The included Google checks are listed below. For more information about each check, see the link provided.
| Checks |
|---|
| google-bigquery-no-public-access BigQuery datasets should only be accessible within the organisation |
| google-compute-disk-encryption-customer-key Disks should be encrypted with Customer Supplied Encryption Keys |
| google-compute-disk-encryption-customer-keys Encrypted compute disk with unmanaged keys. |
| google-compute-disk-encryption-required The encryption key used to encrypt a compute disk has been specified in plaintext. |
| google-compute-enable-shielded-vm Instances should have Shielded VM enabled |
| google-compute-enable-vpc-flow-logs VPC flow logs should be enabled for all subnets |
| google-compute-no-default-service-account Instances should not use the default service account |
| google-compute-no-ip-forwarding Instances should not have IP forwarding enabled |
| google-compute-no-oslogin-override Instances should not override the project setting for OS Login |
| google-compute-no-plaintext-disk-keys Disk encryption keys should not be provided in plaintext |
| google-compute-no-plaintext-vm-disk-keys VM disk encryption keys should not be provided in plaintext |
| google-compute-no-project-wide-ssh-keys Disable project-wide SSH keys for all instances |
| google-compute-no-public-egress An outbound firewall rule allows traffic to /0. |
| google-compute-no-public-ingress An inbound firewall rule allows traffic from /0. |
| google-compute-no-public-ip Instances should not have public IP addresses |
| google-compute-no-serial-port Disable serial port connectivity for all instances |
| google-compute-project-level-oslogin OS Login should be enabled at project level |
| google-compute-use-secure-tls-policy SSL policies should enforce secure versions of TLS |
| google-compute-vm-disk-encryption-customer-key VM disks should be encrypted with Customer Supplied Encryption Keys |
| google-dns-enable-dnssec Cloud DNS should use DNSSEC |
| google-dns-no-rsa-sha1 Zone signing should not use RSA SHA1 |
| google-gke-enable-auto-repair Kubernetes should have ‘Automatic repair’ enabled |
| google-gke-enable-auto-upgrade Kubernetes should have ‘Automatic upgrade’ enabled |
| google-gke-enable-ip-aliasing Clusters should have IP aliasing enabled |
| google-gke-enable-master-networks Master authorized networks should be configured on GKE clusters |
| google-gke-enable-network-policy Network Policy should be enabled on GKE clusters |
| google-gke-enable-private-cluster Clusters should be set to private |
| google-gke-enable-stackdriver-logging Stackdriver Logging should be enabled |
| google-gke-enable-stackdriver-monitoring Stackdriver Monitoring should be enabled |
| google-gke-enforce-pod-security-policy Pod security policy enforcement not defined. |
| google-gke-metadata-endpoints-disabled Legacy metadata endpoints enabled. |
| google-gke-no-legacy-auth Clusters should use client certificates for authentication |
| google-gke-no-legacy-authentication Legacy client authentication methods utilized. |
| google-gke-no-public-control-plane GKE Control Plane should not be publicly accessible |
| google-gke-node-metadata-security Node metadata value disables metadata concealment. |
| google-gke-node-pool-uses-cos Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
| google-gke-node-shielding-enabled Shielded GKE nodes not enabled. |
| google-gke-use-cluster-labels Clusters should be configured with Labels |
| google-gke-use-rbac-permissions Legacy ABAC permissions are enabled. |
| google-gke-use-service-account Checks for service account defined for GKE nodes |
| google-iam-no-folder-level-default-service-account-assignment Roles should not be assigned to default service accounts |
| google-iam-no-folder-level-service-account-impersonation Users should not be granted service account access at the folder level |
| google-iam-no-org-level-default-service-account-assignment Roles should not be assigned to default service accounts |
| google-iam-no-org-level-service-account-impersonation Users should not be granted service account access at the organization level |
| google-iam-no-privileged-service-accounts Service accounts should not have roles assigned with excessive privileges |
| google-iam-no-project-level-default-service-account-assignment Roles should not be assigned to default service accounts |
| google-iam-no-project-level-service-account-impersonation Users should not be granted service account access at the project level |
| google-iam-no-user-granted-permissions IAM granted directly to user. |
| google-kms-rotate-kms-keys KMS keys should be rotated at least every 90 days |
| google-project-no-default-network Default network should not be created at project level |
| google-sql-enable-backup Enable automated backups to recover from data-loss |
| google-sql-enable-pg-temp-file-logging Temporary file logging should be enabled for all temporary files. |
| google-sql-encrypt-in-transit-data SSL connections to a SQL database instance should be enforced. |
| google-sql-mysql-no-local-infile Disable local_infile setting in MySQL |
| google-sql-no-contained-db-auth Contained database authentication should be disabled |
| google-sql-no-cross-db-ownership-chaining Cross-database ownership chaining should be disabled |
| google-sql-no-public-access Ensure that Cloud SQL Database Instances are not publicly exposed |
| google-sql-pg-log-checkpoints Ensure that logging of checkpoints is enabled. |
| google-sql-pg-log-connections Ensure that logging of connections is enabled. |
| google-sql-pg-log-disconnections Ensure that logging of disconnections is enabled. |
| google-sql-pg-log-errors Ensure that Postgres errors are logged |
| google-sql-pg-log-lock-waits Ensure that logging of lock waits is enabled. |
| google-sql-pg-no-min-statement-logging Ensure that logging of long statements is disabled. |
| google-storage-enable-ubla Ensure that Cloud Storage buckets have uniform bucket-level access enabled |
| google-storage-no-public-access Ensure that Cloud Storage bucket is not anonymously or publicly accessible. |
