This page describes the detective policies that are included in the v1.0 version of the predefined posture template for the National Institute of Standards and Technology (NIST) SP 800-53 standard. This template includes a policy set that defines the Security Health Analytics detectors that apply to workloads that must be compliant with the NIST SP 800-53 standard.
You can deploy this posture template without making any changes.
Security Health Analytics detectors
The following table describes the Security Health Analytics detectors that are included in this posture template.
| Detector name | Description |
|---|---|
| BIGQUERY_TABLE_CMEK_DISABLED | This detector checks whether a BigQuery table isn't configured to use a customer-managed encryption key (CMEK). For more information, see Dataset vulnerability findings. |
| PUBLIC_DATASET | This detector checks whether a dataset is configured to be open to public access. For more information, see Dataset vulnerability findings. |
| SQL_CROSS_DB_OWNERSHIP_CHAINING | This detector checks whether the |
| INSTANCE_OS_LOGIN_DISABLED | This detector checks whether OS Login is not turned on. |
| SQL_SKIP_SHOW_DATABASE_DISABLED | This detector checks whether the |
| SQL_EXTERNAL_SCRIPTS_ENABLED | This detector checks whether the |
| VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED | This detector checks whether VPC Flow Logs is not turned on. |
| API_KEY_EXISTS | This detector checks whether a project is using API keys instead of standard authentication. |
| SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY | This detector checks whether the |
| COMPUTE_SERIAL_PORTS_ENABLED | This detector checks whether serial ports are enabled. |
| SQL_LOG_DISCONNECTIONS_DISABLED | This detector checks whether the |
| COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED | This detector checks whether project-wide SSH keys are being used. |
| KMS_PROJECT_HAS_OWNER | This detector checks whether a user has the Owner permission on a project that includes keys. |
| KMS_KEY_NOT_ROTATED | This detector checks whether rotation is not turned on for Cloud Key Management Service encryption keys. |
| ESSENTIAL_CONTACTS_NOT_CONFIGURED | This detector checks whether you have at least one Essential Contact. |
| AUDIT_LOGGING_DISABLED | This detector checks whether audit logging is turned off for a resource. |
| LOCKED_RETENTION_POLICY_NOT_SET | This detector checks whether the locked retention policy is set for logs. |
| DNS_LOGGING_DISABLED | This detector checks whether DNS logging is enabled on the VPC network. |
| LOG_NOT_EXPORTED | This detector checks whether a resource doesn't have a log sink configured. |
| KMS_ROLE_SEPARATION | This detector checks for separation of duties for Cloud KMS keys. |
| DISK_CSEK_DISABLED | This detector checks whether customer-supplied encryption key (CSEK) support is turned off for a VM. |
| SQL_USER_CONNECTIONS_CONFIGURED | This detector checks whether the |
| API_KEY_APIS_UNRESTRICTED | This detector checks whether API keys are being used too broadly. |
| SQL_LOG_MIN_MESSAGES | This detector checks whether the |
| SQL_LOCAL_INFILE | This detector checks whether the |
| SQL_LOG_MIN_DURATION_STATEMENT_ENABLED | This detector checks whether the |
| DATASET_CMEK_DISABLED | This detector checks whether CMEK support is turned off for a BigQuery dataset. |
| OPEN_SSH_PORT | This detector checks whether a firewall has an open SSH port that allows generic access. For more information, see Firewall vulnerability findings. |
| FIREWALL_NOT_MONITORED | This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes. |
| SQL_LOG_STATEMENT | This detector checks whether the |
| SQL_PUBLIC_IP | This detector checks whether a Cloud SQL database has an external IP address. |
| IP_FORWARDING_ENABLED | This detector checks whether IP forwarding is turned on. |
| DATAPROC_CMEK_DISABLED | This detector checks whether CMEK support is turned off for a Dataproc cluster. |
| CONFIDENTIAL_COMPUTING_DISABLED | This detector checks whether Confidential Computing is turned off. |
| KMS_PUBLIC_KEY | This detector checks whether a Cloud Key Management Service cryptographic key is publicly accessible. For more information, see KMS vulnerability findings. |
| SQL_INSTANCE_NOT_MONITORED | This detector checks whether logging is turned off for Cloud SQL configuration changes. |
| SQL_TRACE_FLAG_3625 | This detector checks whether the |
| DEFAULT_NETWORK | This detector checks whether the default network exists in a project. |
| DNSSEC_DISABLED | This detector checks whether DNS security (DNSSEC) is turned off for Cloud DNS. For more information, see DNS vulnerability findings. |
| API_KEY_NOT_ROTATED | This detector checks whether an API key has been rotated within the last 90 days. |
| SQL_LOG_CONNECTIONS_DISABLED | This detector checks whether the |
| LEGACY_NETWORK | This detector checks whether a legacy network exists in a project. |
| IAM_ROOT_ACCESS_KEY_CHECK | This detector checks whether an IAM root access key is accessible. |
| PUBLIC_IP_ADDRESS | This detector checks whether an instance has an external IP address. |
| OPEN_RDP_PORT | This detector checks whether a firewall has an open RDP port. |
| INSTANCE_OS_LOGIN_DISABLED | This detector checks whether OS Login is not turned on. |
| ADMIN_SERVICE_ACCOUNT | This detector checks whether a service account has Admin, Owner, or Editor privileges. |
| SQL_USER_OPTIONS_CONFIGURED | This detector checks whether the |
| FULL_API_ACCESS | This detector checks whether an instance is using a default service account with full access to all Google Cloud APIs. |
| DEFAULT_SERVICE_ACCOUNT_USED | This detector checks whether the default service account is being used. |
| NETWORK_NOT_MONITORED | This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes. |
| SQL_CONTAINED_DATABASE_AUTHENTICATION | This detector checks whether the |
| PUBLIC_BUCKET_ACL | This detector checks whether a bucket is publicly accessible. |
| LOAD_BALANCER_LOGGING_DISABLED | This detector checks whether logging is turned off for the load balancer. |
| OVER_PRIVILEGED_SERVICE_ACCOUNT_USER | This detector checks whether a user has service account roles at the project level, instead of for a specific service account. |
| SQL_REMOTE_ACCESS_ENABLED | This detector checks whether the |
| CUSTOM_ROLE_NOT_MONITORED | This detector checks whether logging is turned off for custom role changes. |
| AUTO_BACKUP_DISABLED | This detector checks whether a Cloud SQL database doesn't have automatic backups turned on. |
| RSASHA1_FOR_SIGNING | This detector checks whether RSASHA1 is used for key signing in Cloud DNS zones. |
| CLOUD_ASSET_API_DISABLED | This detector checks whether Cloud Asset Inventory is turned off. |
| SQL_LOG_ERROR_VERBOSITY | This detector checks whether the |
| ROUTE_NOT_MONITORED | This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes. |
| BUCKET_POLICY_ONLY_DISABLED | This detector checks whether uniform bucket-level access is configured. |
| BUCKET_IAM_NOT_MONITORED | This detector checks whether logging is turned off for IAM permission changes in Cloud Storage. |
| PUBLIC_SQL_INSTANCE | This detector checks whether a Cloud SQL instance allows connections from all IP addresses. |
| SERVICE_ACCOUNT_ROLE_SEPARATION | This detector checks for separation of duties for service account keys. |
| AUDIT_CONFIG_NOT_MONITORED | This detector checks whether audit configuration changes are being monitored. |
| OWNER_NOT_MONITORED | This detector checks whether logging is turned off for project ownership assignments and changes. |
YAML definition
The following is the YAML definition for the posture template for NIST 800-53.
```yaml
name: organizations/123/locations/global/postureTemplates/nist_800_53
description: Posture Template to make your workload NIST800-53 compliant.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: NIST800-53 detective policy set
  description: 68 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: BigQuery table CMEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BIGQUERY_TABLE_CMEK_DISABLED
  - policy_id: Public dataset
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_DATASET
  - policy_id: SQl cross db ownership
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_CROSS_DB_OWNERSHIP_CHAINING
  - policy_id: Instance OS login disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: INSTANCE_OS_LOGIN_DISABLED
  - policy_id: SQL skip show database disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_SKIP_SHOW_DATABASE_DISABLED
  - policy_id: SQL external scripts enabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_EXTERNAL_SCRIPTS_ENABLED
  - policy_id: VPC flow logs settings not recommended
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
  - policy_id: API key exists
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: API_KEY_EXISTS
  - policy_id: SQL log min error statement severity
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
  - policy_id: Compute serial ports enabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: COMPUTE_SERIAL_PORTS_ENABLED
  - policy_id: SQL log disconnections disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_LOG_DISCONNECTIONS_DISABLED
  - policy_id: Compute project wide SHH keys allowed
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED
  - policy_id: KMS project has owner
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: KMS_PROJECT_HAS_OWNER
  - policy_id: KMS key not rotated
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: KMS_KEY_NOT_ROTATED
  - policy_id: Essential contacts not configured
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ESSENTIAL_CONTACTS_NOT_CONFIGURED
  - policy_id: Audit logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: AUDIT_LOGGING_DISABLED
  - policy_id: Locked retention policy not set
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LOCKED_RETENTION_POLICY_NOT_SET
  - policy_id: DNS logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DNS_LOGGING_DISABLED
  - policy_id: Log not exported
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LOG_NOT_EXPORTED
  - policy_id: KMS role separation
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: KMS_ROLE_SEPARATION
  - policy_id: Disk CSEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DISK_CSEK_DISABLED
  - policy_id: SQL user connections configured
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_USER_CONNECTIONS_CONFIGURED
  - policy_id: API key APIs unrestricted
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: API_KEY_APIS_UNRESTRICTED
  - policy_id: SQL log min messages
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_LOG_MIN_MESSAGES
  - policy_id: SQL log infile
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_LOCAL_INFILE
  - policy_id: SQL log min duration statement enabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
  - policy_id: Dataset CMEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DATASET_CMEK_DISABLED
  - policy_id: Open SSH port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_SSH_PORT
  - policy_id: Firewall not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FIREWALL_NOT_MONITORED
  - policy_id: SQL log statement
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_LOG_STATEMENT
  - policy_id: SQL public IP
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_PUBLIC_IP
  - policy_id: IP forwarding enabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: IP_FORWARDING_ENABLED
  - policy_id: Dataproc CMEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DATAPROC_CMEK_DISABLED
  - policy_id: Confidential computing disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: CONFIDENTIAL_COMPUTING_DISABLED
  - policy_id: KMS public key
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: KMS_PUBLIC_KEY
  - policy_id: SQL instance not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_INSTANCE_NOT_MONITORED
  - policy_id: SQL trace flag 3625
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_TRACE_FLAG_3625
  - policy_id: Default network
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DEFAULT_NETWORK
  - policy_id: DNSSEC disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DNSSEC_DISABLED
  - policy_id: API key not rotated
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: API_KEY_NOT_ROTATED
  - policy_id: SQL log connections disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_LOG_CONNECTIONS_DISABLED
  - policy_id: Legacy network
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LEGACY_NETWORK
  - policy_id: IAM root access key check
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: IAM_ROOT_ACCESS_KEY_CHECK
  - policy_id: Public IP address
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_IP_ADDRESS
  - policy_id: Open RDP port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_RDP_PORT
  - policy_id: OS login disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OS_LOGIN_DISABLED
  - policy_id: Admin service account
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ADMIN_SERVICE_ACCOUNT
  - policy_id: SQL user options configured
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_USER_OPTIONS_CONFIGURED
  - policy_id: Full API access
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FULL_API_ACCESS
  - policy_id: Default service account used
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DEFAULT_SERVICE_ACCOUNT_USED
  - policy_id: Network not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: NETWORK_NOT_MONITORED
  - policy_id: SQL contained database authentication
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_CONTAINED_DATABASE_AUTHENTICATION
  - policy_id: Public bucket ACL
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_BUCKET_ACL
  - policy_id: Load balancer logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LOAD_BALANCER_LOGGING_DISABLED
  - policy_id: Over privileged service account user
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
  - policy_id: SQL remote access enabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_REMOTE_ACCESS_ENABLED
  - policy_id: Custom role not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: CUSTOM_ROLE_NOT_MONITORED
  - policy_id: Auto backup disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: AUTO_BACKUP_DISABLED
  - policy_id: RSASHA1 for signing
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: RSASHA1_FOR_SIGNING
  - policy_id: Cloud asset API disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: CLOUD_ASSET_API_DISABLED
  - policy_id: SQL log error verbosity
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_LOG_ERROR_VERBOSITY
  - policy_id: Route not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ROUTE_NOT_MONITORED
  - policy_id: Bucket policy only disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_POLICY_ONLY_DISABLED
  - policy_id: Bucket IAM not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_IAM_NOT_MONITORED
  - policy_id: Publc SQL instance
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_SQL_INSTANCE
  - policy_id: Service account role separation
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SERVICE_ACCOUNT_ROLE_SEPARATION
  - policy_id: Audit config not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: AUDIT_CONFIG_NOT_MONITORED
  - policy_id: Owner not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OWNER_NOT_MONITORED
```
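The following Python, an added example that is not code from this page or from Security Command Center, audits a posture template in the shape shown above before it is deployed: it confirms the policy count matches the count the policy set description declares, that every `moduleName` is a documented detector and every documented detector is present, and that no module is duplicated or left in a state other than `ENABLED`. It assumes the template has been rendered as JSON (the REST form of the same structure) and uses a constructed four-policy sample together with a constructed subset of the table's detector names.

```python
"""Added example (not code from this page or from Security Command Center):
cross-check a posture template against the detectors the table documents."""
import json
import re


def sha_policy(policy_id, module, state="ENABLED"):
    """Build one policy in the shape of the page's YAML entries (constructed)."""
    return {"policy_id": policy_id, "constraint": {"securityHealthAnalyticsModule": {
        "moduleEnablementState": state, "moduleName": module}}}


# Constructed: four of the 68 detector names from the table above.
DOCUMENTED_MODULES = {"BIGQUERY_TABLE_CMEK_DISABLED", "PUBLIC_DATASET",
                      "INSTANCE_OS_LOGIN_DISABLED", "OPEN_SSH_PORT"}

# Constructed sample in the REST (JSON) form of the page's YAML, with two
# deliberate defects: a module name the table does not document
# (OS_LOGIN_DISABLED) and a module that is present but not ENABLED.
SAMPLE_TEMPLATE = json.dumps({
    "name": "organizations/123/locations/global/postureTemplates/nist_800_53",
    "revision_id": "v.1.0",
    "policy_sets": [{
        "policy_set_id": "NIST800-53 detective policy set",
        "description": "4 SHA modules that new customers can automatically enable.",
        "policies": [
            sha_policy("BigQuery table CMEK disabled", "BIGQUERY_TABLE_CMEK_DISABLED"),
            sha_policy("Public dataset", "PUBLIC_DATASET", state="DISABLED"),
            sha_policy("OS login disabled", "OS_LOGIN_DISABLED"),
            sha_policy("Open SSH port", "OPEN_SSH_PORT"),
        ],
    }],
})


def audit_template(template_json, documented):
    """Return the pre-deployment checks: policy count vs the declared count,
    undocumented and omitted module names, duplicates, non-ENABLED modules."""
    template = json.loads(template_json)
    names, not_enabled, declared = [], [], 0
    for policy_set in template.get("policy_sets", []):
        match = re.match(r"(\d+) SHA modules", policy_set.get("description", ""))
        declared += int(match.group(1)) if match else 0
        for policy in policy_set.get("policies", []):
            module = policy["constraint"]["securityHealthAnalyticsModule"]
            names.append(module["moduleName"])
            if module["moduleEnablementState"] != "ENABLED":
                not_enabled.append(module["moduleName"])
    return {
        "policy_count": len(names),
        "declared_count": declared,
        "unknown_modules": sorted(set(names) - documented),
        "missing_modules": sorted(documented - set(names)),
        "duplicate_modules": sorted({n for n in names if names.count(n) > 1}),
        "not_enabled": not_enabled,
    }
```

Run against the full template and table on this page, the same check surfaces a mismatch visible above: the table documents INSTANCE_OS_LOGIN_DISABLED (listed twice), while the YAML also references OS_LOGIN_DISABLED, which the table does not describe.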