GoogleDeploymentManager Queries List
This page contains all queries from GoogleDeploymentManager.
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Cloud Storage Bucket Is Publicly Accessible 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc | High | Access Control | Cloud Storage Bucket is anonymously or publicly accessible | Documentation |
SQL DB Instance Backup Disabled a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01 | High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
DNSSEC Using RSASHA1 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35 | High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
SQL DB Instance With SSL Disabled 660360d3-9ca7-46d1-b147-3acc4002953f | High | Encryption | Cloud SQL Database Instance should have SSL enabled | Documentation |
Network Policy Disabled c47f90e8-4a19-43f0-8413-cc434d286c4e | High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false | Documentation |
IP Aliasing Disabled 28727987-e398-49b8-aef1-8a3e7789d111 | High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. | Documentation |
Not Proper Email Account In Use a21b8df3-c840-4b3d-a41a-10fb2afda171 | High | Insecure Configurations | Gmail accounts are being used instead of corporate credentials | Documentation |
GKE Legacy Authorization Enabled df58d46c-783b-43e0-bdd0-d99164f712ee | High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. | Documentation |
Cluster Master Authentication Disabled 7ef7d141-9fbb-4679-a977-fd0883436906 | High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
Private Cluster Disabled 48c61fbd-09c9-46cc-a521-012e0c325412 | High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. | Documentation |
Compute Instance Is Publicly Accessible 8212e2d7-e683-49bc-bf78-d6799075c5a7 | High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
Cloud Storage Bucket Versioning Disabled ad0875c1-0b39-4890-9149-173158ba3bba | High | Observability | Cloud Storage Bucket versioning should be enabled | Documentation |
Node Auto Upgrade Disabled dc5c5fee-6c53-43b0-ab11-4c660e064aaf | High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'management' must be defined and have the attribute 'autoUpgrade' set to true | Documentation |
Disk Encryption Disabled fc040fb6-4c23-4c0d-b12a-39edac35debb | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined | Documentation |
Shielded VM Disabled 9038b526-4c19-4928-bca2-c03d503bdb79 | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true | Documentation |
Cloud DNS Without DNSSEC 313d6deb-3b67-4948-b41d-35b699c2492e | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
Google Storage Bucket Level Access Disabled 1239f54b-33de-482a-8132-faebe288e6a6 | Medium | Insecure Configurations | Google Storage Bucket Level Access should be enabled | Documentation |
IP Forwarding Enabled 7c98538a-81c6-444b-bf04-e60bc3ceeec0 | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true | Documentation |