本页面介绍了 Center for Internet Security (CIS) Google Cloud Computing Platform Benchmark v2.0.0 预定义状况模板 v1.0 版中包含的检测政策。这种预定义的状况可帮助您检测 Google Cloud 环境何时不符合 CIS 基准。
您可以部署此安全状况模板,而无需进行任何更改。
下表介绍了安全状况模板中包含的 Security Health Analytics 检测器。如需详细了解这些检测器,请参阅漏洞发现结果。
| 检测器名称 | 说明 |
|---|---|
ACCESS_TRANSPARENCY_DISABLED |
此检测器会检查 Access Transparency 是否已关闭。 |
ADMIN_SERVICE_ACCOUNT |
此检测器会检查服务帐号是具有管理员、所有者或编辑者权限。 |
ESSENTIAL_CONTACTS_NOT_CONFIGURED |
此检测器会检查您是否至少有一位重要联系人。 |
API_KEY_APIS_UNRESTRICTED |
此检测器会检查 API 密钥是否使用得过于频繁。 |
API_KEY_EXISTS |
此检测器会检查项目是否正在使用 API 密钥,而非标准身份验证。 |
API_KEY_NOT_ROTATED |
此检测器会检查过去 90 天内是否轮替过 API 密钥。 |
AUDIT_CONFIG_NOT_MONITORED |
此检测器会检查审核配置更改是否受到监控。 |
AUDIT_LOGGING_DISABLED |
此检测器会检查是否为资源关闭了审核日志记录功能。 |
AUTO_BACKUP_DISABLED |
此检测器会检查 Cloud SQL 数据库是否未启用自动备份。 |
BIGQUERY_TABLE_CMEK_DISABLED |
此检测器会检查 BigQuery 表是否未配置为使用客户管理的加密密钥 (CMEK)。如需了解详情,请参阅数据集漏洞发现结果。 |
BUCKET_IAM_NOT_MONITORED |
此检测器会检查 Cloud Storage 中 IAM 权限更改是否关闭了日志记录功能。 |
BUCKET_POLICY_ONLY_DISABLED |
此检测器会检查是否配置了统一存储桶级访问权限。 |
CLOUD_ASSET_API_DISABLED |
此检测器会检查 Cloud Asset Inventory 是否已停用。 |
COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED |
此检测器会检查是否正在使用项目范围的 SSH 密钥。 |
COMPUTE_SERIAL_PORTS_ENABLED |
此检测器会检查串行端口是否已启用。 |
CONFIDENTIAL_COMPUTING_DISABLED |
此检测器会检查机密计算是否已关闭。 |
CUSTOM_ROLE_NOT_MONITORED |
此检测器会检查是否针对自定义角色更改停用了日志记录功能。 |
DATAPROC_CMEK_DISABLED |
此检测器会检查是否已为 Dataproc 集群关闭 CMEK 支持。 |
DATASET_CMEK_DISABLED |
此检测器会检查 BigQuery 数据集是否关闭了 CMEK 支持。 |
DEFAULT_NETWORK |
此检测器会检查项目中是否存在默认网络。 |
DEFAULT_SERVICE_ACCOUNT_USED |
此检测器会检查是否正在使用默认服务帐号。 |
DISK_CSEK_DISABLED |
此检测器会检查是否为虚拟机停用了对客户提供的加密密钥 (CSEK) 支持功能。 |
DNS_LOGGING_DISABLED |
此检测器会检查 VPC 网络是否启用了 DNS 日志记录。 |
DNSSEC_DISABLED |
此检测器会检查是否已为 Cloud DNS 区域停用 DNSSEC。 |
FIREWALL_NOT_MONITORED |
此检测器会检查是否未将日志指标和提醒配置为监控 VPC 防火墙规则更改。 |
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED |
此检测器会检查 VPC 流日志是否未启用。 |
FULL_API_ACCESS |
此检测器会检查实例是否使用对所有 Google Cloud API 拥有完整访问权限的默认服务帐号。 |
INSTANCE_OS_LOGIN_DISABLED |
此检测器会检查 OS Login 是否未开启。 |
IP_FORWARDING_ENABLED |
此检测器会检查 IP 转发是否已开启。 |
KMS_KEY_NOT_ROTATED |
此检测器会检查是否未为 Cloud Key Management Service 加密开启轮替。 |
KMS_PROJECT_HAS_OWNER |
此检测器会检查用户是否对包含键的项目具有 Owner 权限。 |
KMS_PUBLIC_KEY |
此检测器会检查 Cloud Key Management Service 加密密钥是否可公开访问。如需了解详情,请参阅 KMS 漏洞发现结果。 |
KMS_ROLE_SEPARATION |
此检测器会检查 Cloud KMS 密钥的职责分离。 |
LEGACY_NETWORK |
此检测器会检查项目中是否存在旧版网络。 |
LOCKED_RETENTION_POLICY_NOT_SET |
此检测器会检查是否为日志设置了锁定的保留政策。 |
LOAD_BALANCER_LOGGING_DISABLED |
此检测器会检查负载均衡器是否已关闭日志记录功能。 |
LOG_NOT_EXPORTED |
此检测器会检查资源是否未配置日志接收器。 |
MFA_NOT_ENFORCED |
此检测器会检查用户是否未使用两步验证。 |
NETWORK_NOT_MONITORED |
此检测器会检查是否未将日志指标和提醒配置为监控 VPC 网络更改。 |
NON_ORG_IAM_MEMBER |
此检测器会检查用户是否未使用组织凭据。 |
OPEN_RDP_PORT |
此检测器会检查防火墙是否具有开放的 RDP 端口。 |
OPEN_SSH_PORT |
此检测器会检查防火墙是否具有允许一般访问的开放 SSH 端口。如需了解详情,请参阅防火墙漏洞发现结果。 |
OS_LOGIN_DISABLED |
此检测器会检查 OS Login 是否处于关闭状态。 |
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER |
此检测器会检查用户是否具有项目级的服务帐号角色,而不是特定服务帐号的角色。 |
OWNER_NOT_MONITORED |
此检测器会检查是否针对项目所有权分配和更改关闭了日志记录功能。 |
PUBLIC_BUCKET_ACL |
此检测器会检查存储桶是否可公开访问。 |
PUBLIC_DATASET |
此检测器会检查数据集是否已配置为允许公开访问。如需了解详情,请参阅数据集漏洞发现结果。 |
PUBLIC_IP_ADDRESS |
此检测器会检查实例是否具有外部 IP 地址。 |
PUBLIC_SQL_INSTANCE |
此检测器会检查 Cloud SQL 是否允许来自所有 IP 地址的连接。 |
ROUTE_NOT_MONITORED |
此检测器会检查是否未将日志指标和提醒配置为监控 VPC 网络路由更改。 |
RSASHA1_FOR_SIGNING |
此检测器会检查 RSASHA1 是否用于 Cloud DNS 区域中的密钥签名。 |
SERVICE_ACCOUNT_KEY_NOT_ROTATED |
此检测器会检查过去 90 天内是否轮替过服务帐号密钥。 |
SERVICE_ACCOUNT_ROLE_SEPARATION |
