![]() ![]() Let’s get started! Guidance from the CIS Benchmarks We’ll focus on providing insights into understanding the usage of a service account within Google Cloud, which can enable us to reduce risk of unintended application failures when rotating service account keys. In this post, we will look at ways you can reduce risk when the use of service account keys can’t be avoided. There are a number of reasons why teams may opt to generate service account keys, ranging from developer validation to third-party software integration requirements. There are multiple methods of authenticating using service accounts, including using service accounts as part of Google Compute Engine instances, impersonating service accounts, or using service accounts with a key file - an option which should be carefully considered.Ī common objective is to achieve keyless service account architectures on Google Cloud, but this can be difficult across an entire organization. $ function inspec-docker _scan.Service accounts on Google Cloud are used when a workload needs to access resources or conduct actions without end-user involvement. Use this Cloud Shell Walkthrough for a hands-on example. ![]() kms_rotation_period_seconds - (Default: 7776000, type: int, CIS IAM 1.10) - The maximum allowed age of KMS keys (90 days in seconds).sa_key_older_than_seconds - (Default: 7776000, type: int, CIS IAM 1.15) - The maximum allowed age of GCP User-managed Service Account Keys (90 days in seconds).gcp_project_id - (Default: null, type: String) - The target GCP Project you are scanning.pass them in via a YAML file as shown in the Example - via the -input-file flagįurther details can be found here: (Required) User Provided Inputs - via the CLI or Input Files.update them via the cli - via the -input flag.Pro tip: Do not change the inputs in the inspec.yml file directly, either: You are able to provide inputs at runtime either via the cli or via YAML files to help the profile work best in your deployment. This profile uses InSpec Inputs to make the tests more flexible. Usage Profile Inputs (see inspec.yml file) Cloud SQL Database Services 6.4 - "Ensure that MySQL Database Instance does not allows root login from any Host".Cloud SQL Database Services 6.3 - "Ensure that MySql database instance does not allow anyone to connect with administrative privileges".Identity and Access Management 1.15 - "Ensure API keys are rotated every 90 days".Identity and Access Management 1.14 - "Ensure API keys are restricted to only APIs that application needs access".Identity and Access Management 1.13 - "Ensure API keys are restricted to use by only specified Hosts and Apps".Identity and Access Management 1.12 - "Ensure API keys are not created for a project".Identity and Access Management 1.3 - "Ensure that Security Key Enforcement is enabled for all admin accounts".Identity and Access Management 1.2 - "Ensure that multi-factor authentication is enabled for all non-service accounts".The following GCP CIS v1.2.0 Benchmark Controls are not covered: This code is intended to help users assess their security posture on the Google Cloud against the CIS Benchmark. ![]() This is not an officially supported Google product. This repository holds the Google Cloud Platform (GCP) Center for Internet Security (CIS) version 1.2 Benchmark Inspec Profile.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |