYPT_OAEP_4096_SHA256, RSA_DECRYPT_OAEP_2048_SHA1, and RSA_DECRYPT_OAEP_4096_SHA1. Keys whose algorithm is not in the list are reported; adjust the list to the algorithms your policy permits. For more information, see Key purposes and algorithms.
Verify Cloud Storage Bucket Classification
Set the appropriate classification label for Cloud Storage buckets.
| Enforcement mode | Audit |
| Finding category | INCORRECT_CLOUD_STORAGE_CLASSIFICATION_ASSIGNED |
| Revision number | 1.1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
Set the right classification for the storage. See Storage classes.
VPC Flow Logs Disabled for Workstation Subnet
VPC Flow Logs must be enabled on the subnet used by your Cloud Workstations cluster.
| Enforcement mode |
|
| Severity | MEDIUM |
| Finding category | WORKSTATION_SUBNET_FLOW_LOGS_DISABLED |
| Revision number | 1 |
| Supported Security Command Center tiers | Premium and Enterprise |
| Supported target resources |
|
Remediation steps
To enable VPC Flow Logs for a subnet:
- In the Google Cloud console, go to the VPC networks page.
- Click the name of the subnet used by your workstation cluster.
- On the Subnet details page, click Edit.
- In the Flow logs section, select On.
- Click Save.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-20 UTC.