Default Rules
Forseti Scanner has default rules that create a
violation when their conditions are met.
This page describes the default rules for specific Google Cloud Platform (GCP) products and
resources.
BigQuery
- Datasets should not be public.
- Datasets should not be accessible by users who’s email address matches
@gmail.com
.
- Datasets should not be accessible by groups who’s email address matches
*@googlegroups.com
.
Blacklist
- The IP address of any GCP instances should not be listed on
the emergingthreats website.
Cloud SQL
- Cloud SQL instances should not allow access from anywhere (authorized networks).
- Cloud SQL instances should not allow access over SSL from anywhere (authorized networks).
Cloud Storage (legacy ACL policies)
- Buckets ACLs should not be publicly accessible (
AllUsers
).
- Buckets ACLs should not be accessible by any authenticated user (
AllAuthenticatedUsers
).
Cloud Identity and Access Management (Cloud IAM) policies
- Only Cloud IAM users and group members in my domain may be granted the role
Organization Admin
.
Cloud Identity-Aware Proxy (Cloud IAP) bypass access
- Forbid any Cloud IAP bypasses on all resources in my organization, when Cloud IAP is enabled.
- Allow direct access from debug IPs and internal monitoring hosts.
External Project Access
- Find any users in your org that may have access to projects outside of your allowed org or folder.
Firewall
- Prevent allow all ingress (used to detect allow ingress to all policies)
G Suite
- Your company users (@domain.tld) and all gmail users are allowed to be members of your G Suite
groups.
KMS
- Crypto keys with the following config should be rotated in 100 days.
algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
protection_level: SOFTWARE
purpose: ENCRYPT_DECRYPT
state: ENABLED
Kubernetes Engine Version
- Only allow the following supported versions:
- For major version 1.8, the minor version must be at least 12-gke.1
- For major version 1.9, the minor version must be at least 7-gke.1
- For major version 1.10, the minor version must be at least 2-gke.1
- For major version 1.11, any minor version is allowed
Service Account Key
- User-managed service account keys should not be older than the date and time you specify.