Mapping with the CIS Google Cloud Benchmark¶
This section shows the control-level alignment for the CIS Google Cloud Platform Foundation Benchmark v4.0.0.
| CIS ID | TrustOnCloud Control ID | Comments |
|---|---|---|
| 1.1 | Iam.C3 assured by Iam.C4 under Iam.CO2 | |
| 1.2 | Iam.C95 assured by Iam.C96 under Iam.CO10 | |
| 1.3 | Iam.C26 under Iam.CO10 | |
| 1.4 | Iam.C5 assured by Iam.C6 Iam.CO3 | |
| 1.5 | Iam.C1 assured by Iam.C2 under Iam.CO1 | This CIS control ensures service accounts do not have Admin privileges. Control Iam.C1 specifies to ensure there are no basic roles are used for all identities (e.g., service accounts or users). |
| 1.6 | Iam.C78 assured by Iam.C79 under Iam.CO3 | |
| 1.7 | Iam.C5 assured by Iam.C6 under Iam.CO3 | |
| 1.8 | Iam.C80 assured by Iam.C81 under Iam.CO3 | |
| 1.9 | Iam.C13 assured by Iam.C14 under Iam.CO5 | This CIS control ensures Cloud KMS crypto keys are not anonymously or publicly accessible. Control Iam.C13 specifies to ensure all service’s IAM bindings are defined and reviewed as part of your IAM Operating Model. |
| 1.10 | Cloudkms.C4 assured by Cloudkms.C5 under Cloudkms.CO3 | This CIS control ensures Cloud KMS encryption keys are rotated within a period of 90 days. Control Cloudkms.C4 specifies to rotation of keys is performed per the organization’s security requirements, which may be more frequent than 90 days. |
| 1.11 | Iam.C13 assured by Iam.C14 under Iam.CO5 | This CIS control ensures separation of duties is enforced while assigning KMS related roles. Control Iam.C13 specifies to ensure all permissions are defined and reviewed as part of your IAM Operating Model. |
| 1.12 | Iam.C60 under Iam.CO16 | |
| 1.13 | Iam.C57 assured by Iam.C59 under Iam.CO16 | |
| 1.14 | Iam.C57 assured by Iam.C59 under Iam.CO16 | |
| 1.15 | Iam.C60 under Iam.CO16 | |
| 1.16 | ||
| 1.17 | Cloudfunctions.C7 under Cloudfunctions.CO7 | This CIS control ensures secrets are not stored in Cloud Functions environment variables by using Secret Manager. Control Cloudfunctions.C7 specifies to ensure use a secret management service which may be another provider based on your organization’s requirements. |
| 2.1 | Cloudresourcemanager.C76 assured by Cloudresourcemanager.C77 under Cloudresourcemanager.CO15 Cloudresourcemanager.C54 assured by Cloudresourcemanager.C56 under Cloudresourcemanager.CO15 |
|
| 2.2 | Logging.C10 assured by Logging.C14 under Logging.CO6 | |
| 2.3 | Storage.C26 assured by Storage.C27 under Storage.CO11 | |
| 2.4 | Cloudresourcemanager.C78 under Cloudresourcemanager.CO1 | |
| 2.5 | Cloudresourcemanager.C79 under Cloudresourcemanager.CO15 | |
| 2.6 | Iam.C97 under Iam.CO5 | This CIS control ensures log metric filters and alerts exist for any role change, our control focuses on Indicators of Compromise (IOC) for unauthorized creation, modification, deletion, or un-deletion of IAM roles. |
| 2.7 | Compute.C399 under Compute.CO8 | This CIS control ensures log metric filters and alerts exist for any VPC firewall rule change. Instead of using Cloud Monitoring metrics for VPC firewall rule changes, our controls focus on Indicators of Compromise (IOC) for unauthorized creation, modification, or deletion of firewall rules by inspecting the network, source ranges, tags, status, priority (Compute.C399). |
| 2.8 | Compute.C402 under Compute.CO15 | This CIS control ensures log metric filters and alerts exist for any VPC network route change. Instead of using Cloud Monitoring metrics for VPC network route changes, our controls focus on Indicators of Compromise (IOC) for unauthorized creation or deletion of VPC network routes by inspecting the route name, destination or source range, priority, and next hop gateway (Compute.C402). |
| 2.9 | Compute.C400 under Compute.CO77 Compute.C401 under Compute.CO12 |
