Forseti Scanner has default rules that create a violation when their conditions are met.
- Datasets should not be public.
- Datasets should not be accessible by users who are @gmail.com.
- Datasets should not be accessible by groups who are @gmail.com.
- Cloud Storage (note: this is NOT the same as Cloud Storage IAM policies!)
- Buckets ACLs should not be publicly accessible (
- Buckets ACLs should not be accessible by any authenticated user (
- Cloud SQL
- Cloud SQL instances should not allow access from anywhere (authorized networks).
- Cloud SQL instances should not allow access over SSL from anywhere (authorized networks).
- G Suite Groups
- Your company users (@domain.tld) and all gmail users are allowed to be members of your G Suite groups.
- Cloud IAM policies
- Only Cloud IAM user and group members in my domain may be granted the role
- Cloud Identity Aware Proxy (IAP) bypass access
- Forbid any IAP bypasses on all resources in my organization, when IAP is enabled.
- Allow direct access from debug IPs and internal monitoring hosts.