Predefined posture template for PCI DSS v3.2.1 and v1.0

This page describes the detective policies that are included in the v1.0 version of the predefined posture template for the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 and version 1.0. This template includes a policy set that defines the Security Health Analytics detectors that apply to workloads that must be compliant with the PCI DSS standard.

You can deploy this posture template without making any changes.

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in this posture template.

Detector name	Description
`PUBLIC_DATASET`	This detector checks whether a dataset is configured to be open to public access. For more information, see Dataset vulnerability findings.
`NON_ORG_IAM_MEMBER`	This detector checks whether a user isn't using organization credentials.
`KMS_PROJECT_HAS_OWNER`	This detector checks whether a user has the Owner permission on a project that includes keys.
`AUDIT_LOGGING_DISABLED`	This detector checks whether audit logging is turned off for a resource.
`SSL_NOT_ENFORCED`	This detector checks whether a Cloud SQL database instance doesn't use SSL for all incoming connections. For more information, see SQL vulnerability findings.
`LOCKED_RETENTION_POLICY_NOT_SET`	This detector checks whether the locked retention policy is set for logs.
`KMS_KEY_NOT_ROTATED`	This detector checks whether rotation for the Cloud Key Management Service encryption is not turned on.
`OPEN_SMTP_PORT`	This detector checks whether a firewall has an open SMTP port that allows generic access. For more information, see Firewall vulnerability findings.
`SQL_NO_ROOT_PASSWORD`	This detector checks whether a Cloud SQL database with a public IP address doesn't have a password for the root account.
`OPEN_LDAP_PORT`	This detector checks whether a firewall has an open LDAP port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_ORACLEDB_PORT`	This detector checks whether a firewall has an open Oracle database port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_SSH_PORT`	This detector checks whether a firewall has an open SSH port that allows generic access. For more information, see Firewall vulnerability findings.
`MFA_NOT_ENFORCED`	This detector checks whether a user isn't using 2-step verification.
`COS_NOT_USED`	This detector checks whether Compute Engine VMs aren't using the Container-Optimized OS. For more information, see Container vulnerability findings.
`HTTP_LOAD_BALANCER`	This detector checks whether Compute Engine instance uses a load balancer that is configured to use a target HTTP proxy instead of a target HTTPS proxy. For more information, see Compute instance vulnerability findings.
`EGRESS_DENY_RULE_NOT_SET`	This detector checks whether an egress deny rule is not set on a firewall. For more information, see Firewall vulnerability findings.
`PUBLIC_LOG_BUCKET`	This detector checks whether a bucket with a log sink is publicly accessible.
`OPEN_DIRECTORY_SERVICES_PORT`	This detector checks whether a firewall has an open DIRECTORY_SERVICES port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_MYSQL_PORT`	This detector checks whether a firewall has an open MySQL port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_FTP_PORT`	This detector checks whether a firewall has an open FTP port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_FIREWALL`	This detector checks whether a firewall open to public access. For more information, see Firewall vulnerability findings.
`WEAK_SSL_POLICY`	This detector checks whether an instance has a weak SSL policy.
`OPEN_POP3_PORT`	This detector checks whether a firewall has an open POP3 port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_NETBIOS_PORT`	This detector checks whether a firewall has an open NETBIOS port that allows generic access. For more information, see Firewall vulnerability findings.
`FLOW_LOGS_DISABLED`	This detector checks whether flow logs are enabled on the VPC subnetwork.
`OPEN_MONGODB_PORT`	This detector checks whether a firewall has an open Mongo database port that allows generic access. For more information, see Firewall vulnerability findings.
`MASTER_AUTHORIZED_NETWORKS_DISABLED`	This detector checks whether Control Plane Authorized Networks is not enabled on GKE clusters. For more information, see Container vulnerability findings.
`OPEN_REDIS_PORT`	This detector checks whether a firewall has an open REDIS port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_DNS_PORT`	This detector checks whether a firewall has an open DNS port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_TELNET_PORT`	This detector checks whether a firewall has an open TELNET port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_HTTP_PORT`	This detector checks whether a firewall has an open HTTP port that allows generic access. For more information, see Firewall vulnerability findings.
`CLUSTER_LOGGING_DISABLED`	This detector checks logging isn't enabled for a GKE cluster. For more information, see Container vulnerability findings.
`FULL_API_ACCESS`	This detector checks whether an instance is using a default service account with full access to all Google Cloud APIs.
