google

The included Google checks are listed below. For more information about each check, see the link provided.

Checks

| Check | Description |
|---|---|
| google-bigquery-no-public-access | BigQuery datasets should only be accessible within the organisation |
| google-compute-disk-encryption-customer-key | Disks should be encrypted with Customer Supplied Encryption Keys |
| google-compute-disk-encryption-customer-keys | Encrypted compute disk with unmanaged keys |
| google-compute-disk-encryption-required | The encryption key used to encrypt a compute disk has been specified in plaintext |
| google-compute-enable-shielded-vm | Instances should have Shielded VM enabled |
| google-compute-enable-vpc-flow-logs | VPC flow logs should be enabled for all subnets |
| google-compute-no-default-service-account | Instances should not use the default service account |
| google-compute-no-ip-forwarding | Instances should not have IP forwarding enabled |
| google-compute-no-oslogin-override | Instances should not override the project setting for OS Login |
| google-compute-no-plaintext-disk-keys | Disk encryption keys should not be provided in plaintext |
| google-compute-no-plaintext-vm-disk-keys | VM disk encryption keys should not be provided in plaintext |
| google-compute-no-project-wide-ssh-keys | Disable project-wide SSH keys for all instances |
| google-compute-no-public-egress | An outbound firewall rule allows traffic to /0 |
| google-compute-no-public-ingress | An inbound firewall rule allows traffic from /0 |
| google-compute-no-public-ip | Instances should not have public IP addresses |
| google-compute-no-serial-port | Disable serial port connectivity for all instances |
| google-compute-project-level-oslogin | OS Login should be enabled at project level |
| google-compute-use-secure-tls-policy | SSL policies should enforce secure versions of TLS |
| google-compute-vm-disk-encryption-customer-key | VM disks should be encrypted with Customer Supplied Encryption Keys |
| google-dns-enable-dnssec | Cloud DNS should use DNSSEC |
| google-dns-no-rsa-sha1 | Zone signing should not use RSA SHA1 |
| google-gke-enable-auto-repair | Kubernetes should have 'Automatic repair' enabled |
| google-gke-enable-auto-upgrade | Kubernetes should have 'Automatic upgrade' enabled |
| google-gke-enable-ip-aliasing | Clusters should have IP aliasing enabled |
| google-gke-enable-master-networks | Master authorized networks should be configured on GKE clusters |
| google-gke-enable-network-policy | Network Policy should be enabled on GKE clusters |
| google-gke-enable-private-cluster | Clusters should be set to private |
| google-gke-enable-stackdriver-logging | Stackdriver Logging should be enabled |
| google-gke-enable-stackdriver-monitoring | Stackdriver Monitoring should be enabled |
| google-gke-enforce-pod-security-policy | Pod security policy enforcement not defined |
| google-gke-metadata-endpoints-disabled | Legacy metadata endpoints enabled |
| google-gke-no-legacy-auth | Clusters should use client certificates for authentication |
| google-gke-no-public-control-plane | GKE Control Plane should not be publicly accessible |
| google-gke-node-metadata-security | Node metadata value disables metadata concealment |
| google-gke-node-pool-uses-cos | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
| google-gke-node-shielding-enabled | Shielded GKE nodes not enabled |
| google-gke-use-cluster-labels | Clusters should be configured with Labels |
| google-gke-use-rbac-permissions | Legacy ABAC permissions are enabled |
| google-gke-use-service-account | Checks for service account defined for GKE nodes |
| google-iam-no-folder-level-default-service-account-assignment | Roles should not be assigned to default service accounts |
| google-iam-no-folder-level-service-account-impersonation | Users should not be granted service account access at the folder level |
| google-iam-no-org-level-default-service-account-assignment | Roles should not be assigned to default service accounts |
| google-iam-no-org-level-service-account-impersonation | Users should not be granted service account access at the organization level |
| google-iam-no-privileged-service-accounts | Service accounts should not have roles assigned with excessive privileges |
| google-iam-no-project-level-default-service-account-assignment | Roles should not be assigned to default service accounts |
| google-iam-no-project-level-service-account-impersonation | Users should not be granted service account access at the project level |
| google-iam-no-user-granted-permissions | IAM granted directly to user |
| google-kms-rotate-kms-keys | KMS keys should be rotated at least every 90 days |
| google-project-no-default-network | Default network should not be created at project level |
| google-sql-enable-backup | Enable automated backups to recover from data loss |
| google-sql-enable-pg-temp-file-logging | Temporary file logging should be enabled for all temporary files |
| google-sql-encrypt-in-transit-data | SSL connections to a SQL database instance should be enforced |
| google-sql-mysql-no-local-infile | Disable local_infile setting in MySQL |
| google-sql-no-contained-db-auth | Contained database authentication should be disabled |
| google-sql-no-cross-db-ownership-chaining | Cross-database ownership chaining should be disabled |
| google-sql-no-public-access | Ensure that Cloud SQL Database Instances are not publicly exposed |
| google-sql-pg-log-checkpoints | Ensure that logging of checkpoints is enabled |
| google-sql-pg-log-connections | Ensure that logging of connections is enabled |
| google-sql-pg-log-disconnections | Ensure that logging of disconnections is enabled |
| google-sql-pg-log-errors | Ensure that Postgres errors are logged |
| google-sql-pg-log-lock-waits | Ensure that logging of lock waits is enabled |
| google-sql-pg-no-min-statement-logging | Ensure that logging of long statements is disabled |
| google-storage-enable-ubla | Ensure that Cloud Storage buckets have uniform bucket-level access enabled |
| google-storage-no-public-access | Ensure that Cloud Storage bucket is not anonymously or publicly accessible |