此检测器会检查服务帐号密钥的职责分离。 |
SHIELDED_VM_DISABLED |
此检测器会检查安全强化型虚拟机是否已关闭。 |
SQL_CONTAINED_DATABASE_AUTHENTICATION |
此检测器会检查 Cloud SQL for SQL Server 中的 |
SQL_CROSS_DB_OWNERSHIP_CHAINING |
此检测器会检查 Cloud SQL for SQL Server 中的 |
SQL_EXTERNAL_SCRIPTS_ENABLED |
此检测器会检查 Cloud SQL for SQL Server 中的 |
SQL_INSTANCE_NOT_MONITORED |
此检测器会检查是否针对 Cloud SQL 配置更改关闭了日志记录功能。 |
SQL_LOCAL_INFILE |
此检测器会检查 Cloud SQL for MySQL 中的 |
SQL_LOG_CONNECTIONS_DISABLED |
此检测器会检查 Cloud SQL for PostgreSQL 中的 |
SQL_LOG_DISCONNECTIONS_DISABLED |
此检测器会检查 Cloud SQL for PostgreSQL 中的 |
SQL_LOG_ERROR_VERBOSITY |
此检测器会检查 Cloud SQL for PostgreSQL 中的 |
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED |
此检测器会检查 Cloud SQL for PostgreSQL 中的 |
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY |
此检测器会检查 Cloud SQL for PostgreSQL 中的 |
SQL_LOG_MIN_MESSAGES |
此检测器会检查 Cloud SQL for PostgreSQL 中的 |
SQL_LOG_STATEMENT |
此检测器会检查 Cloud SQL for PostgreSQL Server 中的 |
SQL_NO_ROOT_PASSWORD |
此检测器会检查具有外部 IP 地址的 Cloud SQL 数据库是否没有根账号的密码。 |
SQL_PUBLIC_IP |
此检测器会检查 Cloud SQL 数据库是否具有外部 IP 地址。 |
SQL_REMOTE_ACCESS_ENABLED |
此检测器会检查 Cloud SQL for SQL Server 中的 |
SQL_SKIP_SHOW_DATABASE_DISABLED |
此检测器会检查 Cloud SQL for MySQL 中的 |
SQL_TRACE_FLAG_3625 |
此检测器会检查 Cloud SQL for SQL Server 中的 |
SQL_USER_CONNECTIONS_CONFIGURED |
此检测器会检查 Cloud SQL for SQL Server 中是否已配置 |
SQL_USER_OPTIONS_CONFIGURED |
此检测器会检查 Cloud SQL for SQL Server 中是否已配置 |
USER_MANAGED_SERVICE_ACCOUNT_KEY |
此检测器会检查用户是否管理服务帐号密钥。 |
WEAK_SSL_POLICY |
此检测器会检查实例是否具有弱 SSL 政策。 |
YAML 定义
以下是 CIS 2.0 的状态模板的 YAML 定义。
name: organizations/123/locations/global/postureTemplates/cis_2_0
description: Posture Template to make your workload secure and CIS 2.0 compliant
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: CIS_2_0 detective policy set
description: CIS_2_0 SHA modules that new customers can automatically enable.
policies:
- policy_id: Access transparency disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: ACCESS_TRANSPARENCY_DISABLED
- policy_id: Admin service account
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: ADMIN_SERVICE_ACCOUNT
- policy_id: Essential contacts not configured
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: ESSENTIAL_CONTACTS_NOT_CONFIGURED
- policy_id: API key APIs unrestricted
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: API_KEY_APIS_UNRESTRICTED
- policy_id: API key APPs unrestricted
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: API_KEY_APPS_UNRESTRICTED
- policy_id: API key exists
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: API_KEY_EXISTS
- policy_id: API key not rotated
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: API_KEY_NOT_ROTATED
- policy_id: Audit config not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: AUDIT_CONFIG_NOT_MONITORED
- policy_id: Audit logging disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: AUDIT_LOGGING_DISABLED
- policy_id: Auto backup disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: AUTO_BACKUP_DISABLED
- policy_id: BigQuery table CMEK disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: BIGQUERY_TABLE_CMEK_DISABLED
- policy_id: Bucket IAM not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: BUCKET_IAM_NOT_MONITORED
- policy_id: Bucket policy only disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: BUCKET_POLICY_ONLY_DISABLED
- policy_id: Cloud asset API disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: CLOUD_ASSET_API_DISABLED
