Remediating findings

This topic describes how to remediate findings in reports.

A report combines aggregate findings from Security Command Center and inventory data from Cloud Asset Inventory to give an aggregate view of risk across your organization. These reports are aligned with the CIS Google Cloud Computing Foundations Benchmark v1.0.0. For more information on this framework, see CIS Benchmarks.

As a best practice, start by remediating the findings that have the highest impact, as indicated in a Risk Manager report.

Before you begin

Create a report.

Remediating CIS Benchmark findings

Risk Manager has integrated with Security Command Center Premium tier to simplify the remediation process for CIS Benchmark findings. If you're a Security Command Center Standard tier customer, you can't use Security Command Center to inspect and remediate all individual CIS Benchmark findings on your Google Cloud resources. Upgrade to Premium tier to get full support. See Onboarding to Risk Manager for more information.

Remediating CIS Benchmark findings with Security Command Center Premium tier

To inspect and remediate individual findings using Security Command Center, follow these steps:

  1. In a report, click on a CIS Benchmark description. A page opens with a table of findings in Security Command Center that correspond to that CIS Benchmark.

  2. In the table, click on the category of the finding that you want to remediate. A pane opens with more information on that finding.

  3. Under Remediation, follow the instructions on how to remediate the finding.

Remediating CIS Benchmark findings without Security Command Center Premium tier

Instructions on how to remediate findings for CIS Benchmarks supported by Risk Manager can be found below:

Identity and Access Management
1.1 Ensure that corporate login credentials are used instead of Gmail accounts
1.2 Ensure that multi-factor authentication is enabled for all non-service accounts
1.3 Ensure that there are only GCP-managed service account keys for each service account
1.4 Ensure that Service Account has no Admin privileges
1.5 Ensure that IAM users are not assigned Service Account User role at project level
1.6 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
1.7 Ensure that Separation of duties is enforced while assigning service account related roles to users
1.8 Ensure Encryption keys are rotated within a period of 365 days
1.9 Ensure that Separation of duties is enforced while assigning KMS related roles to users
1.10 Ensure API keys are not created for a project
1.11 Ensure API keys are restricted to use by only specified Hosts and Apps
1.12 Ensure API keys are restricted to only APIs that application needs access
1.13 Ensure API keys are rotated every 90 days
Logging and Monitoring
2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
2.2 Ensure that sinks are configured for all Log entries
2.3 Ensure that object versioning is enabled on log-buckets
2.4 Ensure log metric filter and alerts exists for Project Ownership assignments/changes
2.5 Ensure log metric filter and alerts exists for Audit Configuration Changes
2.6 Ensure log metric filter and alerts exists for Custom Role changes
2.7 Ensure log metric filter and alerts exists for VPC Network Firewall rule changes
2.8 Ensure log metric filter and alerts exists for VPC network route changes
2.9 Ensure log metric filter and alerts exists for VPC network changes
2.10 Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes
2.11 Ensure log metric filter and alerts exists for SQL instance configuration changes
Networking
3.1 Ensure the default network does not exist in a project
3.2 Ensure legacy network does not exist for a project
3.3 Ensure that DNSSEC is enabled for Cloud DNS
3.4 Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC
3.5 Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC
3.6 Ensure that SSH access is restricted from the internet
3.7 Ensure that RDP access is restricted from the internet
3.8 Ensure Private Google Access is enabled for all subnetwork in VPC Network
3.9 Ensure VPC Flow logs is enabled for every subnet in VPC Network
Virtual Machines
4.1 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
4.2 Ensure 'Block Project - wide SSH keys' enabled for VM instances
4.3 Ensure oslogin is enabled for a Project
4.4 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
4.5 Ensure that IP forwarding is not enabled on Instances
4.6 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys
Storage
5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible
5.3 Ensure that logging is enabled for Cloud storage buckets
Cloud SQL Database Services
6.1 Ensure that Cloud SQL database instance requires all incoming connections to use SSL
6.2 Ensure that Cloud SQL database instances are not open to the world
6.3 Ensure that MySql database instance does not allow anyone to connect with administrative privileges
Kubernetes Engine
7.1 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
7.2 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
7.3 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
7.4 Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
7.6 Ensure Kubernetes web UI / Dashboard is disabled
7.7 Ensure 'Automatic node repair' is enabled for Kubernetes Clusters
7.8 Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
7.9 Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
7.11 Ensure Network policy is enabled on Kubernetes Engine Clusters
7.13 Ensure Kubernetes Cluster is created with Alias IP ranges enabled
7.14 Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
7.15 Ensure Kubernetes Cluster is created with Private cluster enabled
7.16 Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
7.17 Ensure default Service account is not used for Project access in Kubernetes Clusters
7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access

What's next?