What's new in the CIS v2.0 benchmark for GCP
Our analysis of the latest CIS GCP recommendations.
At the end of last year, the Center for Internet Security released version 2.0.0 of their Foundation Benchmark for Google Cloud Platform (GCP). Oddly, for being a major version, very few changes have been made between v1.3 and v2.0.
Only two new recommendations were added. One recommendation conflicted with the PostgreSQL benchmark and was deleted. Ten recommendations were changed from Manual to Automated assessment as the GCP APIs matured. Seven recommendations were elevated to Level 2, reflecting the complexity or expense in adhering to the recommendations.
Our take on the new recommendations in v2.0
- 6.2.5 Ensure ‘Log_hostname’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on'. was removed.
- 2.16 Ensure Logging is enabled for HTTP(S) Load Balancer (L2) was added.
- 6.2.9 Ensure [PostgreSQL] Instance IP assignment is set to private (L1) was added.
These two new recommendations are common-sense changes. Logging is pretty critical for any incident response, and the new guidance reflects this. Similarly, there are very few good reasons to expose a database directly on the internet.
These recommendations were changed from Manual to Automated:
- 1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps
- 1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs Access
- 1.15 Ensure API Keys Are Rotated Every 90 Days
- 3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
- 3.5 Ensure That RSASHA1 Is Not Used for the Zone- Signing Key in Cloud DNS DNSSEC
- 6.2.1 Ensure ‘Log_error_verbosity’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘DEFAULT’ or Stricter
- 6.2.4 Ensure ‘Log_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
- 6.2.5 Ensure that the ‘Log_min_messages’ Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
- 7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
- 7.3 Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
The good news is that more of the benchmark can now be automated and moved into continuous compliance workflows. And it should be noted that while CIS had these as manual, Steampipe was automating these checks in the CIS 1.3 version of the compliance mod.
These seven recommendations were changed from Level 1 to Level 2:
- 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes (Automated)
- 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes (Automated)
- 2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes (Automated)
- 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes (Automated)
- 2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes(Automated)
- 2.14 Ensure 'Access Transparency' is 'Enabled' (Automated)
- 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network (Automated)
The Access Transparency setting is only available with specific support tiers, and so it makes sense to change this to a Level 2 setting. VPC Flow Logs can get expensive and they’re considered Level 2 in the AWS Benchmark, so this change brings consistency across the two documents. The changes to the Log Metric Filters for VPCs, Cloud Storage and SQL Instances seems ill-advised. While there is non-zero cost to logging these actions, having some alert on changes to core infrastructure components like a VPC Route Table or Firewalls is important.
However, most organizations follow both levels of recommendations or ensure other controls are in place like logging to a SIEM.
Evaluate your environment with GCP CIS v2.0
The Steampipe GCP Compliance mod, packed with hundreds of controls that check your GCP accounts for compliance with benchmarks like CIS and Forseti, now includes new controls for GCP CIS v2.0. If you're new to Steampipe, download Steampipe, install and configure the GCP plugin, and run these commands.
git clone https://github.com/turbot/steampipe-mod-gcp-compliance.gitcd steampipe-mod-gcp-compliancesteampipe check benchmark.cis_v200
If you've already installed Steampipe and the GCP plugin, and cloned the GCP Compliance mod, then just do this.
steampipe plugin update gcpcd steampipe-mod-gcp-compliancegit pullsteampipe check benchmark.cis_v200
Here's a sample report in the console.
You can output results to formats including JSON, CSV, HTML, or use custom output templates to create new output formats. To view the GCP CIS v2.0.0 benchmark report in your browser, run this command in the same cloned repo.
Your browser will then automatically open to http://localhost:9194 to view the dashboard.
We love open source!
Steampipe delivers a full suite of tools to build, execute and share cloud configuration, compliance, and security frameworks using HCL + SQL! We would love your help to expand the open source documentation and control coverage for the Steampipe GCP Compliance mod. The best way to get started is to join our Slack community; we would love to talk to you!