- policy_id: Compute project wide SSH keys allowed
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED
- policy_id: Compute serial port enabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: COMPUTE_SERIAL_PORTS_ENABLED
- policy_id: Confidential computing disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: CONFIDENTIAL_COMPUTING_DISABLED
- policy_id: Custom role not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: CUSTOM_ROLE_NOT_MONITORED
- policy_id: Dataproc CMEK disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: DATAPROC_CMEK_DISABLED
- policy_id: Dataset CMEK disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: DATASET_CMEK_DISABLED
- policy_id: Default network
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: DEFAULT_NETWORK
- policy_id: Default service account used
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: DEFAULT_SERVICE_ACCOUNT_USED
- policy_id: Disk CSEK disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: DISK_CSEK_DISABLED
- policy_id: DNS logging disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: DNS_LOGGING_DISABLED
- policy_id: DNSSEC disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: DNSSEC_DISABLED
- policy_id: Firewall not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: FIREWALL_NOT_MONITORED
- policy_id: VPC flow logs settings not recommended
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
- policy_id: Full API access
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: FULL_API_ACCESS
- policy_id: Instance OS login disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: INSTANCE_OS_LOGIN_DISABLED
- policy_id: IP forwarding enabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: IP_FORWARDING_ENABLED
- policy_id: KMS key not rotated
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: KMS_KEY_NOT_ROTATED
- policy_id: KMS project has owner
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: KMS_PROJECT_HAS_OWNER
- policy_id: KMS public key
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: KMS_PUBLIC_KEY
- policy_id: KMS role separation
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: KMS_ROLE_SEPARATION
- policy_id: Legacy network
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: LEGACY_NETWORK
- policy_id: Locked retention policy not set
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: LOCKED_RETENTION_POLICY_NOT_SET
- policy_id: Load balancer logging disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: LOAD_BALANCER_LOGGING_DISABLED
- policy_id: Log not exported
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: LOG_NOT_EXPORTED
- policy_id: MFA not enforced
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: MFA_NOT_ENFORCED
- policy_id: Network not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: NETWORK_NOT_MONITORED
- policy_id: Non org IAM member
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: NON_ORG_IAM_MEMBER
- policy_id: Open RDP port
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: OPEN_RDP_PORT
- policy_id: Open SSH port
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: OPEN_SSH_PORT
- policy_id: OS login disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: OS_LOGIN_DISABLED
- policy_id: Over privileged service account user
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
