Skip to content

Google Deployment Manager

GoogleDeploymentManager Queries List

This page contains all queries from GoogleDeploymentManager.

Query Severity Category Description Help
Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc
High Access Control Cloud Storage Bucket is anonymously or publicly accessible Documentation
SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01
High Backup Checks if backup configuration is enabled for all Cloud SQL Database instances Documentation
DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35
High Encryption DNSSEC should not use the RSASHA1 algorithm Documentation
SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f
High Encryption Cloud SQL Database Instance should have SLL enabled Documentation
GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee
High Insecure Configurations Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. Documentation
BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7
High Insecure Configurations BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' Documentation
COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7
High Insecure Configurations The node image should be Container-Optimized OS(COS) Documentation
IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111
High Insecure Configurations Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. Documentation
Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906
High Insecure Configurations Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty Documentation
Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412
High Insecure Configurations Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. Documentation
MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87
High Insecure Configurations MySQL Instance should not have Local Infile On Documentation
Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be
High Insecure Configurations Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true Documentation
Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d
High Insecure Configurations Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined Documentation
Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e
High Insecure Configurations Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false Documentation
Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171
High Insecure Configurations Gmail accounts are being used instead of corporate credentials Documentation
Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7
High Networking and Firewall Compute instances shouldn't be accessible from the Internet. Documentation
GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02
High Networking and Firewall Master authorized networks must be enabled in GKE clusters Documentation
Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba
High Observability Cloud Storage Bucket should be enabled Documentation
Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc
High Observability Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' Documentation
Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011
High Observability Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' Documentation
Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf
High Resource Management Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true Documentation
Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb
Medium Encryption VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined Documentation
OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41
Medium Insecure Configurations VM instance should have OSLogin enabled Documentation
Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6
Medium Insecure Configurations Google Storage Bucket Level Access should be enabled Documentation
Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79
Medium Insecure Configurations Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true Documentation
Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a
Medium Insecure Configurations Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' Documentation
Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e
Medium Insecure Configurations DNSSEC must be enabled for Cloud DNS Documentation
IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0
Medium Networking and Firewall Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true Documentation
RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8
Medium Networking and Firewall Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 Documentation
SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575
Medium Networking and Firewall Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block) Documentation
Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5
Medium Observability Bucket should have versioning enabled Documentation
Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811
Medium Secret Management VM Instance should block project-wide SSH keys Documentation