Forseti Scanner has default rules that create a
violation when their conditions are met.
This page describes the default rules for specific Google Cloud Platform (GCP) products and
- Datasets should not be public.
- Datasets should not be accessible by users whose email address matches
- Datasets should not be accessible by groups whose email address matches
- The IP address of any GCP instances should not be listed on the emergingthreats website.
- Cloud SQL instances should not allow access from anywhere (authorized networks).
- Cloud SQL instances should not allow access over SSL from anywhere (authorized networks).
Cloud Storage (legacy ACL policies)
- Buckets ACLs should not be publicly accessible (
- Buckets ACLs should not be accessible by any authenticated user (
Cloud Identity and Access Management (Cloud IAM) policies
- Only Cloud IAM users and group members in my domain may be granted the role
Cloud Identity-Aware Proxy (Cloud IAP) bypass access
- Forbid any Cloud IAP bypasses on all resources in my organization, when Cloud IAP is enabled.
- Allow direct access from debug IPs and internal monitoring hosts.
External Project Access
- Find any users in your org that may have access to projects outside of your allowed org or folder.
- Prevent allow-all ingress (used to detect firewall policies that allow ingress from all sources).
- Your company users (@domain.tld) and all Gmail users are allowed to be members of your G Suite
- Crypto keys with the following config should be rotated within 100 days.
Kubernetes Engine Version
- Only allow the following supported versions:
- For major version 1.8, the minor version must be at least 12-gke.1
- For major version 1.9, the minor version must be at least 7-gke.1
- For major version 1.10, the minor version must be at least 2-gke.1
- For major version 1.11, any minor version is allowed
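The version rule above can be checked mechanically. The following is an added example, not Forseti's own scanner code: it parses GKE version strings of the assumed form `1.8.12-gke.1` (major `1.8`, minor `12-gke.1`), compares the minor part against the floors listed above, and reports clusters that fall outside the supported set. The cluster names and versions are constructed sample input.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed GKE version layout: "<major>.<patch>-gke.<build>", e.g. "1.8.12-gke.1".
VERSION_RE = re.compile(r"^(\d+\.\d+)\.(\d+)-gke\.(\d+)$")

# Minimum allowed minor version (patch, gke build) per major version.
# None means any minor version of that major is allowed (1.11 above).
# Major versions not listed here are not supported at all.
MINIMUM_MINOR: Dict[str, Optional[Tuple[int, int]]] = {
    "1.8": (12, 1),
    "1.9": (7, 1),
    "1.10": (2, 1),
    "1.11": None,
}


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '1.10.2-gke.3' into ('1.10', (2, 3)); reject anything else."""
    match = VERSION_RE.match(version)
    if match is None:
        raise ValueError(f"unrecognised GKE version string: {version!r}")
    return match.group(1), (int(match.group(2)), int(match.group(3)))


def is_supported(version: str) -> bool:
    """True when the version satisfies the allowed-version rule."""
    major, minor = parse_version(version)
    if major not in MINIMUM_MINOR:
        return False
    floor = MINIMUM_MINOR[major]
    # Tuple comparison orders by patch first, then by gke build number.
    return floor is None or minor >= floor


def find_violations(clusters: Dict[str, str]) -> List[str]:
    """Names of clusters whose version is unsupported or unparseable."""
    violations = []
    for name, version in clusters.items():
        try:
            ok = is_supported(version)
        except ValueError:
            ok = False  # an unparseable version is treated as a violation
        if not ok:
            violations.append(name)
    return sorted(violations)


# Constructed sample inventory: cluster name -> reported master version.
SAMPLE_CLUSTERS = {
    "prod-a": "1.8.12-gke.1",    # exactly at the 1.8 floor
    "prod-b": "1.9.6-gke.1",     # below the 1.9 floor of 7-gke.1
    "dev": "1.10.2-gke.3",       # above the 1.10 floor of 2-gke.1
    "legacy": "1.7.15-gke.0",    # major version not in the allowed list
    "canary": "1.11.0-gke.1",    # any 1.11 minor is allowed
    "old-build": "1.8.12-gke.0", # same patch, older gke build than 12-gke.1
    "weird": "1.10",             # malformed version string
}

if __name__ == "__main__":
    for cluster in find_violations(SAMPLE_CLUSTERS):
        print(f"violation: {cluster} runs {SAMPLE_CLUSTERS[cluster]}")
```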
Service Account Key
- User-managed service account keys should not be older than the date and time you specify.