GCP Recommendations

CloudSpend's Recommendations Report offers tailored insights to fine-tune your cloud resources and provides recommendations to optimize costs and improve fault tolerance and performance. The cost, availability, and security recommendation checks, grouped by GCP service, are given below.

Cost recommendations

The cost recommendations available for the GCP services are provided below.

Cloud SQL

1. Enable Automatic Storage Increase (Priority: Moderate)
Baseline: If Automated Backups are enabled, the storage limit will be increased (permanently) whenever your resource nears full capacity.
Recommendation: In the Edit Configurations section, check whether the automatic storage increase is enabled under Storage settings.

Compute Engine - VM

1. Unlabeled compute instances (Priority: Low)
Baseline: Checks whether the instance labels are empty.
Description: GCP allows users to assign metadata in the form of labels (key-value pairs) to better track and manage instances. Organizations come up with relevant label groupings and practical labeling strategies to manage their VM resource farm efficiently.
Recommendation: Create a labeling strategy adhering to the GCP best practices.

Google Kubernetes Engine

1. Unlabeled clusters (Priority: Low)
Baseline: Checks whether the cluster labels are empty.
Description: As Google Cloud projects grow in complexity, user-defined labels enhance visibility and organization. Strategically labeling GKE clusters streamlines management and simplifies searching for and grouping related services, like production, staging, and development, for efficient control.
Recommendation: Create a labeling strategy adhering to Google Cloud best practices.

Cloud Run Functions (formerly Cloud Functions)

1. Cloud Run Functions - Unlabeled functions (Priority: Low)
Baseline: Checks whether the functions have user-defined labels.
Description: Assigning labels to Cloud Run Functions helps in the better management and organization of resources. Labels can be used for cost tracking, resource grouping, and applying policies.
Recommendation: Create and assign labels to your Cloud Run Functions to improve resource management and organization.

Cloud Run

1. Cloud Run - Unlabeled services (Category: Cost, Priority: Low)
Baseline: Checks whether the service labels are empty.
Description: As GCP projects grow in complexity, user-defined labels enhance visibility and organization. Strategically labeling Cloud Run services streamlines management, simplifies searches, and groups related services, such as production, staging, and development, for efficient control.
Recommendation: Create a labeling strategy adhering to GCP best practices.

Cloud Storage

1. Cloud Storage - Enable life cycle management (Priority: Moderate)
Baseline: Checks whether life cycle management policies are disabled for your GCP storage buckets.
Description: Life cycle management policies help manage the life cycle of objects in your storage buckets, such as transitioning objects to different storage classes or deleting them after a certain period.
Recommendation: Implement life cycle management policies to optimize storage costs and manage object life cycles effectively.

Availability recommendations

The availability recommendations available for the GCP services are provided below.

Cloud SQL

1. Enable Automated Backups (Priority: High)
Baseline: Automated backups ensure the protection of your valuable data by creating regular, scheduled backups of your Cloud SQL databases. In case of accidental data loss, database corruption, or other unforeseen issues, you can easily restore your data to its previous state.
Recommendation: In the Backups section, check whether Automated Backups are enabled.

2. Enable High Availability (Priority: High)
Baseline: Checks the instances that are configured with ZONAL availability.
Description: Data redundancy is maintained during planned maintenance or outages by enabling a High Availability (HA) configuration or database cluster in Google Cloud SQL. Because it operates across both a primary and a secondary zone within the designated Google Cloud region, a Cloud SQL instance configured for high availability is referred to as a regional instance.
Recommendation: Make sure that HA and automatic failover support are set up for all of your production and mission-critical Google Cloud SQL database instances.

3. Enable Point-in-Time Recovery (Priority: Moderate)
Baseline: Checks the instances that do not have the Point-in-Time Recovery flag configured.
Description: Point-in-Time Recovery (PITR) allows you to restore a Google Cloud MySQL database instance to a precise moment, even down to the exact second. This feature is particularly valuable if data loss occurs due to an error or if the database becomes corrupted, enabling you to revert the database to its operational state before the issue.
Recommendation: Ensure that the Point-in-Time Recovery (PITR) feature is enabled for all MySQL database instances in your GCP account. This allows you to restore data from a specific point in time while maintaining cost efficiency. Before enabling PITR, ensure that automated backups and binary logging are both activated for your MySQL database instances.

Compute Engine - VM

1. Underutilized Compute instance (Priority: Moderate)
Baseline: Checks the resource utilization of Google Compute Engine instances and labels them as underutilized if the CPU usage is less than 2% for the past 48 hours.
Recommendation: For Google Compute Engine, you are billed based on the instance type and the number of consumed hours. You can lower your costs by identifying and stopping underutilized instances. In addition, Site24x7's Guidance Report also shows the Current Machine Type and recommends the instance type (Suggested Machine Type) that you can downgrade to for further cost savings.

2. High utilized Compute instance (Priority: High)
Baseline: Checks the performance counters for GCP Compute and identifies instances that appear to be highly utilized.
Description: A Compute instance is deemed overutilized if it meets the following criteria:
Recommendation: Consider changing the instance size or adding the instance to an autoscaling group.

3. Compute maintenance configuration (Priority: High)
Baseline: Checks whether the instance's On host maintenance option is marked as TERMINATE.
Description: Google Cloud Compute Engine enables VM instances to be migrated during infrastructure maintenance without any downtime. Set the On host maintenance option under the Availability policies to Migrate to ensure VMs are moved to new hardware.
Recommendation: Configure VM instances for live migration to ensure that they are moved to a new host, preventing downtime during maintenance.

4. Preemptible instances (Priority: High)
Baseline: Checks whether the instance's preemptible flag is enabled.
Description: Preemptible instances are cost-effective, short-lived VMs that Google Cloud can stop at any moment. Designed for interruptible workloads, they provide substantial cost savings but have a maximum runtime of 24 hours.
Recommendation: To ensure that your instances are not preemptible, follow these steps:

5. Auto restart disabled instances (Priority: Moderate)
Baseline: Checks whether the instance's automaticRestart flag is enabled.
Description: The Google Cloud Compute Engine service may stop due to non-user-initiated reasons, including maintenance events, hardware issues, and software failures.
Recommendations:

6. Stopped instances (Priority: Moderate)
Baseline: Checks whether stopped instances have been present for more than the allowed number of days.
Description: When instances are stopped, you can still be charged for storage. However, when you terminate them, you are freed of all charges. Additionally, if an instance has not run for a specified time, it can pose a high risk since the instance may not be actively maintained.
Recommendation: Ensure that there are no stopped instances after the specified period.

Compute Engine - Disks

1. Unattached Disks (Priority: Moderate)
Baseline: Checks the Compute Engine disk configuration for an associated instance ID.
Description: Compute Engine disks can persist independently even after instance termination or after you explicitly unmount and detach the volume from the instance. Unattached volumes are still charged based on the provisioned storage and for input/output operations per second (IOPS).
Recommendation: Associate the configured Compute Engine disks with an active instance or delete the disk.

Kubernetes Cluster

1. Enable auto repair cluster nodes (Priority: Moderate)
Baseline: Checks whether the cluster node auto repair property is disabled.
Description: Auto-repair helps maintain the health of your GKE cluster nodes. When enabled, GKE periodically checks the health of each node, and if a node fails multiple health checks within a set timeframe, GKE automatically initiates a repair process.
Recommendation: Enable the auto-repair feature for all GKE cluster nodes to maintain their health and ensure smooth operation.

Filestore

1. Restrict unauthorized access (Priority: High)
Baseline: Checks whether Filestore's access control is restricted to an IP address or range.
Description: By default, Filestore allows unrestricted access for clients in the same project and VPC network, which can result in data breaches. To enhance security, implement IP-based access control to limit access to trusted IP addresses and block all others.
Recommendation: Ensure that you establish trusted IP addresses or ranges to prevent any unauthorized access to sensitive data.

Cloud Run Functions (formerly Cloud Functions)

1. Enable CMEKs (Priority: High)
Baseline: Checks whether the functions' CMEKs are configured.
Description: Google Cloud automatically encrypts stored data with Google-managed keys. For additional control, consider using CMEKs through Cloud KMS for secure key management, rotation, and revocation.
Recommendation: Use CMEKs instead of Google-managed encryption keys for greater control and compliance.

2. Minimum instance configuration (Priority: Moderate)
Baseline: Checks whether the functions are configured with minimum instance settings.
Description: Cloud Run functions can experience cold starts, increasing latency. To minimize this, set a minimum number of function instances. This ensures faster response times and better reliability by keeping some instances warm and ready. This is important for production workloads with consistent traffic or low-latency needs.
Recommendation: Reduce cold start times and improve performance by setting enough warm instances for Cloud Run functions.

Cloud Run

1. Cloud Run - Enable end-to-end HTTP/2 (Priority: Moderate)
Baseline: Checks whether end-to-end HTTP/2 is disabled for Cloud Run services.
Description: Enabling end-to-end HTTP/2 improves performance by allowing multiplexing of requests and reducing latency, which can enhance the user experience for applications running on Cloud Run.
Recommendation: Enable end-to-end HTTP/2 for your Cloud Run services to improve performance and reduce latency.

2. Cloud Run - Minimum instances (Priority: Moderate)
Baseline: Checks whether the minimum number of instances is configured for Cloud Run services.
Description: Configuring the minimum number of instances helps to ensure that your Cloud Run services are always available and can handle sudden spikes in traffic.
Recommendation: Set a minimum number of instances for your Cloud Run services to ensure availability and handle traffic spikes effectively.

Cloud Storage

1. Cloud Storage - Enable versioning (Priority: Moderate)
Baseline: Checks whether versioning is enabled for your GCP storage buckets.
Description: Enabling versioning helps protect against accidental deletions and overwrites by keeping multiple versions of an object.
Recommendation: Enable versioning for your storage buckets to protect against data loss and maintain object history.

Security recommendations

The security recommendations available for the GCP services are provided below.

Compute Engine - VM

1. VM instance deletion protection (Priority: High)
Baseline: Checks the configuration of VM instances to see whether the Deletion protection option is enabled in the GCP console.
Description: To protect your instance from accidental deletion, you can enable the Deletion protection option in the GCP console.
Recommendation: The Deletion protection option is disabled by default. Enable this option to prevent unexpected instance termination.

2. Public IP instances (Priority: High)
Baseline: Checks whether the network interface's External IPv4 is assigned and named External NAT.
Description: Assigning public IP addresses to your Google Cloud Compute Engine instances can expose them to unnecessary security risks.
Recommendation: Consider using any of the alternate approaches below instead of a public IP.
3. Auto-delete for attached disks (Priority: Moderate)
Baseline: Checks whether the instance's attached disks have the autoDelete flag enabled.
Description: By default, Google Cloud deletes persistent disks when a Compute Engine instance is deleted. This may result in unintentional data loss.
Recommendations:

4. IP forwarding for VM instances (Priority: Moderate)
Baseline: Checks whether the instance's IP forwarding flag is enabled.
Description: IP forwarding allows a VM to route traffic between different networks. When enabled, the VM can forward packets from one network to another, acting like a router.
Recommendations:

5. Interactive serial console support (Priority: Moderate)
Baseline: Checks whether the instance metadata's serial-port-enable key is set to True.
Description: IP-based access controls are not supported by the interactive serial console. Enabling it allows anyone with the correct username, SSH key, project ID, instance name, and zone to attempt a connection, regardless of their IP address.
Recommendation: You can explicitly disable it by setting the serial-port-enable key to False.

Kubernetes Cluster

1. Enable Integrity Monitoring for Cluster Nodes (Priority: Moderate)
Baseline: In the Google Cloud console's Security section, check the Integrity monitoring feature status. Ensure that the Integrity Monitoring feature is enabled for your Google Kubernetes Engine (GKE) cluster nodes in order to monitor and automatically check the runtime boot integrity of your shielded cluster nodes using the Google Cloud Monitoring service.
Recommendation: Enable Integrity Monitoring for Cluster Nodes.

2. Configure Shielded GKE Cluster Nodes (Priority: Moderate)
Baseline: Ensure that your Google Kubernetes Engine (GKE) cluster pool nodes are shielded in order to provide a strong cryptographic identity. This limits the ability of an attacker to impersonate a node in your GKE cluster even if the attacker is able to extract the node credentials.
Recommendation: Configure Shielded GKE Cluster Nodes. Check the Shielded GKE Nodes configuration attribute value.

3. Restrict Network Access to GKE Clusters (Priority: Moderate)
Baseline: Adding master authorized networks can provide network-level protection and additional security benefits for your Google Kubernetes Engine (GKE) cluster. Authorized networks grant access to a specific set of trusted IP addresses, such as those that originate from a secure network. This can help protect access to your GKE cluster in case of a vulnerability in the cluster's authentication or authorization mechanism.
Recommendation: Check the Master authorized networks attribute value. If the Master authorized networks value is set to Disabled, anyone on the Internet can make network connections to the cluster control plane.

4. Enable release channel for version upgrade (Priority: Moderate)
Baseline: Checks whether the cluster has its release channel configured as Rapid.
Description: Google Kubernetes Engine (GKE) release channels automatically choose cluster versions to maintain a balance between new features and stability. The Stable channel offers fewer updates for proven reliability, ideal for production. The Regular channel provides more frequent updates with newer features but less validation. All channels receive critical security patches.
Recommendation: To simplify version management and automate GKE cluster upgrades, subscribe to the Regular or Stable release channel.

5. Enable auto-upgrade cluster nodes (Priority: Moderate)
Baseline: Checks whether the cluster node auto upgrade property is disabled.
Description: Turning on auto-upgrades for your GKE cluster nodes streamlines upgrade management by automatically and securely updating Kubernetes to the latest supported version. This ensures access to the most recent security fixes, features, and enhancements.
Recommendation: Enable the auto-upgrade feature for all nodes in your GKE clusters to ensure they stay up to date with the latest supported Kubernetes version.

Cloud SQL

1. Check for MySQL Major Version (Priority: Moderate)
Baseline: Ensure that your Google Cloud MySQL database instances are using the latest major version of the MySQL database in order to receive the latest database features and benefit from enhanced performance and security.
Recommendation: Upgrade the database version.

2. Check for PostgreSQL Major Version (Priority: Moderate)
Baseline: Ensure that your Google Cloud PostgreSQL database instances are using the latest major version of the PostgreSQL database in order to receive the latest database features and benefit from enhanced performance and security.
Recommendation: Upgrade the database version.

3. Rotate server certificate (Priority: High)
Baseline: Checks whether the instance's serverCaCert expiration time is less than 30 days away.
Description: If the SSL/TLS protocol is mandatory for all incoming connections to Cloud SQL database instances, access is restricted to authenticated clients with valid SSL certificates. Failure to renew (rotate) SSL certificates before they expire will render them invalid, potentially disrupting secure communication between clients and database instances.
Recommendation: Make sure to rotate all server certificates configured for your Cloud SQL database instances before they expire. This helps maintain secure incoming connections and ensures that web clients use valid SSL certificates to access your databases.

4. Enable customer-managed encryption (Priority: High)
Baseline: Checks whether the instances are encrypted using Customer Master Keys (CMKs) instead of GCP-managed keys.
Description: Google Cloud SQL encrypts data at rest using Google-managed keys by default, without any user intervention. However, if you require full control over encryption, you can use CMKs through Cloud Key Management Service (Cloud KMS), which is ideal for sensitive or mission-critical data, especially in enterprise environments with strict security and compliance needs.
Recommendation: Ensure that your Google Cloud SQL database instances are encrypted with CMKs to enhance control over your data's encryption and decryption processes. You can create and manage these CMKs through Cloud KMS, which offers secure and efficient key management, along with controlled key rotation and revocation features.

5. Allow SSL/TLS connections only (Priority: Moderate)
Baseline: Checks whether the instances allow connections in unencrypted mode.
Description: When Cloud SQL database connections are vulnerable to Man-in-the-Middle (MITM) attacks, sensitive data like user credentials, queries, and results can be exposed. To protect data in transit, it is strongly advised to enforce SSL/TLS for all incoming connections to Cloud SQL database instances, especially when using public IP addresses.
Recommendation: Ensure that SSL/TLS encryption is applied to all incoming connections to your Cloud SQL database instances to prevent unauthorized access and eavesdropping. To enforce SSL/TLS, configure the SSL enforcement mode to "ENCRYPTED_ONLY" for all SQL database instances.

6. Public IP enabled SQL instances (Priority: Moderate)
Baseline: Checks whether any of the instance's ipAddress types is configured as PRIMARY.
Description: Each Google Cloud SQL database instance is assigned a public IP address by default. To minimize the attack surface of your application, it is recommended to use only private IPs for Cloud SQL databases. Private IPs enhance cloud network security and reduce latency for your database applications.
Recommendation: Ensure that your Google Cloud SQL database instances are configured to use private IP addresses instead of public IPs to enhance security and reduce exposure to potential threats.

7. Publicly accessible SQL instances (Priority: Moderate)
Baseline: Checks whether the instance is configured as IPv4 enabled and the authorized network IP address is a wildcard.
Description: Allowing public access (e.g., 0.0.0.0/0) to an SQL database instance lets any IPv4 client attempt to log in, though valid credentials are still required. To reduce the attack surface, only trusted IPs and networks should be allowed access.
Recommendation: Make sure that your Google Cloud SQL database instances are set up to accept connections only from authorized IP addresses and trusted networks.

8. Delete protection disabled instances (Priority: High)
Baseline: Checks whether the instance's configuration has delete protection disabled.
Description: Instance deletion protection enables you to prevent the accidental removal of existing and new instances. Using instance deletion protection, you can safeguard instances that are important to your applications and services.
Recommendation: Enable delete protection to prevent accidental instance removal.

Google Kubernetes Engine

1. Enable critical notifications (Priority: Moderate)
Baseline: Checks whether the cluster's Pub/Sub notifications are disabled.
Description: Configuring Google Kubernetes Engine (GKE) cluster notifications via Pub/Sub ensures timely alerts for upgrades, security updates, and new releases, minimizing downtime and keeping you informed of risks and optimization opportunities.
Recommendation: Enable critical alert notifications for your GKE clusters to receive essential Pub/Sub messages from Google Cloud regarding upgrades, security updates, and other important information.

2. Enable intranode visibility (Priority: Moderate)
Baseline: Checks whether the cluster's intranode visibility is disabled.
Description: Intranode visibility routes all pod-to-pod traffic through the Google Cloud Virtual Private Cloud (VPC) network, even on the same node, ensuring consistent firewall rules, flow logs, and packet mirroring.
Benefits:
Recommendation: Enable intranode visibility on your GKE clusters to monitor and secure intranode pod traffic using VPC flow logs and tools.

3. Enable workload vulnerability scanning (Priority: Moderate)
Baseline: Checks whether the cluster's workload vulnerability scanning is disabled.
Description: Enable GKE workload vulnerability scanning to detect and fix security issues in container images and packages, reducing risks. Choose basic or advanced scanning, with a scanning pod deployed to each node.
Recommendation: Enable workload vulnerability scanning for your GKE clusters to identify vulnerabilities in container images, ensure security compliance, and safeguard your clusters from potential threats.

4. Enable cluster logging (Priority: Moderate)
Baseline: Checks whether the cluster's logging feature is disabled.
Description: Cloud Logging, a GKE add-on, collects logs and metrics and sends them to a remote aggregator, reducing tampering risks. It provides insights into cluster health, performance, and security, aiding troubleshooting, proactive maintenance, and compliance.
Recommendation: Enable logging for your GKE clusters to collect logs from your Kubernetes applications and the underlying GKE infrastructure.

5. Enable cluster monitoring (Priority: Moderate)
Baseline: Checks whether the cluster's monitoring feature is disabled.
Description: Cloud Monitoring, a GKE add-on, collects metrics from applications and infrastructure. Without it, identifying performance issues, security threats, and failures is challenging. Enabling monitoring provides insights into cluster health, reliability, and performance, aiding troubleshooting, proactive maintenance, and compliance.
Recommendation: Make sure to enable Cloud Monitoring for your GKE clusters to gather metrics from both your Kubernetes applications and the underlying GKE infrastructure supporting them.

6. Enable the security posture feature (Priority: Moderate)
Baseline: Checks whether the cluster's security posture feature is disabled.
Description: Security posture auditing evaluates GKE workloads against best practices, providing a centralized view of vulnerabilities to help you address issues proactively. It ensures a secure containerized environment and is available only for GKE Enterprise edition clusters.
Recommendation: Enable the Security Posture dashboard for your GKE clusters. It integrates with Cloud Logging, Policy Controller, and Binary Authorization to identify vulnerabilities, misconfigurations, and compliance risks, enhancing security and adherence to regulations.

Filestore

1. Enable deletion protection (Priority: Moderate)
Baseline: Checks whether Filestore's deletion protection is disabled.
Description: With deletion protection enabled, your Filestore instances are safeguarded from accidental deletion. This prevents users from deleting instances via the Google Cloud console, CLI, or API unless the feature is explicitly disabled.
Recommendation: Enable the deletion protection feature in your Filestore instances to prevent accidental deletion.

2. Configure on-demand backup and restoration (Priority: Moderate)
Baseline: Checks whether Filestore's on-demand backup and restoration are configured.
Description: On-demand Filestore backups are stored externally, with the first backup being a full copy and subsequent ones capturing only changes. They provide essential data protection by enabling point-in-time recovery and quick restoration in case of accidental deletion, corruption, or disasters, ensuring minimal downtime and business continuity.
Recommendation: Utilize on-demand backup and restoration for Filestore to improve data protection, aid in disaster recovery, and adhere to compliance regulations without affecting the provisioned capacity or application performance.

3. Enable customer-managed encryption keys (Priority: High)
Baseline: Checks whether Filestore's customer-managed encryption keys (CMEKs) are configured.
Description: Google Cloud automatically encrypts stored data with Google-managed keys. For additional control, consider using CMEKs through Google Cloud Key Management Service (KMS) for secure key management, rotation, and revocation. CMEKs are not supported for GKE's Basic tier.
Recommendation: Use CMEKs instead of Google-managed encryption keys for greater control and security compliance.

Cloud KMS

1. Cloud KMS | Key rotation (Priority: Low)
Baseline: Checks whether the Cloud KMS key rotation interval is less than 90 days.
Description: Rotate Cloud KMS keys every 90 days to align with security and compliance requirements. These keys are used for encrypting and decrypting data, and new versions with updated key material are automatically created at set intervals for rotation.
Recommendation: User-managed Cloud KMS keys are powerful but risky if mishandled. Optimal rotation reduces the chance of compromise. Rotating a key keeps its previous version active for decrypting older data.
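The key rotation check above, implemented as an added example (not CloudSpend's own code). It assumes each key is the JSON shape the Cloud KMS API returns for a CryptoKey (`purpose`, `rotationPeriod` as a seconds string such as "7776000s", `nextRotationTime` in RFC 3339) and runs against constructed sample keys; it also treats a past `nextRotationTime` as a finding, which goes slightly beyond the 90-day interval check.

```python
"""Check Cloud KMS CryptoKey resources against the 90-day rotation baseline.

Added example, not CloudSpend's code. Input is the CryptoKey JSON shape
returned by the Cloud KMS API; the sample keys at the bottom are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_ROTATION_INTERVAL = timedelta(days=90)
# Fixed "now" so the constructed sample below evaluates the same way on every run.
AS_OF = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_duration(value):
    """Parse an API duration such as "7776000s" (optionally fractional) into a timedelta."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)s", value)
    if not m:
        raise ValueError(f"unexpected duration format: {value!r}")
    return timedelta(seconds=float(m.group(1)))


def parse_rfc3339(ts):
    """Parse an API timestamp; fractional seconds are dropped and 'Z' mapped to UTC."""
    ts = re.sub(r"\.\d+", "", ts).replace("Z", "+00:00")
    return datetime.fromisoformat(ts)


def check_key_rotation(key, now=AS_OF):
    """Return (status, reason); status is 'OK', 'FLAGGED' or 'N/A'."""
    # Automatic rotation exists only for symmetric keys; asymmetric keys get new
    # versions manually, so the 90-day interval check does not apply to them.
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        return "N/A", "automatic rotation applies only to ENCRYPT_DECRYPT keys"
    period = key.get("rotationPeriod")
    if not period:
        return "FLAGGED", "no rotation period configured"
    interval = parse_duration(period)
    if interval > MAX_ROTATION_INTERVAL:
        return "FLAGGED", f"rotation interval of {interval.days} days exceeds 90 days"
    next_rotation = key.get("nextRotationTime")
    if next_rotation and parse_rfc3339(next_rotation) < now:
        return "FLAGGED", "nextRotationTime is in the past; check the rotation schedule"
    return "OK", f"rotates every {interval.days} days"


def audit_keys(keys, now=AS_OF):
    """Map each key's short name to its rotation status."""
    return {k["name"].rsplit("/", 1)[-1]: check_key_rotation(k, now)[0] for k in keys}


# Constructed sample keys (placeholder project and ring names, not real resources).
_PREFIX = "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/"
SAMPLE_KEYS = [
    {"name": _PREFIX + "app-data", "purpose": "ENCRYPT_DECRYPT",
     "rotationPeriod": "7776000s", "nextRotationTime": "2025-08-15T00:00:00Z"},
    {"name": _PREFIX + "legacy-data", "purpose": "ENCRYPT_DECRYPT",
     "rotationPeriod": "31536000s", "nextRotationTime": "2026-03-01T00:00:00Z"},
    {"name": _PREFIX + "no-rotation", "purpose": "ENCRYPT_DECRYPT"},
    {"name": _PREFIX + "stalled", "purpose": "ENCRYPT_DECRYPT",
     "rotationPeriod": "2592000s", "nextRotationTime": "2025-01-01T00:00:00.123456Z"},
    {"name": _PREFIX + "release-signing", "purpose": "ASYMMETRIC_SIGN"},
]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        status, reason = check_key_rotation(key)
        print(f"{status:8} {key['name'].rsplit('/', 1)[-1]}: {reason}")
```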
2. Cloud KMS | Publicly accessible keys (Priority: High)Baseline:Checks whether Cloud KMS keys are publicly accessible. Description:Make sure the IAM policy for Cloud KMS keys limits access to prevent anonymous or public users from accessing them. Remove permissions for allUsers and allAuthenticatedUsers to prevent access by these users. The allUsers role includes internet users, while the allAuthenticatedUsers role includes users and service accounts with a Google Cloud login. Recommendation:Make sure that Cloud KMS resources do not grant access to the allUsers and allAuthenticatedUsers roles in order to avoid data breaches. Cloud Run Functions (formerly Cloud Functions)1. Enable automatic runtime security updates (Priority: Moderate)Baseline:Checks whether automatic runtime security updates are configured for Cloud Run functions. Description:Google updates and secures Cloud Run functions through regular maintenance and stability testing. This includes updates to the execution environment, such as the OS and packages, to ensure a safe environment for your functions. Google Cloud also automatically manages security updates for your function runtime environment. Recommendation:Enable automatic runtime security updates for Cloud Run functions to ensure continuous security and protection against vulnerabilities without requiring manual intervention. 2. Cloud Run functions | Enable Serverless VPC Access (Priority: High)Baseline:Checks whether Serverless VPC Access is configured for the functions. Description:Serverless VPC Access allows for a secure, speedy connection between your VPC network and a serverless environment, like Cloud Run functions. Connectors handle traffic between the two setups. Simply create a VPC connector in your Google Cloud project, link it to a VPC network and region, and set up your serverless services to use the connector for fast, secure outbound network traffic. 
Recommendation:Configure Cloud Run functions with Serverless VPC Access for a direct connection to your VPC network. This enables connectivity to other VPC resources, such as VM instances, Memorystore instances, and internal IP addresses of other cloud resources. 3. Secure outbound network access (Priority: High)Baseline:Checks whether the functions have unrestricted network access. Description:Unrestricted outbound network access can lead to harmful actions, such as data theft, manipulator-in-the-middle attacks, and denial-of-service attacks. Limiting access to the necessary resources reduces these risks. Recommendation:Limit outbound network access to protect your functions and save on costs. Utilize VpcConnectorEgressSettings to limit external traffic and avoid external network communication. 4. A deprecated execution runtime environment version (Priority: High)Baseline:Checks whether the functions are using an outdated execution runtime environment. Description:Cloud Run functions' second generation has major improvements compared to the first generation, including faster cold starts and execution times, a wider range of runtime environments, enhanced networking and integrations with Google Cloud services, and better monitoring and debugging tools. Upgrading to the second generation is highly recommended for better performance, better flexibility, and smoother development and operations processes. It combines the strengths of Google Cloud Run and Google Cloud Eventarc, offering features like concurrent processing, traffic distribution, and a longer processing duration. Recommendation:Upgrade Cloud Run functions to the latest runtime version for improved security, improved performance, and access to new features. Older versions are no longer supported and may be less secure and efficient. 5. A deprecated runtime version (Priority: High)Baseline:Checks whether the functions are using a deprecated runtime version. 
Description: Updating to the latest language runtime for Cloud Run functions is essential for improved security, improved performance, and access to new features and libraries. This ensures that bug fixes, optimizations, and compatibility with other services are in place, minimizing vulnerabilities and keeping serverless applications smooth and efficient.
Recommendation: Always use the latest language runtime for Cloud Run functions to follow best practices and access new features.

Cloud Run
1. Maximum instances (Priority: Moderate)
Baseline: Checks whether the maximum number of instances is configured for Cloud Run services.
Description: Configuring the maximum number of instances helps to control costs and ensures that the service does not scale beyond a set limit, which is crucial for budget management and resource allocation.
Recommendation: Set a maximum number of instances for your Cloud Run services to manage costs and resource usage effectively.

2. Automatic runtime security updates (Priority: High)
Baseline: Checks whether automatic runtime security updates are disabled for Cloud Run services.
Description: Enabling automatic runtime security updates ensures that your Cloud Run services are always running the latest security patches, reducing the risk of vulnerabilities and improving overall security.
Recommendation: Enable automatic runtime security updates for your Cloud Run services to maintain security and compliance.

3. Enable binary authorization (Priority: High)
Baseline: Checks whether binary authorization is disabled for Cloud Run services.
Description: Binary authorization ensures that only trusted container images are deployed to your Cloud Run services, enhancing security by preventing the execution of unverified or potentially harmful code.
Recommendation: Enable binary authorization for your Cloud Run services to ensure that only trusted and verified container images are deployed.

4. Use CMEK encryption (Priority: High)
Baseline: Checks whether customer-managed encryption keys (CMEKs) are used for Cloud Run services.
Description: Using CMEKs gives you full control over the encryption keys used to protect your data, enhancing security and compliance with regulatory requirements.
Recommendation: Use CMEKs for your Cloud Run services to enhance security and compliance.

5. Restrict outbound network (Priority: High)
Baseline: Checks whether outbound network access is restricted for Cloud Run services.
Description: Restricting outbound network access helps to minimize the attack surface and prevent unauthorized data exfiltration from your Cloud Run services.
Recommendation: Restrict outbound network access for your Cloud Run services to enhance security and prevent unauthorized data exfiltration.

6. Deprecated runtime version (Priority: High)
Baseline: Checks whether the runtime version used for Cloud Run services is deprecated.
Description: Using a deprecated runtime version can expose your Cloud Run services to security vulnerabilities and compatibility issues. Use the latest supported runtime version to ensure security and stability.
Recommendation: Update your Cloud Run services to use the latest supported runtime version to ensure security and stability.

7. Publicly accessible (Priority: High)
Baseline: Checks whether Cloud Run services are publicly accessible.
Description: Making Cloud Run services publicly accessible can expose them to potential security risks. Restrict public access to sensitive services to enhance security.
Recommendation: Restrict public access to your Cloud Run services to enhance security and prevent unauthorized access.

Cloud Storage
1. Bucket policies with admin permissions (Priority: High)
Baseline: Checks the IAM policies of your GCP storage buckets for policies that grant admin permissions.
Description: Granting admin permissions on storage buckets can lead to unauthorized access and potential data breaches.
Recommendation: Restrict admin permissions to only those users who absolutely need them.

2. Publicly accessible buckets (Priority: High)
Baseline: Checks the access policies of your GCP storage buckets for public accessibility.
Description: Publicly accessible storage buckets can expose sensitive data to unauthorized users.
Recommendation: Restrict public access to storage buckets and ensure that only authorized users have access.

3. Enable object encryption with CMEKs (Priority: High)
Baseline: Checks the encryption settings of your GCP storage buckets for object encryption with customer-managed encryption keys (CMEKs).
Description: Enabling object encryption with CMEKs provides an additional layer of security for your data.
Recommendation: Enable object encryption with CMEKs for all storage buckets to enhance data security.

4. Enable usage and logs (Priority: Moderate)
Baseline: Checks the logging settings of your GCP storage buckets for usage and storage logs.
Description: Enabling usage and storage logs helps monitor access and usage patterns, providing insights for security and optimization.
Recommendation: Enable usage and storage logs for all storage buckets to monitor and analyze access and usage patterns.

5. Enable uniform access (Priority: High)
Baseline: Checks the uniform bucket-level access settings of your GCP storage buckets.
Description: Uniform bucket-level access simplifies permissions management by applying IAM policies uniformly across all objects in a bucket.
Recommendation: Enable uniform bucket-level access to simplify permissions management and enhance security.

6. Configure CORS (Priority: Low)
Baseline: Checks the cross-origin resource sharing (CORS) configurations of your GCP storage buckets.
Description: CORS configurations allow your storage buckets to handle cross-origin requests, which can be necessary for web applications.
Recommendation: Configure CORS settings appropriately to enable cross-origin requests while maintaining security.

Cloud Pub/Sub
1. Enable encryption with CMEKs (Priority: High)
Baseline: Checks Pub/Sub topics to ensure they are encrypted using customer-managed encryption keys (CMEKs) via Cloud KMS.
Description: Cloud Pub/Sub topics use Google-managed keys by default. For greater control over data encryption and compliance, configure topics to use CMEKs through Cloud KMS.
Recommendation: Configure your Cloud Pub/Sub topics to use CMEKs via Cloud KMS to enhance data security and key management.

2. Cloud Pub/Sub - Publicly accessible topics (Category: Security, Priority: High)
Baseline: Checks the IAM policies of your Cloud Pub/Sub topics to identify topics with public access.
Description: Allowing public access to Cloud Pub/Sub topics may expose sensitive data and permit unauthorized publishing or subscribing. This configuration could introduce significant security risks.
Recommendation: Restrict access to your Cloud Pub/Sub topics by ensuring that only authorized principals have permissions and removing any public access.

©2024, Zoho Corporation Pvt. Ltd. All Rights Reserved.
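The Cloud Storage and Cloud Pub/Sub checks listed above, implemented as an added offline audit (example code, not CloudSpend's own): one function evaluates an IAM policy for public principals and admin roles, and is shared by the bucket and topic audits. The bucket record follows the Cloud Storage JSON API bucket resource (`encryption.defaultKmsKeyName`, `logging.logBucket`, `iamConfiguration.uniformBucketLevelAccess.enabled`, `cors[].origin`), the topic record uses `kmsKeyName`, and the set of roles treated as "admin" is an assumption; all sample records are constructed.

```python
# Added example (not CloudSpend's code): the Cloud Storage and Cloud Pub/Sub
# checks above, run offline over constructed records shaped like the Cloud
# Storage JSON API bucket resource, a Pub/Sub topic, and standard IAM policies.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles the "admin permissions" check flags on a bucket policy (assumed list).
ADMIN_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin", "roles/owner"}

def audit_iam_policy(policy: dict, check_admin: bool = True) -> list[tuple[str, str]]:
    """Return (check, detail) findings for one IAM policy document."""
    findings = []
    for binding in policy.get("bindings", []):
        role, members = binding["role"], set(binding.get("members", []))
        public = sorted(members & PUBLIC_PRINCIPALS)
        if public:  # bucket or topic reachable by anyone / any Google account
            findings.append(("Publicly accessible", f"{role} -> {', '.join(public)}"))
        if check_admin and role in ADMIN_ROLES:
            findings.append(("Admin permissions", f"{role} -> {len(members)} member(s)"))
    return findings

def audit_bucket(bucket: dict, policy: dict) -> list[tuple[str, str]]:
    """Cloud Storage checks 1-6: IAM, CMEK, logs, uniform access, CORS."""
    findings = audit_iam_policy(policy)
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append(("CMEK encryption", "no default KMS key on bucket"))
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append(("Usage and storage logs", "logging.logBucket not set"))
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    if not ubla.get("enabled"):
        findings.append(("Uniform access", "uniformBucketLevelAccess disabled"))
    if any("*" in rule.get("origin", []) for rule in bucket.get("cors", [])):
        findings.append(("CORS", "a CORS rule allows any origin"))
    return findings

def audit_topic(topic: dict, policy: dict) -> list[tuple[str, str]]:
    """Cloud Pub/Sub checks 1-2: CMEK via Cloud KMS and public access."""
    findings = audit_iam_policy(policy, check_admin=False)
    if not topic.get("kmsKeyName"):
        findings.append(("CMEK encryption", "topic uses Google-managed keys"))
    return findings

# Constructed samples: a misconfigured bucket and topic (not real resources).
SAMPLE_BUCKET = {"name": "example-bucket", "cors": [{"origin": ["*"], "method": ["GET"]}],
                 "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}}
SAMPLE_BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]}
SAMPLE_TOPIC = {"name": "projects/example/topics/events"}
SAMPLE_TOPIC_POLICY = {"bindings": [
    {"role": "roles/pubsub.publisher", "members": ["allAuthenticatedUsers"]}]}
```

Running `audit_bucket(SAMPLE_BUCKET, SAMPLE_BUCKET_POLICY)` reports all six bucket checks as failing, while a bucket with a default KMS key, a log bucket, uniform access enabled and no public or admin bindings returns no findings.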