Default Rules

Forseti Scanner has default rules that create a violation when their conditions are met.

  • BigQuery
    • Datasets should not be public.
    • Datasets should not be accessible by users who are @gmail.com.
    • Datasets should not be accessible by groups who are @gmail.com.
  • Cloud Storage (note: this is NOT the same as Cloud Storage IAM policies!)
    • Buckets ACLs should not be publicly accessible (AllUsers).
    • Buckets ACLs should not be accessible by any authenticated user (AllAuthenticatedUsers).
  • Cloud SQL
    • Cloud SQL instances should not allow access from anywhere (authorized networks).
    • Cloud SQL instances should not allow access over SSL from anywhere (authorized networks).
  • G Suite Groups
    • Your company users (@domain.tld) and all gmail users are allowed to be members of your G Suite groups.
  • Cloud IAM policies
    • Only Cloud IAM user and group members in my domain may be granted the role Organization Admin.
  • Cloud Identity Aware Proxy (IAP) bypass access
    • Forbid any IAP bypasses on all resources in my organization, when IAP is enabled.
    • Allow direct access from debug IPs and internal monitoring hosts.