- policy_id: Owner not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: OWNER_NOT_MONITORED
- policy_id: Public bucket ACL
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: PUBLIC_BUCKET_ACL
- policy_id: Public dataset
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: PUBLIC_DATASET
- policy_id: Public IP address
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: PUBLIC_IP_ADDRESS
- policy_id: Public SQL instance
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: PUBLIC_SQL_INSTANCE
- policy_id: Route not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: ROUTE_NOT_MONITORED
- policy_id: RSASHA1 for signing
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: RSASHA1_FOR_SIGNING
- policy_id: Service account key not rotated
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SERVICE_ACCOUNT_KEY_NOT_ROTATED
- policy_id: Service account role separation
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SERVICE_ACCOUNT_ROLE_SEPARATION
- policy_id: Shielded VM disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SHIELDED_VM_DISABLED
- policy_id: SQL contained database authentication
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_CONTAINED_DATABASE_AUTHENTICATION
- policy_id: SQL cross DB ownership chaining
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_CROSS_DB_OWNERSHIP_CHAINING
- policy_id: SQL external scripts enabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_EXTERNAL_SCRIPTS_ENABLED
- policy_id: SQL instnance not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_INSTANCE_NOT_MONITORED
- policy_id: SQL local infile
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_LOCAL_INFILE
- policy_id: SQL log connections disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_LOG_CONNECTIONS_DISABLED
- policy_id: SQL log disconnections disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_LOG_DISCONNECTIONS_DISABLED
- policy_id: SQL log error verbosity
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_LOG_ERROR_VERBOSITY
- policy_id: SQL log min duration statement enabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
- policy_id: SQL log min error statement severity
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
- policy_id: SQL log min messages
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_LOG_MIN_MESSAGES
- policy_id: SQL log statement
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_LOG_STATEMENT
- policy_id: SQL no root password
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_NO_ROOT_PASSWORD
- policy_id: SQL public IP
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_PUBLIC_IP
- policy_id: SQL remote access enabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_REMOTE_ACCESS_ENABLED
- policy_id: SQL skip show database disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_SKIP_SHOW_DATABASE_DISABLED
- policy_id: SQL trace flag 3625
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_TRACE_FLAG_3625
- policy_id: SQL user connection configured
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_USER_CONNECTIONS_CONFIGURED
- policy_id: SQL user options configured
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: SQL_USER_OPTIONS_CONFIGURED
- policy_id: User managed service account key
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: USER_MANAGED_SERVICE_ACCOUNT_KEY
- policy_id: Weak SSL policy
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: WEAK_SSL_POLICY