AC_GCP_0304 | Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | GCP | Data Protection | MEDIUM |
AC_GCP_0305 | Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0306 | Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0307 | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0308 | Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0309 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0310 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0311 | Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0312 | Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0313 | Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | GCP | Data Protection | MEDIUM |
AC_GCP_0314 | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | GCP | Identity and Access Management | HIGH |
AC_GCP_0315 | Ensure 'log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on' | GCP | Compliance Validation | LOW |
AC_GCP_0316 | Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' | GCP | Compliance Validation | LOW |
AC_GCP_0317 | Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' | GCP | Compliance Validation | LOW |
AC_GCP_0318 | Ensure That Sinks Are Configured for All Log Entries | GCP | Logging and Monitoring | LOW |
AC_GCP_0319 | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | GCP | Infrastructure Security | LOW |
AC_GCP_0323 | Ensure Compute Instances Are Launched With Shielded VM Enabled | GCP | Infrastructure Security | LOW |
AC_GCP_0327 | Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | GCP | Infrastructure Security | LOW |
AC_GCP_0330 | Ensure Essential Contacts is Configured for Organization | GCP | Logging and Monitoring | LOW |
AC_GCP_0336 | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | GCP | Identity and Access Management | LOW |
AC_GCP_0337 | Ensure Cloud Asset Inventory Is Enabled | GCP | Logging and Monitoring | MEDIUM |
AC_GCP_0347 | Ensure That the 'cloudsql.enable_pgaudit' Database Flag for Each Cloud SQL PostgreSQL Instance Is Set to 'on' for Centralized Logging | GCP | Compliance Validation | LOW |
AC_GCP_0358 | Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | GCP | Logging and Monitoring | LOW |
AC_GCP_0365 | Ensure API Keys Only Exist for Active Services | GCP | Security Best Practices | MEDIUM |
AC_GCP_0366 | Ensure API Keys Are Restricted to Only the APIs That the Application Needs Access To | GCP | Security Best Practices | MEDIUM |
AC_GCP_0367 | Ensure API Keys Are Rotated Every 90 Days | GCP | Security Best Practices | MEDIUM |
AC_GCP_0368 | Ensure Logging is enabled for HTTP(S) Load Balancer | GCP | Security Best Practices | MEDIUM |
AC_GCP_0370 | Ensure Instance IP assignment is set to private | GCP | Compliance Validation | LOW |
AC_GCP_0371 | Ensure That the Default Network Does Not Exist in a Project - google_compute_network | GCP | Infrastructure Security | LOW |
AC_K8S_0001 | Configure Image Provenance using ImagePolicyWebhook admission controller | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0002 | Ensure HTTPS is enabled on Kubernetes Ingress resource | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0003 | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | Infrastructure Security | LOW |
AC_K8S_0004 | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | Logging and Monitoring | LOW |
AC_K8S_0005 | Ensure that the Anonymous Auth is Not Enabled | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0006 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0007 | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0008 | Ensure that a Client CA File is Configured | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0009 | Ensure that the --rotate-certificates argument is not present or is set to true | Kubernetes | Data Protection | MEDIUM |
AC_K8S_0010 | Ensure that the --read-only-port is disabled | Kubernetes | Identity and Access Management | LOW |
AC_K8S_0011 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | Compliance Validation | LOW |
AC_K8S_0012 | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | Identity and Access Management | LOW |
AC_K8S_0013 | Ensure an owner key with proper label is set for Kubernetes namespace | Kubernetes | Security Best Practices | LOW |
AC_K8S_0014 | Ensure Kubernetes Network policy does not allow ingress from public IPs to query DNS | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0015 | Ensure Kubernetes Network policy does not allow ingress from public IPs to SSH | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0016 | Ensure Kubernetes Network policy does not allow ingress from public IPs to access SQL servers | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0017 | Ensure Kubernetes Network policy does not allow ingress from public IPs to access Redis servers | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0018 | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0019 | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | Compliance Validation | MEDIUM |
AC_K8S_0020 | Ensure kube-controller-manager (affected versions of kube-controller-manager: v1.18.0, v1.17.0 - v1.17.4, v1.16.0 - v1.16.8, and v1.15.11) are not vulnerable to CVE-2020-8555 | Kubernetes | Data Protection | MEDIUM |
AC_K8S_0021 | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | Compliance Validation | MEDIUM |