Google Deployment Manager
GoogleDeploymentManager Queries List¶
This page contains all queries from GoogleDeploymentManager.
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Cloud Storage Anonymous or Publicly Accessible 63ae3638-a38c-4ff4-b616-6e1f72a31a6a |
High | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' | Documentation |
| BigQuery Dataset Is Public 83103dff-d57f-42a8-bd81-40abab64c1a7 |
High | Access Control | BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' | Documentation |
| Cloud Storage Bucket Is Publicly Accessible 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc |
High | Access Control | Cloud Storage Bucket is anonymously or publicly accessible | Documentation |
| SQL DB Instance Backup Disabled a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01 |
High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
| SQL DB Instance With SSL Disabled 660360d3-9ca7-46d1-b147-3acc4002953f |
High | Encryption | Cloud SQL Database Instance should have SLL enabled | Documentation |
| DNSSEC Using RSASHA1 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35 |
High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
| IP Aliasing Disabled 28727987-e398-49b8-aef1-8a3e7789d111 |
High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. | Documentation |
| Cluster Master Authentication Disabled 7ef7d141-9fbb-4679-a977-fd0883436906 |
High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
| Cluster Labels Disabled 8810968b-4b15-421d-918b-d91eb4bb8d1d |
High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined | Documentation |
| Private Cluster Disabled 48c61fbd-09c9-46cc-a521-012e0c325412 |
High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. | Documentation |
| Network Policy Disabled c47f90e8-4a19-43f0-8413-cc434d286c4e |
High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false | Documentation |
| GKE Legacy Authorization Enabled df58d46c-783b-43e0-bdd0-d99164f712ee |
High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. | Documentation |
| Client Certificate Disabled dd690686-2bf9-4012-a821-f61912dd77be |
High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true | Documentation |
| MySQL Instance With Local Infile On c759d6f2-4dd3-4160-82d3-89202ef10d87 |
High | Insecure Configurations | MySQL Instance should not have Local Infile On | Documentation |
| Not Proper Email Account In Use a21b8df3-c840-4b3d-a41a-10fb2afda171 |
High | Insecure Configurations | Gmail accounts are being used instead of corporate credentials | Documentation |
| GKE Master Authorized Networks Disabled 62c8cf50-87f0-4295-a974-8184ed78fe02 |
High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters | Documentation |
| Compute Instance Is Publicly Accessible 8212e2d7-e683-49bc-bf78-d6799075c5a7 |
High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
| Stackdriver Logging Disabled 95601b9a-7fe8-4aee-9b58-d36fd9382dfc |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' | Documentation |
| Cloud Storage Bucket Versioning Disabled ad0875c1-0b39-4890-9149-173158ba3bba |
High | Observability | Cloud Storage Bucket should have versioning enabled | Documentation |
| Stackdriver Monitoring Disabled bbfc97ab-e92a-4a7b-954c-e88cec815011 |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' | Documentation |
| Node Auto Upgrade Disabled dc5c5fee-6c53-43b0-ab11-4c660e064aaf |
High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true | Documentation |
| Disk Encryption Disabled fc040fb6-4c23-4c0d-b12a-39edac35debb |
Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined | Documentation |
| Cloud DNS Without DNSSEC 313d6deb-3b67-4948-b41d-35b699c2492e |
Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
| Google Storage Bucket Level Access Disabled 1239f54b-33de-482a-8132-faebe288e6a6 |
Medium | Insecure Configurations | Google Storage Bucket Level Access should be enabled | Documentation |
| COS Node Image Not Used dbe058d7-b82e-430b-8426-992b2e4677e7 |
Medium | Insecure Configurations | The node image should be Container-Optimized OS(COS) | Documentation |
| OSLogin Is Disabled In VM Instance e66e1b71-c810-4b4e-a737-0ab59e7f5e41 |
Medium | Insecure Configurations | VM instance should have OSLogin enabled | Documentation |
| Shielded VM Disabled 9038b526-4c19-4928-bca2-c03d503bdb79 |
Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true | Documentation |
| SSH Access Is Not Restricted dee21308-2a7a-49de-8ff7-c9b87e188575 |
Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges | Documentation |
| RDP Access Is Not Restricted 50cb6c3b-c878-4b88-b50e-d1421bada9e8 |
Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 | Documentation |
| IP Forwarding Enabled 7c98538a-81c6-444b-bf04-e60bc3ceeec0 |
Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true | Documentation |
| Bucket Without Versioning 227c2f58-70c6-4432-8e9a-a89c1a548cf5 |
Medium | Observability | Bucket should have versioning enabled | Documentation |
| Project-wide SSH Keys Are Enabled In VM Instances 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811 |
Medium | Secret Management | VM Instance should block project-wide SSH keys | Documentation |