This CIS control ensures log metric filters and alerts exist for any VPC network change. Instead of using Cloud Monitoring metrics for VPC network changes, our controls focus on Indicators of Compromise (IOC) for unauthorized creation, modification, or deletion of VPC networks by inspecting the routing or network name (Compute.C400) or removal or deletion of VPC network peering by inspecting the network name (Compute.C401) |
| 2.10 | Storage.C3 assured by Storage.C4 under Storage.CO3 Storage.C13 assured by Storage.C16 under Storage.CO8 Storage.C14 assured by Storage.C18 under Storage.CO8 |
This CIS control ensures log metric filters and alerts exist for Cloud Storage IAM permission changes. Instead of using Cloud Monitoring metrics for Cloud Storage IAM permission changes, our controls focus on Indicators of Compromise (IoC) related to fine-grained access control (Storage.C3), public accessible buckets (Storage.C13), unauthorized domains (Storage.C14). |
| 2.11 | Cloudsql.C5 under Cloudsql.C03 Cloudsql.C90 under Cloudsql.C03 Cloudsql.C66 under Cloudsql.C020 Cloudsql.C130 under Cloudsql.C018 Cloudsql.C131 under Cloudsql.CO16 |
This CIS control ensures log metric filters and alerts exist for any SQL instance configuration change. Instead of using Cloud Monitoring metrics our controls focus on Indicators of Compromise (IoC) for unauthorized backups (Cloudsql.C5), backup failure (Cloudsql.C90), unauthorized database engine (Cloudsql.C66), binary logs disabled (Compute.C130), unauthorized addition or removal of networks (Compute.C131) |
| 2.12 | Dns.C2 under Dns.CO2 | |
| 2.13 | Iam.C13 assured by Iam.C94 under IAM.CO5 Cloudasset.C15 |
The CIS control ensures Cloud Asset Inventory is enabled. We cover the CIS control in Iam.C13 and specify to use Recommender ThreatModel for insights from Cloud Asset Inventory, Cloudasset.C15 |
| 2.14 | Accessapproval.C3 assured by Accessapproval.C16 under Accessapproval.CO3 | |
| 2.15 | Accessapproval.C6 assured by Accessapproval.C7 under Accessapproval.CO4 | |
| 2.16 | Compute.C110 assured by Compute.C111 under Compute.CO37 | |
| 3.1 | Compute.C15 assured by Compute.C16 under Compute.CO5 | |
| 3.2 | Compute.C17 assured by Compute.C19 under Compute.CO5 | |
| 3.3 | Dns.C9 assured by Dns.C16 under Dns.CO6 | |
| 3.4 | Dns.C17 assured by Dns.C18 under Dns.CO6 | The CIS control ensures SHA1 algorithm is not used for the key-signing key in Cloud DNS DNSSEC. We cover the CIS controls 3.4 and 3.5 for key-signing and zone-signing keys in Dns.C17 |
| 3.5 | Dns.C17 assured by Dns.C18 under Dns.CO6 | The CIS control ensures SHA1 algorithm is not used for the zone-signing key in Cloud DNS DNSSEC. We cover the CIS controls 3.4 and 3.5 for key-signing and zone-signing keys in Dns.C17 |
| 3.6 | Compute.C25 assured by Compute.C26 under Compute.CO6 Compute.C27 assured by Compute.C28 under Compute.CO6 |
The CIS control ensures SSH access is restricted from the internet using firewall rules. We cover the CIS control (Compute.C25) and specify to configure firewall rules to block suspicious IPs in VPCs allowing access from the internet (Compute.C27) |
| 3.7 | Compute.C25 assured by Compute.C26 under Compute.CO6 Compute.C27 assured by Compute.C28 under Compute.CO6 |
The CIS control ensures RDP access is restricted from the internet using firewall rules. We cover the CIS control (Compute.C25) and specify to configure firewall rules to block suspicious IPs in VPCs allowing access from the internet (Compute.C27) |
| 3.8 | Compute.C9 assured by Compute.C11 under Compute.CO3 | |
| 3.9 | Compute.C354 assured by Compute.C355 under Compute.CO41 | |
| 3.10 | Iap.C12 under Iap.CO5 | |
| 4.1 | Compute.C70 assured by Compute.C72 under Compute.CO23 | |
| 4.2 | Compute.C70 assured by Compute.C72 under Compute.CO23 Compute.C65 under Compute.CO23 |
The CIS control recommends not assigning the default Compute Engine service account with Scope Allow full access to all Cloud APIs. We cover the CIS control (Compute.C70) and specify to limit access to all service accounts attached to VMs (Compute.C65) |
| 4.3 | Compute.C78 assured by Compute.C79 under Compute.CO27 Compute.C80 assured by Compute.C81 under Compute.CO27 |
