Policy: GCP > CIS v3.0 > 4 - Virtual Machines

Targets

This policy targets the following resource types:

• GCP > Project

Primary Policy

This policy is used with the following primary policy:

• GCP > CIS v3.0

Related Policies

• 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
• 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
• 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
• 4.04 - Ensure Oslogin Is Enabled for a Project
• 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
• 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
• 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys
• 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
• 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
• 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
• 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
• 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
• Maximum Attestation Duration

Controls

Setting this policy configures these controls:

• GCP > CIS v3.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
• GCP > CIS v3.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects

Policy Specification

string

Per GCP > CIS v3.0

Category

• CIS

In Your Workspace

• Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/gcp-cisv3-0#/policy/types/s04

GraphQL

query policyType(id: "tmod:@turbot/gcp-cisv3-0#/policy/types/s04") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/gcp-cisv3-0#/policy/types/s04'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/gcp-cisv3-0#/policy/types/s04'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/gcp-cisv3-0#/policy/types/s04"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-cisv3-0#/policy/types/s04"