
GoogleCloudPlatform / Inspec Gcp Cis Benchmark

Licence: apache-2.0
GCP CIS 1.1.0 Benchmark InSpec Profile

Programming Languages

ruby

GCP CIS 1.1.0 Benchmark Inspec Profile

This repository holds the InSpec profile for the Center for Internet Security (CIS) Google Cloud Platform (GCP) Benchmark, version 1.1.0.

Required Disclaimer

This is not an officially supported Google product. This code is intended to help users assess their security posture on Google Cloud against the CIS Benchmark. This code is not certified by CIS.

Coverage

The following GCP CIS v1.1.0 Benchmark Controls are not covered:

  • Identity and Access Management 1.2 - "Ensure that multi-factor authentication is enabled for all non-service accounts"
  • Identity and Access Management 1.3 - "Ensure that Security Key Enforcement is enabled for all admin accounts"
  • Identity and Access Management 1.12 - "Ensure API keys are not created for a project"
  • Identity and Access Management 1.13 - "Ensure API keys are restricted to use by only specified Hosts and Apps"
  • Identity and Access Management 1.14 - "Ensure API keys are restricted to only APIs that application needs access"
  • Identity and Access Management 1.15 - "Ensure API keys are rotated every 90 days"
  • Cloud SQL Database Services 6.3 - "Ensure that MySQL database instance does not allow anyone to connect with administrative privileges"
  • Cloud SQL Database Services 6.4 - "Ensure that MySQL Database Instance does not allow root login from any Host"

Usage

Profile Inputs (see inspec.yml file)

This profile uses InSpec Inputs to make the tests more flexible. You can provide inputs at runtime either via the CLI (--input) or via YAML input files (--input-file) so that the profile fits your deployment.

pro tip: Do not change the inputs in the inspec.yml file directly, either:

  • update them via the cli - via the --input flag
  • pass them in via a YAML file as shown in the Example - via the --input-file flag

Further details can be found here: https://docs.chef.io/inspec/inputs/

(Required) User Provided Inputs - via the CLI or Input Files

  • gcp_project_id - (Default: null, type: String) - The target GCP Project you are scanning.

(Optional) User Provided Inputs

  • sa_key_older_than_seconds - (Default: 7776000, type: int, CIS IAM 1.7) - The maximum allowed age of GCP user-managed service account keys (90 days in seconds).
  • kms_rotation_period_seconds - (Default: 7776000, type: int, CIS IAM 1.10) - The maximum allowed rotation period for KMS keys (90 days in seconds).
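The following Ruby script is an added example, not code from this profile, showing what the two optional thresholds mean in practice and how the input sources stack: --input overrides --input-file, which overrides the defaults in inspec.yml. The input-file contents, the service account keys and the KMS keys are constructed sample data; the field names (keyType, validAfterTime, rotationPeriod, nextRotationTime) are those of the IAM and Cloud KMS APIs, but the check logic is the author's own and is only a stand-in for the profile's controls.

```ruby
require "yaml"
require "time"

# Built-in defaults, matching the optional inputs documented above.
DEFAULT_INPUTS = {
  "gcp_project_id"              => nil,
  "sa_key_older_than_seconds"   => 7_776_000, # 90 days
  "kms_rotation_period_seconds" => 7_776_000  # 90 days
}.freeze

# Constructed stand-in for a file passed with --input-file (not a file from the
# project). It tightens the service account key threshold to 30 days.
INPUT_FILE_YAML = <<~YAML
  gcp_project_id: example-project
  sa_key_older_than_seconds: 2592000
YAML

# Resolve inputs the way InSpec does: --input beats --input-file, which beats
# the defaults from inspec.yml. gcp_project_id has no default and is required.
def resolve_inputs(file_yaml, cli_inputs = {})
  inputs = DEFAULT_INPUTS.merge(YAML.safe_load(file_yaml) || {}).merge(cli_inputs)
  raise ArgumentError, "gcp_project_id is required" if inputs["gcp_project_id"].to_s.empty?
  inputs
end

# Constructed sample of IAM ServiceAccountKey resources (field names as in the
# projects.serviceAccounts.keys.list response).
SAMPLE_SA_KEYS = [
  { "name" => "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/key-a",
    "keyType" => "USER_MANAGED",   "validAfterTime" => "2020-01-01T00:00:00Z" },
  { "name" => "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/key-b",
    "keyType" => "USER_MANAGED",   "validAfterTime" => "2020-04-01T00:00:00Z" },
  { "name" => "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/key-c",
    "keyType" => "SYSTEM_MANAGED", "validAfterTime" => "2019-01-01T00:00:00Z" }
].freeze

# User-managed keys older than the threshold. SYSTEM_MANAGED keys are rotated
# by Google and are out of scope for this control.
def stale_user_managed_keys(keys, max_age_seconds, now: Time.now.utc)
  keys.select { |k| k["keyType"] == "USER_MANAGED" }
      .select { |k| now - Time.iso8601(k["validAfterTime"]) > max_age_seconds }
      .map { |k| k["name"] }
end

# Constructed sample of Cloud KMS CryptoKey resources. rotationPeriod is a
# duration string such as "7776000s"; a key without one never auto-rotates.
SAMPLE_KMS_KEYS = [
  { "name" => "projects/example-project/locations/global/keyRings/ring/cryptoKeys/rotated-90d",
    "rotationPeriod" => "7776000s",  "nextRotationTime" => "2020-08-01T00:00:00Z" },
  { "name" => "projects/example-project/locations/global/keyRings/ring/cryptoKeys/rotated-180d",
    "rotationPeriod" => "15552000s", "nextRotationTime" => "2020-11-01T00:00:00Z" },
  { "name" => "projects/example-project/locations/global/keyRings/ring/cryptoKeys/never-rotated" }
].freeze

# "7776000s" -> 7776000; nil or anything else -> nil.
def duration_seconds(value)
  value.to_s.match(/\A(\d+)s\z/) { |m| m[1].to_i }
end

# Keys whose rotation period is unset or longer than the threshold, or whose
# next rotation is scheduled further out than the threshold allows.
def noncompliant_kms_keys(keys, max_period_seconds, now: Time.now.utc)
  keys.reject do |k|
    period  = duration_seconds(k["rotationPeriod"])
    next_at = k["nextRotationTime"] && Time.iso8601(k["nextRotationTime"])
    period && period <= max_period_seconds &&
      next_at && next_at - now <= max_period_seconds
  end.map { |k| k["name"] }
end

if __FILE__ == $PROGRAM_NAME
  now    = Time.utc(2020, 6, 1) # fixed clock so the sample data is deterministic
  inputs = resolve_inputs(INPUT_FILE_YAML)
  puts "project: #{inputs['gcp_project_id']}"
  puts "stale user-managed SA keys: #{stale_user_managed_keys(SAMPLE_SA_KEYS, inputs['sa_key_older_than_seconds'], now: now)}"
  puts "non-compliant KMS keys:     #{noncompliant_kms_keys(SAMPLE_KMS_KEYS, inputs['kms_rotation_period_seconds'], now: now)}"
end
```

With the 30-day file value, key-b (61 days old on the fixed clock) is reported stale; override it from the CLI with the 90-day default and only key-a remains. The KMS check deliberately treats a missing rotationPeriod as a failure rather than as "nothing to check", because a key that never auto-rotates is exactly what the control is meant to catch.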

Cloud Shell Walkthrough

Use this Cloud Shell Walkthrough for a hands-on example.

Open this project in Cloud Shell

CLI Example

# install InSpec
$ gem install inspec-bin --no-document --quiet
# make sure you're authenticated to GCP
$ gcloud auth list

# acquire credentials to use with Application Default Credentials
$ gcloud auth application-default login

# scan a project with this profile, replace {{project-id}} with your project ID
$ inspec exec https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark.git -t gcp:// --input gcp_project_id={{project-id}}  --reporter cli json:{{project-id}}_scan.json
...snip...
Profile Summary: 48 successful controls, 5 control failures, 7 controls skipped
Test Summary: 166 successful, 7 failures, 7 skipped
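The command above writes a JSON report next to the CLI output. As an added example (not part of the profile), the Ruby script below rolls such a report up into the same three counts the CLI summary prints, lists the failed controls highest impact first with the messages of their failing tests, and derives a CI gate code. The embedded report is a constructed miniature with made-up control IDs, titles and messages; only the key names (profiles, controls, impact, results, status, message, skip_message) follow the InSpec JSON reporter.

```ruby
require "json"

# Constructed miniature of the file written by "--reporter json:<file>";
# not output from a real scan.
SAMPLE_REPORT_JSON = <<~REPORT
  {
    "profiles": [
      {
        "name": "inspec-gcp-cis-benchmark",
        "controls": [
          {
            "id": "control-a", "title": "User-managed service account keys are rotated", "impact": 1.0,
            "results": [
              { "status": "passed", "code_desc": "key-b age is expected to be < 7776000" },
              { "status": "failed", "code_desc": "key-a age is expected to be < 7776000",
                "message": "expected: < 7776000, got: 13132800" }
            ]
          },
          {
            "id": "control-b", "title": "Cloud SQL instances require SSL", "impact": 0.7,
            "results": [
              { "status": "skipped", "code_desc": "Cloud SQL instances",
                "skip_message": "No Cloud SQL instances found in this project" }
            ]
          },
          {
            "id": "control-c", "title": "The default network does not exist", "impact": 0.5,
            "results": [
              { "status": "passed", "code_desc": "Network default is expected not to exist" }
            ]
          }
        ]
      }
    ],
    "statistics": { "duration": 12.5 }
  }
REPORT

# One status per control: failed if any test failed, otherwise skipped if any
# test was skipped, otherwise passed. A control with no results at all gets
# "no_tests" so that it is never silently counted as a pass.
def control_status(control)
  statuses = control.fetch("results", []).map { |r| r["status"] }
  return "no_tests" if statuses.empty?
  return "failed"   if statuses.include?("failed")
  return "skipped"  if statuses.include?("skipped")
  "passed"
end

# Counts per status plus the failed controls, highest impact first, each with
# the messages of its failing tests.
def summarize(report_json)
  report   = JSON.parse(report_json)
  controls = report.fetch("profiles", []).flat_map { |p| p.fetch("controls", []) }
  counts   = Hash.new(0)
  failures = []
  controls.each do |c|
    status = control_status(c)
    counts[status] += 1
    next unless status == "failed"
    failures << {
      "id"       => c["id"],
      "title"    => c["title"],
      "impact"   => c["impact"].to_f,
      "messages" => c["results"].select { |r| r["status"] == "failed" }
                                .map { |r| r["message"] || r["code_desc"] }
    }
  end
  { "counts" => counts, "failures" => failures.sort_by { |f| -f["impact"] } }
end

# CI gate: 1 when any failed control is at or above the impact threshold, else 0.
def gate_exit_code(summary, min_impact: 0.7)
  summary["failures"].any? { |f| f["impact"] >= min_impact } ? 1 : 0
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real report path as the first argument, e.g. ruby summarize.rb my-project_scan.json
  report_json = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT_JSON
  summary = summarize(report_json)
  c = summary["counts"]
  puts "Profile Summary: #{c['passed']} successful controls, #{c['failed']} control failures, #{c['skipped']} controls skipped"
  summary["failures"].each do |f|
    puts "  [impact #{f['impact']}] #{f['id']}: #{f['title']}"
    f["messages"].each { |m| puts "      #{m}" }
  end
  puts "gate exit code: #{gate_exit_code(summary)}"
end
```

The gate threshold is the point to tune: failing a pipeline on every finding of a benchmark that also scores low-impact hygiene items tends to get the scan disabled, whereas gating on impact 0.7 and above while still publishing the full report keeps the high-severity controls enforced.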

Required APIs

A scan can touch up to three GCP projects, which may be the same project or different ones:

  • the project of the Service Account that's used to authenticate the scan
  • the project from which the benchmark is called
  • the project to be scanned

The following GCP APIs should be enabled in all of these projects:

  • cloudkms.googleapis.com
  • cloudresourcemanager.googleapis.com
  • compute.googleapis.com
  • dns.googleapis.com
  • iam.googleapis.com
  • logging.googleapis.com
  • monitoring.googleapis.com
  • sqladmin.googleapis.com
  • storage-api.googleapis.com

Required Permissions

The following permissions are required to run the CIS benchmark profile. All of them are read-only (get, list, getIamPolicy), so the scanning identity needs no mutating permissions; a custom role containing exactly this list is tighter than the predefined Viewer roles.

At the organization level:

  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.folders.get

At the project level:

  • cloudkms.cryptoKeys.get
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.keyRings.list
  • cloudsql.instances.get
  • cloudsql.instances.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.instances.get
  • compute.instances.list
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.regions.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.zones.list
  • dns.managedZones.get
  • dns.managedZones.list
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.list
  • logging.logMetrics.list
  • logging.sinks.get
  • logging.sinks.list
  • monitoring.alertPolicies.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list