Predefined posture for secure by default, extended

This page describes the preventative policies that are included in the v1.0 version of the predefined posture for secure by default, extended. This predefined posture helps prevent common misconfigurations and common security issues caused by default settings.

You can use this predefined posture to configure a security posture that helps protect Google Cloud resources. If you want to deploy this predefined posture, you must customize some of the policies so that they apply to your environment.

Policy Description Compliance standards
iam.disableServiceAccountKeyCreation

This constraint prevents users from creating persistent keys for service accounts to decrease the risk of exposed service account credentials.

The value is true to disable service account key creation.

NIST SP 800-53 control: AC-2
iam.automaticIamGrantsForDefaultServiceAccounts

This constraint prevents default service accounts from receiving the overly-permissive Identity and Access Management (IAM) role Editor at creation.

The value is false to disable automatic IAM grants for default service accounts.

NIST SP 800-53 control: AC-3
iam.disableServiceAccountKeyUpload

This constraint avoids the risk of leaked and reused custom key material in service account keys.

The value is true to disable service account key uploads.

NIST SP 800-53 control: AC-6
storage.publicAccessPrevention

This policy prevents Cloud Storage buckets from being open to unauthenticated public access.

The value is true to prevent public access to buckets.

NIST SP 800-53 control: AC-3 and AC-6
iam.allowedPolicyMemberDomains

This policy limits IAM policies to only allow managed user identities in selected domains to access resources inside this organization.

The value is directoryCustomerId to restrict sharing between domains.

NIST SP 800-53 control: AC-3, AC-6, and IA-2
essentialcontacts.allowedContactDomains

This policy limits Essential Contacts to only allow managed user identities in selected domains to receive platform notifications.

The value is @google.com. You must change the value to match your domain.

NIST SP 800-53 control: AC-3, AC-6, and IA-2
storage.uniformBucketLevelAccess

This policy prevents Cloud Storage buckets from using per-object ACL (a separate system from IAM policies) to provide access, enforcing consistency for access management and auditing.

The value is true to enforce uniform bucket-level access.

NIST SP 800-53 control: AC-3 and AC-6
compute.requireOsLogin

This policy requires OS Login on newly created VMs to more easily manage SSH keys, provide resource-level permission with IAM policies, and log user access.

The value is true to require OS Login.

NIST SP 800-53 control: AC-3 and AU-12
compute.disableSerialPortAccess

This policy prevents users from accessing the VM serial port which can be used for backdoor access from the Compute Engine API control plane.

The value is true to disable VM serial port access.

NIST SP 800-53 control: AC-3 and AC-6
compute.restrictXpnProjectLienRemoval

This policy prevents the accidental deletion of Shared VPC host projects by restricting the removal of project liens.

The value is true to restrict Shared VPC project lien removal.

NIST SP 800-53 control: AC-3 and AC-6
compute.vmExternalIpAccess

This policy prevents the creation of Compute Engine instances with a public IP address, which can expose them to incoming internet traffic and outgoing internet traffic.

The value is denyAll to turn off all access from public IP addresses.

NIST SP 800-53 control: AC-3 and AC-6
compute.skipDefaultNetworkCreation

This policy disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created.

The value is true to avoid creating the default VPC network.

NIST SP 800-53 control: AC-3 and AC-6
compute.setNewProjectDefaultToZonalDNSOnly

This policy restricts application developers from choosing legacy DNS settings for Compute Engine instances that have lower service reliability than modern DNS settings.

The value is Zonal DNS only for new projects.

NIST SP 800-53 control: AC-3 and AC-6
sql.restrictPublicIp

This policy prevents the creation of Cloud SQL instances with public IP addresses, which can expose them to incoming internet traffic and outgoing internet traffic.

The value is true to restrict access to Cloud SQL instances by public IP addresses.

NIST SP 800-53 control: AC-3 and AC-6
sql.restrictAuthorizedNetworks

This policy prevents public or non-RFC 1918 network ranges from accessing Cloud SQL databases.

The value is true to restrict authorized networks on Cloud SQL instances.

NIST SP 800-53 control: AC-3 and AC-6
compute.restrictProtocolForwardingCreationForTypes

This policy allows VM protocol forwarding for internal IP addresses only.

The value is INTERNAL to restrict protocol forwarding based on the type of IP address.

NIST SP 800-53 control: AC-3 and AC-6
compute.disableVpcExternalIpv6

This policy prevents the creation of external IPv6 subnets, which can be exposed to incoming and outgoing internet traffic.

The value is true to disable external IPv6 subnets.

NIST SP 800-53 control: AC-3 and AC-6
compute.disableNestedVirtualization

This policy disables nested virtualization to decrease security risk due to unmonitored nested instances.

The value is true to turn off VM nested virtualization.

NIST SP 800-53 control: AC-3 and AC-6

View the posture template

To view the posture template for secure by default, extended, do the following:

gcloud

Before using any of the command data below, make the following replacements:

  • ORGANIZATION_ID: the numeric ID of the organization

Execute the gcloud scc posture-templates describe command:

Linux, macOS, or Cloud Shell

gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/secure_by_default_extended

Windows (PowerShell)

gcloud scc posture-templates describe `
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/secure_by_default_extended

Windows (cmd.exe)

gcloud scc posture-templates describe ^
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/secure_by_default_extended

The response contains the posture template.

REST

Before using any of the request data, make the following replacements:

  • ORGANIZATION_ID: the numeric ID of the organization

HTTP method and URL:

GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/secure_by_default_extended

To send your request, expand one of these options:

The response contains the posture template.

What's next