The Center for Internet Security (CIS) serves as a guardian of cybersecurity standards across a diverse array of internet-connected technologies. Notably, cloud platforms represent the pinnacle of internet-connected innovations. In this domain, Google Cloud Platform (GCP) shines as a preeminent choice, boasting widespread recognition. It’s plausible that GCP stands as a prominent vendor within your technological landscape, offering a spectrum of renowned SaaS, PaaS, and IaaS services like App Engine, BigQuery, Cloud IoT Core, and Edge.
For those benefiting from CloudDefense.AI CSPM (Cloud Security Posture Management), the understanding of the cloud’s expansive potential as a cyber attack surface is evident. Given the perpetually evolving cyber threat landscape, adept management of this landscape is imperative. In this context, I advocate for the utilization of CIS Benchmarks to assess your GCP security configurations, ideally on a biannual basis. CIS facilitates this process through a simple form on their website, culminating in the dispatch of a customized PDF containing your selected Benchmarks. While CIS extends a comprehensive list, below is a sampling of pivotal settings warranting attention:
- Identity and Access Management (IAM)
- Logging and Monitoring
- Networking
- Virtual Machines (VMs)
- Storage
By embracing these guidelines, you fortify your GCP infrastructure against potential threats and align with contemporary cybersecurity practices.
What you must know about CIS Benchmarks for Google Cloud Platform
Identity and Access Management (IAM)
Identity and Access Management (IAM) is a fundamental pillar of security in any cloud environment. In GCP, proper IAM settings are essential to protect your sensitive data and critical systems from cyber threats. Here are some crucial IAM settings to consider:
- Ensure the use of Corporate Login Credentials.
- Enable Multi-Factor Authentication (MFA) for all non-service accounts to enhance authentication security.
- Avoid granting admin privileges to Service Accounts, following the principle of least privilege.
- Enforce Security Key Enforcement for All Admin accounts.
- Use only GCP-managed Service Account Keys for each Service Account.
- Avoid assigning IAM users the Service Account User or Service Account Token Creator roles.
- Implement automated role assignments at the project level.
- Rotate user-managed and external keys for Service Accounts every 90 days or less.
- Enforce separation of duties when assigning Service Account related roles to users.
Logging and Monitoring
Logging and monitoring are critical for timely detection of security incidents and for compliance purposes. Properly configured logging ensures that your security team can respond effectively to potential threats. Here are essential settings for logging and monitoring in GCP:
- Enable Log Metric Filters and Alerts to identify signs of compromise quickly.
- Set up Log Metric Filters and Alerts for project ownership assignments and changes.
- Implement Log Metric Filters and Alerts for audit configuration changes.
- Configure Log Metric Filters and Alerts for custom role changes.
- Ensure Log Metric Filters and Alerts cover VPC network firewall rule changes, route changes, and other network-related events.
- Enable cloud DNS logging for all VPC networks.
- Enable cloud asset inventory for comprehensive visibility.
Networking
Networking settings are crucial to ensure that networked services are appropriately configured and secure. Outdated cryptographic technologies should be avoided, and access should be restricted to minimize attack surfaces. Key networking recommendations include:
- Eliminate the default network from projects.
- Avoid the existence of legacy networks in older projects.
- Enable DNSSEC for Cloud DNS.
- Use secure cryptographic technologies and avoid RSASHA1 in Cloud DNS DNSSEC.
- Restrict SSH and RDP access from the internet.
- Enable VPC Flow Logs for all subnets in a VPC network.
- Ensure SSL proxy load balancers do not permit weak cipher suites.
- Utilize Identity Aware Proxy (IAP) to allow traffic only from Google IP addresses.
Virtual Machines (VMs)
Virtual machines are a significant use case within GCP, and their security is paramount. Properly configuring security controls and access is essential. Here are key settings for securing VMs:
- Avoid using the default service account for instances.
- Prevent instances from using the default service account with full access to all Cloud APIs.
- Enable “Block Project-Wide SSH Keys” for VM instances.
- Enable Oslogin at the project level.
- Disable “Enable Connecting to Serial Ports” for VM instances.
- Turn off IP forwarding on instances.
- Encrypt VM disks with customer-supplied encryption keys for critical VMs.
- Launch Compute instances with shielded VM enabled.
- Avoid assigning public IP addresses to Compute instances.
- Enforce HTTPS connections for App Engine applications.
- Enable Confidential Computing for Compute instances.
- Keep VMs up to date with the latest operating system updates.
Storage
- Protecting access to cloud storage buckets, where sensitive data is often stored, is crucial. Here are key storage-related configurations:
- Prevent cloud storage buckets from being anonymously or publicly accessible.
- Enable Uniform Bucket-Level Access for cloud storage buckets.
These are some of the essential CIS Benchmarks for Google Cloud Platform. Regularly reviewing and implementing these recommendations will significantly enhance the security of your GCP environment.
To ensure you’re not missing any benchmarks, you can request a PDF directly from the CIS website. Remember, cybersecurity is an ongoing effort, and staying informed about the latest best practices is essential to safeguard your cloud infrastructure.
Those are most of the crucial CIS Benchmarks for GCP. To make sure that you don’t miss any, you can request your own PDF here.