`OBJECT_VERSIONING_DISABLED`	This detector checks whether object versioning is enabled on storage buckets with sinks.
`PUBLIC_IP_ADDRESS`	This detector checks whether an instance has a public IP address.
`AUTO_UPGRADE_DISABLED`	This detector checks whether a GKE cluster's auto upgrade feature is disabled. For more information, see Container vulnerability findings.
`LEGACY_AUTHORIZATION_ENABLED`	This detector checks whether Legacy Authorization is enabled on GKE clusters. For more information, see Container vulnerability findings.
`CLUSTER_MONITORING_DISABLED`	This detector checks whether monitoring is disabled on GKE clusters. For more information, see Container vulnerability findings.
`OPEN_CISCOSECURE_WEBSM_PORT`	This detector checks whether a firewall has an open CISCOSECURE_WEBSM port that allows generic access. For more information, see Firewall vulnerability findings.
`OPEN_RDP_PORT`	This detector checks whether a firewall has an open RDP port that allows generic access. For more information, see Firewall vulnerability findings.
`WEB_UI_ENABLED`	This detector checks whether the GKE web UI is enabled. For more information, see Container vulnerability findings.
`FIREWALL_RULE_LOGGING_DISABLED`	This detector checks whether firewall rule logging is disabled. For more information, see Firewall vulnerability findings.
`OVER_PRIVILEGED_SERVICE_ACCOUNT_USER`	This detector checks whether a user has service account roles at the project level, instead of for a specific service account.
`PRIVATE_CLUSTER_DISABLED`	This detector checks whether a GKE cluster has private cluster disabled. For more information, see Container vulnerability findings.
`PRIMITIVE_ROLES_USED`	This detector checks whether a user has a basic role (Owner, Editor, or Viewer). For more information, see IAM vulnerability findings.
`REDIS_ROLE_USED_ON_ORG`	This detector checks whether Redis IAM role is assigned to an organization or folder. For more information, see IAM vulnerability findings.
`PUBLIC_BUCKET_ACL`	This detector checks whether a bucket is publicly accessible.
`OPEN_MEMCACHED_PORT`	This detector checks whether a firewall has an open MEMCACHED port that allows generic access. For more information, see Firewall vulnerability findings.
`OVER_PRIVILEGED_ACCOUNT`	This detector checks whether a service account has overly broad project access in a cluster. For more information, see Container vulnerability findings.
`AUTO_REPAIR_DISABLED`	This detector checks whether a GKE cluster's auto repair feature is disabled. For more information, see Container vulnerability findings.
`NETWORK_POLICY_DISABLED`	This detector checks whether the network policy is disabled on a cluster. For more information, see Container vulnerability findings.
`CLUSTER_PRIVATE_GOOGLE_ACCESS_DISABLED`	This detector checks whether cluster hosts aren't configured to use only private, internal IP addresses to access Google APIs. For more information, see Container vulnerability findings.
`OPEN_CASSANDRA_PORT`	This detector checks whether a firewall has an open Cassandra port that allows generic access. For more information, see Firewall vulnerability findings.
`TOO_MANY_KMS_USERS`	This detector checks whether there are more than three users of cryptographic keys. For more information, see KMS vulnerability findings.
`OPEN_POSTGRESQL_PORT`	This detector checks whether a firewall has an open PostgreSQL port that allows generic access. For more information, see Firewall vulnerability findings.
`IP_ALIAS_DISABLED`	This detector checks whether a GKE cluster was created with the alias IP address range disabled. For more information, see Container vulnerability findings.
`PUBLIC_SQL_INSTANCE`	This detector checks whether a Cloud SQL allows connections from all IP addresses.
`OPEN_ELASTICSEARCH_PORT`	This detector checks whether a firewall has an open Elasticsearch port that allows generic access. For more information, see Firewall vulnerability findings.

View the posture template

To view the posture template for PCI DSS, do the following:

gcloud

Before using any of the command data below, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization

Execute the gcloud scc posture-templates describe command:

Linux, macOS, or Cloud Shell

gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/pci_dss_v_3_2_1

Windows (PowerShell)

gcloud scc posture-templates describe `
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/pci_dss_v_3_2_1

Windows (cmd.exe)

gcloud scc posture-templates describe ^
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/pci_dss_v_3_2_1

The response contains the posture template.

REST

Before using any of the request data, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization

HTTP method and URL:

GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/pci_dss_v_3_2_1

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/pci_dss_v_3_2_1"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/pci_dss_v_3_2_1" | Select-Object -Expand Content

The response contains the posture template.

What's next

Create a security posture using this posture template.