GCP Recommendations
CloudSpend's Recommendations Report offers tailored insights to fine-tune your cloud resources and provides recommendations to optimize costs and improve fault tolerance and performance. The cost, availability, and security recommendation checks, grouped by GCP service, are given below.
Cost recommendations
The cost recommendations available for the GCP services are provided below.
Cloud SQL
1. Enable Automatic Storage Increase (Priority: Moderate)
Baseline:
If Automated Backups are enabled, whenever your resource nears full capacity, the storage limit will be increased (permanently).
Recommendation:
In the Edit Configurations section, check whether the automatic storage increase is enabled under Storage settings.
Compute Engine - VM
1. Unlabeled compute instances (Priority: Low)
Baseline:
Checks whether the instance labels are empty.
Description:
GCP allows users to assign metadata in the form of labels (key-value pair) to better track and manage instances. Organizations come up with relevant label groupings and practical labeling strategies to manage their VM resource farm efficiently.
Recommendation:
Create a labeling strategy adhering to the GCP best practices.
Availability recommendations
The availability recommendations available for the GCP services are provided below.
Cloud SQL
1. Enable Automated Backups (Priority: High)
Baseline:
Automated backups ensure the protection of your valuable data by creating regular, scheduled backups of your Cloud SQL databases. In case of accidental data loss, database corruption, or other unforeseen issues, you can easily restore your data to the previous state.
Recommendation:
In the Backups section, check whether Automated Backups are enabled.
2. Enable High Availability (Priority: High)
Baseline:
Checks for instances configured with ZONAL availability.
Description:
Data redundancy is maintained during planned maintenance or outages by enabling a High Availability (HA) configuration or database cluster in Google Cloud SQL. As it operates across both a primary and secondary zone within the designated Google Cloud region, a Cloud SQL instance configured for high availability is referred to as a regional instance.
Recommendation:
Make sure that HA and automatic failover support are set up for all of your production and mission-critical Google Cloud SQL database instances.
3. Enable Point-in-Time Recovery (Priority: Moderate)
Baseline:
Checks for instances that do not have the Point-in-Time Recovery flag configured.
Description:
Point-in-Time Recovery (PITR) allows you to restore a Google Cloud MySQL database instance to a precise moment—even down to the exact second. This feature is particularly valuable if data loss occurs due to an error or if the database becomes corrupted, enabling you to revert the database to its operational state before the issue.
Recommendation:
Ensure that the Point-in-Time Recovery (PITR) feature is enabled for all MySQL database instances in your GCP account. This allows you to restore data from a specific point in time while maintaining cost efficiency. Before enabling PITR, ensure that automated backups and binary logging are both activated for your MySQL database instances.
Compute Engine - VM
1. Underutilized Compute instance (Priority: Moderate)
Baseline:
Checks the resource utilization of Google Compute Engine instances and labels them as underutilized if the CPU usage has been less than 2% for the past 48 hours.
Recommendation:
For Google Compute Engine, you are billed based on the instance type and the number of consumed hours. You can lower your costs by identifying and stopping underutilized instances. In addition, Site24x7's Guidance Report shows the Current Machine Type and recommends the instance type (Suggested Machine Type) that you can downgrade to for further savings.
2. Highly utilized Compute instance (Priority: High)
Baseline:
Checks the performance counters for GCP Compute and identifies instances that appear to be highly utilized.
Description:
A Compute instance is deemed as overutilized if it meets the following criteria:
- The average daily CPU usage for the Compute instance is more than 90% for the last seven days.
- The average daily memory utilization for the Compute instance is more than 90% for the last seven days (applicable only if you've deployed our agent on the Compute instance).
Recommendation:
Consider changing the instance size or adding the instance to an autoscaling group.
3. Compute maintenance configuration (Priority: High)
Baseline:
Checks whether the instance's On host maintenance setting is set to TERMINATE.
Description:
Google Cloud Compute Engine enables VM instances to be migrated during infrastructure maintenance without any downtime. Set the On host maintenance option under the Availability policies to Migrate to ensure VMs are moved to new hardware.
Recommendation:
Configure VM instances for live migration to ensure that they are moved to a new host, preventing downtime during maintenance.
4. Preemptible instances (Priority: High)
Baseline:
Checks whether the instance's preemptible flag is enabled.
Description:
Preemptible instances are cost-effective, short-lived VMs that Google Cloud can stop at any moment. Designed for interruptible workloads, they provide substantial cost savings but have a maximum runtime of 24 hours.
Recommendation:
To ensure that your instances are not preemptible, follow these steps:
- Navigate to the GCP console > Compute Engine section.
- Stop the VM instance you wish to modify.
- Edit the VM instance settings and set Preemptibility to Regular instead of Preemptible.
- Save the changes and restart the instance.
5. Auto restart disabled instances (Priority: Moderate)
Baseline:
Checks whether the instance's automaticRestart flag is enabled.
Description:
The Google Cloud Compute Engine service may stop due to non-user-initiated reasons, including maintenance events, hardware issues, and software failures.
Recommendations:
- Enable automatic restart to ensure that your instance is automatically restarted in case of VM host failure.
- Automatic restart helps maintain availability by recovering instances without manual intervention.
6. Stopped instances (Priority: Moderate)
Baseline:
Checks whether any stopped instances have remained stopped for more than the allowed number of days.
Description:
When instances are stopped, you can still be charged for storage. However, when you terminate them, you'll be freed of all charges. Additionally, if an instance has not run for a specified time, it can pose a high risk since the instance may not be actively maintained.
Recommendation:
Ensure that there are no stopped instances after the specified period.
Compute Engine - Disks
1. Unattached Disks (Priority: Moderate)
Baseline:
Checks the Compute Engine disk configuration for an associated instance ID.
Description:
Compute Engine disks can persist independently even after instance termination or after you explicitly unmount and detach the volume from the instance. Unattached volumes are still charged based on the provisioned storage and for input/output operations per second (IOPS).
Recommendation:
Associate the configured Compute Engine disks with an active instance or delete the disk.
Kubernetes Cluster
1. Enable auto repair cluster nodes (Priority: Moderate)
Baseline:
Checks whether the cluster node auto repair property is disabled.
Description:
Auto-repair helps maintain the health of your GKE cluster nodes. When enabled, GKE periodically checks the health of each node, and if a node fails multiple health checks within a set timeframe, GKE automatically initiates a repair process.
Recommendation:
Enable the auto-repair feature for all GKE cluster nodes to maintain their health and ensure smooth operation.
Security recommendations
The security recommendations available for the GCP services are provided below.
Compute Engine - VM
1. VM instance deletion protection (Priority: High)
Baseline:
Checks the configuration of VM instances to see whether the Deletion protection option is enabled in the GCP console.
Description:
To protect your instance from accidental deletion, you can enable the Deletion protection option in the GCP console.
Recommendation:
The Deletion protection option is disabled by default. Enable this option to prevent unexpected instance termination.
2. Public IP instances (Priority: High)
Baseline:
Checks whether the network interface has an External IPv4 address assigned (the access config named External NAT).
Description:
Assigning public IP addresses to your Google Cloud Compute Engine instances can expose them to unnecessary security risks.
Recommendation:
Consider using any of the alternative approaches below instead of a public IP.
- Use private IPs for internal communication.
- Use Cloud NAT for secure outbound traffic.
- Apply firewalls & IAM to restrict access.
3. Auto-delete for attached disks (Priority: Moderate)
Baseline:
Checks whether the instance's attached disks have the autoDelete flag enabled.
Description:
By default, Google Cloud deletes persistent disks when a Compute Engine instance is deleted. This may result in unintentional data loss.
Recommendations:
- Disable the autoDelete flag on attached disks so that deleting the instance does not delete its data.
- Manually manage disk deletion for data retention and backup.
4. IP forwarding for VM instances (Priority: Moderate)
Baseline:
Checks whether the instance's IP forward flag is enabled.
Description:
IP forwarding allows a VM to route traffic between different networks. When enabled, the VM can forward packets from one network to another, acting like a router.
Recommendations:
- Disable IP forwarding for instances that don’t need to route traffic between different networks in compliance with GCP’s security best practices.
- Enable IP forwarding only when necessary for use cases like gateways or routers, ensuring alignment with GCP's least-privilege access model.
5. Interactive serial console support (Priority: Moderate)
Baseline:
Checks whether the instance metadata's serial-port-enable key is set to True.
Description:
The IP-based access controls are not supported by the interactive serial console. Enabling it allows anyone with the correct username, SSH key, project ID, instance name, and zone to attempt a connection, regardless of the IP address.
Recommendation:
You can explicitly disable it by setting the serial-port-enable key to False.
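The Compute Engine - VM checks in the cost, availability and security sections above all read fields of the same instance resource. The following added example (not CloudSpend's code) audits one instance resource of the JSON shape printed by `gcloud compute instances describe NAME --format=json` and reports which of those checks it fails. The sample instance is constructed, the 30-day threshold for stopped instances is an assumption (the page does not state the allowed number of days), and the check names are ours.

```python
"""Audit one Compute Engine instance against the VM checks listed on this page.

Added example, not CloudSpend's code. Input: the instance resource JSON that
`gcloud compute instances describe NAME --format=json` prints. The sample
instance is constructed and the stopped-instance threshold is assumed.
"""
from datetime import datetime, timezone

# Constructed sample instance that trips every check below.
SAMPLE_INSTANCE = {
    "name": "web-1",
    "status": "TERMINATED",
    "lastStopTimestamp": "2024-01-01T08:00:00.000-08:00",
    "labels": {},
    "deletionProtection": False,
    "canIpForward": True,
    "scheduling": {
        "preemptible": True,
        "automaticRestart": False,
        "onHostMaintenance": "TERMINATE",
    },
    "metadata": {"items": [{"key": "serial-port-enable", "value": "TRUE"}]},
    "networkInterfaces": [{
        "name": "nic0",
        "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT",
                           "natIP": "203.0.113.10"}],
    }],
    "disks": [
        {"deviceName": "web-1", "boot": True, "autoDelete": True},
        {"deviceName": "data-1", "boot": False, "autoDelete": True},
    ],
}


def parse_rfc3339(ts):
    """Parse the RFC 3339 timestamps GCP emits (trailing 'Z' or '-08:00' offsets)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def metadata_value(inst, key):
    """Return the value of an instance metadata key, or None if it is unset."""
    for item in inst.get("metadata", {}).get("items", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def audit_instance(inst, now=None, stopped_days_allowed=30):
    """Return (check, priority, detail) tuples for every check the instance fails."""
    now = now or datetime.now(timezone.utc)
    findings = []
    sched = inst.get("scheduling", {})

    if not inst.get("labels"):                                   # cost: unlabeled
        findings.append(("unlabeled-instance", "Low", "labels are empty"))
    if sched.get("preemptible"):                                 # availability
        findings.append(("preemptible-instance", "High", "scheduling.preemptible=true"))
    if sched.get("onHostMaintenance") == "TERMINATE":            # availability
        findings.append(("maintenance-terminate", "High",
                         "onHostMaintenance=TERMINATE; set MIGRATE for live migration"))
    if not sched.get("automaticRestart", False):                 # availability
        findings.append(("auto-restart-disabled", "Moderate", "automaticRestart=false"))
    if inst.get("status") == "TERMINATED" and inst.get("lastStopTimestamp"):
        stopped_for = now - parse_rfc3339(inst["lastStopTimestamp"])
        if stopped_for.days > stopped_days_allowed:              # availability
            findings.append(("stopped-instance", "Moderate",
                             f"stopped for {stopped_for.days} days"))
    if not inst.get("deletionProtection", False):                # security
        findings.append(("deletion-protection-off", "High", "deletionProtection=false"))
    for nic in inst.get("networkInterfaces", []):                # security: public IP
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("type") == "ONE_TO_ONE_NAT":
                findings.append(("public-ip", "High",
                                 f"{nic.get('name')} has external IP {cfg.get('natIP')}"))
    for disk in inst.get("disks", []):                           # security: autoDelete
        if disk.get("autoDelete"):
            findings.append(("disk-auto-delete", "Moderate",
                             f"disk {disk.get('deviceName')} is deleted with the instance"))
    if inst.get("canIpForward"):                                 # security
        findings.append(("ip-forwarding", "Moderate", "canIpForward=true"))
    if str(metadata_value(inst, "serial-port-enable")).lower() in ("true", "1"):
        findings.append(("serial-console", "Moderate", "metadata serial-port-enable=TRUE"))
    return findings


if __name__ == "__main__":
    for check, prio, detail in audit_instance(SAMPLE_INSTANCE):
        print(f"[{prio:8}] {check}: {detail}")
```

Point `audit_instance` at each element of `gcloud compute instances list --format=json` to audit a whole project; the `now` parameter exists so the stopped-instance check can be tested against a fixed date.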
Kubernetes Cluster
1. Enable Integrity Monitoring for Cluster Nodes (Priority: Moderate)
Baseline:
In the Google Cloud console's Security section, check the Integrity monitoring feature status. Ensure that the Integrity Monitoring feature is enabled for your Google Kubernetes Engine (GKE) cluster nodes in order to monitor and automatically check the runtime boot integrity of your shielded cluster nodes using Google Cloud Monitoring service.
Recommendation:
Enable Integrity Monitoring for Cluster Nodes.
2. Configure Shielded GKE Cluster Nodes (Priority: Moderate)
Baseline:
Ensure that your Google Kubernetes Engine (GKE) cluster pool nodes are shielded in order to provide strong cryptographic identity. This limits the ability of an attacker to impersonate a node in your GKE cluster even if the attacker is able to extract the node credentials.
Recommendation:
Configure Shielded GKE Cluster Nodes. Check the Shielded GKE Nodes configuration attribute value.
3. Restrict Network Access to GKE Clusters (Priority: Moderate)
Baseline:
Adding master authorized networks can provide network level protection and additional security benefits for your Google Kubernetes Engine (GKE) cluster. Authorized networks grant access to a specific set of trusted IP addresses, such as those that originate from a secure network. This can help protect access to your GKE cluster in case of a vulnerability in the cluster's authentication or authorization mechanism.
Recommendation:
Check the Master authorized networks attribute value. If the Master authorized networks value is set to Disabled, anyone on the Internet can perform network connections to the cluster control plane.
4. Enable release channel for version upgrade (Priority: Moderate)
Baseline:
Checks whether the cluster's release channel is set to Rapid.
Description:
Google Kubernetes Engine (GKE) release channels automatically choose cluster versions to maintain a balance between new features and stability. The Stable channel offers fewer updates for proven reliability, ideal for production. The Regular channel provides more frequent updates with newer features but less validation. All channels receive critical security patches.
Recommendation:
To simplify version management and automate GKE cluster upgrades, subscribe to the Regular or Stable release channel.
5. Enable auto-upgrade cluster nodes (Priority: Moderate)
Baseline:
Checks whether the cluster node auto upgrade property is disabled.
Description:
Turning on auto-upgrades for your GKE cluster nodes streamlines upgrade management by automatically and securely updating Kubernetes to the latest supported version. This ensures access to the most recent security fixes, features, and enhancements.
Recommendation:
Enable the auto-upgrade feature for all nodes in your GKE clusters to ensure they stay up to date with the latest supported Kubernetes version.
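The Kubernetes Cluster checks in the availability section (auto repair) and the security section above (integrity monitoring, shielded nodes, master authorized networks, release channel, auto-upgrade) all read fields of one GKE cluster resource. The following added example (not CloudSpend's code) audits a cluster resource of the JSON shape printed by `gcloud container clusters describe NAME --location LOCATION --format=json`. The sample cluster is constructed and the check names are ours; a node pool whose shieldedInstanceConfig does not report integrity monitoring is flagged conservatively so that it gets reviewed.

```python
"""Audit one GKE cluster against the cluster checks listed on this page.

Added example, not CloudSpend's code. Input: the cluster resource JSON that
`gcloud container clusters describe NAME --location LOCATION --format=json`
prints. The sample cluster is constructed.
"""

# Constructed sample: one node pool is hardened, the other is not.
SAMPLE_CLUSTER = {
    "name": "prod-gke",
    "releaseChannel": {"channel": "RAPID"},
    "masterAuthorizedNetworksConfig": {"enabled": False},
    "shieldedNodes": {"enabled": False},
    "nodePools": [
        {
            "name": "default-pool",
            "management": {"autoUpgrade": False, "autoRepair": False},
            "config": {"shieldedInstanceConfig": {"enableIntegrityMonitoring": False}},
        },
        {
            "name": "hardened-pool",
            "management": {"autoUpgrade": True, "autoRepair": True},
            "config": {"shieldedInstanceConfig": {"enableSecureBoot": True,
                                                  "enableIntegrityMonitoring": True}},
        },
    ],
}

# Channels the page recommends for production clusters.
PRODUCTION_CHANNELS = {"REGULAR", "STABLE"}


def audit_cluster(cluster):
    """Return (check, priority, detail) tuples for every check the cluster fails."""
    findings = []

    channel = cluster.get("releaseChannel", {}).get("channel")
    if channel not in PRODUCTION_CHANNELS:
        findings.append(("release-channel", "Moderate",
                         f"release channel is {channel or 'unset'}; use REGULAR or STABLE"))

    # An absent masterAuthorizedNetworksConfig block means the feature is disabled,
    # so the control plane endpoint accepts connections from any address.
    if not cluster.get("masterAuthorizedNetworksConfig", {}).get("enabled", False):
        findings.append(("master-authorized-networks", "Moderate",
                         "Master authorized networks is Disabled"))

    if not cluster.get("shieldedNodes", {}).get("enabled", False):
        findings.append(("shielded-nodes", "Moderate", "shieldedNodes.enabled=false"))

    for pool in cluster.get("nodePools", []):
        name = pool.get("name")
        mgmt = pool.get("management", {})
        if not mgmt.get("autoRepair", False):
            findings.append(("node-auto-repair", "Moderate", f"pool {name}: autoRepair=false"))
        if not mgmt.get("autoUpgrade", False):
            findings.append(("node-auto-upgrade", "Moderate", f"pool {name}: autoUpgrade=false"))
        shielded = pool.get("config", {}).get("shieldedInstanceConfig", {})
        # Flag a missing value as well as an explicit False: better one review
        # than a silently unmonitored pool.
        if not shielded.get("enableIntegrityMonitoring", False):
            findings.append(("integrity-monitoring", "Moderate",
                             f"pool {name}: enableIntegrityMonitoring not enabled"))
    return findings


if __name__ == "__main__":
    for check, prio, detail in audit_cluster(SAMPLE_CLUSTER):
        print(f"[{prio:8}] {check}: {detail}")
```

Each node-pool finding names the pool, which matters because auto-repair, auto-upgrade and integrity monitoring are set per pool, not per cluster.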
Cloud SQL
1. Check for MySQL Major Version (Priority: Moderate)
Baseline:
Ensure that your Google Cloud MySQL database instances are using the latest major version of MySQL database in order to receive the latest database features and benefit from enhanced performance and security.
Recommendation:
Upgrade the database version.
2. Check for PostgreSQL Major Version (Priority: Moderate)
Baseline:
Ensure that your Google Cloud PostgreSQL database instances are using the latest major version of PostgreSQL database in order to receive the latest database features and benefit from enhanced performance and security.
Recommendation:
Upgrade the database version.
3. Rotate server certificate (Priority: High)
Baseline:
Checks whether the instance's serverCaCert expiration time is less than 30 days away.
Description:
If the SSL/TLS protocol is mandatory for all incoming connections to Cloud SQL database instances, access is restricted to authenticated clients with valid SSL certificates. Failure to renew (rotate) SSL certificates before they expire will render them invalid, potentially disrupting secure communication between clients and database instances.
Recommendation:
Make sure to rotate all server certificates configured for your Cloud SQL database instances before they expire. This helps maintain secure incoming connections and ensures that web clients use valid SSL certificates to access your databases.
4. Enable customer-managed encryption (Priority: High)
Baseline:
Checks whether the instances are encrypted using Customer Master Keys (CMKs) instead of Google-managed keys.
Description:
Google Cloud SQL encrypts data at rest using Google-managed keys by default, without any user intervention. However, if you require full control over encryption, you can use CMKs through Cloud Key Management Service (Cloud KMS), which is ideal for sensitive or mission-critical data, especially in enterprise environments with strict security and compliance needs.
Recommendation:
Ensure that your Google Cloud SQL database instances are encrypted with CMKs to enhance control over your data's encryption and decryption processes. You can create and manage these CMKs through Cloud KMS, which offers secure and efficient key management, along with controlled key rotation and revocation features.
5. Allow SSL/TLS connections only (Priority: Moderate)
Baseline:
Checks whether the instances allow connections in unencrypted mode.
Description:
When Cloud SQL database connections are vulnerable to Man-in-the-Middle (MITM) attacks, sensitive data like user credentials, queries, and results can be exposed. To protect data in transit, it is strongly advised to enforce SSL/TLS for all incoming connections to Cloud SQL database instances, especially when using public IP addresses.
Recommendation:
Ensure that SSL/TLS encryption is applied to all incoming connections to your Cloud SQL database instances to prevent unauthorized access and eavesdropping. To enforce SSL/TLS, configure the SSL enforcement mode to "ENCRYPTED_ONLY" for all SQL database instances.
6. Public IP enabled SQL instances (Priority: Moderate)
Baseline:
Checks whether any of the instance's ipAddresses entries has the type PRIMARY.
Description:
Each Google Cloud SQL database instance is assigned a public IP address by default. To minimize the attack surface of your application, it's recommended to only use private IPs for Cloud SQL databases. Private IPs enhance cloud network security and reduce latency for your database applications.
Recommendation:
Ensure that your Google Cloud SQL database instances are configured to use private IP addresses instead of public IPs to enhance security and reduce exposure to potential threats.
7. Publicly accessible SQL instances (Priority: Moderate)
Baseline:
Checks whether the instance has IPv4 enabled and an authorized network set to a wildcard IP range.
Description:
Allowing public access (e.g., 0.0.0.0/0) to an SQL database instance lets any IPv4 client attempt to log in, though valid credentials are still required. To reduce the attack surface, only trusted IPs and networks should be allowlisted for access.
Recommendation:
Make sure that your Google Cloud SQL database instances are set up to accept connections only from authorized IP addresses and trusted networks.
8. Delete protection disabled instances (Priority: High)
Baseline:
Checks whether the instance's configuration has disabled the delete protection.
Description:
Instance deletion protection enables you to prevent the accidental removal of existing and new instances. Using instance deletion protection, you can safeguard instances that are important to your applications and services.
Recommendation:
Enable delete protection to prevent accidental instance removal.
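The Cloud SQL checks in the cost section (automatic storage increase), the availability section (automated backups, high availability, point-in-time recovery) and the security section above all read fields of one Cloud SQL instance resource. The following added example (not CloudSpend's code) audits an instance resource of the JSON shape printed by `gcloud sql instances describe NAME --format=json`. The sample instance is constructed, the check names are ours, and the LATEST_MAJOR table of current major versions is an assumption that whoever runs the audit has to keep up to date, because the page does not name the versions it compares against.

```python
"""Audit one Cloud SQL instance against the Cloud SQL checks listed on this page.

Added example, not CloudSpend's code. Input: the instance resource JSON that
`gcloud sql instances describe NAME --format=json` prints. The sample instance
and the LATEST_MAJOR table are constructed assumptions.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample instance that fails every check below.
SAMPLE_SQL_INSTANCE = {
    "name": "orders-db",
    "databaseVersion": "MYSQL_5_7",
    "serverCaCert": {"expirationTime": "2024-03-20T00:00:00.000Z"},
    "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.20"}],
    "settings": {
        "availabilityType": "ZONAL",
        "storageAutoResize": False,
        "deletionProtectionEnabled": False,
        "backupConfiguration": {"enabled": False, "binaryLogEnabled": False,
                                "pointInTimeRecoveryEnabled": False},
        "ipConfiguration": {
            "ipv4Enabled": True,
            "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED",
            "authorizedNetworks": [{"name": "everyone", "value": "0.0.0.0/0"}],
        },
    },
}

# Assumed current major versions (constructed; maintain alongside the audit).
LATEST_MAJOR = {"MYSQL": "MYSQL_8_0", "POSTGRES": "POSTGRES_16"}
# sslMode values that reject unencrypted connections.
ENCRYPTED_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def parse_rfc3339(ts):
    """Parse the RFC 3339 timestamps GCP emits (trailing 'Z' or numeric offsets)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_wildcard(cidr):
    """True for a /0 network such as 0.0.0.0/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_sql_instance(inst, now=None, cert_warn_days=30):
    """Return (check, priority, detail) tuples for every check the instance fails."""
    now = now or datetime.now(timezone.utc)
    s = inst.get("settings", {})
    backup = s.get("backupConfiguration", {})
    ipcfg = s.get("ipConfiguration", {})
    version = inst.get("databaseVersion", "")
    engine = version.split("_")[0]          # "MYSQL" or "POSTGRES"
    findings = []

    if not s.get("storageAutoResize", False):                      # cost
        findings.append(("storage-auto-increase", "Moderate", "storageAutoResize=false"))
    if not backup.get("enabled", False):                           # availability
        findings.append(("automated-backups", "High", "backupConfiguration.enabled=false"))
    if s.get("availabilityType") != "REGIONAL":                    # availability
        findings.append(("high-availability", "High",
                         f"availabilityType={s.get('availabilityType')}"))
    # MySQL PITR rides on binary logging; PostgreSQL has its own flag.
    pitr = (backup.get("binaryLogEnabled") if engine == "MYSQL"
            else backup.get("pointInTimeRecoveryEnabled"))
    if not pitr:                                                   # availability
        findings.append(("point-in-time-recovery", "Moderate", "PITR flag not enabled"))
    if engine in LATEST_MAJOR and version != LATEST_MAJOR[engine]: # security
        findings.append(("major-version", "Moderate",
                         f"{version} is behind {LATEST_MAJOR[engine]}"))
    expiry = inst.get("serverCaCert", {}).get("expirationTime")
    if expiry:
        days_left = (parse_rfc3339(expiry) - now).days
        if days_left < cert_warn_days:                             # security
            findings.append(("server-cert-rotation", "High",
                             f"server CA cert expires in {days_left} days"))
    if not inst.get("diskEncryptionConfiguration", {}).get("kmsKeyName"):
        findings.append(("customer-managed-key", "High", "encrypted with Google-managed keys"))
    if ipcfg.get("sslMode") not in ENCRYPTED_MODES and not ipcfg.get("requireSsl", False):
        findings.append(("ssl-only", "Moderate", f"sslMode={ipcfg.get('sslMode')}"))
    if any(ip.get("type") == "PRIMARY" for ip in inst.get("ipAddresses", [])):
        findings.append(("public-ip", "Moderate", "instance has a PRIMARY (public) address"))
    if ipcfg.get("ipv4Enabled", False):
        open_nets = [n["value"] for n in ipcfg.get("authorizedNetworks", [])
                     if is_wildcard(n.get("value", "0.0.0.0/32"))]
        if open_nets:
            findings.append(("publicly-accessible", "Moderate",
                             f"wildcard authorized networks {open_nets}"))
    if not s.get("deletionProtectionEnabled", False):              # security
        findings.append(("deletion-protection", "High", "deletionProtectionEnabled=false"))
    return findings


if __name__ == "__main__":
    for check, prio, detail in audit_sql_instance(SAMPLE_SQL_INSTANCE):
        print(f"[{prio:8}] {check}: {detail}")
```

The SSL check accepts either the newer sslMode values or the older requireSsl flag, so instances configured before sslMode existed are not reported as unencrypted by mistake.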