Predefined posture template for PCI DSS v3.2.1 and v1.0

This page describes the detective policies that are included in version 1.0 (v1.0) of the predefined posture template for the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1. This template includes a policy set that defines the Security Health Analytics detectors that apply to workloads that must comply with the PCI DSS standard.

You can deploy this posture template without making any changes.

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in this posture template.

Detector name Description
PUBLIC_DATASET

This detector checks whether a dataset is configured to be open to public access. For more information, see Dataset vulnerability findings.

NON_ORG_IAM_MEMBER

This detector checks whether a user isn't using organization credentials.

KMS_PROJECT_HAS_OWNER

This detector checks whether a user has the Owner permission on a project that includes keys.

AUDIT_LOGGING_DISABLED

This detector checks whether audit logging is turned off for a resource.

SSL_NOT_ENFORCED

This detector checks whether a Cloud SQL database instance doesn't use SSL for all incoming connections. For more information, see SQL vulnerability findings.

LOCKED_RETENTION_POLICY_NOT_SET

This detector checks whether the locked retention policy is set for logs.

KMS_KEY_NOT_ROTATED

This detector checks whether rotation is not turned on for a Cloud Key Management Service encryption key.

OPEN_SMTP_PORT

This detector checks whether a firewall has an open SMTP port that allows generic access. For more information, see Firewall vulnerability findings.

SQL_NO_ROOT_PASSWORD

This detector checks whether a Cloud SQL database with a public IP address doesn't have a password for the root account.

OPEN_LDAP_PORT

This detector checks whether a firewall has an open LDAP port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_ORACLEDB_PORT

This detector checks whether a firewall has an open Oracle database port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_SSH_PORT

This detector checks whether a firewall has an open SSH port that allows generic access. For more information, see Firewall vulnerability findings.

MFA_NOT_ENFORCED

This detector checks whether a user isn't using 2-step verification.

COS_NOT_USED

This detector checks whether Compute Engine VMs aren't using the Container-Optimized OS. For more information, see Container vulnerability findings.

HTTP_LOAD_BALANCER

This detector checks whether a Compute Engine instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. For more information, see Compute instance vulnerability findings.

EGRESS_DENY_RULE_NOT_SET

This detector checks whether an egress deny rule is not set on a firewall. For more information, see Firewall vulnerability findings.

PUBLIC_LOG_BUCKET

This detector checks whether a bucket with a log sink is publicly accessible.

OPEN_DIRECTORY_SERVICES_PORT

This detector checks whether a firewall has an open DIRECTORY_SERVICES port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_MYSQL_PORT

This detector checks whether a firewall has an open MySQL port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_FTP_PORT

This detector checks whether a firewall has an open FTP port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_FIREWALL

This detector checks whether a firewall is open to public access. For more information, see Firewall vulnerability findings.

WEAK_SSL_POLICY

This detector checks whether an instance has a weak SSL policy.

OPEN_POP3_PORT

This detector checks whether a firewall has an open POP3 port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_NETBIOS_PORT

This detector checks whether a firewall has an open NETBIOS port that allows generic access. For more information, see Firewall vulnerability findings.

FLOW_LOGS_DISABLED

This detector checks whether flow logs are enabled on the VPC subnetwork.

OPEN_MONGODB_PORT

This detector checks whether a firewall has an open Mongo database port that allows generic access. For more information, see Firewall vulnerability findings.

MASTER_AUTHORIZED_NETWORKS_DISABLED

This detector checks whether Control Plane Authorized Networks is not enabled on GKE clusters. For more information, see Container vulnerability findings.

OPEN_REDIS_PORT

This detector checks whether a firewall has an open REDIS port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_DNS_PORT

This detector checks whether a firewall has an open DNS port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_TELNET_PORT

This detector checks whether a firewall has an open TELNET port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_HTTP_PORT

This detector checks whether a firewall has an open HTTP port that allows generic access. For more information, see Firewall vulnerability findings.

CLUSTER_LOGGING_DISABLED

This detector checks whether logging isn't enabled for a GKE cluster. For more information, see Container vulnerability findings.

FULL_API_ACCESS

This detector checks whether an instance is using a default service account with full access to all Google Cloud APIs.

OBJECT_VERSIONING_DISABLED

This detector checks whether object versioning is enabled on storage buckets with sinks.

PUBLIC_IP_ADDRESS

This detector checks whether an instance has a public IP address.

AUTO_UPGRADE_DISABLED

This detector checks whether a GKE cluster's auto upgrade feature is disabled. For more information, see Container vulnerability findings.

LEGACY_AUTHORIZATION_ENABLED

This detector checks whether Legacy Authorization is enabled on GKE clusters. For more information, see Container vulnerability findings.

CLUSTER_MONITORING_DISABLED

This detector checks whether monitoring is disabled on GKE clusters. For more information, see Container vulnerability findings.

OPEN_CISCOSECURE_WEBSM_PORT

This detector checks whether a firewall has an open CISCOSECURE_WEBSM port that allows generic access. For more information, see Firewall vulnerability findings.

OPEN_RDP_PORT

This detector checks whether a firewall has an open RDP port that allows generic access. For more information, see Firewall vulnerability findings.

WEB_UI_ENABLED

This detector checks whether the GKE web UI is enabled. For more information, see Container vulnerability findings.

FIREWALL_RULE_LOGGING_DISABLED

This detector checks whether firewall rule logging is disabled. For more information, see Firewall vulnerability findings.

OVER_PRIVILEGED_SERVICE_ACCOUNT_USER

This detector checks whether a user has service account roles at the project level, instead of for a specific service account.

PRIVATE_CLUSTER_DISABLED

This detector checks whether a GKE cluster has private cluster disabled. For more information, see Container vulnerability findings.

PRIMITIVE_ROLES_USED

This detector checks whether a user has a basic role (Owner, Editor, or Viewer). For more information, see IAM vulnerability findings.

REDIS_ROLE_USED_ON_ORG

This detector checks whether a Redis IAM role is assigned to an organization or folder. For more information, see IAM vulnerability findings.

PUBLIC_BUCKET_ACL

This detector checks whether a bucket is publicly accessible.

OPEN_MEMCACHED_PORT

This detector checks whether a firewall has an open MEMCACHED port that allows generic access. For more information, see Firewall vulnerability findings.

OVER_PRIVILEGED_ACCOUNT

This detector checks whether a service account has overly broad project access in a cluster. For more information, see Container vulnerability findings.

AUTO_REPAIR_DISABLED

This detector checks whether a GKE cluster's auto repair feature is disabled. For more information, see Container vulnerability findings.

NETWORK_POLICY_DISABLED

This detector checks whether the network policy is disabled on a cluster. For more information, see Container vulnerability findings.

CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED

This detector checks whether cluster hosts aren't configured to use only private, internal IP addresses to access Google APIs. For more information, see Container vulnerability findings.

OPEN_CASSANDRA_PORT

This detector checks whether a firewall has an open Cassandra port that allows generic access. For more information, see Firewall vulnerability findings.

TOO_MANY_KMS_USERS

This detector checks whether there are more than three users of cryptographic keys. For more information, see KMS vulnerability findings.

OPEN_POSTGRESQL_PORT

This detector checks whether a firewall has an open PostgreSQL port that allows generic access. For more information, see Firewall vulnerability findings.

IP_ALIAS_DISABLED

This detector checks whether a GKE cluster was created with the alias IP address range disabled. For more information, see Container vulnerability findings.

PUBLIC_SQL_INSTANCE

This detector checks whether a Cloud SQL instance allows connections from all IP addresses.

OPEN_ELASTICSEARCH_PORT

This detector checks whether a firewall has an open Elasticsearch port that allows generic access. For more information, see Firewall vulnerability findings.

YAML definition

The following is the YAML definition for the posture template for PCI DSS.

name: organizations/123/locations/global/postureTemplates/pci_dss_v_3_2_1
description: Posture Template to make your workload PCI-DSS v3.2.1 compliant.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: PCI-DSS v3.2.1 detective policy set
  description: 58 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Public dataset
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_DATASET
  - policy_id: Non org IAM member
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: NON_ORG_IAM_MEMBER
  - policy_id: KMS project has owner
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: KMS_PROJECT_HAS_OWNER
  - policy_id: Audit logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: AUDIT_LOGGING_DISABLED
  - policy_id: SSL not enforced
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SSL_NOT_ENFORCED
  - policy_id: Locked retention policy not set
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LOCKED_RETENTION_POLICY_NOT_SET
  - policy_id: KMS key not rotated
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: KMS_KEY_NOT_ROTATED
  - policy_id: Open SMTP port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_SMTP_PORT
  - policy_id: SQL no root password
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: SQL_NO_ROOT_PASSWORD
  - policy_id: Open LDAP port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_LDAP_PORT
  - policy_id: Open oracle db port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_ORACLEDB_PORT
  - policy_id: Open SSH port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_SSH_PORT
  - policy_id: MFA not enforced
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: MFA_NOT_ENFORCED
  - policy_id: COS not used
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: COS_NOT_USED
  - policy_id: HTTP load balancer
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: HTTP_LOAD_BALANCER
  - policy_id: Egress deny rule not set
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: EGRESS_DENY_RULE_NOT_SET
  - policy_id: Public log bucket
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_LOG_BUCKET
  - policy_id: Open directory services port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_DIRECTORY_SERVICES_PORT
  - policy_id: Open mysql port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_MYSQL_PORT
  - policy_id: Open FTP port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_FTP_PORT
  - policy_id: Open firewall
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_FIREWALL
  - policy_id: Weak SSL policy
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: WEAK_SSL_POLICY
  - policy_id: Open POP3 port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_POP3_PORT
  - policy_id: Open netbios port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_NETBIOS_PORT
  - policy_id: Flow logs disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FLOW_LOGS_DISABLED
  - policy_id: Open mongo db port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_MONGODB_PORT
  - policy_id: Master authorized networks disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: MASTER_AUTHORIZED_NETWORKS_DISABLED
  - policy_id: Open redis port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_REDIS_PORT
  - policy_id: Open dns port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_DNS_PORT
  - policy_id: Open telnet port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_TELNET_PORT
  - policy_id: Open HTTP port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_HTTP_PORT
  - policy_id: Cluster logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: CLUSTER_LOGGING_DISABLED
  - policy_id: Full API access
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FULL_API_ACCESS
  - policy_id: Object versioning disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OBJECT_VERSIONING_DISABLED
  - policy_id: Public IP address
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_IP_ADDRESS
  - policy_id: Auto upgrade disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: AUTO_UPGRADE_DISABLED
  - policy_id: Legacy authorization enabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LEGACY_AUTHORIZATION_ENABLED
  - policy_id: Cluster monitoring disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: CLUSTER_MONITORING_DISABLED
  - policy_id: Open ciscosecure websm port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_CISCOSECURE_WEBSM_PORT
  - policy_id: Open RDP port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_RDP_PORT
  - policy_id: Web UI enabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: WEB_UI_ENABLED
  - policy_id: Firewall rule logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FIREWALL_RULE_LOGGING_DISABLED
  - policy_id: Over privileged service account user
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
  - policy_id: Private cluster disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PRIVATE_CLUSTER_DISABLED
  - policy_id: Primitive roles used
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PRIMITIVE_ROLES_USED
  - policy_id: Redis role used on org
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: REDIS_ROLE_USED_ON_ORG
  - policy_id: Public bucket ACL
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_BUCKET_ACL
  - policy_id: Open memcached port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_MEMCACHED_PORT
  - policy_id: Over privileged account
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OVER_PRIVILEGED_ACCOUNT
  - policy_id: Auto repair disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: AUTO_REPAIR_DISABLED
  - policy_id: Network policy disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: NETWORK_POLICY_DISABLED
  - policy_id: Cluster private google access disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED
  - policy_id: Open cassandra port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_CASSANDRA_PORT
  - policy_id: Too many KMS users
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: TOO_MANY_KMS_USERS
  - policy_id: Open postgresql port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_POSTGRESQL_PORT
  - policy_id: IP alias disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: IP_ALIAS_DISABLED
  - policy_id: Public SQL instance
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_SQL_INSTANCE
  - policy_id: Open elasticsearch port
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OPEN_ELASTICSEARCH_PORT
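
A pre-deployment sanity check for this policy set, added here as an example and not part of the page or of Google's tooling: it parses the template's flat YAML layout (assumed to stay in the shape shown above) and reports any policy whose module is not ENABLED or is not among the documented detectors, using a constructed excerpt with two deliberate defects.

```python
# Pre-deployment check for a posture template (added example, not Google's code):
# every policy must ENABLE a Security Health Analytics module from the documented list.
import re

# Constructed excerpt in the shape of the page's YAML definition, with two
# deliberate defects: a DISABLED module and an undocumented module name.
TEMPLATE_YAML = """\
policy_sets:
- policy_set_id: PCI-DSS v3.2.1 detective policy set
  policies:
  - policy_id: Public dataset
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_DATASET
  - policy_id: SSL not enforced
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: DISABLED
        moduleName: SSL_NOT_ENFORCED
  - policy_id: Example only
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: NOT_A_DOCUMENTED_MODULE
"""

# Detectors documented for this template (a subset; the real policy set has 58).
EXPECTED_MODULES = {"PUBLIC_DATASET", "SSL_NOT_ENFORCED", "OPEN_SSH_PORT"}

def parse_policies(template_yaml):
    """Collect policy_id, moduleName and moduleEnablementState for each policy.
    Assumes the flat layout shown on the page; a YAML loader would generalise."""
    policies = []
    for line in template_yaml.splitlines():
        start = re.match(r"^\s*-\s*policy_id:\s*(.+?)\s*$", line)
        field = re.match(r"^\s*(moduleName|moduleEnablementState):\s*(\S+)", line)
        if start:
            policies.append({"policy_id": start.group(1)})
        elif field and policies:
            policies[-1][field.group(1)] = field.group(2)
    return policies

def audit(template_yaml, expected):
    """Return one finding per defect; an empty list means the set is deployable."""
    findings, seen = [], set()
    for policy in parse_policies(template_yaml):
        pid, name = policy["policy_id"], policy.get("moduleName")
        state = policy.get("moduleEnablementState")
        if name is None:
            findings.append(f"{pid}: no securityHealthAnalyticsModule.moduleName")
            continue
        seen.add(name)
        if state != "ENABLED":
            findings.append(f"{pid}: {name} is {state}, expected ENABLED")
        if name not in expected:
            findings.append(f"{pid}: {name} is not a documented detector for this template")
    for name in sorted(expected - seen):
        findings.append(f"no policy enables documented detector {name}")
    return findings
```

Run `audit()` against the full exported template with all 58 documented module names in `EXPECTED_MODULES` to confirm the policy set matches the detector table before deploying it.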