Google Deployment Manager

GoogleDeploymentManager Queries List

This page contains all queries from GoogleDeploymentManager.

GCP_BOM

Below are listed the queries related to GoogleDeploymentManager GCP_BOM:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| BOM - GCP PST | 9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8 | Trace | Bill Of Materials | A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. | Documentation |
| BOM - GCP SB | c7781feb-a955-4f9f-b9cf-0d7c6f54bb59 | Trace | Bill Of Materials | A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. | Documentation |
| BOM - GCP PD | 268c65a8-58ad-43e4-9019-1a9bbc56749f | Trace | Bill Of Materials | A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. | Documentation |

GCP

Below are listed the queries related to GoogleDeploymentManager GCP:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| Cloud Storage Anonymous or Publicly Accessible | 63ae3638-a38c-4ff4-b616-6e1f72a31a6a | High | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' | Documentation |
| BigQuery Dataset Is Public | 83103dff-d57f-42a8-bd81-40abab64c1a7 | High | Access Control | BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' | Documentation |
| Cloud Storage Bucket Is Publicly Accessible | 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc | High | Access Control | Cloud Storage Bucket is anonymously or publicly accessible | Documentation |
| SQL DB Instance Backup Disabled | a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01 | High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
| DNSSEC Using RSASHA1 | 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35 | High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
| SQL DB Instance With SSL Disabled | 660360d3-9ca7-46d1-b147-3acc4002953f | High | Encryption | Cloud SQL Database Instance should have SSL enabled | Documentation |
| Not Proper Email Account In Use | a21b8df3-c840-4b3d-a41a-10fb2afda171 | High | Insecure Configurations | Gmail accounts are being used instead of corporate credentials | Documentation |
| MySQL Instance With Local Infile On | c759d6f2-4dd3-4160-82d3-89202ef10d87 | High | Insecure Configurations | MySQL Instance should not have Local Infile On | Documentation |
| Cluster Master Authentication Disabled | 7ef7d141-9fbb-4679-a977-fd0883436906 | High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
| Private Cluster Disabled | 48c61fbd-09c9-46cc-a521-012e0c325412 | High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. | Documentation |
| Cluster Labels Disabled | 8810968b-4b15-421d-918b-d91eb4bb8d1d | High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined | Documentation |
| IP Aliasing Disabled | 28727987-e398-49b8-aef1-8a3e7789d111 | High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. | Documentation |
| GKE Legacy Authorization Enabled | df58d46c-783b-43e0-bdd0-d99164f712ee | High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. | Documentation |
| Client Certificate Disabled | dd690686-2bf9-4012-a821-f61912dd77be | High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true | Documentation |
| Network Policy Disabled | c47f90e8-4a19-43f0-8413-cc434d286c4e | High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false | Documentation |
| Compute Instance Is Publicly Accessible | 8212e2d7-e683-49bc-bf78-d6799075c5a7 | High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
| GKE Master Authorized Networks Disabled | 62c8cf50-87f0-4295-a974-8184ed78fe02 | High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters | Documentation |
| Stackdriver Logging Disabled | 95601b9a-7fe8-4aee-9b58-d36fd9382dfc | High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' | Documentation |
| Stackdriver Monitoring Disabled | bbfc97ab-e92a-4a7b-954c-e88cec815011 | High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different from 'none' | Documentation |
| Cloud Storage Bucket Versioning Disabled | ad0875c1-0b39-4890-9149-173158ba3bba | High | Observability | Cloud Storage Bucket should have versioning enabled | Documentation |
| Node Auto Upgrade Disabled | dc5c5fee-6c53-43b0-ab11-4c660e064aaf | High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'management' must be defined and have the attribute 'autoUpgrade' set to true | Documentation |
| Disk Encryption Disabled | fc040fb6-4c23-4c0d-b12a-39edac35debb | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined | Documentation |
| Cloud DNS Without DNSSEC | 313d6deb-3b67-4948-b41d-35b699c2492e | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
| OSLogin Is Disabled In VM Instance | e66e1b71-c810-4b4e-a737-0ab59e7f5e41 | Medium | Insecure Configurations | VM instance should have OSLogin enabled | Documentation |
| Google Storage Bucket Level Access Disabled | 1239f54b-33de-482a-8132-faebe288e6a6 | Medium | Insecure Configurations | Google Storage Bucket Level Access should be enabled | Documentation |
| Shielded VM Disabled | 9038b526-4c19-4928-bca2-c03d503bdb79 | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true | Documentation |
| COS Node Image Not Used | dbe058d7-b82e-430b-8426-992b2e4677e7 | Medium | Insecure Configurations | The node image should be Container-Optimized OS (COS) | Documentation |
| SSH Access Is Not Restricted | dee21308-2a7a-49de-8ff7-c9b87e188575 | Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privilege | Documentation |
| RDP Access Is Not Restricted | 50cb6c3b-c878-4b88-b50e-d1421bada9e8 | Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 | Documentation |
| IP Forwarding Enabled | 7c98538a-81c6-444b-bf04-e60bc3ceeec0 | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true | Documentation |
| Bucket Without Versioning | 227c2f58-70c6-4432-8e9a-a89c1a548cf5 | Medium | Observability | Bucket should have versioning enabled | Documentation |
| Project-wide SSH Keys Are Enabled In VM Instances | 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811 | Medium | Secret Management | VM Instance should block project-wide SSH keys | Documentation |