This bundle can be installed via kpt:

```shell
export BUNDLE=cis-v1.1
kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
kpt fn source policy-library/samples/ | \
  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
  kpt fn sink policy-library/policies/constraints/
```
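The pipeline above filters the sample constraints down to the ones tagged for the bundle and writes them into the `constraints/` directory. The following is an added example, not code from the policy-library project: it reproduces that filtering step offline so you can check, after installing, which constraints actually landed and which control each maps to. It assumes that bundle membership is expressed as a metadata annotation with key `bundles.validator.forsetisecurity.org/<bundle>` and the control number as its value; the three sample manifests it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the policy-library project). Offline check of a
# constraints directory against a bundle name. Assumption: bundle membership is
# the annotation bundles.validator.forsetisecurity.org/<bundle>: <control>.
set -eu

# Write three constructed constraint manifests into $1: two tagged for
# cis-v1.1 and one (custom_label) that belongs to no bundle.
make_sample_constraints() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/cmek_rotation.yaml" <<'EOF'
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPCMEKRotationConstraintV1
metadata:
  name: cmek_rotation
  annotations:
    description: Checks that CMEK rotation policy is in place and is sufficiently short.
    bundles.validator.forsetisecurity.org/cis-v1.1: "1.08"
EOF
  cat > "$dir/forbid_external_ip.yaml" <<'EOF'
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPExternalIpAccessConstraintV1
metadata:
  name: forbid_external_ip
  annotations:
    description: Checks if Compute Engine instances have public IPs.
    bundles.validator.forsetisecurity.org/cis-v1.1: "4.08"
EOF
  cat > "$dir/custom_label.yaml" <<'EOF'
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPResourceLabelsConstraintV1
metadata:
  name: custom_label
  annotations:
    description: Constructed constraint that belongs to no bundle.
EOF
}

# Print "<constraint name> <control>" for every manifest in $1 that carries the
# annotation for bundle $2, sorted by constraint name. Manifests without the
# annotation are skipped, which is what get-policy-bundle does with them.
bundle_controls() {
  dir="$1"; bundle="$2"
  for f in "$dir"/*.yaml; do
    # Extract the annotation value, with or without surrounding double quotes.
    control=$(sed -n 's|^ *bundles.validator.forsetisecurity.org/'"$bundle"': *"\{0,1\}\([^"]*\)"\{0,1\} *$|\1|p' "$f")
    [ -n "$control" ] || continue
    name=$(sed -n 's/^  name: *//p' "$f" | head -n 1)
    printf '%s %s\n' "$name" "$control"
  done | sort
}

# List manifests in $1 that have no annotation for bundle $2. Run against the
# sink directory after the kpt pipeline, this should print nothing.
untagged_constraints() {
  dir="$1"; bundle="$2"
  for f in "$dir"/*.yaml; do
    grep -q "bundles.validator.forsetisecurity.org/$bundle:" "$f" || basename "$f"
  done
}

# Demo on the constructed samples.
SAMPLE_DIR=$(mktemp -d)
make_sample_constraints "$SAMPLE_DIR"
echo "Constraints in bundle cis-v1.1 (name control):"
bundle_controls "$SAMPLE_DIR" cis-v1.1
echo "Not in the bundle (dropped by get-policy-bundle):"
untagged_constraints "$SAMPLE_DIR" cis-v1.1
```

To use it on a real install, point `bundle_controls` and `untagged_constraints` at `policy-library/policies/constraints/` with the bundle name you exported; the first output can be compared against the control column of the table below, and the second should be empty.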
Constraint | Control | Description |
---|---|---|
block_serviceaccount_token_creator | 1.0X | Ban any users from being granted Service Account Token Creator access |
cmek_rotation | 1.08 | Checks that CMEK rotation policy is in place and is sufficiently short. |
compute-enable-oslogin-project | 4.04 | Verifies that all VMs in a project have OS login enabled. |
compute_block_ssh_keys | 4.03 | Checks if "Block Project-wide SSH keys" is enabled for VM instances |
deny_role | 1.05 | Ban any users from being granted Service Account User access |
disable_gke_dashboard | 7.06 | Ensure Kubernetes web UI / Dashboard is disabled |
disable_gke_default_service_account | 7.17 | Ensure default Service account is not used for Project access in Kubernetes Clusters |
disable_gke_legacy_abac | 7.03 | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
dnssec_prevent_rsasha1_ksk | 3.04 | Ensure that RSASHA1 is not used for key-signing key in Cloud DNS |
dnssec_prevent_rsasha1_zsk | 3.05 | Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS |
enable_alias_ip_ranges | 7.13 | Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
enable_auto_repair | 7.07 | Ensure automatic node repair is enabled on all node pools in a GKE cluster |
enable_auto_upgrade | 7.08 | Ensure automatic node upgrades are enabled on Kubernetes Engine cluster nodes |
enable_gke_master_authorized_networks | 7.04 | Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
enable_gke_stackdriver_kubernetes_engine_monitoring | 7.01 | Ensure Stackdriver Kubernetes Engine Monitoring is enabled |
enable_network_flow_logs | 3.09 | Ensure VPC Flow Logs are enabled for every subnet in the VPC network |
enable_network_private_google_access | 3.08 | Ensure Private Google Access is enabled for all subnetworks in the VPC |
forbid_external_ip | 4.08 | Checks if Compute Engine instances have public IPs. |
forbid_ip_forward | 4.04 | Checks if a VM has IP forwarding turned on. |
gke_container_optimized_os | 7.09 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters |
gke_restrict_client_auth_methods | 7.12 | Checks that client certificate and password authentication methods are disabled for GKE clusters. |
iam-restrict-service-account-key-age-ninety-days | 1.06 | Checks if service account keys are older than 90 days. |
iam_restrict_service_account_key_type | 1.03 | Checks if any service accounts have user created keys. |
prevent-public-ip-cloudsql | 6.05 | Prevents a public IP from being assigned to a Cloud SQL instance. |
require_bq_table_iam | 5.03 | Checks if BigQuery datasets are readable by allUsers (public) or by allAuthenticatedUsers. |
require_bucket_policy_only | 5.02 | Checks if Cloud Storage buckets have Bucket Policy Only turned on. |
require_sql_ssl | 6.01 | Checks if Cloud SQL instances have SSL turned on. |
restrict-firewall-rule-rdp-world-open | 3.07 | Checks for open firewall rules allowing RDP from the internet. |
restrict-firewall-rule-ssh-world-open | 3.06 | Checks for open firewall rules allowing SSH from the internet. |
restrict_gmail | 1.01 | Enforce corporate domain by banning gmail.com addresses |
sql-world-readable | 6.02 | Checks if Cloud SQL instances are world readable. |