CIS Google Cloud 1.3.0 Benchmark Report
For information about compliance assessment differences between CIS Google Cloud 1.2.0 and 1.3.0, see CIS Google Cloud 1.2.0 to 1.3.0 (deprecated).
Changes to Benchmark Reports in the Lacework Console
This section covers functionality that is deprecated.
Due to changes in the Lacework Console, visibility of and interaction with the CIS Google Cloud 1.3.0 benchmark is different from previous CIS reports.
The notable changes are outlined below:
- All CIS 1.3.0 benchmark rules are enabled or disabled through the Policies page (see Enable the CIS Google Cloud 1.3.0 Benchmark).
- The Compliance > GCP > Reports page does not list this report, but will continue to list and display results for the older CIS Google Cloud benchmark reports.
- The Cloud Compliance Dashboard provides details for each assessment, including the CIS Google Cloud 1.3.0 report.
- The Reports page lists all reports that have been run in your environment, including a 90-day history for each report type on all your integrated accounts. The summary for each report can be viewed in the Console and downloaded in PDF format. See Reports for information.
See Reports and Use Cases for Cloud Compliance Dashboard for guidance on viewing similar sections and data.
Prerequisites
The following articles describe how to integrate your Google Cloud environment with the Lacework Compliance platform. Completing these will prepare your environment for the CIS Google Cloud 1.3.0 benchmark.
- Prepare for Google Cloud Integration
- Determine your Google Cloud Integration Type - The setup for the Configuration integration type must be completed in order to use the Lacework Compliance platform.
- Choose one of the following options:
Previous Integrations using Terraform
If you have previously integrated Google Cloud with Lacework using Terraform, re-run terraform init -upgrade, followed by terraform apply to upgrade modules.
The Cloud Asset Inventory and Essential Contacts endpoints are now required for the Google Cloud resource collections to work with the new benchmark (see API List for a full list of APIs needed for Google Cloud integrations).
As such, upgrade to the latest Terraform modules to ensure the necessary permissions are granted.
Previous Integrations using the Google Cloud Console
If you have previously integrated Google Cloud with Lacework manually using the Google Cloud Console, ensure that you enable the Cloud Asset Inventory and Essential Contacts APIs on projects that host the service account for the integrations (see API List for a full list of APIs needed for Google Cloud integrations).
See How to Enable the APIs for guidance.
Enable the CIS Google Cloud 1.3.0 Benchmark
All policies in the CIS Google Cloud 1.3.0 benchmark are enabled by default. You can disable or enable them using one of the following methods outlined in this section.
Enable or Disable Policies through the Lacework Console
On the Policies page, use the framework:cis-gcp-1-3-0 tag to filter for CIS Google Cloud 1.3.0 policies only.
You can enable or disable an individual policy using its status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Rules.
Bulk Enable or Disable Policies through the Lacework CLI
Enable or disable all the CIS Google Cloud 1.3.0 policies by using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-gcp-1-3-0
lacework policy disable --tag framework:cis-gcp-1-3-0
If you have not set up the CLI before, see the Lacework CLI guide to get started.
Automated vs Manual Rules
Lacework automates compliance rules where possible. For some of the benchmark rules, it is not possible to automate the rule check in a Google Cloud environment. These rules are called manual rules, and you must verify them manually.
Manual Rules (that were deemed automated)
The following table outlines the CIS Google Cloud 1.3.0 rules that cannot yet be automated, even though CIS classes them as "automated". As such, manual auditing of these rules in your Google Cloud environment is required.
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 1.6 | lacework-global-236 | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level. |
| 1.8 | lacework-global-294 | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users. |
| 1.11 | lacework-global-295 | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users. |
| 1.16 | lacework-global-243 | Ensure Essential Contacts is Configured for Organization. |
| 2.15 | lacework-global-299 | Ensure 'Access Approval' is 'Enabled'. |
Lacework intends to automate these rules in a future release except for Control ID 2.15 (lacework-global-299), which will stay as a manual rule.
Automated Rules (that were deemed manual)
In some cases, Lacework is able to automate CIS Google Cloud 1.3.0 benchmark rules that CIS classes as manual. The following table outlines these rules:
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 1.12 | lacework-global-296 | Ensure API Keys Are Not Created for a Project. |
| 1.13 | lacework-global-240 | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps. |
| 1.14 | lacework-global-241 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access. |
| 1.15 | lacework-global-242 | Ensure API Keys Are Rotated Every 90 Days. |
| 3.4 | lacework-global-260 | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC. |
| 3.5 | lacework-global-261 | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC. |
| 3.9 | lacework-global-490 | Ensure No SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites. |
| 6.2.1 | lacework-global-312 | Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter. |
| 6.2.4 | lacework-global-279 | Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately. |
| 6.2.6 | lacework-global-281 | Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning'. |
| 7.1 | lacework-global-292 | Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible. |
| 7.3 | lacework-global-314 | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets. |
Adjusted Rules
2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project
This rule has been split into three different policies to monitor at the project, folder, and organization levels separately.
The table below outlines each resulting policy and its new title:
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 2.1 | lacework-global-245 | Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project. |
| 2.1 | lacework-global-487 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From a Folder. |
| 2.1 | lacework-global-488 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From an Organization. |
The policy catalog only retains one entry for this rule, which is lacework-global-245.
2.2 Ensure That Sinks Are Configured for All Log Entries
This rule has been split into two different policies to check the following regarding Google Cloud sinks:
- There is at least one log sink with no filter configured (as this ensures all log entries are included).
- There is a destination that exists for the sink.
The table below outlines each resulting policy and its new title:
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 2.2 | lacework-global-246 | Ensure That Sinks Are Configured for All Log Entries. |
| 2.2 | lacework-global-489 | Ensure That Sink Destinations Exist. |
3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
This rule has been split into two different policies to monitor HTTPS and SSL Proxy Load Balancers separately.
The table below outlines each resulting policy and its new title:
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 3.9 | lacework-global-263 | Ensure No HTTPS Load Balancers Permit SSL Policies With Weak Cipher Suites. |
| 3.9 | lacework-global-490 | Ensure No SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites. |
The policy catalog only retains one entry for this rule, which is lacework-global-263.
4.4 Ensure Oslogin Is Enabled for a Project
This rule has been split into two different policies to check the following regarding OS Login:
- Checks for projects without OS Login enabled.
- Checks for VMs (instances) with OS Login disabled.
The table below outlines each resulting policy and its new title:
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 4.4 | lacework-global-267 | Ensure Oslogin Is Enabled for a Project. |
| 4.4 | lacework-global-498 | Ensure Oslogin Is Not Disabled on Instances. |
The policy catalog only retains one entry for this rule, which is lacework-global-267.
Determining Active Google Cloud API Keys for Certain Rules
For the following control IDs, Lacework pulls data on API keys from Google Cloud APIs. The data Google returns includes not only active API keys but also recently deleted API keys.
As such, the number of assessed resources in the policy assessment (and reports) may be greater than the number of API keys shown in your Google Cloud Console.
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 1.12 | lacework-global-296 | Ensure API Keys Are Not Created for a Project. |
| 1.13 | lacework-global-240 | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps. |
| 1.14 | lacework-global-241 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access. |
| 1.15 | lacework-global-242 | Ensure API Keys Are Rotated Every 90 Days. |
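To reconcile the assessed-resource count with what the console shows, the keys carrying a deletion timestamp need to be set aside before counting. The following Python is an added illustration, not Lacework's own check: it assumes the API Keys v2 Key resource marks soft-deleted keys with a deleteTime field, and the key records are constructed sample data, with the 90-day age test applied to active keys only in the spirit of rule 1.15.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of key records such as a list call that includes deleted
# keys might return. Field names follow the API Keys v2 Key resource (assumed);
# every value here is made up for this example.
SAMPLE_KEYS = [
    {"name": "projects/example-proj/locations/global/keys/key-a",
     "displayName": "web-frontend", "createTime": "2024-01-10T00:00:00Z"},
    {"name": "projects/example-proj/locations/global/keys/key-b",
     "displayName": "old-batch-job", "createTime": "2023-06-01T00:00:00Z"},
    {"name": "projects/example-proj/locations/global/keys/key-c",
     "displayName": "retired", "createTime": "2023-01-01T00:00:00Z",
     "deleteTime": "2024-02-20T12:00:00Z"},   # soft-deleted, still returned
]


def _parse_ts(ts):
    """Parse the RFC 3339 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def split_keys(keys):
    """Partition records into (active, deleted); deleted keys carry deleteTime."""
    active = [k for k in keys if "deleteTime" not in k]
    deleted = [k for k in keys if "deleteTime" in k]
    return active, deleted


def stale_active_keys(keys, now, max_age_days=90):
    """Names of active keys created more than max_age_days before `now`.

    Deleted keys are excluded first, so the count of findings lines up with
    the keys an operator actually sees in the console.
    """
    active, _ = split_keys(keys)
    cutoff = now - timedelta(days=max_age_days)
    return [k["name"] for k in active if _parse_ts(k["createTime"]) < cutoff]


if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)   # constructed "current" time
    active, deleted = split_keys(SAMPLE_KEYS)
    print(f"active={len(active)} deleted={len(deleted)} total={len(SAMPLE_KEYS)}")
    print("older than 90 days:", stale_active_keys(SAMPLE_KEYS, now))
```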
Organization vs Project Level Rules
The majority of the CIS Google Cloud benchmark rules are evaluated at the Project level; however, some are evaluated at the Organization level. As such, depending on your level of integration with Google Cloud, these Organization level rules may not display.
Policy Mapping for CIS Google Cloud 1.3.0
The CIS Google Cloud 1.3.0 rules are mapped to Lacework global policies. See the following sections for the mappings used.
1. Identity and Access Management (IAM)
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 1.1 | lacework-global-232 |
| 1.2 | lacework-global-233 |
| 1.3 | lacework-global-293 |
| 1.4 | lacework-global-234 |
| 1.5 | lacework-global-235 |
| 1.6 | lacework-global-236 |
| 1.7 | lacework-global-237 |
| 1.8 | lacework-global-294 |
| 1.9 | lacework-global-238 |
| 1.10 | lacework-global-239 |
| 1.11 | lacework-global-295 |
| 1.12 | lacework-global-296 |
| 1.13 | lacework-global-240 |
| 1.14 | lacework-global-241 |
| 1.15 | lacework-global-242 |
| 1.16 | lacework-global-243 |
| 1.17 | lacework-global-297 |
| 1.18 | lacework-global-244 |
2. Logging and Monitoring
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 2.1 | lacework-global-245 (Project), lacework-global-487 (Folder), lacework-global-488 (Organization) |
| 2.2 | lacework-global-246 (Configuration), lacework-global-489 (Existence) |
| 2.3 | lacework-global-298 |
| 2.4 | lacework-global-247 |
| 2.5 | lacework-global-248 |
| 2.6 | lacework-global-249 |
| 2.7 | lacework-global-250 |
| 2.8 | lacework-global-251 |
| 2.9 | lacework-global-252 |
| 2.10 | lacework-global-253 |
| 2.11 | lacework-global-254 |
| 2.12 | lacework-global-255 |
| 2.13 | lacework-global-256 |
| 2.14 | lacework-global-257 |
| 2.15 | lacework-global-299 |
3. Networking
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 3.1 | lacework-global-300 |
| 3.2 | lacework-global-258 |
| 3.3 | lacework-global-259 |
| 3.4 | lacework-global-260 |
| 3.5 | lacework-global-261 |
| 3.6 | lacework-global-301 |
| 3.7 | lacework-global-302 |
| 3.8 | lacework-global-262 |
| 3.9 | lacework-global-263 (HTTPS), lacework-global-490 (SSL Proxy) |
| 3.10 | lacework-global-303 |
4. Virtual Machines
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.1 | lacework-global-264 |
| 4.2 | lacework-global-265 |
| 4.3 | lacework-global-266 |
| 4.4 | lacework-global-267 (Project), lacework-global-498 (Instances) |
| 4.5 | lacework-global-268 |
| 4.6 | lacework-global-269 |
| 4.7 | lacework-global-304 |
| 4.8 | lacework-global-305 |
| 4.9 | lacework-global-306 |
| 4.10 | lacework-global-307 |
| 4.11 | lacework-global-308 |
| 4.12 | lacework-global-309 |
5. Storage
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.1 | lacework-global-270 |
| 5.2 | lacework-global-310 |
6. Cloud SQL Database Services
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 6.4 | lacework-global-271 |
| 6.5 | lacework-global-272 |
| 6.6 | lacework-global-311 |
| 6.7 | lacework-global-273 |
6.1 MySQL Database
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 6.1.1 | lacework-global-274 |
| 6.1.2 | lacework-global-275 |
| 6.1.3 | lacework-global-276 |
6.2 PostgreSQL Database
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 6.2.1 | lacework-global-312 |
| 6.2.2 | lacework-global-277 |
| 6.2.3 | lacework-global-278 |
| 6.2.4 | lacework-global-279 |
| 6.2.5 | lacework-global-280 |
| 6.2.6 | lacework-global-281 |
| 6.2.7 | lacework-global-282 |
| 6.2.8 | lacework-global-283 |
| 6.2.9 | lacework-global-284 |
6.3 SQL Server
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 6.3.1 | lacework-global-285 |
| 6.3.2 | lacework-global-286 |
| 6.3.3 | lacework-global-287 |
| 6.3.4 | lacework-global-288 |
| 6.3.5 | lacework-global-289 |
| 6.3.6 | lacework-global-290 |
| 6.3.7 | lacework-global-291 |
7. BigQuery
| CIS Google Cloud 1.3.0 Rule ID | Lacework Policy ID |
|---|---|
| 7.1 | lacework-global-292 |
| 7.2 | lacework-global-313 |
| 7.3 | lacework-global-314 |