Google Deployment Manager
GoogleDeploymentManager Queries List¶
This page contains all queries from GoogleDeploymentManager.
GCP_BOM¶
Bellow are listed queries related with GoogleDeploymentManager GCP_BOM:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| BOM - GCP SB c7781feb-a955-4f9f-b9cf-0d7c6f54bb59 |
Trace | Bill Of Materials | A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more) | Documentation |
| BOM - GCP PD 268c65a8-58ad-43e4-9019-1a9bbc56749f |
Trace | Bill Of Materials | A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more) | Documentation |
| BOM - GCP PST 9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8 |
Trace | Bill Of Materials | A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more) | Documentation |
GCP¶
Bellow are listed queries related with GoogleDeploymentManager GCP:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Cloud Storage Anonymous or Publicly Accessible 63ae3638-a38c-4ff4-b616-6e1f72a31a6a |
High | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more) | Documentation |
| Cloud Storage Bucket Is Publicly Accessible 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc |
High | Access Control | Cloud Storage Bucket is anonymously or publicly accessible (read more) | Documentation |
| BigQuery Dataset Is Public 83103dff-d57f-42a8-bd81-40abab64c1a7 |
High | Access Control | BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more) | Documentation |
| SQL DB Instance Backup Disabled a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01 |
High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances (read more) | Documentation |
| SQL DB Instance With SSL Disabled 660360d3-9ca7-46d1-b147-3acc4002953f |
High | Encryption | Cloud SQL Database Instance should have SLL enabled (read more) | Documentation |
| DNSSEC Using RSASHA1 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35 |
High | Encryption | DNSSEC should not use the RSASHA1 algorithm (read more) | Documentation |
| GKE Legacy Authorization Enabled df58d46c-783b-43e0-bdd0-d99164f712ee |
High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more) | Documentation |
| Network Policy Disabled c47f90e8-4a19-43f0-8413-cc434d286c4e |
High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more) | Documentation |
| Cluster Labels Disabled 8810968b-4b15-421d-918b-d91eb4bb8d1d |
High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more) | Documentation |
| Cluster Master Authentication Disabled 7ef7d141-9fbb-4679-a977-fd0883436906 |
High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more) | Documentation |
| Private Cluster Disabled 48c61fbd-09c9-46cc-a521-012e0c325412 |
High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more) | Documentation |
| MySQL Instance With Local Infile On c759d6f2-4dd3-4160-82d3-89202ef10d87 |
High | Insecure Configurations | MySQL Instance should not have Local Infile On (read more) | Documentation |
| Not Proper Email Account In Use a21b8df3-c840-4b3d-a41a-10fb2afda171 |
High | Insecure Configurations | Gmail accounts are being used instead of corporate credentials (read more) | Documentation |
| IP Aliasing Disabled 28727987-e398-49b8-aef1-8a3e7789d111 |
High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more) | Documentation |
| Client Certificate Disabled dd690686-2bf9-4012-a821-f61912dd77be |
High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more) | Documentation |
| GKE Master Authorized Networks Disabled 62c8cf50-87f0-4295-a974-8184ed78fe02 |
High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters (read more) | Documentation |
| Compute Instance Is Publicly Accessible 8212e2d7-e683-49bc-bf78-d6799075c5a7 |
High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. (read more) | Documentation |
| Stackdriver Monitoring Disabled bbfc97ab-e92a-4a7b-954c-e88cec815011 |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more) | Documentation |
| Cloud Storage Bucket Versioning Disabled ad0875c1-0b39-4890-9149-173158ba3bba |
High | Observability | Cloud Storage Bucket should have versioning enabled (read more) | Documentation |
| Stackdriver Logging Disabled 95601b9a-7fe8-4aee-9b58-d36fd9382dfc |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more) | Documentation |
| Node Auto Upgrade Disabled dc5c5fee-6c53-43b0-ab11-4c660e064aaf |
High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more) | Documentation |
| Disk Encryption Disabled fc040fb6-4c23-4c0d-b12a-39edac35debb |
Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more) | Documentation |
| COS Node Image Not Used dbe058d7-b82e-430b-8426-992b2e4677e7 |
Medium | Insecure Configurations | The node image should be Container-Optimized OS(COS) (read more) | Documentation |
| Shielded VM Disabled 9038b526-4c19-4928-bca2-c03d503bdb79 |
Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more) | Documentation |
| OSLogin Is Disabled In VM Instance e66e1b71-c810-4b4e-a737-0ab59e7f5e41 |
Medium | Insecure Configurations | VM instance should have OSLogin enabled (read more) | Documentation |
| Cloud DNS Without DNSSEC 313d6deb-3b67-4948-b41d-35b699c2492e |
Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS (read more) | Documentation |
| Google Storage Bucket Level Access Disabled 1239f54b-33de-482a-8132-faebe288e6a6 |
Medium | Insecure Configurations | Google Storage Bucket Level Access should be enabled (read more) | Documentation |
| IP Forwarding Enabled 7c98538a-81c6-444b-bf04-e60bc3ceeec0 |
Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more) | Documentation |
| SSH Access Is Not Restricted dee21308-2a7a-49de-8ff7-c9b87e188575 |
Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more) | Documentation |
| RDP Access Is Not Restricted 50cb6c3b-c878-4b88-b50e-d1421bada9e8 |
Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more) | Documentation |
| Bucket Without Versioning 227c2f58-70c6-4432-8e9a-a89c1a548cf5 |
Medium | Observability | Bucket should have versioning enabled (read more) | Documentation |
| Project-wide SSH Keys Are Enabled In VM Instances 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811 |
Medium | Secret Management | VM Instance should block project-wide SSH keys (read more) | Documentation |