The CIS control ensures project-wide SSH keys are blocked for VM instances. We cover the CIS control (Compute.C78) and specify to ensure no SSH keys are configured on the project common metadata and any VM-specific metadata (Compute.C80) |
| 4.4 | Compute.C84 assured by Compute.C85 under Compute.CO27 Compute.C129 under Compute.CO27 |
The CIS control ensures OS login is enabled at the project and disabled at the instance. We specify to disable OS login at the instance (Compute.C84) and ensure 2-factor authentication is used when SSH is authorized for a VM (Compute.C129) |
| 4.5 | Compute.C61 assured by Compute.C62 under Compute.CO21 | |
| 4.6 | Compute.C86 assured by Compute.C87 under Compute.CO17 | |
| 4.7 | Compute.C75 assured by Compute.C76 under Compute.CO28 | The CIS control ensures critical VMs are encrypted with customer-supplied encryption keys (CSEK). We specify to encrypt instances, disks, and images using a customer-managed encryption key (CMEK) or customer-supplied encryption key (CSEK) |
| 4.8 | Compute.C58 assured by Compute.C59 under Compute.CO20 | |
| 4.9 | Compute.C49 assured by Compute.C50 under Compute.CO17 | |
| 4.10 | Appengine.C57 assured by Appengine.C58 under Appengine.CO17 | |
| 4.11 | Compute.C60 assured by Compute.C393 under Compute.CO20 | |
| 4.12 | Compute.C48 prevented by Compute.C298 under Compute.CO16 | |
| 5.1 | Storage.C13 assured by Storage.C16 under Storage.CO8 Storage.C14 assured by Storage.C18 under Storage.CO8 |
|
| 5.2 | Storage.C3 assured by Storage.C4 under Storage.CO3 | |
| 6.1.1 | Cloudsql.C21 assured by Cloudsql.22 under Cloudsql.CO6 | |
| 6.1.2 | Cloudsql.C55 assured by Cloudsql.C56 under Cloudsql.CO19 | |
| 6.1.3 | Cloudsql.C55 assured by Cloudsql.C56 under Cloudsql.CO19 | |
| 6.2.1 | Cloudsql.C54 assured by Cloudsql.C84 under Cloudsql.CO18 | |
| 6.2.2 | Cloudsql.C54 assured by Cloudsql.C84 under Cloudsql.CO18 | |
| 6.2.3 | Cloudsql.C54 assured by Cloudsql.C84 under Cloudsql.CO18 | |
| 6.2.4 | Cloudsql.C54 assured by Cloudsql.C84 under Cloudsql.CO18 | |
| 6.2.5 | Cloudsql.C54 assured by Cloudsql.C84 under Cloudsql.CO18 | |
| 6.2.6 | Cloudsql.C54 assured by Cloudsql.C84 under Cloudsql.CO18 | |
| 6.2.7 | Cloudsql.C54 assured by Cloudsql.C84 under Cloudsql.CO18 | |
| 6.2.8 | Cloudsql.C54 assured by Cloudsql.C84 under Cloudsql.CO18 | |
| 6.3.1 | Cloudsql.C55 assured by Cloudsql.C56 under Cloudsql.CO19 | |
| 6.3.2 | Cloudsql.C55 assured by Cloudsql.C56 under Cloudsql.CO19 | |
| 6.3.3 | Cloudsql.C55 assured by Cloudsql.C56 under Cloudsql.CO19 | |
| 6.3.4 | Cloudsql.C55 assured by Cloudsql.C56 under Cloudsql.CO19 | |
| 6.3.5 | Cloudsql.C55 assured by Cloudsql.C56 under Cloudsql.CO19 | |
| 6.3.6 | Cloudsql.C55 assured by Cloudsql.C56 under Cloudsql.CO19 | |
| 6.3.7 | Cloudsql.C55 assured by Cloudsql.C56 under Cloudsql.CO19 | |
| 6.4 | Cloudsql.C46 assured by Cloudsql.C47 under Cloudsql.CO15 Cloudsql.C72 assured by Cloudsql.C73 under Cloudsql.CO21 |
The CIS control specifies to require all incoming connection to use SSL. In addition to requiring all incoming connections to use SSL (Cloudsql.C46) we specify to use ephemeral certificates for all TLS/SSL for mTLS (Cloudsql.C72) |
| 6.5 | Cloudsql.C59 assured by Cloudsql.C50 prevented by Cloudsql.C49 under Cloudsql.CO16 | |
| 6.6 | Cloudsql.C58 assured by Cloudsql.C24 under Cloudsql.CO6 | |
| 6.7 | Cloudsql.C7 assured by Cloudsql.C8 under Cloudsql.CO3 | |
| 7.1 | Bigquery.C15 assured by Bigquery.C16 under Bigquery.CO8 | |
| 7.2 | Bigquery.C27 assured by Bigquery.C29 under Bigquery.CO7 Bigquery.C36 assured by Bigquery.C37 under Bigquery.CO7 |
The CIS control specifies to encrypt all BigQuery tables with customer-managed encryption keys (CMEK). We specified to use CMEKs for all BigQuery resources (Bigquery.C27) and AEAD for column-level encryption |
| 7.3 | Bigquery.C27 assured by Bigquery.C29 under Bigquery.CO7 | |
| 7.4 | Bigquery.C20 assured by Bigquery.C21 under Bigquery.CO9 | |
| 8.1 | Dataproc.C62 assured by Dataproc.C63 under Dataproc.CO4 |