diff --git a/.gitignore b/.gitignore new file mode 100644 index 000000000..e43b0f988 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.DS_Store diff --git a/README.md b/README.md index 1a86026db..68ef7b531 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,17 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * AWS * ACM * [ACM Certificate Validation](en/aws/acm/acm-certificate-validation.md) + * APIGateway + * [API Gateway Certificate Rotation](en/aws/apigateway/api-gateway-certificate-rotation.md) + * [API Gateway Client Certificate](en/aws/apigateway/api-gateway-client-certificate.md) + * [API Gateway CloudWatch Logs](en/aws/apigateway/api-gateway-cloudwatch-logs.md) + * [API Gateway Content Encoding](en/aws/apigateway/api-gateway-content-encoding.md) + * [API Gateway Detailed CloudWatch Metrics](en/aws/apigateway/api-gateway-detailed-cloudwatch-metrics.md) + * [API Gateway Private Endpoints](en/aws/apigateway/api-gateway-private-endpoints.md) + * [API Gateway Response Caching](en/aws/apigateway/api-gateway-response-caching.md) + * [API Gateway Tracing Enabled](en/aws/apigateway/api-gateway-tracing-enabled.md) + * [API Gateway WAF Enabled](en/aws/apigateway/api-gateway-waf-enabled.md) + * [API Stage-Level Cache Encryption](en/aws/apigateway/api-stage-level-cache-encryption.md) * AutoScaling * [ASG Multiple AZ](en/aws/autoscaling/asg-multiple-az.md) * CloudFront 
@@ -31,15 +42,24 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [CloudTrail To CloudWatch](en/aws/cloudtrail/cloudtrail-to-cloudwatch.md) * CloudWatchLogs * [CloudWatch Monitoring Metrics](en/aws/cloudwatchlogs/cloudwatch-monitoring-metrics.md) + * CodeBuild + * [Project Artifacts Encrypted](en/aws/codebuild/project-artifacts-encrypted.md) * ConfigService * [Config Service Enabled](en/aws/configservice/config-service-enabled.md) * EC2 + * [Amazon EBS Public Snapshots](en/aws/ec2/amazon-ebs-public-snapshots.md) + * [App-Tier EC2 Instance IAM Role](en/aws/ec2/app-tier-ec2-instance-iam-role.md) + * [Automate EBS Snapshot Lifecycle](en/aws/ec2/automate-ebs-snapshot-lifecycle.md) + * [Cross Organization VPC Peering Connections](en/aws/ec2/cross-organization-vpc-peering-connections.md) * [Cross VPC Public Private Communication](en/aws/ec2/cross-vpc-public-private-communication.md) * [Default Security Group](en/aws/ec2/default-security-group.md) * [Default VPC In Use](en/aws/ec2/default-vpc-in-use.md) * [Detect EC2 Classic Instances](en/aws/ec2/detect-ec2-classic-instances.md) + * [EBS Backup Enabled](en/aws/ec2/ebs-backup-enabled.md) * [EBS Encrypted Snapshots](en/aws/ec2/ebs-encrypted-snapshots.md) * [EBS Encryption Enabled](en/aws/ec2/ebs-encryption-enabled.md) + * [EBS Encryption Enabled By Default](en/aws/ec2/ebs-encryption-enabled-by-default.md) + * [EBS Volumes Too Old Snapshots](en/aws/ec2/ebs-volumes-too-old-snapshots.md) * [EC2 Instance Key Based Login](en/aws/ec2/ec2-instance-key-based-login.md) * [EC2 Max Instances](en/aws/ec2/ec2-max-instances.md) * [Elastic IP Limit](en/aws/ec2/elastic-ip-limit.md) 
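Review bot: The README hunk adds only `* [Project Artifacts Encrypted](en/aws/codebuild/project-artifacts-encrypted.md)` under the new `* CodeBuild` heading, but this same patch also creates `en/aws/codebuild/codebuild-valid-source-providers.md`; add a `* [CodeBuild Valid Source Providers](en/aws/codebuild/codebuild-valid-source-providers.md)` entry beside it so the new page is reachable from the index.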
@@ -47,6 +67,7 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Excessive Security Groups](en/aws/ec2/excessive-security-groups.md) * [Instance IAM Role](en/aws/ec2/instance-iam-role.md) * [Instance Limit](en/aws/ec2/instance-limit.md) + * [Managed NAT Gateway In Use](en/aws/ec2/managed-nat-gateway-in-use.md) * [NAT Multiple AZ](en/aws/ec2/nat-multiple-az.md) * [Open All Ports Protocols](en/aws/ec2/open-all-ports-protocols.md) * [Open CIFS](en/aws/ec2/open-cifs.md) 
@@ -66,19 +87,44 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Open Telnet](en/aws/ec2/open-telnet.md) * [Open VNC Client](en/aws/ec2/open-vnc-client.md) * [Open VNC Server](en/aws/ec2/open-vnc-server.md) + * [Outdated Amazon Machine Images](en/aws/ec2/outdated-amazon-machine-images.md) * [Overlapping Security Groups](en/aws/ec2/overlapping-security-groups.md) * [Public AMI](en/aws/ec2/public-ami.md) * [Subnet IP Availability](en/aws/ec2/subnet-ip-availability.md) + * [Unrestricted Network ACL Outbound Traffic](en/aws/ec2/unrestricted-network-acl-outbound-traffic.md) + * [Unused Amazon Machine Images](en/aws/ec2/unused-amazon-machine-images.md) + * [Unused Elastic Network Interfaces](en/aws/ec2/unused-elastic-network-interfaces.md) + * [Unused Virtual Private Gateway](en/aws/ec2/unused-virtual-private-gateway.md) + * [Unused VPC Internet Gateways](en/aws/ec2/unused-vpc-internet-gateways.md) * [VPC Elastic IP Limit](en/aws/ec2/vpc-elastic-ip-limit.md) + * [VPC Endpoint Cross Account Access](en/aws/ec2/vpc-endpoint-cross-account-acess.md) + * [VPC Endpoint Exposed](en/aws/ec2/vpc-endpoint-exposed.md) * [VPC Flow Logs Enabled](en/aws/ec2/vpc-flow-logs-enabled.md) * [VPC Multiple Subnets](en/aws/ec2/vpc-multiple-subnets.md) + * [VPC Subnet Instances Present](en/aws/ec2/vpc-subnet-instances-present.md) + * [VPN Tunnel State](en/aws/ec2/vpn-tunnel-state.md) + * [Web-Tier EC2 Instance IAM Role](en/aws/ec2/web-tier-ec2-instance-iam-role.md) + * EFS + * [EFS CMK Encrypted](en/aws/efs/efs-cmk-encrypted.md) + * [EFS Encryption Enabled](en/aws/efs/efs-encryption-enabled.md) + * EKS + * [EKS Kubernetes Version](en/aws/eks/eks-kubernetes-version.md) + * [EKS Latest Platform Version](en/aws/eks/eks-latest-platform-version.md) + * [EKS Logging Enabled](en/aws/eks/eks-logging-enabled.md) + * [EKS Private Endpoint](en/aws/eks/eks-private-endpoint.md) + * [EKS Secrets Encrypted](en/aws/eks/eks-secrets-encrypted.md) + * [EKS Security 
Groups](en/aws/eks/eks-security-groups.md) * ELB * [ELB HTTPS Only](en/aws/elb/elb-https-only.md) * [ELB Logging Enabled](en/aws/elb/elb-logging-enabled.md) * [ELB No Instances](en/aws/elb/elb-no-instances.md) * [Insecure Ciphers](en/aws/elb/insecure-ciphers.md) - * Firehose + * EventBridge + * [EventBridge Event Rules In Use](en/aws/eventbridge/eventbridge-event-rules-in-use.md) + * Firehose * [Firehose Delivery Streams Encrypted](en/aws/firehose/firehose-delivery-streams-encrypted.md) + * Glacier + * [S3 Glacier Vault Public Access](en/aws/glacier/S3-glacier-vault-public-access.md) * IAM * [Access Keys Extra](en/aws/iam/access-keys-extra.md) * [Access Keys Last Used](en/aws/iam/access-keys-last-used.md) @@ -102,14 +148,21 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Users MFA Enabled](en/aws/iam/users-mfa-enabled.md) * [Users Password Last Used](en/aws/iam/users-password-last-used.md) * KMS + * [App-Tier KMS Customer Master Key (CMK)](en/aws/kms/app-tier-kms-customer-master-key-(cmk).md) * [KMS Default Key Usage](en/aws/kms/kms-default-key-usage.md) + * [KMS Duplicate Grants](en/aws/kms/kms-duplicate-grants.md) + * [KMS Grant Least Privilege](en/aws/kms/kms-grant-least-privilege.md) * [KMS Key Policy](en/aws/kms/kms-key-policy.md) * [KMS Key Rotation](en/aws/kms/kms-key-rotation.md) * [KMS Scheduled Deletion](en/aws/kms/kms-scheduled-deletion.md) * Kinesis + * [Kinesis Data Streams Encrypted](en/aws/kinesis/kinesis-data-streams-encrypted.md) * [Kinesis Streams Encrypted](en/aws/kinesis/kinesis-streams-encrypted.md) * Lambda * [Lambda Old Runtimes](en/aws/lambda/lambda-old-runtimes.md) + * [Lambda Tracing Enabled](en/aws/lambda/lambda-tracing-enabled.md) + * Neptune + * [Neptune Database Instance Encrypted](en/aws/neptune/neptune-database-instance-encrypted.md) * RDS * [RDS Automated Backups](en/aws/rds/rds-automated-backups.md) * [RDS Encryption Enabled](en/aws/rds/rds-encryption-enabled.md) 
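Review bot: In the EC2 list of the hunk starting at `@@ -66,19 +87,44 @@`, the new entry `[VPC Endpoint Cross Account Access](en/aws/ec2/vpc-endpoint-cross-account-acess.md)` misspells `access` in the path (`acess`); unless the file really carries that name, the link 404s, so rename to `vpc-endpoint-cross-account-access.md`. In the same hunk the Glacier target `en/aws/glacier/S3-glacier-vault-public-access.md` starts with an uppercase `S3` while every other path in this index is lowercase; on case-sensitive hosting that is easy to get wrong, so lowercase the filename for consistency.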
@@ -128,6 +181,11 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [S3 Bucket All Users Policy](en/aws/s3/s3-bucket-all-users-policy.md) * [S3 Bucket Logging](en/aws/s3/s3-bucket-logging.md) * [S3 Bucket Versioning](en/aws/s3/s3-bucket-versioning.md) + * [S3 Bucket Lifecycle Configuration](en/aws/s3/s3-bucket-lifecycle-configuration.md) + * [S3 Bucket Policy CloudFront OAI](en/aws/s3/s3-bucket-policy-cloudfront-oai.md) + * [S3 DNS Compliant Bucket Names](en/aws/s3/s3-dns-compliant-bucket-names.md) + * [S3 Transfer Acceleration Enabled](en/aws/s3/s3-transfer-acceleration-enabled.md) + * [S3 Versioned Buckets Lifecycle Configuration](en/aws/s3/s3-versioned-buckets-lifecycle-configuration.md) * SES * [Email DKIM Enabled](en/aws/ses/email-dkim-enabled.md) * SNS @@ -140,6 +198,10 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * SageMaker * [Notebook Data Encrypted](en/aws/sagemaker/notebook-data-encrypted.md) * [Notebook Direct Internet Access](en/aws/sagemaker/notebook-direct-internet-access.md) + * WAF + * [AWS WAF In Use](en/aws/waf/aws-waf-in-use.md) + * WAFV2 + * [AWS WAFV2 In Use](en/aws/wafv2/aws-wafv2-in-use.md) * Azure * Active Directory * [Ensure No Guest User](en/azure/activedirectory/ensure-no-guest-user.md) @@ -481,4 +543,4 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h ## Contributing -Please see the [contributor's guide](.github/CONTRIBUTING.md). \ No newline at end of file +Please see the [contributor's guide](.github/CONTRIBUTING.md). diff --git a/en/aws/apigateway/api-gateway-certificate-rotation.md b/en/aws/apigateway/api-gateway-certificate-rotation.md new file mode 100644 index 000000000..f8afb92d3 --- /dev/null +++ b/en/aws/apigateway/api-gateway-certificate-rotation.md 
@@ -0,0 +1,27 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Gateway Certificate Rotation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Gateway Certificate Rotation | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensures that Amazon API Gateway APIs have certificates with expiration date more than the rotation limit. | +| **More Info** | API Gateway APIs should have certificates with long term expiry date to avoid API insecurity after certificate expiration. | +| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html | +| **Recommended Action** | Rotate the certificate attached to API Gateway API | + +## Detailed Remediation Steps +You must rotate the certificate before a client certificate on an API stage expires to avoid any downtime for the API.
+To rotate a client certificate in the console for a previously deployed API, do the following:
+1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/.
+2. In the main navigation pane, choose Client Certificates.
+3. From the Client Certificates pane, choose Generate Client Certificate.
+4. From navigation pane again click on APIs.
+5. Open the API for which you want to use the client certificate.
+6. Choose Stages under the selected API and then choose a stage.
+7. In the Stage Editor panel, select the new certificate under the Client Certificate section.
+8. To save the settings, choose Save Changes.
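Review bot: The remediation steps for API Gateway Certificate Rotation end at step 8 (Save Changes) without saying the stage has to be redeployed for the new certificate to take effect, which the sibling API Gateway Client Certificate page in this patch does state in its step 5; a reader following these eight steps can believe the rotation is finished while the deployed stage still presents the expiring certificate. Add a redeploy step after step 8 and a final step to delete the superseded certificate once the backend no longer needs to trust it. The Quick Info description ("certificates with expiration date more than the rotation limit") also leaves the rotation limit undefined and unexplained, and the AWS Link points at the general data-protection page rather than client-certificate documentation; the getting-started-client-side-ssl-authentication.html link used on the client-certificate page fits better.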
\ No newline at end of file diff --git a/en/aws/apigateway/api-gateway-client-certificate.md b/en/aws/apigateway/api-gateway-client-certificate.md new file mode 100644 index 000000000..2f0b7e0b1 --- /dev/null +++ b/en/aws/apigateway/api-gateway-client-certificate.md @@ -0,0 +1,30 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Gateway Client Certificate + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Gateway Client Certificate | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensures that Amazon API Gateway API stages use client certificates | +| **More Info** | API Gateway API stages should use client certificates to ensure API security authorization. | +| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html | +| **Recommended Action** | Attach client certificate to API Gateway API stages | + +## Detailed Remediation Steps +Generate a client certificate using the API Gateway console:
+1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/.
+2. Choose a REST API. +3. In the main navigation pane, choose Client Certificates.
+4. From the Client Certificates pane, choose Generate Client Certificate.
+5. Optionally, for Edit, choose to add a descriptive title for the generated certificate and choose Save to save the description. API Gateway generates a new certificate and returns the new certificate GUID.
+ +Now you need to configure an API to use SSL certificate: +1. In the API Gateway console, create or open an API for which you want to use the client certificate. Make sure that the API has been deployed to a stage. For more information on how to deploy see https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-deploy-api-with-console.html#how-to-deploy-api-console
+2. Choose Stages under the selected API and then choose a stage.
+3. In the Stage Editor panel, select a certificate under the Client Certificate section.
+4. To save the settings, choose Save Changes.
+5. If the API has been deployed previously in the API Gateway console, you'll need to redeploy it for the changes to take effect. For more information, see https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-deploy-api-with-console.html#apigateway-how-to-redeploy-api-console
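Review bot: The More Info line states that client certificates "ensure API security authorization", which overstates the control: the certificate generated here is the one API Gateway presents to the integration backend over TLS (the linked page is titled client-side SSL authentication), so its value is that the backend can verify requests really originate from API Gateway, not that callers of the API are authorized. The remediation only attaches the certificate to a stage; without a step telling the reader to configure the backend to require and validate that certificate, the finding can be closed with no security effect. Reword More Info and add the backend-verification step. Minor: step 5's "Optionally, for Edit, choose to add a descriptive title" is hard to parse; "Optionally, choose Edit to add a descriptive title" reads better.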
\ No newline at end of file diff --git a/en/aws/apigateway/api-gateway-cloudwatch-logs.md b/en/aws/apigateway/api-gateway-cloudwatch-logs.md new file mode 100644 index 000000000..95bc50f71 --- /dev/null +++ b/en/aws/apigateway/api-gateway-cloudwatch-logs.md @@ -0,0 +1,33 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Gateway CloudWatch Logs + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Gateway CloudWatch Logs | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensures that Amazon API Gateway API stages have Amazon CloudWatch Logs enabled | +| **More Info** | API Gateway API stages should have Amazon CloudWatch Logs enabled to help debug issues related to request execution or client access to your API. | +| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html | +| **Recommended Action** | Modify API Gateway API stages to enable CloudWatch Logs | + +## Detailed Remediation Steps +1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
+2. Choose a REST API.
+3. Choose Settings from the primary navigation panel and enter an ARN of an IAM role with appropriate permissions in CloudWatch log role ARN. You need to do this once.
+4. Choose an existing API and then choose a stage.
+5. Choose Logs/Tracing in the Stage Editor.
+6. To enable execution logging:
+a. Choose Enable CloudWatch Logs under CloudWatch Settings.
+b. Choose Error or Info from the dropdown menu.
+c. If desired, choose Log full requests/responses data to log the full API requests and responses.
+Warning: This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable Log full requests/responses data for production APIs.
+d. If desired, choose Enable Detailed CloudWatch Metrics.
+7. To enable access logging:
+a. Choose Enable Access Logging under Custom Access Logging.
+b. Enter the ARN of a log group in Access Log Destination ARN. The ARN format is arn:aws:logs:{region}:{account-id}:log-group:log-group-name.
+c. Enter a log format in Log Format. You can choose CLF, JSON, XML, or CSV to use one of the provided examples as a guide.
+8. Choose Save Changes.
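Review bot: Step 3 asks for "an IAM role with appropriate permissions" without naming them, which invites over-broad grants; say that the role needs a trust policy for apigateway.amazonaws.com and the AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs (or an equivalent policy limited to logs:CreateLogGroup, logs:CreateLogStream, logs:DescribeLogGroups, logs:DescribeLogStreams, logs:PutLogEvents, logs:GetLogEvents and logs:FilterLogEvents). Step 6d, "Enable Detailed CloudWatch Metrics", is the subject of the separate API Gateway Detailed CloudWatch Metrics page in this patch and is not part of enabling logs; consider dropping it here. The warning under 6c about logging full request/response data is the most important sentence on the page and should stay.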
\ No newline at end of file diff --git a/en/aws/apigateway/api-gateway-content-encoding.md b/en/aws/apigateway/api-gateway-content-encoding.md new file mode 100644 index 000000000..1e86ce1e8 --- /dev/null +++ b/en/aws/apigateway/api-gateway-content-encoding.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Gateway Content Encoding + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Gateway Content Encoding | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensures that Amazon API Gateway APIs have content encoding enabled. | +| **More Info** | API Gateway API should have content encoding enabled to enable compression of response payload. | +| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-compression-decompression.html | +| **Recommended Action** | Enable content encoding and set minimum compression size of API Gateway API response | + +## Detailed Remediation Steps +1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
+2. Choose an existing API.
+3. In the primary navigation pane, choose Settings under the API you chose.
+4. Under the Content Encoding section in the Settings pane, select the Content Encoding enabled option to enable payload compression. Enter a number for the minimum compression size (in bytes) next to Minimum body size required for compression.
+5. Choose Save Changes.
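Review bot: Step 4 tells the reader to "Enter a number" for the minimum body size without giving the accepted range (API Gateway accepts 0 to 10,485,760 bytes) or guidance on choosing it, and neither Quick Info line mentions that compression is only applied when the client sends an Accept-Encoding header the API supports; add both so the reader understands what the setting does. The page also files this under security findings without stating what risk an uncompressed response carries; if the intent is availability or cost, say so in More Info.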
\ No newline at end of file diff --git a/en/aws/apigateway/api-gateway-detailed-cloudwatch-metrics.md b/en/aws/apigateway/api-gateway-detailed-cloudwatch-metrics.md new file mode 100644 index 000000000..d0f413d89 --- /dev/null +++ b/en/aws/apigateway/api-gateway-detailed-cloudwatch-metrics.md @@ -0,0 +1,23 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Gateway Detailed CloudWatch Metrics + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Gateway Detailed CloudWatch Metrics | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensures that API Gateway API stages have detailed CloudWatch metrics enabled. | +| **More Info** | API Gateway API stages should have detailed CloudWatch metrics enabled to monitor logs and events. | +| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-metrics.html | +| **Recommended Action** | Add CloudWatch role ARN to API settings and enabled detailed metrics for each stage | + +## Detailed Remediation Steps +1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/.
+2. Choose an API.
+3. Choose a stage.
+4. On the Logs/Tracing tab, choose Enable Detailed CloudWatch Metrics.
+5. Choose Resources in the left side navigation panel.
+6. To redeploy the API with the new settings, choose the Actions dropdown, and then choose Deploy API.
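Review bot: The AWS Link points to http-api-metrics.html, but steps 3 to 6 (Stages, the Logs/Tracing tab, Actions then Deploy API) are the REST API console flow, so either link the REST API metrics documentation or state that the plugin covers REST APIs. Recommended Action reads "enabled detailed metrics"; it should be "enable". Step 4 toggles the option but never saves it; add "choose Save Changes" as the Tracing page in this patch does in its step 4, before the redeploy in step 6.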
\ No newline at end of file diff --git a/en/aws/apigateway/api-gateway-private-endpoints.md b/en/aws/apigateway/api-gateway-private-endpoints.md new file mode 100644 index 000000000..8615811a0 --- /dev/null +++ b/en/aws/apigateway/api-gateway-private-endpoints.md @@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Gateway Private Endpoints + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Gateway Private Endpoints | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensures that Amazon API Gateway APIs are only accessible through private endpoints. | +| **More Info** | API Gateway APIs should be only accessible through private endpoints to ensure API security | +| **AWS Link** | https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints | +| **Recommended Action** | Set API Gateway API endpoint configuration to private | + +## Detailed Remediation Steps +To convert a public endpoint from regional or edge-optimized to Private:
+1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
+2. Choose an existing API.
+3. Choose Settings.
+4. Change the Endpoint Type option under Endpoint Configuration from Edge Optimized or from Regional to Private.
+5. You need to specify one or more VPC endpoints with your API and API Gateway will generate new Route 53 Alias records which you can use to invoke your API.
+6. If you don't have a VPC, then create one and then Create the VPC endpoint for API Gateway. See this for more details: https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/
+7. Choose Save Changes to start the update.
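Review bot: Steps 4 to 7 change the endpoint type to Private but omit the resource policy a private API requires: API Gateway denies every invocation of a PRIVATE endpoint that the API's resource policy does not explicitly allow (typically an Allow statement with an aws:SourceVpce condition listing the VPC endpoint IDs chosen in step 5), and a resource policy change only takes effect once the API is deployed to its stages. Without those two steps the API stops answering after the switch, which a reader will experience as an outage caused by the remediation. Step 6 also belongs before step 5, since the VPC endpoint must exist before it can be selected, and the AWS Link is a launch blog post; the developer guide page on private REST APIs is the stable reference.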
\ No newline at end of file diff --git a/en/aws/apigateway/api-gateway-response-caching.md b/en/aws/apigateway/api-gateway-response-caching.md new file mode 100644 index 000000000..e47d4495c --- /dev/null +++ b/en/aws/apigateway/api-gateway-response-caching.md @@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Gateway Response Caching + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Gateway Response Caching | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensure that response caching is enabled for your Amazon API Gateway REST APIs. | +| **More Info** | A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services.You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API. | +| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html | +| **Recommended Action** | Modify API Gateway API stages to enable API cache | + +## Detailed Remediation Steps +To configure API caching for a given stage: +1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
+2. Choose an existing API.
+3. Choose Stages.
+4. In the Stages list for the API, choose the stage.
+5. Choose the Settings tab.
+6. Choose Enable API cache.
+7. Wait for the cache creation to complete.
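Review bot: Step 6 enables the cache without mentioning the "Encrypt cache data" option that sits in the same Cache Settings panel and that this patch's own API Stage-Level Cache Encryption page exists to enforce; as written, following this page creates an unencrypted cache that the sibling check will then flag, so add the encryption tick to step 6. A second caveat the reader needs: enabling the stage cache applies by default to every GET method, and a response that varies by caller (authorizer identity, headers, query strings) is served to other callers from the cache unless those request parameters are part of the method's cache key, so add a step to review cache key parameters per method before enabling. Minor: More Info is missing a space in "services.You".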
\ No newline at end of file diff --git a/en/aws/apigateway/api-gateway-tracing-enabled.md b/en/aws/apigateway/api-gateway-tracing-enabled.md new file mode 100644 index 000000000..fbb535365 --- /dev/null +++ b/en/aws/apigateway/api-gateway-tracing-enabled.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Gateway Tracing Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Gateway Tracing Enabled | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensures that Amazon API Gateway API stages have tracing enabled for AWS X-Ray. | +| **More Info** | API Gateway API stages should have tracing enabled to send traces to AWS X-Ray for enhanced distributed tracing. | +| **AWS Link** | https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html | +| **Recommended Action** | Enable tracing on API Gateway API stages | + +## Detailed Remediation Steps +Enable active tracing on your API stages to sample incoming requests and send traces to X-Ray.
+1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/.
+2. Choose an API.
+3. Choose a stage.
+4. On the Logs/Tracing tab, choose Enable X-Ray Tracing and then choose Save Changes.
+5. Choose Resources in the left side navigation panel.
+6. To redeploy the API with the new settings, choose the Actions dropdown, and then choose Deploy API.
+Note: API Gateway uses sampling rules that you define in the X-Ray console to determine which requests to record.
+For more info see: https://docs.aws.amazon.com/xray/latest/devguide/xray-console-sampling.html
\ No newline at end of file diff --git a/en/aws/apigateway/api-gateway-waf-enabled.md b/en/aws/apigateway/api-gateway-waf-enabled.md new file mode 100644 index 000000000..5f861d88e --- /dev/null +++ b/en/aws/apigateway/api-gateway-waf-enabled.md @@ -0,0 +1,27 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Gateway WAF Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Gateway WAF Enabled | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensures that API Gateway APIs are associated with a Web Application Firewall. | +| **More Info** | API Gateway APIs should be associated with a Web Application Firewall to ensure API security. | +| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html | +| **Recommended Action** | Associate API Gateway API with Web Application Firewall | + +## Detailed Remediation Steps +To associate an AWS WAF regional Web ACL with an API Gateway API stage using the API Gateway console
+1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
+2. In the APIs navigation pane, choose the API, and then choose Stages.
+3. In the Stages pane, choose the name of the stage.
+4. In the Stage Editor pane, choose the Settings tab.
+5. To associate a Regional web ACL with the API stage:
+a. In the AWS WAF web ACL dropdown list, choose the Regional web ACL that you want to associate with this stage. +Note:
+If the web ACL you need doesn't exist yet, choose Create WebACL. Then choose Go to AWS WAF to open the AWS WAF console in a new browser tab and create a Regional web ACL. Then return to the API Gateway console to associate the web ACL with the stage.
+6. Choose Save Changes.
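Review bot: The steps attach a web ACL but say nothing about what it should contain; an empty Regional web ACL with a default Allow action satisfies this check while filtering nothing, so step 5a or the Note should tell the reader to attach a web ACL that carries at least a baseline rule group and to review its default action and logging. Formatting: the introductory line before step 1 lacks a terminating colon, and "Note:" is run onto the end of step 5a instead of starting its own line.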
\ No newline at end of file diff --git a/en/aws/apigateway/api-stage-level-cache-encryption.md b/en/aws/apigateway/api-stage-level-cache-encryption.md new file mode 100644 index 000000000..e218c1745 --- /dev/null +++ b/en/aws/apigateway/api-stage-level-cache-encryption.md @@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / API Gateway / API Stage-Level Cache Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | API Stage-Level Cache Encryption | +| **Cloud** | AWS | +| **Category** | API Gateway | +| **Description** | Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached responses. | +| **More Info** | It is strongly recommended to enforce encryption for API cached responses in order to protect your data from unauthorized access. | +| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html | +| **Recommended Action** | Modify API Gateway API stages to enable encryption on cache data | + +## Detailed Remediation Steps +To configure API caching for individual methods using the console:
+1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
+2. Go to the API Gateway console.
+3. Choose the API.
+4. Choose Stages.
+5. In the Stages list for the API, expand the stage and choose a method in the API.
+6. Choose Override for this method in Settings.
+7. In Cache Settings, choose Encrypt cache data. (This section is shown only if stage-level caching is enabled.)
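Review bot: The introductory line says "for individual methods" and steps 5 to 7 walk through a per-method Override, but the plugin is titled stage-level cache encryption, and step 7's own parenthetical says the section only appears once stage-level caching is enabled; the reader needs the stage-level path first (Stages, choose the stage, Settings tab, tick Encrypt cache data under Cache Settings, next to the Enable API cache option the sibling Response Caching page describes), with the method-level override presented only as the way to handle exceptions. Step 2 ("Go to the API Gateway console") repeats step 1 and can be dropped.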
\ No newline at end of file diff --git a/en/aws/autoscaling/app-tier-launch-configurations-iam-roles.md b/en/aws/autoscaling/app-tier-launch-configurations-iam-roles.md index 1705200a2..db5173764 100644 --- a/en/aws/autoscaling/app-tier-launch-configurations-iam-roles.md +++ b/en/aws/autoscaling/app-tier-launch-configurations-iam-roles.md @@ -33,5 +33,5 @@ 16. On the "Launch Configuration" page, scroll down and click on the "Copy launch configuration" button.
17. On the "Create launch configuration" page, scroll down and select the "IAM instance profile" from the dropdown under the Additional configuration.
18. Click on the "Create launch configuration" button at the bottom to make the changes.
-19. Repeat steps number 8 - 18 to update App-Tier Auto Scaling launch configuration and attach a customer created App-Tier IAM role.
- +19. Repeat steps number 8 - 18 to update App-Tier Auto Scaling launch configuration and attach a customer created App-Tier IAM role.

+Note: AWS has [officially announced](https://aws.amazon.com/blogs/compute/amazon-ec2-auto-scaling-will-no-longer-add-support-for-new-ec2-features-to-launch-configurations/) that they will be discontinuing support for AWS Launch Configurations, with the support end date set for December 31, 2023. It's recommended to migrate from a launch configuration to a launch template, following [these steps](https://docs.aws.amazon.com/autoscaling/ec2/userguide/migrate-to-launch-templates.html). diff --git a/en/aws/autoscaling/launch-configuration-referencing-missing-security-groups.md b/en/aws/autoscaling/launch-configuration-referencing-missing-security-groups.md index 8db2c06b9..8264020d0 100644 --- a/en/aws/autoscaling/launch-configuration-referencing-missing-security-groups.md +++ b/en/aws/autoscaling/launch-configuration-referencing-missing-security-groups.md @@ -27,4 +27,5 @@ 10. On the "Launch Configuration" page, scroll down and click on the "Copy launch configuration" button.
11. On the "Create launch configuration" page, scroll down and select the "Create a new Security group" option and open the Inbound ports as per the requirements.
12. Click on the "Create launch configuration" button at the bottom to make the changes.
-13. Repeat steps number 8 - 12 to ensure that the launch configuration security group has not been deleted.
+13. Repeat steps number 8 - 12 to ensure that the launch configuration security group has not been deleted.

+Note: AWS has [officially announced](https://aws.amazon.com/blogs/compute/amazon-ec2-auto-scaling-will-no-longer-add-support-for-new-ec2-features-to-launch-configurations/) that they will be discontinuing support for AWS Launch Configurations, with the support end date set for December 31, 2023. It's recommended to migrate from a launch configuration to a launch template, following [these steps](https://docs.aws.amazon.com/autoscaling/ec2/userguide/migrate-to-launch-templates.html). \ No newline at end of file diff --git a/en/aws/autoscaling/web-tier-launch-configurations-iam-roles.md b/en/aws/autoscaling/web-tier-launch-configurations-iam-roles.md index 23d0f5749..058be24c9 100644 --- a/en/aws/autoscaling/web-tier-launch-configurations-iam-roles.md +++ b/en/aws/autoscaling/web-tier-launch-configurations-iam-roles.md @@ -33,7 +33,9 @@ 16. On the "Launch Configuration" page, scroll down and click on the "Copy launch configuration" button.
17. On the "Create launch configuration" page, scroll down and select the "IAM instance profile" from the dropdown under the Additional configuration.
18. Click on the "Create launch configuration" button at the bottom to make the changes.
-19. Repeat steps number 8 - 18 to update Web-Tier Auto Scaling launch configuration and attach a customer created App-Tier IAM role.
+19. Repeat steps number 8 - 18 to update Web-Tier Auto Scaling launch configuration and attach a customer created App-Tier IAM role.

+ +Note: AWS has [officially announced](https://aws.amazon.com/blogs/compute/amazon-ec2-auto-scaling-will-no-longer-add-support-for-new-ec2-features-to-launch-configurations/) that they will be discontinuing support for AWS Launch Configurations, with the support end date set for December 31, 2023. It's recommended to migrate from a launch configuration to a launch template, following [these steps](https://docs.aws.amazon.com/autoscaling/ec2/userguide/migrate-to-launch-templates.html). diff --git a/en/aws/codebuild/codebuild-valid-source-providers.md b/en/aws/codebuild/codebuild-valid-source-providers.md new file mode 100644 index 000000000..53656a647 --- /dev/null +++ b/en/aws/codebuild/codebuild-valid-source-providers.md @@ -0,0 +1,17 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / CodeBuild / CodeBuild Valid Source Providers + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | CodeBuild Valid Source Providers | +| **Cloud** | AWS | +| **Category** | CodeBuild | +| **Description** | Ensure that CodeBuild projects are using only valid source providers. | +| **More Info** | CodeBuild should use only desired source providers in order to follow your organizations's security and compliance requirements. | +| **AWS Link** | https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ProjectSource.html | +| **Recommended Action** | Edit CodeBuild project source provider information and remove disallowed source providers. | + +## Detailed Remediation Steps \ No newline at end of file diff --git a/en/aws/codebuild/project-artifacts-encrypted.md b/en/aws/codebuild/project-artifacts-encrypted.md new file mode 100644 index 000000000..5e0801b6a --- /dev/null +++ b/en/aws/codebuild/project-artifacts-encrypted.md 
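Review bot: In the web-tier-launch-configurations-iam-roles.md hunk, step 19 still reads "attach a customer created App-Tier IAM role" in both the removed and the added line, although this is the Web-Tier page; since the line is being rewritten anyway (only its trailing newline changes), fix the copy-paste error to "Web-Tier IAM role" in the same change.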
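Review bot: The new codebuild-valid-source-providers.md ends at the "## Detailed Remediation Steps" heading with nothing under it, so the page ships incomplete; either add the steps (open the project in the CodeBuild console, edit its Source section and change the provider, and state which source providers the plugin treats as valid and where that allow list is configured) or hold the file until they exist. The file is also absent from the README's CodeBuild section in this patch. Typo in More Info: "organizations's".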
@@ -0,0 +1,34 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / CodeBuild / Project Artifacts Encrypted + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Project Artifacts Encrypted | +| **Cloud** | AWS | +| **Category** | CodeBuild | +| **Description** | Ensure that your AWS CodeBuild project artifacts are encrypted with desired encryption level. | +| **More Info** | AWS CodeBuild encrypts artifacts such as a cache, logs, exported raw test report data files, and build results by default using AWS managed keys. Use customer-managed key instead, in order to to gain more granular control over encryption/decryption process. | +| **AWS Link** | https://docs.aws.amazon.com/codebuild/latest/userguide/security-encryption.html | +| **Recommended Action** | Encrypt them using customer-managed keys to gain more control over data encryption and decryption process. | +## Detailed Remediation Steps +1. Log into the AWS Management Console. +2. Select the "Services" option and search for "Key Management Service".
+3. From "Key Management Service (KMS)" on the left hand side and select "Customer managed keys".
+4. On the Customer managed keys page there are two options: + * Click on the Alias or the Key ID of the custom key that you would like to use and copy its ARN from the top bar.
+ * Press "Create Key on the top right" and create a custom key. After that is done, copy the key's ARN.
+5. Select the "Services" option again and search for "CodeBuild". +6. On the left hand side select "Build projects".
+7. If creating a new build project + 1. Press "create build project" on the top right. + 2. Scroll all the way down to the Artifacts section and select "Additional configuration".
+ 3. Insert the ARN of the custom key into the "Encryption key" field.
+ 4. Fill out the rest and press "Create build project". +8. If editing an existing build project. + 1. Click on the name of the project that needs to be edited. + 2. On the top right click "Edit" and select "Artifacts" from the drop down menu.
+ 3. Click on "Additional configuration" and paste the ARN of the custom key into the "Encryption key" field.
+ 4. Press "Update artifacts". \ No newline at end of file diff --git a/en/aws/ec2/amazon-ebs-public-snapshots.md b/en/aws/ec2/amazon-ebs-public-snapshots.md new file mode 100644 index 000000000..ce8fcc2e9 --- /dev/null +++ b/en/aws/ec2/amazon-ebs-public-snapshots.md @@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Amazon EBS Public Snapshots + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Amazon EBS Public Snapshots | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensure that Amazon EBS volume snapshots are not shared to all AWS accounts | +| **More Info** | AWS Elastic Block Store (EBS) volume snapshots should not be not publicly shared with other AWS account to avoid data exposure | +| **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html | +| **Recommended Action** | Modify the permissions of public snapshots to remove public access | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for EC2.
+3. In the navigation pane, under Elastic Block Store, click on Snapshots.
+4. Select the snapshot to modify, and then choose Actions, Modify permissions.
+5. Change the snapshot's permissions. Current setting indicates the snapshot's current sharing permissions.
+6. To share the snapshot privately with specific AWS accounts, choose Private. Then, in the Sharing accounts section, choose Add account, and enter the 12-digit account ID (without hyphens) of the account to share with.
+7. Choose Save changes.
+8. Repeat the steps 4 - 7 for all snapshots that are shared publicly.
\ No newline at end of file diff --git a/en/aws/ec2/app-tier-ec2-instance-iam-role.md b/en/aws/ec2/app-tier-ec2-instance-iam-role.md new file mode 100644 index 000000000..c18f4d973 --- /dev/null +++ b/en/aws/ec2/app-tier-ec2-instance-iam-role.md @@ -0,0 +1,15 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / App-Tier EC2 Instance IAM Role + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | App-Tier EC2 Instance IAM Role | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensure IAM roles attached with App-Tier EC2 instances have IAM policies attached | +| **More Info** | EC2 instances should have IAM roles configured with necessary permission to access other AWS services | +| **AWS Link** | https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/ | +| **Recommended Action** | Modify EC2 instances to attach IAM roles with required IAM policies | \ No newline at end of file diff --git a/en/aws/ec2/automate-ebs-snapshot-lifecycle.md b/en/aws/ec2/automate-ebs-snapshot-lifecycle.md new file mode 100644 index 000000000..08bdf146a --- /dev/null +++ b/en/aws/ec2/automate-ebs-snapshot-lifecycle.md 
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Automate EBS Snapshot Lifecycle + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Automate EBS Snapshot Lifecycle | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensure DLM is used to automate EBS volume snapshots management | +| **More Info** | Amazon Data Lifecycle Manager (DLM) service enables you to manage the lifecycle of EBS volume snapshots. Using DLM helps in enforcing regular backup schedule, retaining backups, deleting outdated EBS snapshots | +| **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html | +| **Recommended Action** | Create lifecycle policy for EBS volumes | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for EC2.
+3. In the navigation pane, under Elastic Block Store, click on Lifecycle Manager.
+4. Select a lifecycle policy from the list. Click Next Step.
+5. Enter the policy settings as needed. For example, add tags, and enable the policy. Click Next.
+6. Create the schedule as needed.
+7. Review and Create.
\ No newline at end of file diff --git a/en/aws/ec2/cross-organization-vpc-peering-connections.md b/en/aws/ec2/cross-organization-vpc-peering-connections.md new file mode 100644 index 000000000..78009cf1e --- /dev/null +++ b/en/aws/ec2/cross-organization-vpc-peering-connections.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Cross Organization VPC Peering Connections + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Cross Organization VPC Peering Connections | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that VPC peering communication is only between AWS accounts, members of the same AWS Organization | +| **More Info** | VPC peering communication should be only between AWS accounts to keep organization resources private and isolated | +| **AWS Link** | https://docs.aws.amazon.com/vpc/latest/peering/working-with-vpc-peering.html | +| **Recommended Action** | Update VPC peering connections to allow connections to AWS Accounts, members of the same organization | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for VPC.
+3. In the navigation pane, choose Peering Connections.
+4. Select the VPC peering connection that allows communication with accounts outside the AWS organization, and choose Actions, Delete Peering connection.
+5. Repeat steps 3-4 for all VPC peering connections that allow connections outside AWS organization.
\ No newline at end of file diff --git a/en/aws/ec2/ebs-backup-enabled.md b/en/aws/ec2/ebs-backup-enabled.md new file mode 100644 index 000000000..10b30a345 --- /dev/null +++ b/en/aws/ec2/ebs-backup-enabled.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / EBS Backup Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | EBS Backup Enabled | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Checks whether EBS Backup is enabled | +| **More Info** | EBS volumes should have backups in the form of snapshots | +| **AWS Link** | https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/new-ebs-volume-backups.html | +| **Recommended Action** | Ensure that each EBS volumes contain at least a backup in the form of a snapshot. | + +## Detailed Remediation Steps +1. Log into the AWS Management Console. +2. Select the "Services" option and search for EC2.
+3. On Amazon EC2 console, on the Elastic Block Store Volumes page, select the volume that you want to back up.
+4. Then on the Actions menu, choose Create Snapshot.
+5. You can search for volumes that are attached to a specific instance by entering the instance ID in the filter box.
+6. Enter a description and add the appropriate tags.
+7. Add a Name tag to make it easier to find the volume later.
+8. Add any other appropriate tags based on your tagging strategy.
+9. Repeat steps 3 - 8 for each EBS volume that does not have a snapshot.
\ No newline at end of file diff --git a/en/aws/ec2/ebs-encryption-enabled-by-default.md b/en/aws/ec2/ebs-encryption-enabled-by-default.md new file mode 100644 index 000000000..4e17dc27d --- /dev/null +++ b/en/aws/ec2/ebs-encryption-enabled-by-default.md @@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / EBS Encryption Enabled By Default + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | EBS Encryption Enabled By Default | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensure the setting for encryption by default is enabled | +| **More Info** | AWS account should be configured to enable encryption for new EBS volumes and snapshots for all regions | +| **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default | +| **Recommended Action** | Enable EBS Encryption by Default | + +## Detailed Remediation Steps +1. Log into the AWS Management Console. +2. Select the "Services" option and search for EC2.
+3. On Amazon EC2 console,from the navigation bar, select the Region.
+4. From the navigation pane, select EC2 Dashboard.
+5. In the upper-right corner of the page, choose Account Attributes, EBS encryption.
+6. Choose Manage.
+7. Select Enable. You keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key.
+8. Choose Update EBS encryption.
\ No newline at end of file diff --git a/en/aws/ec2/ebs-volume-has-tags.md b/en/aws/ec2/ebs-volume-has-tags.md index 82935c643..036a0f740 100644 --- a/en/aws/ec2/ebs-volume-has-tags.md +++ b/en/aws/ec2/ebs-volume-has-tags.md @@ -1,6 +1,6 @@ [![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) -# AWS / EC2 / EBS Encryption Enabled +# AWS / EC2 / EBS Volume has tags ## Quick Info diff --git a/en/aws/ec2/ebs-volumes-too-old-snapshots.md b/en/aws/ec2/ebs-volumes-too-old-snapshots.md new file mode 100644 index 000000000..b8f3a3925 --- /dev/null +++ b/en/aws/ec2/ebs-volumes-too-old-snapshots.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / EBS Volumes Too Old Snapshots + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | EBS Volumes Too Old Snapshots | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensure that EBS volume snapshots are deleted after defined time period | +| **More Info** | EBS volume snapshots older than indicated should be deleted after defined time period for cost optimization | +| **AWS Link** | https://docs.amazonaws.cn/en_us/AWSEC2/latest/UserGuide/ebs-deleting-snapshot.html | +| **Recommended Action** | Delete the EBS snapshots past their defined expiration date, the default expiration time is 30 days | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for EC2.
+3. In the navigation pane, under Elastic Block Store, click on Snapshots.
+4. Select the snapshot to delete, and then choose Actions, Delete snapshot.
+5. Choose Delete.
\ No newline at end of file diff --git a/en/aws/ec2/managed-nat-gateway-in-use.md b/en/aws/ec2/managed-nat-gateway-in-use.md new file mode 100644 index 000000000..e3fc3a4c2 --- /dev/null +++ b/en/aws/ec2/managed-nat-gateway-in-use.md @@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Managed NAT Gateway In Use + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Managed NAT Gateway In Use | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA) | +| **More Info** | VPCs should use highly available Managed NAT Gateways in order to enable EC2 instances to connect to the internet or with other AWS components | +| **AWS Link** | https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html | +| **Recommended Action** | Update VPCs to use Managed NAT Gateways instead of NAT instances | + +## Detailed Remediation Steps +Creating a Managed NAT Gateway
+1. Log into the AWS Management Console.
+2. Select the "Services" option and search for VPC.
+3. At the navigation area on the left. Locate and click on NAT Gateways:
+4. Then click on Create NAT Gateway and choose one of your subnets.
+5. Choose one of your existing Elastic IP addresses, or create a new one.
+6. Then click on Create a NAT Gateway, and observe the confirmation.
+7. you will need to edit your VPC’s route tables to send traffic destined for the Internet toward the gateway. The gateway’s internal (private) IP address will be chosen automatically, and will be on the subnet associated with the gateway.
\ No newline at end of file diff --git a/en/aws/ec2/outdated-amazon-machine-images.md b/en/aws/ec2/outdated-amazon-machine-images.md new file mode 100644 index 000000000..a300f6d9f --- /dev/null +++ b/en/aws/ec2/outdated-amazon-machine-images.md @@ -0,0 +1,48 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Outdated Amazon Machine Images + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Outdated Amazon Machine Images | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that deprecated Amazon Machine Images are not in use. | +| **More Info** | Deprecated Amazon Machine Images should not be used to make an instance. | +| **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html | +| **Recommended Action** | Delete the instances using deprecated AMIs | + +## Detailed Remediation Steps + To delete the AMI so that users and services cannot use it, you must deregister it
+ When you deregister an AMI, it doesn't affect any instances that you've already launched from the AMI or any snapshots created during the AMI creation process. You'll continue to incur usage costs for these instances and storage costs for the snapshot. Therefore, you should terminate any instances and delete any snapshots that you're finished with.
+ +The procedure that you'll use to clean up your AMI depends on whether it's backed by Amazon EBS or instance store. For more information, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html#display-ami-root-device-type
+ +To clean up your Amazon EBS-backed AMI.
+1. Log into the AWS Management Console.
+2. Select the "Services" option and search for EC2.
+3. In the navigation pane, choose AMIs.
+4.Select the AMI to deregister, and take note of its ID—this can help you find the snapshots to delete in the next step.
+5. Choose Actions, Deregister AMI. When prompted for confirmation, choose Deregister AMI.
+Note: +It might take a few minutes before the console removes the AMI from the list. Choose Refresh to refresh the status.
+Delete snapshots that are no longer needed.
+1. In the navigation pane, choose Snapshots.
+2. Select a snapshot to delete (look for the AMI ID from the prior step in the Description column).
+3. Choose Actions, Delete snapshot. When prompted for confirmation, choose Delete.
+ +(Optional) Terminate instances
+1. If you are finished with an instance that you launched from the AMI, you can terminate it.
+2. In the navigation pane, choose Instances, and then select the instance to terminate.
+3. Choose Instance state, Terminate instance. When prompted for confirmation, choose Terminate.
+ +Clean up your instance store-backed AMI
+1. Deregister the AMI using the deregister-image command as follows.
+aws ec2 deregister-image --image-id ami_id
+2. Delete the bundle in Amazon S3 using the ec2-delete-bundle (AMI tools) command as follows.
+ec2-delete-bundle -b myawsbucket/myami -a your_access_key_id -s your_secret_access_key -p image
+3. (Optional) If you are finished with an instance that you launched from the AMI, you can terminate it using the terminate-instances command as follows.
+aws ec2 terminate-instances --instance-ids instance_id
+4. (Optional) If you are finished with the Amazon S3 bucket that you uploaded the bundle to, you can delete the bucket. To delete an Amazon S3 bucket, open the Amazon S3 console, select the bucket, choose Actions, and then choose Delete.
\ No newline at end of file diff --git a/en/aws/ec2/unrestricted-network-acl-outbound-traffic.md b/en/aws/ec2/unrestricted-network-acl-outbound-traffic.md new file mode 100644 index 000000000..5809d35a5 --- /dev/null +++ b/en/aws/ec2/unrestricted-network-acl-outbound-traffic.md @@ -0,0 +1,35 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Unrestricted Network ACL Outbound Traffic + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Unrestricted Network ACL Outbound Traffic | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that no Amazon Network ACL allows outbound/egress traffic to all ports | +| **More Info** | Amazon Network ACL should not allow outbound/egress traffic to all ports to avoid unauthorized access at the subnet level | +| **AWS Link** | https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html | +| **Recommended Action** | Update Network ACL to allow outbound/egress traffic to specific port ranges only | + +## Detailed Remediation Steps +To delete a rule from a network ACL +1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+2. In the navigation pane, choose Network ACLs, and then select the network ACL.
+3. In the details pane, select Outbound Rules tab, and then choose Edit. Choose Remove for the rule that allow outbound traffic to all ports, and then choose Save.
+ +Then you may add new rules to allow outbound traffic to specific port ranges as needed
+To add rules to a network ACL:
+1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+2. In the navigation pane, choose Network ACLs.
+3. In the details pane, choose the Outbound Rules tab, and then choose Edit. +4. In Rule #, enter a rule number (for example, 100). The rule number must not already be in use in the network ACL. We process the rules in order, starting with the lowest number.
+5. Select a rule from the Type list. For example, to add a rule for HTTP, choose HTTP. To add a rule to allow all TCP traffic, choose All TCP. For some of these options (for example, HTTP), the port filled automatically. To use a protocol that's not listed, choose Custom Protocol Rule.
+6. (Optional) If you're creating a custom protocol rule, select the protocol's number and name from the Protocol list.
+7. (Optional) If the protocol you selected requires a port number, enter the port number or port range separated by a hyphen (for example, 49152-65535).
+8. In the Destination field, enter the CIDR range that the rule applies to.
+9. From the Allow/Deny list, select ALLOW to allow the specified traffic or DENY to deny the specified traffic.
+10. (Optional) To add another rule, choose Add another rule, and repeat steps 4 to 9 as required.
+11. When you are done, choose Save.
\ No newline at end of file diff --git a/en/aws/ec2/unused-amazon-machine-images.md b/en/aws/ec2/unused-amazon-machine-images.md new file mode 100644 index 000000000..8be1ef171 --- /dev/null +++ b/en/aws/ec2/unused-amazon-machine-images.md @@ -0,0 +1,44 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Unused Amazon Machine Images + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Unused Amazon Machine Images | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that all Amazon Machine Images are in use to ensure cost optimization | +| **More Info** | All unused/deregistered Amazon Machine Images should be deleted to avoid extraneous cost | +| **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/deregister-ami.html | +| **Recommended Action** | Delete the unused/deregistered AMIs | + +## Detailed Remediation Steps +The procedure that you'll use to clean up your AMI depends on whether it's backed by Amazon EBS or instance store. For more information, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html#display-ami-root-device-type.
+To clean up your Amazon EBS-backed AMI.
+1. Log into the AWS Management Console.
+2. Select the "Services" option and search for EC2.
+3. In the navigation pane, choose AMIs.
+4.Select the AMI to deregister, and take note of its ID—this can help you find the snapshots to delete in the next step.
+5. Choose Actions, Deregister AMI. When prompted for confirmation, choose Deregister AMI.
+Note: +It might take a few minutes before the console removes the AMI from the list. Choose Refresh to refresh the status.
+Delete snapshots that are no longer needed.
+1. In the navigation pane, choose Snapshots.
+2. Select a snapshot to delete (look for the AMI ID from the prior step in the Description column).
+3. Choose Actions, Delete snapshot. When prompted for confirmation, choose Delete.
+ +(Optional) Terminate instances
+1. If you are finished with an instance that you launched from the AMI, you can terminate it.
+2. In the navigation pane, choose Instances, and then select the instance to terminate.
+3. Choose Instance state, Terminate instance. When prompted for confirmation, choose Terminate.
+ +Clean up your instance store-backed AMI
+1. Deregister the AMI using the deregister-image command as follows.
+aws ec2 deregister-image --image-id ami_id
+2. Delete the bundle in Amazon S3 using the ec2-delete-bundle (AMI tools) command as follows.
+ec2-delete-bundle -b myawsbucket/myami -a your_access_key_id -s your_secret_access_key -p image
+3. (Optional) If you are finished with an instance that you launched from the AMI, you can terminate it using the terminate-instances command as follows.
+aws ec2 terminate-instances --instance-ids instance_id
+4. (Optional) If you are finished with the Amazon S3 bucket that you uploaded the bundle to, you can delete the bucket. To delete an Amazon S3 bucket, open the Amazon S3 console, select the bucket, choose Actions, and then choose Delete.
\ No newline at end of file diff --git a/en/aws/ec2/unused-elastic-network-interfaces.md b/en/aws/ec2/unused-elastic-network-interfaces.md new file mode 100644 index 000000000..b9fa60b1c --- /dev/null +++ b/en/aws/ec2/unused-elastic-network-interfaces.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Unused Elastic Network Interfaces + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Unused Elastic Network Interfaces | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that unused AWS Elastic Network Interfaces (ENIs) are removed | +| **More Info** | Unused AWS ENIs should be removed to follow best practices and to avoid reaching the service limit | +| **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html | +| **Recommended Action** | Delete the unused AWS Elastic Network Interfaces | + +## Detailed Remediation Steps +1. Log into the AWS Management Console. +2. Select the "Services" option and search for EC2.
+3. In the navigation pane, choose Network Interfaces.
+4. Select the checkbox for the network the unused interface you need to delete, and then choose Actions, Delete.
+5. When prompted for confirmation, choose Delete.
\ No newline at end of file diff --git a/en/aws/ec2/unused-virtual-private-gateway.md b/en/aws/ec2/unused-virtual-private-gateway.md new file mode 100644 index 000000000..9ea7944d4 --- /dev/null +++ b/en/aws/ec2/unused-virtual-private-gateway.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Unused Virtual Private Gateway + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Unused Virtual Private Gateway | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that unused Virtual Private Gateways (VGWs) are removed. | +| **More Info** | Unused VGWs should be remove to follow best practices and to avoid reaching the service limit. | +| **AWS Link** | https://docs.aws.amazon.com/vpn/latest/s2svpn/delete-vpn.html | +| **Recommended Action** | Remove the unused Virtual Private Gateways (VGWs) | + +## Detailed Remediation Steps +To detach a virtual private gateway using the console
+1. In the navigation pane, choose Virtual Private Gateways.
+2. Select the virtual private gateway and choose Actions, Detach from VPC.
+3. Choose Yes, Detach.
+ +If you no longer require a detached virtual private gateway, you can delete it. You can't delete a virtual private gateway that's still attached to a VPC. detach it first as mentioned in the above steps.
+To delete a virtual private gateway using the console
+1. In the navigation pane, choose Virtual Private Gateways.
+2. Select the virtual private gateway to delete and choose Actions, Delete Virtual Private Gateway.
\ No newline at end of file diff --git a/en/aws/ec2/unused-vpc-internet-gateways.md b/en/aws/ec2/unused-vpc-internet-gateways.md new file mode 100644 index 000000000..cc3d39319 --- /dev/null +++ b/en/aws/ec2/unused-vpc-internet-gateways.md @@ -0,0 +1,31 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Unused VPC Internet Gateways + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Unused VPC Internet Gateways | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that unused VPC Internet Gateways and Egress-Only Internet Gateways are removed | +| **More Info** | Unused VPC Internet Gateways and Egress-Only Internet Gateways must be removed to avoid reaching the internet gateway limit | +| **AWS Link** | https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html | +| **Recommended Action** | Remove the unused/detached Internet Gateways and Egress-Only Internet Gateways | + +## Detailed Remediation Steps +To detach an internet gateway
+1. Log into the AWS Management Console.
+2. Select the "Services" option and search for VPC.
+3. In the navigation pane, choose Elastic IPs and select the Elastic IP address.
+4. Choose Actions, Disassociate address. Choose Disassociate address.
+5. In the navigation pane, choose Internet gateways.
+6. Select the internet gateway and choose Actions, Detach from VPC.
+7. In the Detach from VPC dialog box, choose Detach internet gateway.
+ +To delete an internet gateway
+1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+2. In the navigation pane, choose Internet gateways.
+3. Select the internet gateway and choose Actions, Delete internet gateway.
+4. In the Delete internet gateway dialog box, enter delete, and choose Delete internet gateway.
\ No newline at end of file diff --git a/en/aws/ec2/vpc-endpoint-cross-account-access.md b/en/aws/ec2/vpc-endpoint-cross-account-access.md new file mode 100644 index 000000000..cd84509a3 --- /dev/null +++ b/en/aws/ec2/vpc-endpoint-cross-account-access.md @@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / VPC Endpoint Cross Account Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VPC Endpoint Cross Account Access | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that Amazon VPC endpoints do not allow unknown cross account access. | +| **More Info** | VPC endpoints should not allow unknown cross account access to avoid any unsigned requests made to the services inside VPC. | +| **AWS Link** | https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html | +| **Recommended Action** | Update VPC endpoint access policy in order to remove untrusted cross account access | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for VPC.
+3. To update a VPC endpoint policy, in the navigation pane, choose Endpoints.
+4. Select the VPC endpoint.
+5. Choose Actions, Manage policy.
+6. Update the policy to not allow unknown cross account access.
+7. Choose Save.
\ No newline at end of file diff --git a/en/aws/ec2/vpc-endpoint-exposed.md b/en/aws/ec2/vpc-endpoint-exposed.md new file mode 100644 index 000000000..f38609b33 --- /dev/null +++ b/en/aws/ec2/vpc-endpoint-exposed.md @@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / VPC Endpoint Exposed + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VPC Endpoint Exposed | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensure Amazon VPC endpoints are not publicly exposed | +| **More Info** | VPC endpoints should not be publicly accessible in order to avoid any unsigned requests made to the services inside VPC | +| **AWS Link** | https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html | +| **Recommended Action** | Update VPC endpoint access policy in order to stop any unsigned requests | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for VPC.
+3. To update a VPC endpoint policy, in the navigation pane, choose Endpoints.
+4. Select the VPC endpoint.
+5. Choose Actions, Manage policy.
+6. Update the policy to prevent any unsigned requests.
+7. Choose Save.
\ No newline at end of file diff --git a/en/aws/ec2/vpc-subnet-instances-present.md b/en/aws/ec2/vpc-subnet-instances-present.md new file mode 100644 index 000000000..1d7b99d3e --- /dev/null +++ b/en/aws/ec2/vpc-subnet-instances-present.md @@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / VPC Subnet Instances Present + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VPC Subnet Instances Present | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that there are instances attached to every subnet | +| **More Info** | All subnets should have instances associated and unused subnets should be removed to avoid reaching the limit | +| **AWS Link** | https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html | +| **Recommended Action** | UUpdate VPC subnets and attach instances to it or remove the unused VPC subnets | + +## Detailed Remediation Steps +To update a VPC endpoint policy
+1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+2. In the navigation pane, choose Endpoints.
+3. Select the VPC endpoint.
+4. Choose Actions, Manage policy.
+5. Choose Full Access to allow full access to the service, or choose Custom and attach a custom policy.
+6. Choose Save.
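Review bot: The Detailed Remediation Steps in vpc-subnet-instances-present.md are the VPC endpoint policy procedure ("To update a VPC endpoint policy", "choose Endpoints", "Manage policy") and do not remediate what the plugin checks; the Recommended Action row says to attach instances to unused subnets or delete them, and the AWS Link row also points at vpc-endpoints-access.html rather than a subnet page. Replace the steps with the subnet procedure (VPC console, Subnets, identify subnets with no instances or network interfaces, then either launch the intended workloads into them or delete them) and fix "UUpdate" and "attach instances to it" (should be "them") in the Recommended Action row.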
\ No newline at end of file diff --git a/en/aws/ec2/vpn-tunnel-state.md b/en/aws/ec2/vpn-tunnel-state.md new file mode 100644 index 000000000..cdb39e139 --- /dev/null +++ b/en/aws/ec2/vpn-tunnel-state.md @@ -0,0 +1,60 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / VPN Tunnel State + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VPN Tunnel State | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensures that each AWS Virtual Private Network (VPN) connection has all tunnels up. | +| **More Info** | AWS Virtual Private Network (VPN) should have tunnels up to ensure network traffic flow over Virtual Private Network. | +| **AWS Link** | https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html | +| **Recommended Action** | Establish a successful VPN connection using IKE or IPsec configuration | + +## Detailed Remediation Steps +You can modify the tunnel options for the VPN tunnels in your Site-to-Site VPN connection. You can modify one VPN tunnel at a time. +Important +When you modify a VPN tunnel, connectivity over the tunnel is interrupted for up to several minutes. Ensure that you plan for the expected downtime. + +To modify the VPN tunnel options using the console
+ +1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+2. In the navigation pane, choose Site-to-Site VPN Connections.
+3. Select the Site-to-Site VPN connection, and choose Actions, Modify VPN Tunnel Options.
+4. For VPN Tunnel Outside IP Address, choose the tunnel endpoint IP of the VPN tunnel that you're modifying options for.
+5. Choose or enter new values for the tunnel options. For more information, see https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html.
+6. Choose Save.
+ +If you don't have any tunnel configured and need to create a Site-to-Site VPN connection
+1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+2. In the navigation pane, choose Site-to-Site VPN Connections, Create VPN connection.
+3. (Optional) For Name tag, enter a name for your Site-to-Site VPN connection. Doing so creates a tag with a key of Name and the value that you specify.
+4. For Target gateway type, choose either Virtual private gateway or Transit gateway. Then, choose the virtual private gateway or transit gateway that you created earlier.
+5. For Customer gateway, select Existing, then choose the customer gateway that you created earlier from the drop-down list under Customer gateway ID.
+6. Select one of the routing options based on whether your customer gateway device supports Border Gateway Protocol (BGP):
+a. If your customer gateway device supports BGP, choose Dynamic (requires BGP).
+b. If your customer gateway device does not support BGP, choose Static. For Static IP Prefixes, specify each IP prefix for the private network of your Site-to-Site VPN connection.
+7. (Optional) If your target gateway type is transit gateway, for Tunnel Inside IP Version, specify whether the VPN tunnels support IPv4 or IPv6 traffic. IPv6 traffic is only supported for VPN connections on a transit gateway.
+8. (Optional) If you specified IPv4 for Tunnel Inside IP Version, you can optionally specify the IPv4 CIDR ranges for the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The default is 0.0.0.0/0.
+9. For Outside IP address type, leave the default option of PublicIpv4 selected.
+10. (Optional) For Tunnel Options, you can specify the following information for each tunnel:
+a. A size /30 IPv4 CIDR block from the 169.254.0.0/16 range for the inside tunnel IPv4 addresses.
+b. If you specified IPv6 for Tunnel Inside IP Version, a /126 IPv6 CIDR block from the fd00::/8 range for the inside tunnel IPv6 addresses.
+c. The IKE pre-shared key (PSK). The following versions are supported: IKEv1 or IKEv2.
+d. Advanced tunnel information, which includes the following:
+Encryption algorithms for phases 1 and 2 of the IKE negotiations
+Integrity algorithms for phases 1 and 2 of the IKE negotiations
+Diffie-Hellman groups for phases 1 and 2 of the IKE negotiations
+IKE version
+Phase 1 and 2 lifetimes
+Rekey margin time
+Rekey fuzz
+Replay window size
+Dead peer detection interval
+Dead peer detection timeout action
+Startup action
+VPN tunnel logging options
+11. Choose Create VPN connection. It might take a few minutes to create the Site-to-Site VPN connection.
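Review bot: The sub-items under step 6 ("a.", "b."), under step 10 ("a." to "d.") and the twelve advanced tunnel options listed after 10.d in vpn-tunnel-state.md carry no markdown list markers, so they will render as run-on paragraphs; indent them as nested list items. The bare "Important" line before the downtime warning should be a bold label or a blockquote. On substance, the plugin reports tunnels that are down, but neither procedure says how to find which tunnel that is; add a step to open the connection's Tunnel details and read each tunnel's Status before step 4 of the modify procedure, and, since modifying options interrupts the tunnel, advise starting with the tunnel that is already down so the healthy one keeps carrying traffic.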
\ No newline at end of file diff --git a/en/aws/ec2/web-tier-ec2-instance-iam-role.md b/en/aws/ec2/web-tier-ec2-instance-iam-role.md new file mode 100644 index 000000000..5fdf142df --- /dev/null +++ b/en/aws/ec2/web-tier-ec2-instance-iam-role.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Web-Tier EC2 Instance IAM Role +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Web-Tier EC2 Instance IAM Role | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Ensure IAM roles attached with Web-Tier EC2 instances have IAM policies attached | +| **More Info** | EC2 instances should have IAM roles configured with necessary permission to access other AWS services | +| **AWS Link** | https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/ | +| **Recommended Action** | Modify EC2 instances to attach IAM roles with required IAM policies | + +## Detailed Remediation Steps +1. Create an IAM role.
+2. Attach the IAM role to an existing EC2 instance that was originally launched without an IAM role.
+3. Replace the attached IAM role.
+Note: You may attach an existing IAM role to an existing EC2 instance that was originally launched without an IAM role, in this case you don't need to create a new IAM Role.
+Note: Before you can create an IAM role from the AWS CLI, you must create a trust policy. A trust policy permits AWS services such as EC2 to assume an IAM role on behalf of your application.
+for detailed steps refer to this link: https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/
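Review bot: Steps 1 to 3 in web-tier-ec2-instance-iam-role.md are the section headings of the linked blog post rather than actions, and step 3 ("Replace the attached IAM role") contradicts step 2 unless the instance already has a role. Restate them as: create the role with the trust policy described in the second Note, then either attach it to the instance (EC2 console, select the instance, Actions, Security, Modify IAM role) or replace the existing role, and say that the policies attached to that role should be limited to what the web tier needs, since the Description row checks that the attached role actually carries policies. Also capitalise "for detailed steps", and add the missing blank line between the H1 and "## Quick Info" that every other page in this PR has.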
\ No newline at end of file diff --git a/en/aws/efs/efs-cmk-encrypted.md b/en/aws/efs/efs-cmk-encrypted.md new file mode 100644 index 000000000..ef43b04ba --- /dev/null +++ b/en/aws/efs/efs-cmk-encrypted.md @@ -0,0 +1,39 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EFS / EFS CMK Encrypted + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | EFS CMK Encrypted | +| **Cloud** | AWS | +| **Category** | EFS | +| **Description** | Ensure EFS file systems are encrypted using Customer Master Keys (CMKs). | +| **More Info** | EFS file systems should use KMS Customer Master Keys (CMKs) instead of AWS managed keys for encryption in order to have full control over data encryption and decryption. | +| **AWS Link** | https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html | +| **Recommended Action** | Encryption of data at rest can only be enabled during file system creation. Encryption of data in transit is configured when mounting your file system. 1. Backup your data in not encrypted efs 2. Recreate the EFS and select 'Enable encryption of data at rest' | + +## Detailed Remediation Steps +Backup your data in not encrypted efs:
+1. Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/.
+2. From Navigation pane: Click on AWS Backup.
+3. Click on Ceate On-demand backup.
+4. Select Resource type :EFS, and select the File System ID you need to create back up for.
+5. Fill other required info as needed then click Create backup.
+6. For more info on backup options follow this link: https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html#restoring-backup-efs
+ +Create a new EFS and select: +1. Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/.
+2. Choose Create file system to open the Create file system dialog box.
+3. (Optional) Enter a Name for your file system.
+4. For Virtual Private Cloud (VPC), choose your VPC, or keep it set to your default VPC.
+5. Choose availability and durability.
+6. Click on Customize.
+7. Under Customize encryption settings, select KMS key. If you don't already have KMS key, click on Create an AWS KMS Key.
+8. See this link for more info on creating KMS keys: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
+9. Continue the steps by selecting VPC and Mount targets.
+10. Select the required policy options.
+11. Click Next to review the settings.
+12. Click Create.
. +13. Then follow this link to restore EFS backup to the newly created EFS. https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-efs.html
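Review bot: Step 7 of the create procedure in efs-cmk-encrypted.md says "select KMS key", but the plugin is specifically about customer managed keys, so the step must tell the reader to pick (or create) a customer managed key instead of the AWS managed `aws/elasticfilesystem` key that the console preselects; as written, accepting the default leaves the finding open. Also fix "Ceate" in backup step 3, reword "Backup your data in not encrypted efs" to "Back up the data in the unencrypted EFS file system", complete the truncated heading "Create a new EFS and select:", and drop the stray "." before step 13. After the restore in step 13, add a final step to repoint mount targets and clients at the new file system and delete the old unencrypted one, otherwise the plugin keeps flagging it.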
\ No newline at end of file diff --git a/en/aws/eks/eks-Has-Tags.md b/en/aws/eks/eks-has-tags.md similarity index 100% rename from en/aws/eks/eks-Has-Tags.md rename to en/aws/eks/eks-has-tags.md diff --git a/en/aws/eks/eks-kubernetes-version.md b/en/aws/eks/eks-kubernetes-version.md index 597438e6a..fb387dd41 100644 --- a/en/aws/eks/eks-kubernetes-version.md +++ b/en/aws/eks/eks-kubernetes-version.md @@ -16,6 +16,12 @@ ## Detailed Remediation Steps - +1. Log into the AWS Management Console.
+2. Search for EKS.
+3. In the navigation pane click on clusters.
+4. Click on the cluster you need to check if it has latest EKS Kubernetes version.
+5. If there is a new Kubernetes versions available for this cluster, it will show on top with UPDATE NOW button.
+6. Click on UPDATE NOW, a pop-up screen will show from which you can choose the Kubernetes version. the default version will be automatically selected.
+7. Click Update. diff --git a/en/aws/eks/eks-latest-platform-version.md b/en/aws/eks/eks-latest-platform-version.md new file mode 100644 index 000000000..b3b9256c8 --- /dev/null +++ b/en/aws/eks/eks-latest-platform-version.md @@ -0,0 +1,20 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EKS / EKS Latest Platform Version + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | EKS Latest Platform Version | +| **Cloud** | AWS | +| **Category** | EKS | +| **Description** | Ensure that EKS clusters are using latest platform version | +| **More Info** | Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control plane, such as which Kubernetes API server flags are enabled, as well as the current Kubernetes patch version. Clusters should be kept up to date of latest platforms to ensure Kubernetes security patches are applied. | +| **AWS Link** | https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html | +| **Recommended Action** | Check for the version on all EKS clusters to be the latest platform version. | + +## Detailed Remediation Steps +1. Amazon EKS automatically upgrades all existing clusters to the latest Amazon EKS platform version.
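Review bot: In eks-kubernetes-version.md, step 6 says the default version "will be automatically selected" but omits that the control plane is upgraded one minor version at a time and that managed node groups and add-ons then have to be updated to match; without that caveat a cluster several versions behind is left with skewed nodes after step 7. Also capitalise "the default version" after the full stop in step 6 and "clusters" in step 3, and since the hunk removes the blank line that used to follow the heading, make sure the new list does not start with an empty line.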
+2. If your cluster is more than two platform versions behind the current platform version, then it's possible that Amazon EKS wasn't able to automatically update your cluster.
+3. Check this link to troubleshoot the issue: https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html#troubleshooting-platform-version
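Review bot: Steps 1 and 2 in eks-latest-platform-version.md describe how EKS behaves rather than something the reader does, and step 3 only links to troubleshooting. Add a step that shows how to read the current value (the cluster's Overview in the EKS console, or `aws eks describe-cluster --name <cluster> --query cluster.platformVersion`, with `<cluster>` as a placeholder) and compare it with the table on the platform-versions page in the AWS Link row, then state what to do when the cluster is behind: platform versions are tied to a Kubernetes minor version, so updating the Kubernetes version (the eks-kubernetes-version.md procedure in this PR) moves the cluster to the newest platform version of that release.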
\ No newline at end of file diff --git a/en/aws/eks/eks-logging-enabled.md b/en/aws/eks/eks-logging-enabled.md index dc9999146..b6426111b 100644 --- a/en/aws/eks/eks-logging-enabled.md +++ b/en/aws/eks/eks-logging-enabled.md @@ -15,7 +15,14 @@ | **Recommended Action** | Enable all EKS cluster logs to be sent to CloudWatch with proper log retention limits. | ## Detailed Remediation Steps - +1. Log into the AWS Management Console.
+2. Navigate to the EKS page.
+3. In the navigation pane click on clusters.
+4. Click the cluster name you need to enable logging for.
+5. Click on logging tab.
+6. Click on Manage logging.
+7. Enable logs for the all cluster logs: API serverLogs, AuditLogs, AuthenticatorLogs, Controller managerLogs , SchedulerLogs.
+8. Click save.
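Review bot: Step 7 in eks-logging-enabled.md has console tooltip text fused into the log type names ("API serverLogs", "Controller managerLogs ,"); write them as the five log types: API server, Audit, Authenticator, Controller manager, Scheduler. The Recommended Action row also asks for "proper log retention limits", but no step sets any; add a final step to open the `/aws/eks/<cluster-name>/cluster` log group in CloudWatch Logs and set a retention period, because it is created with retention set to Never expire.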
diff --git a/en/aws/eks/eks-private-endpoint.md b/en/aws/eks/eks-private-endpoint.md index b8723b418..0b6fe9141 100644 --- a/en/aws/eks/eks-private-endpoint.md +++ b/en/aws/eks/eks-private-endpoint.md @@ -15,7 +15,11 @@ | **Recommended Action** | Enable the private endpoint setting for all EKS clusters. | ## Detailed Remediation Steps - +1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
+2. Choose the name of the cluster to display your cluster information.
+3. Choose the Networking tab and Click Manage Networking.
+4. Under Cluster endpoint access select Private.
+5. Click Save.
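Review bot: Step 4 in eks-private-endpoint.md ("select Private") disables the public API endpoint as a side effect, which cuts off kubectl access from anywhere outside the VPC, and the steps do not warn about that. Either state the consequence and how access is kept (bastion host, VPN, or a connected network), or, if the plugin only requires the private endpoint to be enabled, say that "Public and private" with the public access source CIDRs restricted also satisfies it; as written, a reader following the steps on a production cluster may lock themselves out.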
diff --git a/en/aws/eks/eks-secrets-encrypted.md b/en/aws/eks/eks-secrets-encrypted.md new file mode 100644 index 000000000..8f32a0ab6 --- /dev/null +++ b/en/aws/eks/eks-secrets-encrypted.md @@ -0,0 +1,23 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EKS / EKS Secrets Encrypted + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | EKS Secrets Encrypted | +| **Cloud** | AWS | +| **Category** | EKS | +| **Description** | Ensures EKS clusters are configured to enable envelope encryption of Kubernetes secrets using KMS | +| **More Info** | Amazon EKS clusters should be configured to enable envelope encryption for Kubernetes secrets to adhere to security best practice for applications that store sensitive data. | +| **AWS Link** | https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/ | +| **Recommended Action** | Modify EKS clusters to enable envelope encryption for Kubernetes secrets | + +## Detailed Remediation Steps +1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters
+2. Choose the name of the cluster to display your cluster information.
+3. Choose the Preview tab and under section Secrets encryption Click Enable.
+4. Select KMS Key and click enable.
+5. It will as you to confirm because once encryption enabled it can't be removed or undone.
+6. Click Confirm.
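Review bot: Step 3 in eks-secrets-encrypted.md says "Preview tab"; the EKS console tab that contains Secrets encryption is Overview, so this looks like a typo. Step 4 ("Select KMS Key and click enable") should say that the key must be a symmetric KMS key in the same region as the cluster, and step 5 has "as" for "ask". The irreversibility warning in step 5 is the most important sentence on the page; move it ahead of step 3 so the reader sees it before clicking Enable rather than at the confirmation dialog.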
\ No newline at end of file diff --git a/en/aws/eks/eks-security-groups.md b/en/aws/eks/eks-security-groups.md index 38ee053e4..3330e61aa 100644 --- a/en/aws/eks/eks-security-groups.md +++ b/en/aws/eks/eks-security-groups.md @@ -15,7 +15,16 @@ | **Recommended Action** | Configure security groups for the EKS control plane to allow access only on port 443. | ## Detailed Remediation Steps - +Security groups can be assigned to EKS control plane only during creation. To add additional security groups you have to re-create your cluster.
+To add security group to EKS at creation time, follow these steps:
+1. Log into the AWS Management Console.
+2. Search for EKS.
+3. In the navigation pane click on clusters.
+4. Click Add Cluster, Ceate.
+5. At Step 2: Specify networking, select security group Id, under the Security groupsInfo.
+6. If you don't have a security group, create one using VPC console, https://us-west-2.console.aws.amazon.com/vpc/home?#securityGroups
+7. For this securoty group allow inbound traffic on port 443 only.
+8. Continue the steps to create the cluster.
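Review bot: Step 7 in eks-security-groups.md ("allow inbound traffic on port 443 only") says nothing about the source, so a rule for 443 from 0.0.0.0/0 satisfies the step while leaving the control plane reachable from anywhere; state that the inbound rule should be limited to the node security group and the CIDRs of operators who run kubectl. Step 6 hard-codes a us-west-2 console URL; use the region-agnostic https://console.aws.amazon.com/vpc/ that the other pages in this PR use. Typos: "Ceate" in step 4, "Security groupsInfo" (tooltip text) in step 5, "securoty" in step 7.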
diff --git a/en/aws/elasticache/elastiCache-cluster-has-tags.md b/en/aws/elasticache/elasticache-cluster-has-tags.md similarity index 100% rename from en/aws/elasticache/elastiCache-cluster-has-tags.md rename to en/aws/elasticache/elasticache-cluster-has-tags.md diff --git a/en/aws/eventbridge/event-bus-cross-account-access.md b/en/aws/eventbridge/event-bus-cross-account-access.md new file mode 100644 index 000000000..465f0654b --- /dev/null +++ b/en/aws/eventbridge/event-bus-cross-account-access.md @@ -0,0 +1,17 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EventBridge / Event Bus Cross Account Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Event Bus Cross Account Access | +| **Cloud** | AWS | +| **Category** | EventBridge | +| **Description** | Ensure that EventBridge event bus is configured to allow access to whitelisted AWS account principals. | +| **More Info** | EventBridge event bus policy should be configured to allow access only to whitelisted/trusted cross-account principals. | +| **AWS Link** | https://docs.amazonaws.cn/en_us/eventbridge/latest/userguide/eb-event-bus-perms.html | +| **Recommended Action** | Configure EventBridge event bus policies that allow access to whitelisted/trusted cross-account principals. | + +## Detailed Remediation Steps \ No newline at end of file diff --git a/en/aws/eventbridge/eventbridge-event-rules-in-use.md b/en/aws/eventbridge/eventbridge-event-rules-in-use.md new file mode 100644 index 000000000..25278f9d3 --- /dev/null +++ b/en/aws/eventbridge/eventbridge-event-rules-in-use.md 
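Review bot: The "Detailed Remediation Steps" section of event-bus-cross-account-access.md is empty, so the page ends on a heading with nothing under it. Add the procedure (EventBridge console, Event buses, select the bus, Permissions, Manage permissions) and say what to change in the resource policy: replace `"Principal": "*"` or unrecognised account IDs with the specific trusted account principals, ideally with a Condition on aws:PrincipalOrgID, which is what the Recommended Action row describes; or leave the file out of the PR until the section is written. The AWS Link row also uses the docs.amazonaws.cn mirror; use docs.aws.amazon.com like the other pages.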
@@ -0,0 +1,17 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EventBridge / EventBridge Event Rules In Use + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | EventBridge Event Rules In Use | +| **Cloud** | AWS | +| **Category** | EventBridge | +| **Description** | Ensure that Amazon EventBridge Events service is in use in order to enable you to react selectively and efficiently to system events. | +| **More Info** | Amazon EventBridge Events delivers a near real-time stream of system events that describe changes in Amazon Web Services (AWS) resources. Using simple rules that you can quickly set up, you can match events and route them to one or more target functions or streams. | +| **AWS Link** | https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html | +| **Recommended Action** | Create EventBridge event rules to meet regulatory and compliance requirement within your organization. | + +## Detailed Remediation Steps \ No newline at end of file diff --git a/en/aws/glacier/s3-glacier-vault-public-access.md b/en/aws/glacier/s3-glacier-vault-public-access.md new file mode 100644 index 000000000..30a1720ee --- /dev/null +++ b/en/aws/glacier/s3-glacier-vault-public-access.md 
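Review bot: The "Detailed Remediation Steps" section of eventbridge-event-rules-in-use.md is also empty. Since the Recommended Action row is to create rules, add the create-rule procedure (EventBridge console, Rules, Create rule, choose the event bus, define an event pattern or schedule, add a target) and indicate which events are expected to be watched, or drop the file until it is written. "Amazon EventBridge Events service" in the Description and More Info rows mixes the old CloudWatch Events name with the new one; "Amazon EventBridge" alone is clearer.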
@@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / Glacier / S3 Glacier Vault Public Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | S3 Glacier Vault Public Access | +| **Cloud** | AWS | +| **Category** | Glacier | +| **Description** | Ensure that S3 Glacier Vault public access block is enabled for the account | +| **More Info** | Blocking S3 Glacier Vault public access at the account level ensures objects are not accidentally exposed | +| **AWS Link** | http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html | +| **Recommended Action** | Add access policy for the S3 Glacier Vault to block public access for the AWS account | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for S3 Glacier.
+3. On the navigation pane to the left, click on vaults.
+4. Click the vault name that you need you need to edit its policy to block public access.
+5. Select Vault Policies tab.
+6. Click on Edit vault access policy.
+7. Edit the policy by removing public access (e.g. "Resource": "*" or "Principal": "*", and "Effect": "Allow") and make sure the policy grant access only to fixed values (values that don't contain a wildcard or an AWS Identity and Access Management Policy Variable).
+8. See this resource to understand when a policy considered public: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html#access-control-block-public-access-policy-status
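Review bot: The Description row of s3-glacier-vault-public-access.md ("public access block is enabled for the account") describes the S3 Block Public Access feature, but the steps edit a per-vault access policy and the AWS Link row points at a CloudFront page; align the three by describing the check as vault access policies that do not grant public access and linking the Glacier vault access policy documentation. In step 7, removing `"Resource": "*"` is not what makes a policy non-public; it is the `"Principal": "*"` (or anonymous principal) without a restrictive Condition, as the page linked in step 8 defines it, so reword step 7 around the Principal and conditions. Also fix "you need you need" in step 4 and "when a policy considered public" in step 8.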
\ No newline at end of file diff --git a/en/aws/iam/iamRolesHasTags.md b/en/aws/iam/iamroleshastags.md similarity index 100% rename from en/aws/iam/iamRolesHasTags.md rename to en/aws/iam/iamroleshastags.md diff --git a/en/aws/iam/password-expiration.md b/en/aws/iam/password-expiration.md index d57972f6d..38e0ef90e 100644 --- a/en/aws/iam/password-expiration.md +++ b/en/aws/iam/password-expiration.md @@ -9,16 +9,16 @@ | **Plugin Title** | Password Expiration | | **Cloud** | AWS | | **Category** | IAM | -| **Description** | Ensures password policy enforces a password expiration | +| **Description** | Ensures password policy enforces a strong password expiration configuration | | **More Info** | A strong password policy enforces minimum length, expirations, reuse, and symbol usage | | **AWS Link** | http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html | -| **Recommended Action** | Enable password expiration for the account | +| **Recommended Action** | Enable a strong password expiration policy for the account | ## Detailed Remediation Steps 1. Log into the AWS Management Console. 2. Select the "Services" option and search for IAM.
3. Scroll down the left navigation panel and choose "Account Settings".
4. Under the "Password Policy" configuration panel scroll down and check the "Enable password expiration". If the "Enable password expiration" checkbox is not ticked then the password won't expire in any number of days.
-5. Click on the "Enable password expiration" checkbox and mention the days under "Password expiration period (in days)" so that the password will be expired after the defined days. For better security reasons define the number of days to at least more than 120.
+5. Click on the "Enable password expiration" checkbox and mention the days under "Password expiration period (in days)" so that the password will be expired after the defined days. For enhanced security, specify the number of days to be less than or equal to 90.
6. Click on the "Apply Password Policy" button to make the necessary changes.
7. Now "Password Policy" will enforce a password expiration for all the IAM users.
diff --git a/en/aws/kinesis/kinesis-data-streams-encrypted.md b/en/aws/kinesis/kinesis-data-streams-encrypted.md new file mode 100644 index 000000000..9acd4c50c --- /dev/null +++ b/en/aws/kinesis/kinesis-data-streams-encrypted.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / Kinesis / Kinesis Data Streams Encrypted + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Kinesis Data Streams Encrypted | +| **Cloud** | AWS | +| **Category** | Kinesis | +| **Description** | Ensures Kinesis data streams are encrypted using AWS KMS key of desired encryption level | +| **More Info** | Data sent to Kinesis data streams can be encrypted using KMS server-side encryption. Existing streams can be modified to add encryption with minimal overhead. Use customer-managed keys instead in order to gain more granular control over encryption/decryption process. | +| **AWS Link** | https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html | +| **Recommended Action** | Enable encryption using desired level for all Kinesis streams | + +## Detailed Remediation Steps +1. Log into the AWS Management Console. +2. Select the "Services" option and search for "Kinesis".
+3. Under the "Amazon Kinesis dashboard" select a Kinesis stream.
+4. Select the "Configuration" tab and scroll down to "Encryption".
+5. In Server-side encryption, choose edit.
+6. Check "Enable server-side encryption".
+7. Select Use customer-managed CMK, then choose Save.
+8. Choose the "Customer-managed CMK in KMS" from the dropdown list.
+9. Click on the "Save" button to make the necessary changes. On the successful configuration changes, one will get "Successfully updated" message.
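Review bot: Steps 7 and 9 in kinesis-data-streams-encrypted.md both click Save, and step 7 saves before the key is chosen in step 8; reorder so the reader selects "Use customer-managed CMK", picks the key from the dropdown, then saves once. The key chosen in step 8 must be a symmetric key in the stream's region whose key policy grants producers kms:GenerateDataKey and consumers kms:Decrypt; that is worth stating, because enabling encryption without it makes PutRecord calls fail with KMS access denied errors. The Description row's "desired encryption level" should also name the levels the plugin distinguishes (AWS managed `aws/kinesis` key versus customer managed key).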
\ No newline at end of file diff --git a/en/aws/kms/app-tier-kms-customer-master-key-(cmk).md b/en/aws/kms/app-tier-kms-customer-master-key-(cmk).md new file mode 100644 index 000000000..03394cf32 --- /dev/null +++ b/en/aws/kms/app-tier-kms-customer-master-key-(cmk).md @@ -0,0 +1,30 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / KMS / App-Tier KMS Customer Master Key (CMK) + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | App-Tier KMS Customer Master Key (CMK) | +| **Cloud** | AWS | +| **Category** | KMS | +| **Description** | Ensures that there is one Amazon KMS Customer Master Key (CMK) present in the account for App-Tier resources. | +| **More Info** | Amazon KMS should have Customer Master Key (CMK) for App-Tier to protect data in transit. | +| **AWS Link** | https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html | +| **Recommended Action** | Create a Customer Master Key (CMK) with App-Tier tag | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for KMS.
+3. To change the AWS Region, use the Region selector in the upper-right corner of the page.
+4. In the navigation pane, choose Customer managed keys.
+5. Choose Create key.
+4. Select the key type. If you are creating a KMS key to encrypt data you store or manage in an AWS service, create a symmetric encryption KMS key, this list of AWS services that are integrated with AWS KMS use only symmetric encryption KMS keys https://aws.amazon.com/kms/features/#AWS_Service_Integration.
+5. For help deciding which type of KMS key to create see https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
+6. On the "Add alias and description" page provide the "Alias" and "Description" for the new "KMS key" and click on the "Next" button.
+7. On the "Add tags" page provide a unique key for "Tag key","Tag value" and click on the "Next" button.
+8. On the "Define key administrative permissions" page select the "IAM users" and roles who can administer the new "KMS key" through the KMS API.
+9. Click on the "Next" button at the bottom to continue the new "KMS key" process.
+10. On the "Define key usage permissions" page select the IAM users and roles that can use the CMK to encrypt and decrypt data with the "AWS KMS API" and click on the "Next" button.
+11. On the "Review and edit key policy" page review the policy and click on the "Finish" button to create a new "KMS key" which can be used to encrypt/decrypt the data.
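Review bot: The step numbering in app-tier-kms-customer-master-key-(cmk).md restarts at 4 after step 5, so steps 4 to 11 should be 6 to 13. Step 7 ("provide a unique key for "Tag key","Tag value"") is the step the plugin actually depends on, yet it does not say which tag; name the App-Tier tag key and value the check looks for, otherwise a key created with an arbitrary tag will still be flagged. The More Info row says the CMK is "to protect data in transit", but a KMS key created this way protects data at rest (and data keys in envelope encryption), so reword. Finally, the parentheses in the file name have to be URL-encoded in links; app-tier-kms-customer-master-key-cmk.md would be safer.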
\ No newline at end of file diff --git a/en/aws/kms/kms-duplicate-grants.md b/en/aws/kms/kms-duplicate-grants.md new file mode 100644 index 000000000..8a5969b77 --- /dev/null +++ b/en/aws/kms/kms-duplicate-grants.md @@ -0,0 +1,23 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / KMS / KMS Duplicate Grants + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | KMS Duplicate Grants | +| **Cloud** | AWS | +| **Category** | KMS | +| **Description** | Ensure that AWS KMS keys does not have duplicate grants to adhere to AWS security best practices. | +| **More Info** | Duplicate grants have the same key ARN, API actions, grantee principal, encryption context, and name. If you retire or revoke the original grant but leave the duplicates, the leftover duplicate grants constitute unintended escalations of privilege. | +| **AWS Link** | http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html | +| **Recommended Action** | Delete duplicate grants for AWS KMS keys | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for KMS.
+3. To delete a grant, retire or revoke it.
+4. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key.
+5. Follow this guide https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html to retire grant either by sending a request or using language-specific AWS SDKs.
+6. To revoke a grant follow this document https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html
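Review bot: Steps 3 to 6 in kms-duplicate-grants.md never show how to find the duplicates, which is the hard part, and step 2's KMS console does not list grants. After step 2 add `aws kms list-grants --key-id <key-id>` (with `<key-id>` as a placeholder) and explain that grants sharing the same GranteePrincipal, Operations, Constraints and Name are the duplicates the More Info row describes; then keep one and revoke the rest with `aws kms revoke-grant --key-id <key-id> --grant-id <grant-id>`, which is the API step 6 links. Step 4 should also note that the grant token is only returned to the creator when the grant is created, so the grant ID route is the one that applies when cleaning up later.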
\ No newline at end of file diff --git a/en/aws/kms/kms-grant-least-privilege.md b/en/aws/kms/kms-grant-least-privilege.md new file mode 100644 index 000000000..6c0011c25 --- /dev/null +++ b/en/aws/kms/kms-grant-least-privilege.md @@ -0,0 +1,15 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / KMS / KMS Grant Least Privilege + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | KMS Grant Least Privilege | +| **Cloud** | AWS | +| **Category** | KMS | +| **Description** | Ensure that AWS KMS key grants use the principle of least privileged access | +| **More Info** | AWS KMS key grants should be created with minimum set of permissions required by grantee principal to adhere to AWS security best practices | +| **AWS Link** | https://docs.aws.amazon.com/kms/latest/developerguide/grants.html | +| **Recommended Action** | Create KMS grants with minimum permission required | \ No newline at end of file diff --git a/en/aws/lambda/lambda-environment-variables-client-side-encryption.md b/en/aws/lambda/lambda-environment-variables-client-side-encryption.md new file mode 100644 index 000000000..a12bea330 --- /dev/null +++ b/en/aws/lambda/lambda-environment-variables-client-side-encryption.md 
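Review bot: kms-grant-least-privilege.md has no "Detailed Remediation Steps" section at all, unlike every other page in this PR, and the table ends without a trailing newline. Add the section with how to audit grants (`aws kms list-grants --key-id <key-id>`, with `<key-id>` as a placeholder, reviewing the Operations list of each grant), how to recreate an over-broad grant with only the operations the grantee needs and, where possible, an EncryptionContext constraint, and how to retire or revoke the old grant, reusing the wording already written in kms-duplicate-grants.md for that last step.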
@@ -0,0 +1,36 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / Lambda / Lambda Environment Variables Client Side Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Lambda Environment Variables Client Side Encryption | +| **Cloud** | AWS | +| **Category** | Lambda | +| **Description** | Ensure that all sensitive AWS Lambda environment variable values are client side encrypted. | +| **More Info** | AWS Lambda lets you encrypt environment variable values prior to sending them to Lambda. Environment variables are often used to store sensitive information such as passwords. Such variable valuesshould be encrypted for security best practices. | +| **AWS Link** | https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html | +| **Recommended Action** | Encrypt environment variables that store sensitive information. | + +## Detailed Remediation Steps + +1. Use the AWS Key Management Service (AWS KMS) to create any customer managed keys for Lambda to use for server-side and client-side encryption. For more information, see https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html.
+2. Using the Lambda console, navigate to the Edit environment variables page.
+a. Open the Functions page of the Lambda console.
+b. Choose a function.
+c. Choose Configuration, then choose Environment variables from the left navigation bar.
+d. In the Environment variables section, choose Edit.
+e. Expand Encryption configuration.
+3. Optionally, enable console encryption helpers to use client-side encryption to protect your data in transit.
+a. Under Encryption in transit, choose Enable helpers for encryption in transit.
+b. For each environment variable that you want to enable console encryption helpers for, choose Encrypt next to the environment variable.
+c. Under AWS KMS key to encrypt in transit, choose a customer managed key that you created at the beginning of this procedure.
+d. Choose Execution role policy and copy the policy. This policy grants permission to your function's execution role to decrypt the environment variables. Save this policy to use in the last step of this procedure.
+e. Add code to your function that decrypts the environment variables. Choose Decrypt secrets snippet to see an example.
+4. Optionally, specify your customer managed key for encryption at rest.
+a. Choose Use a customer master key.
+b. Choose a customer managed key that you created at the beginning of this procedure.
+5. Choose Save.
+6. Set up permissions. If you're using a customer managed key with server-side encryption, grant permissions to any AWS Identity and Access Management (IAM) users or roles that you want to be able to view or manange environment variables on the function. For more information, see https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#managing-permissions-to-your-server-side-encryption-key. If you're enabling client-side encryption for security in transit, your function needs permission to call the kms:Decrypt API operation. Add the policy that you saved previously in this procedure to the function's execution role https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html.
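Review bot: Step 3 is labelled "Optionally", but enabling the encryption-in-transit helpers and choosing Encrypt for each sensitive variable is exactly what this plugin checks, so the word belongs only on step 4 (encryption at rest is a separate setting). Step 6 should also state plainly that the execution-role policy copied in step 3d is required once helpers are on, since per step 6 the function needs kms:Decrypt to read its own variables. Typos: "valuesshould" in More Info, "manange" in step 6.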
\ No newline at end of file diff --git a/en/aws/lambda/lambda-tracing-enabled.md b/en/aws/lambda/lambda-tracing-enabled.md new file mode 100644 index 000000000..6b5b21219 --- /dev/null +++ b/en/aws/lambda/lambda-tracing-enabled.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / Lambda / Lambda Tracing Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Lambda Tracing Enabled | +| **Cloud** | AWS | +| **Category** | Lambda | +| **Description** | Ensures AWS Lambda functions have active tracing for X-Ray. | +| **More Info** | AWS Lambda functions should have active tracing in order to gain visibility into the functions execution and performance. | +| **AWS Link** | https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html | +| **Recommended Action** | Modify Lambda functions to activate tracing. | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for Lambda.
+3. Scroll down the left navigation panel and choose "Functions".
+4. Select the Lambda function that needs to be verify from "Functions name".
+5. On the "Lambda Functions" page scroll down and choose "Configuration".
+6. Scroll down the "Configuration" tab and choose the "Monitoring and operations tools".
+7. Under X-Ray, toggle on Active tracing.
+8. Click on the "Save" button at the top of the dashboard.
+9. Repeat steps 4 - 8 to enable active tracing for other "Lambda functions" in the selected region.
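Review bot: Step 4 reads "needs to be verify from "Functions name""; it should be "needs to be verified, from the "Function name" column". Step 9 refers to "the selected region" but no earlier step selects a region; add a region-selection step before step 3. Style: add a blank line after "## Detailed Remediation Steps" as in lambda-environment-variables-client-side-encryption.md in this same patch.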
\ No newline at end of file diff --git a/en/aws/neptune/neptune-database-instance-encrypted.md b/en/aws/neptune/neptune-database-instance-encrypted.md new file mode 100644 index 000000000..073299f4c --- /dev/null +++ b/en/aws/neptune/neptune-database-instance-encrypted.md @@ -0,0 +1,23 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / Neptune / Neptune Database Instance Encrypted + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Neptune Database Instance Encrypted | +| **Cloud** | AWS | +| **Category** | Neptune | +| **Description** | Ensure that your AWS Neptune database instances are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys | +| **More Info** | Neptune encrypted instances provide an additional layer of data protection by helping to secure your data from unauthorized access to the underlying storage. You can use Neptune encryption to increase data protection of your applications that are deployed in the cloud. You can also use it to fulfill compliance requirements for data-at-rest encryption. | +| **AWS Link** | https://docs.aws.amazon.com/neptune/latest/userguide/encrypt.html | +| **Recommended Action** | Encrypt Neptune database with desired encryption level | + +## Detailed Remediation Steps +1. You cannot convert an unencrypted DB instance to an encrypted one. You can only enable encryption for a DB instance when you create it.
+2. To enable encryption for a new Neptune DB instance, choose Yes in the Enable encryption section on the Neptune console. For information about creating a Neptune DB instance, see https://docs.aws.amazon.com/neptune/latest/userguide/get-started-create-cluster.html
+3. However, you can restore an unencrypted DB cluster snapshot to an encrypted DB cluster. To do this, specify a KMS encryption key when you restore from the unencrypted DB cluster snapshot.
+4. Also, DB instances that are encrypted can't be modified to disable encryption.
+5. You can't have an encrypted Read Replica of an unencrypted DB instance, or an unencrypted Read Replica of an encrypted DB instance.
+6. Encrypted Read Replicas must be encrypted with the same key as the source DB instance.
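Review bot: Description requires KMS customer managed keys (CMKs) instead of AWS managed keys, but step 2 only says to choose Yes under Enable encryption, which is also satisfied by the AWS managed key; step 2 should say to select the customer managed KMS key rather than the default, and Recommended Action ("desired encryption level") should name the CMK requirement as well. Items 1, 4, 5 and 6 are constraints rather than actions; move them into a note above the list so the numbered steps read as a procedure (create the instance encrypted, or restore the snapshot with a KMS key as in step 3). Step 2 lacks a trailing period.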
\ No newline at end of file diff --git a/en/aws/s3/s3-bucket-lifecycle-configuration.md b/en/aws/s3/s3-bucket-lifecycle-configuration.md new file mode 100644 index 000000000..77e518dfc --- /dev/null +++ b/en/aws/s3/s3-bucket-lifecycle-configuration.md @@ -0,0 +1,27 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / S3 / S3 Bucket Lifecycle Configuration + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | S3 Bucket Lifecycle Configuration | +| **Cloud** | AWS | +| **Category** | S3 | +| **Description** | Ensures that S3 buckets have lifecycle configuration enabled to automatically transition S3 bucket objects. | +| **More Info** | S3 bucket should have lifecycle configuration enabled to automatically downgrade the storage class for your objects. | +| **AWS Link** | https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-set-lifecycle-configuration-intro.html | +| **Recommended Action** | Update S3 bucket and create lifecycle rule configuration. | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for S3.
+3. Scroll down the left navigation pane and choose "Buckets".
+4. Select the "Bucket" that needs to add policy to and click on its identifier(name) from the "Bucket name" column.
+5. Click on the "Management" tab on the top menu.
+6. Click on Create Lifecycle rule.
+7. Choose the rule scope (all bucket objects OR limit scope to specific objects using filters/ tags prefix) .
+8. Check Lifecycle rule actions you need to apply.
+9. Click on the "Save" button to make the necessary changes.
+10. Repeat steps number 4 - 9 to enable lifecycle configurations in other S3 buckets.
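Review bot: Step 4 says the bucket "needs to add policy to", wording copied from a bucket-policy doc; this doc creates a lifecycle rule, so align it with s3-versioned-buckets-lifecycle-configuration.md in the same patch ("that needs a lifecycle rule"). Step 7 has stray spacing in "filters/ tags prefix) .". The AWS Link uses the old /latest/dev/ path while the versioned-buckets doc links /latest/userguide/ for the same page; use the userguide URL in both.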
\ No newline at end of file diff --git a/en/aws/s3/s3-bucket-policy-cloudfront-oai.md b/en/aws/s3/s3-bucket-policy-cloudfront-oai.md new file mode 100644 index 000000000..b4bb2dde2 --- /dev/null +++ b/en/aws/s3/s3-bucket-policy-cloudfront-oai.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / S3 / S3 Bucket Policy CloudFront OAI + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | S3 Bucket Policy CloudFront OAI | +| **Cloud** | AWS | +| **Category** | S3 | +| **Description** | Ensures S3 bucket is origin to only one distribution and allows only that distribution | +| **More Info** | Access to CloudFront origins should only happen via ClouFront URL and not from S3 URL or any source in order to restrict access to private data | +| **AWS Link** | https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html | +| **Recommended Action** | Review the access policy for S3 bucket which is an origin to a CloudFront distribution. Make sure the S3 bucket is origin to only one distribution. Modify the S3 bucket access policy to allow CloudFront OAI for only the associated CloudFront distribution and restrict access from any other source. | + +## Detailed Remediation Steps +1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v3/home.
+2. Choose the ID of a distribution that has an S3 origin.
+3. Choose the Origins tab.
+4. Select the Amazon S3 origin, and then choose Edit.
+5. For S3 bucket access, choose Yes use OAI.
+6. If you already have an OAI that you want to use, select the OAI from the drop-down list. If you already have an OAI, we recommend that you reuse it to simplify maintenance.
+7. If you want to create an OAI, choose Create new OAI. You can replace the autogenerated OAI name with a custom name if desired.
+8. If you want CloudFront to automatically update the Amazon S3 bucket policy to allow read access to the OAI, choose Yes, update the bucket policy.
+9. If you want to manually update permissions on your Amazon S3 bucket, choose No, I will update the bucket policy. For more information, see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-granting-permissions-to-oai
+10. If you update the bucket policy manually, make sure that you: Specify the correct OAI as the Principal in the policy. and give the OAI the permissions it needs to access objects on behalf of viewers.
+11. At the bottom of the page, choose Save changes.
+12. If you have more than one Amazon S3 origin, repeat the steps to add an OAI for each one.
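Review bot: Steps 1-12 only attach an OAI to the origin and never cover the other two parts of Recommended Action: that the bucket is the origin of only one distribution, and that access from any other source is restricted. Add a step after step 10 to review the bucket policy and remove any statement whose Principal is not the chosen OAI (including public or wildcard principals), and a step to confirm no second distribution lists the same bucket as an origin. Typos: "ClouFront" in More Info; step 10 splits one sentence at "in the policy. and give"; step 9 lacks a trailing period.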
\ No newline at end of file diff --git a/en/aws/s3/s3-dns-compliant-bucket-names.md b/en/aws/s3/s3-dns-compliant-bucket-names.md new file mode 100644 index 000000000..3b7625fce --- /dev/null +++ b/en/aws/s3/s3-dns-compliant-bucket-names.md @@ -0,0 +1,15 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / S3 / S3 DNS Compliant Bucket Names + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | S3 DNS Compliant Bucket Names | +| **Cloud** | AWS | +| **Category** | S3 | +| **Description** | Ensures that S3 buckets have DNS complaint bucket names. | +| **More Info** | S3 bucket names must be DNS-compliant and not contain period "." to enable S3 Transfer Acceleration and to use buckets over SSL. | +| **AWS Link** | https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html | +| **Recommended Action** | Recreate S3 bucket to use "-" instead of "." in S3 bucket names. | \ No newline at end of file diff --git a/en/aws/s3/s3-transfer-acceleration-enabled.md b/en/aws/s3/s3-transfer-acceleration-enabled.md new file mode 100644 index 000000000..debbde8a9 --- /dev/null +++ b/en/aws/s3/s3-transfer-acceleration-enabled.md 
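Review bot: s3-dns-compliant-bucket-names.md has no "## Detailed Remediation Steps" section, unlike every other doc in this patch; since Recommended Action is to recreate the bucket, the steps should cover creating the replacement bucket with "-" in place of ".", migrating objects and bucket settings, repointing clients and retiring the old bucket. Typo: "DNS complaint bucket names" in Description should be "DNS-compliant".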
@@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / S3 / S3 Transfer Acceleration Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | S3 Transfer Acceleration Enabled | +| **Cloud** | AWS | +| **Category** | S3 | +| **Description** | Ensures that S3 buckets have transfer acceleration enabled to increase the speed of data transfers. | +| **More Info** | S3 buckets should have transfer acceleration enabled to increase the speed of data transfers in and out of Amazon S3 using AWS edge network. | +| **AWS Link** | https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration-examples.html | +| **Recommended Action** | Modify S3 bucket to enable transfer acceleration. | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for S3.
+3. Scroll down the left navigation pane and Click on "Buckets".
+4. Select the "Bucket" that needs to add policy to and click on its identifier(name) from the "Bucket name" column.
+5. Click on the "Properties" tab on the top menu.
+6. Click Edit Transfer acceleration.
+7. Select Enable.
+8. Click on the "Save" button to make the necessary changes.
+9. Repeat steps 4 - 8 to enable transfer accelaration for other S3 buckets in the region.
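Review bot: Step 4 again says "needs to add policy to", copied text that does not match this doc (enabling transfer acceleration); reword it. A note before step 6 would help: per s3-dns-compliant-bucket-names.md in this patch, buckets whose names contain a period cannot enable Transfer Acceleration, so point readers there when the Edit option is unavailable. Typos: "accelaration" in step 9; "Click" capitalised mid-sentence in step 3; "using AWS edge network" in More Info should be "using the AWS edge network".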
\ No newline at end of file diff --git a/en/aws/s3/s3-versioned-buckets-lifecycle-configuration.md b/en/aws/s3/s3-versioned-buckets-lifecycle-configuration.md new file mode 100644 index 000000000..9776cf4d2 --- /dev/null +++ b/en/aws/s3/s3-versioned-buckets-lifecycle-configuration.md @@ -0,0 +1,28 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / S3 / S3 Versioned Buckets Lifecycle Configuration + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | S3 Versioned Buckets Lifecycle Configuration | +| **Cloud** | AWS | +| **Category** | S3 | +| **Description** | Ensure that S3 buckets having versioning enabled also have lifecycle policy configured for non-current objects. | +| **More Info** | When object versioning is enabled on a bucket, every modification/update to an object results in a new version of the object that will be stored indefinitely. Enable a lifecycle policy, so that non-current object versions are removed or transitioned in a predictable manner. | +| **AWS Link** | https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-to-set-lifecycle-configuration-intro.html | +| **Recommended Action** | Configure lifecycle rules for buckets which have versioning enabled. | + +## Detailed Remediation Steps +1. Log into the AWS Management Console.
+2. Select the "Services" option and search for S3.
+3. Scroll down the left navigation pane and choose "Buckets".
+4. Select the "Bucket" that needs to create lifecycle rule for by clicking on its identifier(name) from the "Bucket name" column.
+5. Click on the "Management" tab on the top menu.
+6. Click on Create Lifecycle rule.
+7. Choose the rule scope (all bucket objects OR limit scope to specific objects using filters/ tags prefix) .
+8. Check Lifecycle rule actions you need to apply.
+9. Make sure to specify a rule for Move noncurrent versions of objects between storage classes.
+10. Click on the "Save" button to make the necessary changes.
+11. Repeat steps 4 - 10 to enable lifecycle configurations in other S3 buckets.
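Review bot: Step 9 only mentions "Move noncurrent versions of objects between storage classes", while More Info says noncurrent versions should be "removed or transitioned"; also name the action that expires noncurrent versions, since a transition-only rule still keeps every version indefinitely. Steps 1-8 are a verbatim copy of s3-bucket-lifecycle-configuration.md, so keep the two in sync (the stray spacing in step 7 "filters/ tags prefix) ." appears in both). Step 4 "needs to create lifecycle rule for" reads better as "that needs a lifecycle rule".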
\ No newline at end of file diff --git a/en/aws/waf/aws-waf-in-use.md b/en/aws/waf/aws-waf-in-use.md new file mode 100644 index 000000000..d3ede2851 --- /dev/null +++ b/en/aws/waf/aws-waf-in-use.md @@ -0,0 +1,30 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / WAF / AWS WAF In Use + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | AWS WAF In Use | +| **Cloud** | AWS | +| **Category** | WAF | +| **Description** | Ensure that AWS Web Application Firewall (WAF) is in use to achieve availability and security for AWS-powered web applications | +| **More Info** | Using WAF for your web application running in AWS environment can help against common web-based attacks, SQL injection attacks, DDOS attacks and more | +| **AWS Link** | https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html | +| **Recommended Action** | Create one or more WAF ACLs with proper actions and rules | + +## Detailed Remediation Steps +1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.
+2. From the AWS WAF home page, choose Create web ACL.
+3. For Name, enter the name that you want to use to identify this web ACL.
+4. For Description - (optional), enter a longer description for the web ACL.
+5. For CloudWatch metric name, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for AWS WAF, including "All" and "Default_Action."
+6. Choose the AWS resources that you want AWS WAF to inspect web requests for. these steps covers the steps for Amazon CloudFront. The process is essentially the same for an Amazon API Gateway REST API, an Application Load Balancer, an AWS AppSync GraphQL API, or an Amazon Cognito user pool.
+7. Choose CloudFront distributions. The Region automatically populates to Global (CloudFront) for CloudFront distributions.
+8. (Optional) For Associated AWS resources, choose Add AWS resources. In the dialog box, choose the resources that you want to associate, and then choose Add. AWS WAF returns you to the Describe web ACL and associated AWS resources page.
+9. Choose Next.
+10. Add the rules and rule groups that you want to use to filter web requests. For example, you can specify the IP addresses that the requests originate from and values in the request that are used only by attackers. For each rule, you specify how to handle matching web requests. You can block them, allow them, count them, or insert a CAPTCHA check against them. You define an action for each rule that you define inside a web ACL and for each rule that you define inside a rule group.
+11. Specify a default action for the web ACL, either Block or Allow. This is the action that AWS WAF takes when a web request doesn't match any of the rules.
+12. Review then click on Create web ACL.
+13. To Associate a web ACL with an AWS resource, see this link: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html
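Review bot: Steps 1-12 are identical to aws-wafv2-in-use.md and both open the wafv2 console, so if this plugin covers AWS WAF Classic the steps do not apply to it, and if it inspects the same web ACLs as the WAFV2 plugin the two docs are duplicates; state which WAF version this check inspects. Grammar in step 6: "these steps covers the steps for" should be "these steps cover"; More Info "DDOS" should be "DDoS"; step 5 places the period inside the closing quote of "Default_Action.".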
\ No newline at end of file diff --git a/en/aws/waf/aws-wafv2-in-use.md b/en/aws/waf/aws-wafv2-in-use.md new file mode 100644 index 000000000..720dea640 --- /dev/null +++ b/en/aws/waf/aws-wafv2-in-use.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / WAFV2 / AWS WAFV2 In Use + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | AWS WAFV2 In Use | +| **Cloud** | AWS | +| **Category** | WAF | +| **Description** | Ensure that AWS Web Application Firewall V2 (WAFV2) is in use to achieve availability and security for AWS-powered web applications. | +| **More Info** | Using WAF for your web application running in AWS environment can help you against common web-based attacks, SQL injection attacks, DDOS attacks and more | +| **AWS Link** | https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html | +| **Recommended Action** | Create one or more WAF ACLs with proper actions and rules | + +## Detailed Remediation Steps +1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.
+2. From the AWS WAF home page, choose Create web ACL.
+3. For Name, enter the name that you want to use to identify this web ACL.
+4. For Description - (optional), enter a longer description for the web ACL.
+5. For CloudWatch metric name, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for AWS WAF, including "All" and "Default_Action."
+6. Choose the AWS resources that you want AWS WAF to inspect web requests for. these steps covers the steps for Amazon CloudFront. The process is essentially the same for an Amazon API Gateway REST API, an Application Load Balancer, an AWS AppSync GraphQL API, or an Amazon Cognito user pool.
+7. Choose CloudFront distributions. The Region automatically populates to Global (CloudFront) for CloudFront distributions.
+8. (Optional) For Associated AWS resources, choose Add AWS resources. In the dialog box, choose the resources that you want to associate, and then choose Add. AWS WAF returns you to the Describe web ACL and associated AWS resources page.
+9. Choose Next.
+10. Add the rules and rule groups that you want to use to filter web requests. For example, you can specify the IP addresses that the requests originate from and values in the request that are used only by attackers. For each rule, you specify how to handle matching web requests. You can block them, allow them, count them, or insert a CAPTCHA check against them. You define an action for each rule that you define inside a web ACL and for each rule that you define inside a rule group.
+11. Specify a default action for the web ACL, either Block or Allow. This is the action that AWS WAF takes when a web request doesn't match any of the rules.
+12. Review then click on Create web ACL.
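Review bot: Step 13 from aws-waf-in-use.md (associating the web ACL with a resource, https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html) is missing here; a web ACL that is not associated with any resource inspects no traffic, so add that step back. Same grammar fixes as the sibling doc: "these steps covers" in step 6, "DDOS" in More Info.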
\ No newline at end of file diff --git a/en/azure/securitycenter/monitor-external-accounts-with-write-permissions.md b/en/azure/securitycenter/monitor-external-accounts-with-write-permissions.md new file mode 100644 index 000000000..dd9dafa7e --- /dev/null +++ b/en/azure/securitycenter/monitor-external-accounts-with-write-permissions.md 
@@ -0,0 +1,31 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Monitor External Accounts with Write Permissions + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitor External Accounts with Write Permissions | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that External Accounts with Write Permissions are being Monitored in Security Center | +| **More Info** | External Accounts with Write Permissions should be monitored to meet you organization's security compliance requirements. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | +| **Recommended Action** | Enable Monitor for External Accounts with Write Permissions by ensuring AuditIfNotExists setting is used for 'External accounts with write permissions should be removed from your subscription' from the Azure Security Center. | + +## Detailed Remediation Steps + +1. ASC Default policies should monitor for this by default. If no ASC Default policy found, this policy can be manually assigned and enabled. +2. Log into the Microsoft Azure Management Console. +3. Select the "Search resources, services, and docs" option at the top and search for Resource Groups. +4. Select the corresponding resource group by clicking on the 'name' link. +5. On the navigation pane to the left, select "Policies" in the Settings section. +6. In the policies section, select "Assign Policy" at the top of the section menu. +7. Assign the scope this policy should cover and any necessary exclusions. +8. In the Policy Definition section, select "External accounts with write permissions should be removed from your subscription". +9. Ensure that Policy Enforcement is set to 'enabled' and then select Next. +10. In the Parameters section, set the Effect to 'AuditIfNotExists'. +11. Optional - Assign Remediation and Non-Compliance Messages. 
+12. Review and Create the policy. + diff --git a/en/azure/securitycenter/monitor-ip-forwarding.md b/en/azure/securitycenter/monitor-ip-forwarding.md new file mode 100644 index 000000000..d7c104a2f --- /dev/null +++ b/en/azure/securitycenter/monitor-ip-forwarding.md 
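Review bot: Steps 3-4 assign the policy at resource-group scope, but the definition selected in step 8, "External accounts with write permissions should be removed from your subscription", is by its own name a subscription-level condition; assigning it to a single resource group will not cover it, so steps 3-4 should open the subscription (or a management group) and assign from its Policies blade. The title path "AZURE / Active Directory / ..." does not match Category "Security Center". More Info: "meet you organization's" should be "meet your organization's".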
@@ -0,0 +1,30 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Monitor IP Forwarding + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitor IP Forwarding | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that Virtual Machine IP Forwarding Monitoring is enabled in Security Center. | +| **More Info** | IP Forwarding feature should be monitored to meet you organization's security compliance requirements. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | +| **Recommended Action** | Enable IP Forwarding Monitoring by ensuring AuditIfNotExists setting is used for 'IP Forwarding on your virtual machine should be disabled' from the Azure Security Center. | + +## Detailed Remediation Steps + +1. ASC Default policies should monitor for this by default. If no ASC Default policy found, this policy can be manually assigned and enabled. +2. Log into the Microsoft Azure Management Console. +3. Select the "Search resources, services, and docs" option at the top and search for Resource Groups. +4. Select the corresponding resource group by clicking on the 'name' link. +5. On the navigation pane to the left, select "Policies" in the Settings section. +6. In the policies section, select "Assign Policy" at the top of the section menu. +7. Assign the scope this policy should cover and any necessary exclusions. +8. In the Policy Definition section, select "IP Forwarding on your virtual machine should be disabled". +9. Ensure that Policy Enforcement is set to 'enabled' and then select Next. +10. In the Parameters section, set the Effect to 'AuditIfNotExists'. +11. Optional - Assign Remediation and Non-Compliance Messages. +12. Review and Create the policy. 
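Review bot: Title path "AZURE / Active Directory / Monitor IP Forwarding" does not match Category "Security Center"; use the category in the heading as the AWS docs in this patch do. More Info: "meet you organization's" should be "meet your organization's". Step 1: "If no ASC Default policy found" should be "If no ASC Default policy is found" (the same sentence recurs in the other securitycenter docs in this patch).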
diff --git a/en/azure/securitycenter/monitor-next-generation-firewall.md b/en/azure/securitycenter/monitor-next-generation-firewall.md new file mode 100644 index 000000000..a11bd577d --- /dev/null +++ b/en/azure/securitycenter/monitor-next-generation-firewall.md 
@@ -0,0 +1,31 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Monitor Total Number of Subscription Owners + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitor Next Generation Firewall | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that Next Generation Firewall (NGFW) Monitoring is enabled in Security Center. | +| **More Info** | When this setting is enabled, Security Center will search for deployments where a NGFW is recommended. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | +| **Recommended Action** | Enable Next Generation Firewall Monitoring by ensuring AuditIfNotExists setting is used for 'All network ports should be restricted on network security groups associated to your virtual machine' from the Azure Security Center. | + +## Detailed Remediation Steps + +1. ASC Default policies should monitor for this by default. If no ASC Default policy found, this policy can be manually assigned and enabled. +2. Log into the Microsoft Azure Management Console. +3. Select the "Search resources, services, and docs" option at the top and search for Resource Groups. +4. Select the corresponding resource group by clicking on the 'name' link. +5. On the navigation pane to the left, select "Policies" in the Settings section. +6. In the policies section, select "Assign Policy" at the top of the section menu. +7. Assign the scope this policy should cover and any necessary exclusions. +8. In the Policy Definition section, select "[Preview]: All Internet traffic should be routed via your deployed Azure Firewall". +9. Ensure that Policy Enforcement is set to 'enabled' and then select Next. +10. In the Parameters section, set the Effect to 'AuditIfNotExists'. +11. Optional - Assign Remediation and Non-Compliance Messages. +12. Review and Create the policy. + 
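Review bot: The H1 says "Monitor Total Number of Subscription Owners" while Plugin Title is "Monitor Next Generation Firewall"; copy-paste error, fix the heading. Recommended Action names the definition 'All network ports should be restricted on network security groups associated to your virtual machine', but step 8 selects "[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"; these are different policies, so use the one the plugin actually evaluates in both places. Title path "Active Directory" also does not match Category "Security Center".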
diff --git a/en/azure/securitycenter/monitor-total-number-of-subscription-owners.md b/en/azure/securitycenter/monitor-total-number-of-subscription-owners.md new file mode 100644 index 000000000..f4b15f855 --- /dev/null +++ b/en/azure/securitycenter/monitor-total-number-of-subscription-owners.md 
@@ -0,0 +1,31 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Monitor Total Number of Subscription Owners + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitor Total Number of Subscription Owners | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that Total Number of Subscription Owners is being Monitored in Security Center. | +| **More Info** | Total Number of Subscription Owners should be monitored to meet you organization's security compliance requirements. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | +| **Recommended Action** | Enable Monitor for Total Number of Subscription Owners by ensuring AuditIfNotExists setting is used for 'A maximum of 3 owners should be designated for your subscription' from the Azure Security Center. | + +## Detailed Remediation Steps + +1. ASC Default policies should monitor for this by default. If no ASC Default policy found, this policy can be manually assigned and enabled. +2. Log into the Microsoft Azure Management Console. +3. Select the "Search resources, services, and docs" option at the top and search for Resource Groups. +4. Select the corresponding resource group by clicking on the 'name' link. +5. On the navigation pane to the left, select "Policies" in the Settings section. +6. In the policies section, select "Assign Policy" at the top of the section menu. +7. Assign the scope this policy should cover and any necessary exclusions. +8. In the Policy Definition section, select "A maximum of 3 owners should be designated for your subscription". +9. Ensure that Policy Enforcement is set to 'enabled' and then select Next. +10. In the Parameters section, set the Effect to 'AuditIfNotExists'. +11. Optional - Assign Remediation and Non-Compliance Messages. +12. Review and Create the policy. + 
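Review bot: Same scope problem as monitor-external-accounts-with-write-permissions.md: steps 3-4 assign at a resource group, while 'A maximum of 3 owners should be designated for your subscription' (step 8) is a subscription-level condition; assign at subscription scope. Title path "Active Directory" does not match Category "Security Center"; "meet you organization's" in More Info should be "meet your organization's".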
diff --git a/en/azure/storageaccounts/blobs-soft-deletion-enabled.md b/en/azure/storageaccounts/blobs-soft-deletion-enabled.md new file mode 100644 index 000000000..cc4d835a1 --- /dev/null +++ b/en/azure/storageaccounts/blobs-soft-deletion-enabled.md @@ -0,0 +1,27 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Blobs Soft Deletion Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Blobs Soft Deletion Enabled | +| **Cloud** | AZURE | +| **Category** | Storage Accounts | +| **Description** | Ensure that soft delete feature is enabled for all Microsoft Storage Account blobs. | +| **More Info** | When soft delete for blobs is enabled for a storage account, blobs, blob versions, and snapshots in that storage account may be recovered after they are deleted, within a retention period that you specify. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-blob-overview | +| **Recommended Action** | Enable soft delete for blobs and set deletion retention policy to keep blobs for more than desired number of days. | + +## Detailed Remediation Steps + +1. ASC Default policies should monitor for this by default. If no ASC Default policy found, this policy can be manually assigned and enabled. +2. Log into the Microsoft Azure Management Console. +3. Select the "Search resources, services, and docs" option at the top and search for Storage Accounts. +4. Select the corresponding storage account by clicking on the "name" link. +5. Locate the Data Protection option under Data management. +6. In the Recovery section, select Turn on soft delete for blobs. +7. Specify a retention period between 30 and 365 days. +8. Save your changes. +9. Repeat steps 4-8 for all other applicable Storage Accounts. 
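Review bot: In blobs-soft-deletion-enabled.md, step 1 ("ASC Default policies should monitor for this by default...") is a leftover from the Security Center policy docs; soft delete is a storage-account data-protection setting, not a policy assignment, so drop step 1 and renumber (step 9 then refers to steps 3-7). Title path "AZURE / Active Directory / ..." does not match Category "Storage Accounts". Step 7 gives 30 to 365 days while Recommended Action only says "more than desired number of days"; state the minimum the plugin checks so the two agree.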
diff --git a/en/azure/storageaccounts/storage-accounts-minimum-tls-version.md b/en/azure/storageaccounts/storage-accounts-minimum-tls-version.md new file mode 100644 index 000000000..7b89a6e1a --- /dev/null +++ b/en/azure/storageaccounts/storage-accounts-minimum-tls-version.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Storage Accounts Minimum TLS Version + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Storage Accounts Minimum TLS Version | +| **Cloud** | AZURE | +| **Category** | Storage Accounts | +| **Description** | Ensures Microsoft Azure Storage Accounts are using the latest TLS version 1.2 to enforce stricter security measure. | +| **More Info** | Azure Storage accounts permit clients to send and receive data with the oldest version of TLS, TLS 1.0, and above. To enforce stricter security measures, you can configure your storage account to require that clients send and receive data with a newer version of TLS. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version | +| **Recommended Action** | Modify Storage Account configuration and set desired minimum TLS version | + +## Detailed Remediation Steps + +1. ASC Default policies should monitor for this by default. If no ASC Default policy found, this policy can be manually assigned and enabled. +2. Log into the Microsoft Azure Management Console. +3. Select the "Search resources, services, and docs" option at the top and search for Storage Accounts. +4. Select the corresponding storage account by clicking on the "name" link. +5. Locate the Configuration option under Settings. +6. In the Minimum TLS Version section, select Version 1.2. +7. Save your changes. +8. Repeat steps 4-7 for all other applicable Storage Accounts. 
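Review bot: In storage-accounts-minimum-tls-version.md, step 1 is the same Security Center leftover as in blobs-soft-deletion-enabled.md and does not apply to a storage-account configuration setting; remove it and renumber (step 8's "steps 4-7" becomes "steps 3-6"). Title path "Active Directory" should be "Storage Accounts" to match Category. Description: "enforce stricter security measure" should be "measures".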
diff --git a/en/azure/virtualmachines/accelerated-networking-enabled.md b/en/azure/virtualmachines/accelerated-networking-enabled.md new file mode 100644 index 000000000..11ff1702c --- /dev/null +++ b/en/azure/virtualmachines/accelerated-networking-enabled.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Accelerated Networking Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Accelerated Networking Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** |Ensures that accelerated networking is enabled on Azure virtual machines(VM).| +| **More Info** | Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/create-vm-accelerated-networking-powershell | +| **Recommended Action** | Enable accelerated networking in virtual machine network interfaces. | + +## Detailed Remediation Steps + +{Listed Remediation Steps} +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Virtual Machines". +3. Select the appropriate Virtual Machine by clicking on the "Name" link. +4. In the Settings section on the left menu, select "Networking" +5. Select the Network Interface by clicking on the "Name" link +6. In Network Interface Oververview, select "Enabled Accelerated Networking" to enable accelerated networking. +7. Repeat steps 3-6 for all other Virtual Machines. diff --git a/en/azure/virtualmachines/automatic-instance-repairs-enabled.md b/en/azure/virtualmachines/automatic-instance-repairs-enabled.md new file mode 100644 index 000000000..2f707defc --- /dev/null +++ b/en/azure/virtualmachines/automatic-instance-repairs-enabled.md 
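Review bot: the template placeholder "{Listed Remediation Steps}" was left in above the numbered list and should be removed (the same placeholder appears on several other pages in this patch). Step 6 has a typo ("Oververview"), and the control is "Enable accelerated networking", not "Enabled Accelerated Networking"; steps 4 and 5 are also missing terminal periods. The linked doc lists prerequisites for turning this on for an existing NIC (supported VM sizes, VM state), so a one-line caveat before step 6 would save readers a failed attempt.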
@@ -0,0 +1,27 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Automatic Instance Repairs Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Automatic Instance Repairs Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that automatic instance repairs is enabled for Azure virtual machine scale sets. | +| **More Info** | Enabling automatic instance repairs for Azure virtual machine scale sets helps achieve high availability for applications by maintaining a set of healthy instances. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs | +| **Recommended Action** | Enable automatic instance repairs for Azure virtual machine scale sets. | + +## Detailed Remediation Steps + +{Listed Remediation Steps} +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Virtual machine scale sets". +3. Select the scale set by clicking on the "Name" link. +4. Select "Health and Repair" in the left hand menu under Settings. +5. Select "Enabled" in Enable application health monitoring. +6. Select "On" for Enable automatic repairs. Note that the "Health" extension will need to be added to the Virtual Machines associated with this scale set and the scale set may need restarted prior to the changes successfully being made. +7. Save the changes. +8. Repeat steps 3-7 for all other scale sets. \ No newline at end of file diff --git a/en/azure/virtualmachines/automatic-os-upgrades-enabled.md b/en/azure/virtualmachines/automatic-os-upgrades-enabled.md new file mode 100644 index 000000000..682fa1af8 --- /dev/null +++ b/en/azure/virtualmachines/automatic-os-upgrades-enabled.md 
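Review bot: remove the "{Listed Remediation Steps}" placeholder before the numbered list. In step 6, "may need restarted" should read "may need to be restarted", and the dependency described there (the Application Health extension must be present before automatic repairs can be turned on) is a prerequisite, so it belongs before step 5 rather than as a trailing note. The file also lacks a trailing newline ("\ No newline at end of file"), as do most of the new pages in this patch.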
@@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Automatic OS Upgrades Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Automatic OS Upgrades Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensure that automatic operating system (OS) upgrades are enabled for Microsoft Azure virtual machine scale sets. | +| **More Info** | Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all instances in the scale set. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade | +| **Recommended Action** | Enable automatic OS upgrades under operating system settings. | + +## Detailed Remediation Steps + +{Listed Remediation Steps} +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Virtual machine scale sets". +3. Select the corresponding scale set by clicking on the "name" link +4. Once the scale set is selected, select "Upgrade policy" in the left side menu under Settings. +5. Select "Automatic" in the drop down menu for "Upgrade Mode" and save the changes. +6. Repeat steps 3-5 for all applicable scale set instances. \ No newline at end of file diff --git a/en/azure/virtualmachines/disk-volumes-byok-encryption-enabled.md b/en/azure/virtualmachines/disk-volumes-byok-encryption-enabled.md new file mode 100644 index 000000000..cd3687733 --- /dev/null +++ b/en/azure/virtualmachines/disk-volumes-byok-encryption-enabled.md 
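Review bot: step 5 switches the scale set's "Upgrade Mode" to Automatic, but the Description and More Info describe automatic OS image upgrades, which the linked doc treats as a setting separate from the upgrade policy mode; the step should name the automatic OS upgrade option specifically (and the health probe or Application Health extension prerequisite the doc lists), otherwise a reader can follow the steps and still fail the check. Also remove the "{Listed Remediation Steps}" placeholder and add the missing period at the end of step 3.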
@@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Disk Volumes BYOK Encryption Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disk Volumes BYOK Encryption Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled. | +| **More Info** | Encrypting virtual machine disk volumes helps protect and safeguard your data to meet organizational security and compliance commitments. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault | +| **Recommended Action** | Ensure that virtual machine disks are created using BYOK encryption. | + +## Detailed Remediation Steps + +{Listed Remediation Steps} +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for Virtual Machines. +3. Select the corresponding virtual machine by clicking on the "Name" link. +4. In the left side menu, select "Disk" and click on the corresponding disk "Name" link. +5. In the left side menu, select "Encryption" and change the Encryption type to one of the customer-managed key options. Select the appropriate encryption sets and then click "Save" to confirm the changes. +6. Note that if no encryption sets are available, you will need to configure both the Azure "Key Vaults" as well as the "Disk Encryption Sets" resources. Please visit https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault for more information. +7. Repeat steps 3 - 6 for all other applicable virtual machines. \ No newline at end of file diff --git a/en/azure/virtualmachines/guest-level-diagnostics-enabled.md b/en/azure/virtualmachines/guest-level-diagnostics-enabled.md new file mode 100644 index 000000000..35cda14c9 
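Review bot: the AZURE Link (.../windows/disk-encryption-key-vault) is the Azure Disk Encryption with Key Vault guide, while steps 5 and 6 configure server-side encryption with a customer-managed key through a Disk Encryption Set; these are different features, so the link (cited again in step 6) should point at the customer-managed keys / disk encryption sets documentation that matches the steps. Step 4 should say "Disks" (the blade name used on the other VM pages), and the "{Listed Remediation Steps}" placeholder should be removed. If changing the encryption type requires the VM to be deallocated first, step 5 should say so.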
--- /dev/null +++ b/en/azure/virtualmachines/guest-level-diagnostics-enabled.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Guest Level Diagnostics Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Guest Level Diagnostics Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that the guest level diagnostics are enabled. | +| **More Info** | Guest Level Diagnostics should be enabled to collect information about VMs processing and state of VM applications. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-vm-agent | +| **Recommended Action** | Enable guest level diagnostics for all virtual machines. | + +## Detailed Remediation Steps + +{Listed Remediation Steps} +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for Virtual Machines. +3. Select the corresponding virtual machine by clicking on the "Name" link. +4. Ensure that the Virtual Machine is currently running. +5. In the left menu pane, select "Diagnostic settings" under Monitoring. +6. In the Diagnostic Settings Overview, select a storage account under "Pick a storage account" and then select "Enable guest-level monitoring". +7. Repeat steps 3 - 6 for all other applicable Virtual Machines. diff --git a/en/azure/virtualmachines/managed-vm-machine-image.md b/en/azure/virtualmachines/managed-vm-machine-image.md new file mode 100644 index 000000000..57ac5f456 --- /dev/null +++ b/en/azure/virtualmachines/managed-vm-machine-image.md 
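Review bot: remove the "{Listed Remediation Steps}" placeholder. More Info ("collect information about VMs processing and state of VM applications") is vague; say what guest-level diagnostics actually collects (guest OS performance counters and logs via the diagnostics extension). The AZURE Link points at the Security Center VM agent page (security-center-enable-vm-agent), which is not the diagnostics extension documentation; link the VM diagnostics extension doc for the setting the steps configure.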
@@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Managed VM Machine Image + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Managed VM Machine Image | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that VM is launched from a managed VM image. | +| **More Info** | A managed VM image contains the information necessary to create a VM, including the OS and data disks. Virtual Machines should be launched using managed images to ensure security practices and consistency across all the instances. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-generalized-managed | +| **Recommended Action** | Ensure that VM is launched using managed VM image. | + +## Detailed Remediation Steps + +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for Virtual Machines. +3. Select the applicable Virtual Machine from the list of Virtual Machines by clicking on the "name" link. +4. In the left side menu for the Virtual Machine, select "Disks" under Settings. +5. At the top of the Disks section, select "Migrate to managed disks". +6. If your VM is in an availability set, there will be a warning on the Migrate to managed disks blade that you need to convert the availability set first. The warning should have a link you can click to convert the availability set. Once the availability set is converted or if your VM is not in an availability set, click Migrate to start the process of migrating your disks to managed disks. +7. The VM will be stopped and restarted after migration is complete. +8. Repeat steps 3-5 for all other applicable disks. \ No newline at end of file 
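Review bot: the remediation steps do not match the check. The Description ("Ensures that VM is launched from a managed VM image") concerns the image a VM was created from, but steps 4 to 7 migrate unmanaged disks to managed disks, which is the remediation for the separate "VM Managed Disks Enabled" page in this patch; a VM already on managed disks that was built from an unmanaged image would still fail after following them. Either describe capturing a managed image and recreating the VM from it (what the linked doc covers), or move these steps to vm-managed-disks-enabled.md. Step 8 also says "Repeat steps 3-5 for all other applicable disks", but the procedure runs through step 7 and is per VM, not per disk.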
diff --git a/en/azure/virtualmachines/no-empty-scale-sets.md b/en/azure/virtualmachines/no-empty-scale-sets.md new file mode 100644 index 000000000..fc9b6e64d --- /dev/null +++ b/en/azure/virtualmachines/no-empty-scale-sets.md @@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / No Empty Scale Sets + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | No Empty Scale Sets | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that virtual machine scale sets have virtual machine instances attached. | +| **More Info** | Azure virtual machine scale sets let you create and manage a group of load balanced VMs. Scale sets with no vm instances should be deleted to save cost of unused resources. | +| **AZURE Link** | Delete virtual machine scale sets that have no virtual machine instances. | +| **Recommended Action** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview | + +## Detailed Remediation Steps + +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Virtual machine scale sets" +3. Select a scale set by clicking on the "Name" link +4. Once open, in the "Overview" section, select "Move" to link the scale set to a virtual machine. +5. Repeat steps 3-4 for all other scale sets. +6. See https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-portal if no scale sets are present. \ No newline at end of file diff --git a/en/azure/virtualmachines/old-vm-disk-snapshots.md b/en/azure/virtualmachines/old-vm-disk-snapshots.md new file mode 100644 index 000000000..78ecdaa81 --- /dev/null +++ b/en/azure/virtualmachines/old-vm-disk-snapshots.md 
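Review bot: the AZURE Link and Recommended Action cells are swapped: "| **AZURE Link** | Delete virtual machine scale sets that have no virtual machine instances. |" holds the action and "| **Recommended Action** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview |" holds the URL. The steps also contradict the recommended action: step 4 says to select "Move" to "link the scale set to a virtual machine", but Move relocates the resource to another resource group or subscription and adds no instances, and the recommendation is to delete empty scale sets. Replace step 4 with deleting the scale set (or scaling it out if it is still needed), and drop step 6, which describes creating a new scale set and does not remediate an empty one.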
@@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machine / Old VM Disk Snapshots + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Old VM Disk Snapshots | +| **Cloud** | AZURE | +| **Category** | Virtual Machine | +| **Description** | Ensures that virtual machines do not have older disk snapshots. | +| **More Info** | A snapshot is a full, read-only copy of a virtual hard drive (VHD). You can take a snapshot of an OS or data disk VHD to use as a backup, or to troubleshoot virtual machine (VM) issues. VM snapshots older than a specific period of time should be deleted to save cost of unused resources. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/windows/snapshot-copy-managed-disk | +| **Recommended Action** | Ensure that there are no undesired old VM disk snapshots. | + +## Detailed Remediation Steps + +{Listed Remediation Steps} +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Snapshots". +3. Select the applicable Snapshot by clicking on the "Name" link. +4. In the left menu pane, select "Snapshot export" if applicable and export a version of the snapshot if required to keep. +5. Select the "Overview" menu section and click on "Delete" to remove the snapshot from the environment. +6. Repeat steps 3 - 5 for any other applicable snapshots. \ No newline at end of file diff --git a/en/azure/virtualmachines/password-authentication-disabled.md b/en/azure/virtualmachines/password-authentication-disabled.md new file mode 100644 index 000000000..7dff28969 --- /dev/null +++ b/en/azure/virtualmachines/password-authentication-disabled.md 
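Review bot: the Category cell and H1 say "Virtual Machine" while every other page in this patch uses "Virtual Machines"; make it consistent so the plugin groups with the rest. Remove the "{Listed Remediation Steps}" placeholder. Step 4 is awkward ("select "Snapshot export" if applicable and export a version of the snapshot if required to keep"); rephrase as "if the snapshot must be retained, export it via "Snapshot export" before deleting it". The page also never states the age threshold the plugin applies; More Info says "older than a specific period of time", so name the default or the setting that controls it.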
@@ -0,0 +1,20 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Password Authentication Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Password Authentication Disabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that password authentication is disabled on Azure virtual machines. | +| **More Info** | SSH provides secure sign-ins over unsecured connections. Although SSH provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable so it is recommended to connect to VM over SSH instead of password. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed | +| **Recommended Action** | Disable password authentication on Azure virtual machine. | + +## Detailed Remediation Steps + +1. Option 1: Change the virtual machine's SSH configuration file to indicate "disable_password_authentication = true" +2. Option 2: SSH Authentication can be set at build time instead of password authentication. Rebuilding or migrating machines where feasible would satisfy this requirement. diff --git a/en/azure/virtualmachines/premium-ssd-disabled.md b/en/azure/virtualmachines/premium-ssd-disabled.md new file mode 100644 index 000000000..b15cd1a55 --- /dev/null +++ b/en/azure/virtualmachines/premium-ssd-disabled.md 
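Review bot: step 1 names a directive that sshd does not use: "disable_password_authentication = true" is not an sshd_config setting (the sshd_config directive is PasswordAuthentication no), and it reads like a mangled form of the VM model property disablePasswordAuthentication under osProfile.linuxConfiguration. If the plugin reads that property from the Azure API, editing the guest's sshd_config will not clear the finding, so the remediation should say which setting it means; option 2's advice to rebuild is consistent with the property being fixed at provisioning. The More Info sentence is also garbled: "it is recommended to connect to VM over SSH instead of password" should be "to authenticate with SSH keys instead of passwords". The Description says "virtual machines" without noting that this applies to Linux VMs, which is what the linked doc covers, and the page lacks the closing "Repeat for all other applicable virtual machines" step used elsewhere.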
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Premium SSD Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Premium SSD Disabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that the Azure virtual machines are configured to use standard SSD disk volumes instead of premium SSD disk volumes for managed disks. | +| **More Info** | Azure standard SSD disks store data on solid state drives (SSDs), like Azure's existing premium storage disks. Standard SSD disks are a cost-effective storage option optimized for workloads that need consistent performance at lower IOPS levels. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types | +| **Recommended Action** | Modify virtual machines disks to use standard SSD disk volumes instead of premium SSD disk volumes. | + +## Detailed Remediation Steps +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for Virtual Machines. +3. Select the Virtual Machine instance to modify by clicking on the "Name" link +4. Select "Disks" on the left menu side menu settings and then select the appropriate disk by clicking on the "Disk name" link. +5. Select "Side + Performanmce" on the left menu side menu settings. +6. Select "Standard SSD (locally-redundant storage" under "Disk SKU" +7. Select the disk size appropriate for the needs of your environment and then select "Resize" to apply the changes. \ No newline at end of file diff --git a/en/azure/virtualmachines/scale-sets-autoscale-notifications-enabled.md b/en/azure/virtualmachines/scale-sets-autoscale-notifications-enabled.md new file mode 100644 index 000000000..2881731b1 --- /dev/null +++ b/en/azure/virtualmachines/scale-sets-autoscale-notifications-enabled.md 
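Review bot: step 5 has typos ("Side + Performanmce" should be "Size + performance"), and step 6 is missing the closing parenthesis in "Standard SSD (locally-redundant storage". Steps 4 and 5 repeat "left menu side menu settings". The list lacks the closing "Repeat steps 3-7 for all other applicable disks" step the other pages have, and there is no blank line between "## Detailed Remediation Steps" and step 1. If changing the disk SKU requires the VM to be deallocated first, step 4 should say so.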
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Scale Sets Autoscale Notifications Enabled +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Scale Sets Autoscale Notifications Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that Virtual Machine scale sets have autoscale notifications enabled. | +| **More Info** | Autoscale automatically creates new instances when certain metrics are surpassed, or can destroy instances that are being underutilized. Autoscale notifications should be enabled to know about the status of autoscale operation.| +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-overview | +| **Recommended Action** | Ensure that autoscale notifications are enabled for all Virtual Machine Scale Sets. | + +## Detailed Remediation Steps + +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Virtual machine scale sets". +3. Select the corresponding virtual machine scale set by clicking on the "Name" link. +4. In the left side menu, select "Scaling" from the Settings section. +5. In the Scaling section, select the "Notify" option. +6. In the Notify section, check the appropriate notification box for either administrators or co-administrators and save the changes. +7. Repeat steps 3 - 6 for all other applicable virtual machine scale sets. \ No newline at end of file diff --git a/en/azure/virtualmachines/scale-sets-health-monitoring-enabled.md b/en/azure/virtualmachines/scale-sets-health-monitoring-enabled.md new file mode 100644 index 000000000..f85040760 --- /dev/null +++ b/en/azure/virtualmachines/scale-sets-health-monitoring-enabled.md 
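Review bot: style only: the H1 is not followed by a blank line before "## Quick Info", unlike the other pages in the patch, and the More Info cell is missing a space before the closing pipe ("operation.|"). Step 6 ("check the appropriate notification box for either administrators or co-administrators") could also mention that the Notify blade accepts additional email addresses and webhooks, since subscription administrator roles are often not the people who should receive autoscale events.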
@@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Scale Sets Health Monitoring Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Scale Sets Health Monitoring Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that health monitoring is enabled for virtual machine scale sets. | +| **More Info** | Scale set health monitoring feature reports on VM health from inside the scale set instance and can be configured to probe on an application endpoint and update the status of the application on that instance. That instance status is checked by Azure to determine whether an instance is eligible for upgrade operations. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension | +| **Recommended Action** | Enable health monitoring for virtual machine scale sets. | + +## Detailed Remediation Steps + +{Listed Remediation Steps} +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Virtual machine scale sets" +3. Select on the corresponding scale set by clicking on the "Name" link. +4. In the left side pane, select "Health and repair" under Settings. +5. Enable the application health monitoring and enable automatic repairs. Save the changes. +6. Restart the scale set for the changes to take effect. +7. Repeat steps 3 - 6 for any other applicable scale sets. \ No newline at end of file diff --git a/en/azure/virtualmachines/virtual-machine-boot-diagnostics-enabled.md b/en/azure/virtualmachines/virtual-machine-boot-diagnostics-enabled.md new file mode 100644 index 000000000..63d1bb727 --- /dev/null +++ b/en/azure/virtualmachines/virtual-machine-boot-diagnostics-enabled.md 
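Review bot: step 5 also turns on automatic repairs, which is the subject of the separate "Automatic Instance Repairs Enabled" page in this patch; this plugin is about health monitoring, so the step should enable only the application health extension (and the endpoint it should probe, which More Info describes) and leave repairs to the other page. Remove the "{Listed Remediation Steps}" placeholder, change "Select on the corresponding scale set" to "Select the corresponding scale set", and add the missing period in step 2.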
@@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Virtual Machine Boot Diagnostics Enabled +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Virtual Machine Boot Diagnostics Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that the VM boot diagnostics is enabled for virtual machines. | +| **More Info** | Boot diagnostics is a debugging feature for Azure virtual machines (VM) that allows diagnosis of VM boot failures. Boot diagnostics enables a user to observe the state of their VM as it is booting up by collecting serial log information and screenshots. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics | +| **Recommended Action** | Enable boot diagnostics for all virtual machines. | + +## Detailed Remediation Steps + +{Listed Remediation Steps} +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Virtual Machines". +3. Select the corresponding virtual machine by clicking on the "Name" link. +4. In the left side menu, select "Boot diagnostics" from the Support + troubleshooting options. +5. Select the "Settings" option within the Boot diagnostics section +6. Select "Enable" for the appropriate storage account option based on specific need and save the changes. +7. Repeat steps 3 - 6 for other applicable Virtual machines. \ No newline at end of file diff --git a/en/azure/virtualmachines/virtual-machine-performance-diagnostics-enabled.md b/en/azure/virtualmachines/virtual-machine-performance-diagnostics-enabled.md new file mode 100644 index 000000000..0f5a3df54 --- /dev/null +++ b/en/azure/virtualmachines/virtual-machine-performance-diagnostics-enabled.md 
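Review bot: remove the "{Listed Remediation Steps}" placeholder. Step 5 is missing its period, and the H1 is not separated from "## Quick Info" by a blank line as on the other pages. Step 6 ("Select "Enable" for the appropriate storage account option based on specific need") is ambiguous; the choice the linked doc describes is between a managed storage account and a custom storage account, so name it explicitly.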
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Virtual Machine Performance Diagnostics Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Virtual Machine Performance Diagnostics Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that performance diagnostics is enabled on virtual machines. | +| **More Info** | The performance diagnostics tool helps in troubleshooting performance issues that can affect a Windows or Linux virtual machine (VM). | +| **AZURE Link** | https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics | +| **Recommended Action** | Enable performance diagnostics on Azure virtual machines | + +## Detailed Remediation Steps + +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for Virtual Machines +3. Select the corresponding Virtual Machine by clicking on the "Name" link. +4. In the left side menu, select "Performance diagnostics" under Support + troubleshooting. +5. Click "Install performance diagnostics" to enable the Virtual Machine Performance Diagnostics. +6. Repeat steps 3 - 5 for any other applicable Virtual Machines. \ No newline at end of file diff --git a/en/azure/virtualmachines/vm-active-directory-authentication-enabled.md b/en/azure/virtualmachines/vm-active-directory-authentication-enabled.md new file mode 100644 index 000000000..f15a0791a --- /dev/null +++ b/en/azure/virtualmachines/vm-active-directory-authentication-enabled.md 
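Review bot: style only: the Recommended Action cell and step 2 are missing terminal periods, and step 5 ("Click "Install performance diagnostics"") should mention that the install prompts for a storage account, so the reader knows what to have ready.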
@@ -0,0 +1,23 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / VM Active Directory (AD) Authentication Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Active Directory (AD) Authentication Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that Azure Active Directory (AD) authentication is enabled for virtual machines. | +| **More Info** | Organizations can now improve the security of virtual machines (VMs) in Azure by integrating with Azure Active Directory (AD) authentication. Enabling Azure Active Directory (AD) authentication for Azure virtual machines (VMs) ensures access to VMs from one central point and simplifies access permission management. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows | +| **Recommended Action** | Enable Azure Active Directory (AD) authentication for Azure virtual machines. | + +## Detailed Remediation Steps + +1. Note that this service is only available in specific Azure Regions and for specific Windows Distributions. For an up to date list, please visit https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows +2. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for Virtual Machines. +3. There are two ways to enable Azure AD login for a Windows VM in Azure. The first is through the Azure portal when creating a Windows VM, the second is through the use of Azure Cloud Shell when creating a Windows VM or for an existing Windows VM. +4. Please visit https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows for step by step instructions on how to make the applicable changes based on your environment configuration. \ No newline at end of file 
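Review bot: the step numbering is broken (two steps numbered "2."), and steps 3 and 4 are not remediation steps but a deferral to the linked doc; at minimum give the portal path (the Azure AD login option under Management when creating the VM) or the Cloud Shell command that adds the AADLoginForWindows extension to an existing VM, both of which the linked doc shows. Step 1 says the feature is limited to "specific Windows Distributions", but the Description and More Info speak of virtual machines generally; if the plugin also evaluates Linux VMs, link the Linux sign-in doc as well, otherwise scope the Description to Windows.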
diff --git a/en/azure/virtualmachines/vm-backups-enabled.md b/en/azure/virtualmachines/vm-backups-enabled.md new file mode 100644 index 000000000..e6ce8736f --- /dev/null +++ b/en/azure/virtualmachines/vm-backups-enabled.md @@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / VM Backups Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Backups Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that Azure virtual machine backups are enabled. | +| **More Info** | Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-introduction | +| **Recommended Action** | Enable Azure virtual machine backups. | + +## Detailed Remediation Steps + +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Backup Center". +3. Select the "Backup Instances" option under "Manage" on the left side menu. +4. Select the "+ Backup" button to initiate the "Start: Configure Backup" form. +5. Select the appropriate "Vault" for use and select "Continue". +6. Adjust the Configure Backup settings based on the needs of your environment. +6. Under "Virtual Machines" add the appropriate virtual machines for backup and select "Enable Backup". \ No newline at end of file diff --git a/en/azure/virtualmachines/vm-daily-backup-retention-period.md b/en/azure/virtualmachines/vm-daily-backup-retention-period.md new file mode 100644 index 000000000..d1dc139df --- /dev/null +++ b/en/azure/virtualmachines/vm-daily-backup-retention-period.md 
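Review bot: the step numbering repeats "6." for the last two steps; renumber them 6 and 7. The steps also never say which backup policy is applied in the "Configure Backup" form; since the next two pages in this patch check daily and instant-restore retention on that policy, pointing the reader at the policy selection here would tie the three checks together.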
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / VM Daily Backup Retention Period + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Daily Backup Retention Period | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that VM daily backup retention policy is configured to retain backups for the desired number of days. | +| **More Info** | Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. These backups should be retained for a specific amount of time to recover destroyed VM.| +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-introduction | +| **Recommended Action** | Configure virtual machine daily backup retention policy to retain backups for desired number of days. | + +## Detailed Remediation Steps + +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for "Backup Center". +3. Select the "Backup Policies" option under "Manage" by clicking on the "Name" link to access the configuration changes. +4. In the selected "Policy" under the "Retention Range" section, select "Retention of daily backup point" and set the time and days to the desired retention amount. Save the changes. +5. Note that a minimum of 5 days is suggested for audit compliance. +6. Repeat steps number 3 - 4 to verify other "Policies" in the Backup Center. diff --git a/en/azure/virtualmachines/vm-instant-restore-backup-retention-period.md b/en/azure/virtualmachines/vm-instant-restore-backup-retention-period.md new file mode 100644 index 000000000..f8ab4a64d --- /dev/null +++ b/en/azure/virtualmachines/vm-instant-restore-backup-retention-period.md 
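Review bot: step 3 conflates two actions ("Select the "Backup Policies" option under "Manage" by clicking on the "Name" link"); split it into opening Backup Policies and then selecting the policy by name, as the instant-restore page does. Step 5's "a minimum of 5 days is suggested for audit compliance" is an unsourced threshold and appears after the reader has already set the value in step 4; move it before step 4 and state whether 5 is the plugin's default setting or a requirement of a named framework. Step 6's "Repeat steps number 3 - 4" should read "Repeat steps 3-4".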
@@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / VM Instant Restore Backup Retention Period + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Instant Restore Backup Retention Period | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that VM instant restore backup retention policy is configured to retain backups for the desired number of days. | +| **More Info** | Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. These backups should be retained for a specific amount of time to recover destroyed VM. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/backup/backup-instant-restore-capability | +| **Recommended Action** | Configure virtual machine instant restore backup retention policy to retain backups for desired number of days. | + +## Detailed Remediation Steps + +{Listed Remediation Steps} +1. Log into the Microsoft Azure Management Console. +2. Select the "Search resources, services, and docs" option at the top and search for Backup Center. +3. Select "Backup Policies" under the Manage section. +4. Select the policy impacting the at risk Virtual Machine by clicking on the "Name" link. +5. In the Modify Policy form, change the "Retain instant recovery snapshot(s) for" number of days to five(5) or greater and then click Save. +6. Apply these changes to all applicable policies. \ No newline at end of file diff --git a/en/azure/virtualmachines/vm-managed-disks-enabled.md b/en/azure/virtualmachines/vm-managed-disks-enabled.md new file mode 100644 index 000000000..e34a5da1e --- /dev/null +++ b/en/azure/virtualmachines/vm-managed-disks-enabled.md 
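Review bot: step 5 tells the reader to set "Retain instant recovery snapshot(s) for" to "five(5) or greater", but the instant restore retention range is bounded (the linked doc gives 1 to 5 days for the standard policy), so "or greater" is not selectable there; check the value against the doc and state the plugin's threshold explicitly. Remove the "{Listed Remediation Steps}" placeholder, and make step 6 match the other pages ("Repeat steps 4-5 for all other applicable policies").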
@@ -0,0 +1,20 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / VM Managed Disks Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Managed Disks Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that Azure virtual machines are configured to use Azure managed disks. | +| **More Info** | Azure managed disks are block-level storage volumes that are managed by Azure are like physical disks in an on-premises server but, virtualized. Azure managed disks provide high durability and security. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview | +| **Recommended Action** | Azure managed disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. | + +## Detailed Remediation Steps + +1. Azure managed disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. +2. For instructions on how to migrate your existing VHD to Azure, please see https://docs.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview#upload-your-vhd \ No newline at end of file diff --git a/en/google/bigquery/dataset-all-users-policy.md b/en/google/bigquery/dataset-all-users-policy.md new file mode 100644 index 000000000..2d2bb330d --- /dev/null +++ b/en/google/bigquery/dataset-all-users-policy.md 
@@ -0,0 +1,27 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / BigQuery / Dataset All Users Policy + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Dataset All Users Policy | +| **Cloud** | GOOGLE | +| **Category** | BigQuery | +| **Description** | Ensure that BigQuery datasets do not allow public read, write or delete access. | +| **More Info** | Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. | +| **GOOGLE Link** | https://cloud.google.com/bigquery/docs/dataset-access-controls | +| **Recommended Action** | Ensure that each dataset is configured so that no member is set to allUsers or allAuthenticatedUsers. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "BigQuery". +3. In the Explorer pane, expand your project and select a dataset that allows public access. +4. Click Sharing then Permissions. +5. Review each attached role to find allUsers and/or allAuthenticatedUsers Roles. +6. Click on the role associated with the allUsers and/or allAuthenticatedUsers member to expand the role configuration panel. +7. Click the delete icon for each member of allUsers or allAuthenticatedUsers. On the popup click Remove to confirm your action. +8. Click Close to return to the selected BigQuery dataset dashboard. +9. Repeat step no. 4 – 7 for each publicly accessible dataset created within the selected project. +10. Repeat steps no. 3 – 9 for each project deployed in your Google Cloud account. diff --git a/en/google/bigquery/tables-cmk-encrypted.md b/en/google/bigquery/tables-cmk-encrypted.md new file mode 100644 index 000000000..a18b86630 --- /dev/null +++ b/en/google/bigquery/tables-cmk-encrypted.md 
@@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / BigQuery / Tables CMK Encrypted + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Tables CMK Encrypted | +| **Cloud** | GOOGLE | +| **Category** | BigQuery | +| **Description** | Ensure that BigQuery dataset tables are encrypted using desired encryption protection level. | +| **More Info** | By default Google encrypts all dataset tables using Google-managed encryption keys. To have more control over the encryption process of your BigQuery dataset tables you can use Customer-Managed Keys (CMKs). | +| **GOOGLE Link** | https://cloud.google.com/bigquery/docs/dataset-access-controls | +| **Recommended Action** | Ensure that each BigQuery dataset table has desired encryption level. | + +## Detailed Remediation Steps +1. To change a table from default encryption to Cloud KMS protection https://cloud.google.com/bigquery/docs/customer-managed-encryption#change_to_kms + +To determine if a table is protected by Cloud KMS: +1. Sign in to Google Cloud Management Console. +2. Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar. +3. Navigate to Google Cloud BigQuery dashboard at https://console.cloud.google.com/bigquery. +4. In the Explorer pane, expand your project and select a dataset name, and click on the specific BigQuery table that you want to examine. +5. Select the Details tab to access the configuration details available for the selected table. +6. On the Details panel, within the Table info section, search for the Customer-managed key configuration attribute. If the Customer-managed key attribute is not listed in the table information section, the selected Google Cloud BigQuery dataset table is not encrypted using a Customer-Managed Key (CMK). \ No newline at end of file 
diff --git a/en/google/cloudfunctions/http-trigger-require-https.md b/en/google/cloudfunctions/http-trigger-require-https.md new file mode 100644 index 000000000..bf00f355d --- /dev/null +++ b/en/google/cloudfunctions/http-trigger-require-https.md @@ -0,0 +1,37 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Cloud Functions / HTTP Trigger require HTTPS + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | HTTP Trigger require HTTPS | +| **Cloud** | GOOGLE | +| **Category** | Cloud Functions | +| **Description** | Ensure that Cloud Functions are configured to require HTTPS for HTTP invocations. | +| **More Info** | You can make your google cloud functions call secure by making sure that they require HTTPS. | +| **GOOGLE Link** | https://cloud.google.com/functions/docs/writing/http | +| **Recommended Action** | Ensure that your Google Cloud functions always require HTTPS. | + +## Detailed Remediation Steps +In Cloud Functions (2nd gen), requests to a function URL always require HTTPS. In Cloud Functions (1st gen), you can choose whether HTTPS is required during deployment. +Steps to configure Cloud Functions to require HTTPS:
+a. Using gcloud: + (1st gen) set `--security-level` flag value to `secure-always` which means HTTPS is required and non-SSL HTTP requests are not supported. + Example: + ``` + gcloud functions deploy YOUR_FUNCTION_NAME \ +--trigger-http \ +[--allow-unauthenticated] \ +[--security-level=secure-always] \ +... + ``` +b. Using Console +For Cloud Functions (1st gen): + 1. Log into the Google Cloud Platform Console. + 2. Scroll down the left navigation panel and click on "Cloud Functions".

+ 3. On the "Cloud Functions" page, select the cloud function which needs to change to require https by clicking on the checkbox next to its name.

+ 4. In the Trigger type field, select HTTP.

+ 5. Select the Require HTTPS checkbox to make the function endpoint requires HTTPS.

+ For more info: https://cloud.google.com/functions/docs/calling/http#gcloud diff --git a/en/google/cloudfunctions/ingress-all-traffic-disabled.md b/en/google/cloudfunctions/ingress-all-traffic-disabled.md new file mode 100644 index 000000000..ce9e8993c --- /dev/null +++ b/en/google/cloudfunctions/ingress-all-traffic-disabled.md @@ -0,0 +1,17 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Cloud Functions / Ingress All Traffic Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Ingress All Traffic Disabled | +| **Cloud** | GOOGLE | +| **Category** | Cloud Functions | +| **Description** | Ensure that Cloud Functions are configured to allow only internal traffic or traffic from Cloud Load Balancer. | +| **More Info** | You can secure your google cloud functions by implementing network based access control. | +| **GOOGLE Link** | https://cloud.google.com/functions/docs/securing/authenticating | +| **Recommended Action** | Ensure that your Google Cloud functions do not allow external traffic from the internet. | + +## Detailed Remediation Steps \ No newline at end of file diff --git a/en/google/compute/application-consistent-snapshots.md b/en/google/compute/application-consistent-snapshots.md new file mode 100644 index 000000000..b574b5586 --- /dev/null +++ b/en/google/compute/application-consistent-snapshots.md 
@@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Application Consistent Snapshots + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Application Consistent Snapshots | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that application consistent snapshots feature is enabled for snapshot schedules. | +| **More Info** | Application consistent snapshots are more reliable because they are created after making sure that current operations are temporarily ceased and any data in memory is flushed to disk. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks/snapshot-best-practices#prepare_for_consistency | +| **Recommended Action** | Ensure that all disk snapshot schedules are application consistent. | + +## Detailed Remediation Steps +### Preparing for consistent snapshots +If you create a snapshot of your persistent disk or Hyperdisk while your application is running, the snapshot might not capture pending writes that are in transit from memory to disk. Because of these inconsistencies, the snapshot might not reflect the exact state of your application at the time you captured the snapshot. In this scenario, the snapshot is considered crash consistent because it captures the state of the application as if the machine crashed at the time the snapshot was taken. + +Optionally, you can pause the application, so that all application transactions complete and the system can flush all pending writes from memory to disk before the snapshot is captured. In this scenario, the snapshot is considered application consistent. + +### Creating Application Consisten Snapshots +- Windows Server users: For persistent disks that are attached to Windows Server instances, use [VSS snapshots](https://cloud.google.com/compute/docs/instances/windows/creating-windows-persistent-disk-snapshot). 
+- Linux users: To achieve application consistency for snapshots of disks attached to Linux instances, create pre and post snapshot shell scripts to prepare your system for application consistency. Then create a snapshot with the `guest-flush` option enabled. This runs the pre and post scripts before and after the snapshot is captured. For instructions, see [Creating Linux application consistent snapshots](https://cloud.google.com/compute/docs/disks/creating-linux-application-consistent-pd-snapshots). diff --git a/en/google/compute/autoscale-minimum-cpu-utilization-target.md b/en/google/compute/autoscale-minimum-cpu-utilization-target.md new file mode 100644 index 000000000..9a0567ecc --- /dev/null +++ b/en/google/compute/autoscale-minimum-cpu-utilization-target.md 
@@ -0,0 +1,39 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Autoscale Minimum CPU Utilization Target + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Autoscale Minimum CPU Utilization Target | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that minimum CPU utilization target is greater or equal than set percentage. | +| **More Info** | The autoscaler treats the target CPU utilization level as a fraction of the average use of all vCPUs over time in the instance group. If the average utilization of your total vCPUs exceeds the target utilization, the autoscaler adds more VM instances. If the average utilization of your total vCPUs is less than the target utilization, the autoscaler removes instances. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/autoscaler/scaling-cpu | +| **Recommended Action** | Ensure all instance groups have Minimum CPU Utilization greater than or equal to target value. | + +## Detailed Remediation Steps +1. In the console, go to the Instance groups page. + + [Go to Instance groups](https://console.cloud.google.com/compute/instanceGroups) + +2. If you have an instance group, select it and click Edit. If you don't have an instance group, click Create instance group. + +3. If no autoscaling configuration exists, under Autoscaling, click Configure autoscaling. + +4. Under Autoscaling mode, select On: add and remove instances to the group to enable autoscaling. + +5. Specify the minimum and maximum numbers of instances that you want the autoscaler to create in this group. + +6. In the Autoscaling metrics section, if an existing CPU utilization metric does not yet exist, add one: + + a. Click Add metric. + b. Under Metric type, select CPU utilization. + c. Enter the Target CPU utilization that you want. This value is treated as a percentage. For example, for 75% CPU utilization, enter `75`. + d. 
Under Predictive autoscaling, select Off. To learn more about predictive autoscaling, and whether it is suitable for your workload, see [Scaling based on predictions](https://cloud.google.com/compute/docs/autoscaler/predictive-autoscaling). + e. Click Done. +7. You can use the Cool down period to tell the autoscaler how long it takes for your application to initialize. Specifying an accurate cool down period improves autoscaler decisions. For example, when scaling out, the autoscaler ignores data from VMs that are still initializing because those VMs might not yet represent normal usage of your application. The default cool down period is 60 seconds. + +8. Click Save. \ No newline at end of file diff --git a/en/google/compute/deprecated-images.md b/en/google/compute/deprecated-images.md new file mode 100644 index 000000000..6f3834cdb --- /dev/null +++ b/en/google/compute/deprecated-images.md 
@@ -0,0 +1,28 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Deprecated Images + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Deprecated Images | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that Compute instances are not created from deprecated images. | +| **More Info** | Deprecated Compute Disk Images should not be used to create VM instances. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/images/image-management-best-practices | +| **Recommended Action** | Ensure that no compute instances are created from deprecated images. | + +## Detailed Remediation Steps +1. To deprecate an existing image, log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose "Compute Engine" to select the "Images" option. +3. For the image you want to deprecate, click ⋮ ⋮ ⋮ Actions. +4. Select Deprecate. +5. For state, select either Deprecated or Obsolete. +6. Specify a replacement image. +7. Click Deprecate Image. + +## Optional +1. Delete the deprecated image by checking the box to the left of the image you want to delete. +2. Click Delete at the top of the page. Your image is now deleted. \ No newline at end of file diff --git a/en/google/compute/disk-automatic-backup-enabled.md b/en/google/compute/disk-automatic-backup-enabled.md new file mode 100644 index 000000000..8a3a536dd --- /dev/null +++ b/en/google/compute/disk-automatic-backup-enabled.md 
@@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Disk Automatic Backup Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disk Automatic Backup Enabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that Google Compute disks have scheduled snapshots configured. | +| **More Info** | Having scheduled snapshots configured for your disks will periodically backup data from your persistent disks. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks/scheduled-snapshots | +| **Recommended Action** | Ensure that all compute disks have a snapshot schedule attached. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Compute Engine" to select the "Disks" option. +3. Click the name of the disk to which you want to attach a snapshot schedule. This opens the disk details page. +4. At the top of the disk details page, click Edit. +5. Use the Snapshot schedule drop-down menu to add the schedule to the disk. Or create a new schedule. +6. If you created a new schedule, click Create. +7. Click Save to complete the task. + +**These configuration changes may incur additional costs** \ No newline at end of file diff --git a/en/google/compute/disk-in-use.md b/en/google/compute/disk-in-use.md new file mode 100644 index 000000000..a95ffd276 --- /dev/null +++ b/en/google/compute/disk-in-use.md 
@@ -0,0 +1,36 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Disk In Use + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disk In Use | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Writing and reading data from Cloud Storage buckets | +| **More Info** | Write and read files from Cloud Storage buckets by using the `gsutil` command-line tool or the Cloud Storage API. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks | +| **Recommended Action** | Read and write from storage buckets. | + +## Detailed Remediation Steps +By default, the `gsutil` command-line tool is installed on most VMs that use [public images](https://cloud.google.com/compute/docs/images/os-details). If your VM doesn't have the `gsutil` command-line tool, you can [install `gsutil` as part of the Google Cloud CLI](https://cloud.google.com/storage/docs/gsutil_install). + +1. [Connect to an instance](https://cloud.google.com/compute/docs/instances/connecting-to-instance). + + a. In the Google Cloud console, go to the VM instances page. + + [Go to VM instances](https://console.cloud.google.com/compute/instances) + + b. In the list of virtual machine instances, click SSH in the row of the instance that you want to connect to. + +2. If you have never used `gsutil` on this instance before, use the gcloud CLI to set up credentials. + + gcloud init + + Alternatively, if your instance is configured to use a [service account](https://cloud.google.com/compute/docs/access/service-accounts) with a Cloud Storage scope, you can skip this step. + +3. Use the `gsutil` tool to [create buckets, write data to buckets, and read data from those buckets](https://cloud.google.com/storage/docs/quickstart-gsutil#create). To write or read data from a specific bucket, you must have access to the bucket. You can read data from any bucket that is publicly accessible. 
+ + Optionally, you can also [stream data](https://cloud.google.com/storage/docs/streaming-uploads) to Cloud Storage. \ No newline at end of file diff --git a/en/google/compute/disk-multiaz.md b/en/google/compute/disk-multiaz.md new file mode 100644 index 000000000..3999542cf --- /dev/null +++ b/en/google/compute/disk-multiaz.md 
@@ -0,0 +1,46 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Disk MultiAz + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disk MultiAz | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** |Ensure that Compute disks have regional disk replication feature enabled for high availability.| +| **More Info** | Enabling regional disk replication will allow you to force attach a regional persistent disk to another VM instance in a different zone in the same region in case of a zonal outage. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks/high-availability-regional-persistent-disk | +| **Recommended Action** | Ensure that all Google compute disks have replica zones configured. | + +## Detailed Remediation Steps +You must first create the regional Persistent Disk and then attach it to an existing instance. You can't create regional Persistent Disks as boot disks because they can't be force-attached during a failover. + +Create a regional Persistent Disk using the following steps: + +1. In the Google Cloud console, go to the Disks page. + + [Go to Disks](https://console.cloud.google.com/compute/disks) + +2. Select the required project. + +3. Click Create disk. + +4. Specify a Name for your disk. + +5. Select the Region and Zone. You must select the same region when you create your VM. + +6. Select the Enable regional disk replication box. + +7. Select the Replicate zone. Make a note of the zones that you select because you must attach the disk to your VM in one of those zones. + +8. Select the Disk source type. + +9. Select the Disk type. + +10. Click Create to finish creating your disk. + +11. After you create your regional Persistent Disk, [attach it to your instance](https://cloud.google.com/compute/docs/disks/add-persistent-disk#create_disk). 
+ + When attaching a disk to a VM, if the disk is already attached to another VM, you can force-attach the disk to the VM by selecting the Force-attach disk box on the Attach existing disk page. For more information on use cases for force-attaching regional Persistent Disks, see [Regional Persistent Disk failover](https://cloud.google.com/compute/docs/disks/repd-failover). diff --git a/en/google/compute/disk-old-snapshots.md b/en/google/compute/disk-old-snapshots.md new file mode 100644 index 000000000..b8487e2cf --- /dev/null +++ b/en/google/compute/disk-old-snapshots.md @@ -0,0 +1,23 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Disk Old Snapshots + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disk Old Snapshots | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that Compute disk snapshots are deleted after defined time period. | +| **More Info** | To optimize storage costs, make sure that there are no old disk snapshots in your GCP project. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks/create-snapshots | +| **Recommended Action** | Ensure that there are no snapshots older than specified number of days. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. In the left navigation panel choose "Compute Engine" and then select the "Snapshots" option. +3. Select the snapshots that are older than the specified number of days. +4. At the top of the Snapshots page, click Delete. + +**These configuration changes may incur additional costs** \ No newline at end of file diff --git a/en/google/compute/enable-usage-export.md b/en/google/compute/enable-usage-export.md new file mode 100644 index 000000000..732e7c174 --- /dev/null +++ b/en/google/compute/enable-usage-export.md 
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Enable Usage Export + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Enable Usage Export | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that setting is configured to export Compute instances usage to Cloud Storage bucket. | +| **More Info** | Compute Engine lets you export detailed reports that provide information about the lifetime and usage of your Compute Engine resources to a Google Cloud Storage bucket using the usage export feature. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/logging/usage-export | +| **Recommended Action** | Ensure that Enable Usage Export setting is configured for your GCP project. | + +## Detailed Remediation Steps +1. Sign in to the Google Cloud Console, and go to the [Compute Engine Settings](#https://console.cloud.google.com/compute/settings?_ga=2.223580315.1677574654.1681411030-795998208.1675186198) page. + +2. Check the Enable usage export box. + +3. Fill in the field asking for a Bucket name. Optionally, provide a Report prefix, if desired. If you leave the report prefix empty, the default prefix usage_gce is used. All usage reports delivered to the bucket are named with this prefix. + +4. Click Save. \ No newline at end of file diff --git a/en/google/compute/frequently-used-snapshots.md b/en/google/compute/frequently-used-snapshots.md new file mode 100644 index 000000000..2495a0dac --- /dev/null +++ b/en/google/compute/frequently-used-snapshots.md 
@@ -0,0 +1,27 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Frequently Used Snapshots + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Frequently Used Snapshots | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that frequently used disks are created from images instead of snapshots to save networking cost. | +| **More Info** | If you are repeatedly using a snapshot in the same zone to create a persistent disk, save networking costs by using the snapshot once and creating an image of that snapshot. Store this image and use it to create your disk and start a VM instance. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks/snapshot-best-practices#prepare_for_consistency | +| **Recommended Action** | Ensure that your disk snapshots have images created from them. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. In the left navigation panel choose "Compute Engine" and then select the "Create an Image" option. +3. Specify the Name of your image. +4. Specify the Source from which you want to create an image by selecting a snapshot. +5. In the Based on source disk location (default) drop-down list, specify the location to store the image. If you don't make a selection, Compute Engine stores the image in the multi-region closest to your image's source location. +6. Optional: specify the properties for your image. +7. Specify the encryption key. You can choose between a Google-managed key, a Cloud Key Management Service (Cloud KMS) key or a customer- supplied encryption (CSEK) key. If no encryption key is specified, images are encrypted using a Google-managed key. +8. Click Create to create the image. + +**These configuration changes may incur additional costs** \ No newline at end of file 
diff --git a/en/google/compute/instance-automatic-restart-enabled.md b/en/google/compute/instance-automatic-restart-enabled.md new file mode 100644 index 000000000..468ff3746 --- /dev/null +++ b/en/google/compute/instance-automatic-restart-enabled.md @@ -0,0 +1,23 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Instance Automatic Restart Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instance Automatic Restart Enabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that Virtual Machine instances have automatic restart feature enabled. | +| **More Info** | Automatic Restart sets the virtual machine restart behavior when an instance is crashed or stopped by the system. If it is enabled, Google Cloud Compute Engine restarts the instance if it crashes or is stopped. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/setting-instance-scheduling-options#autorestart | +| **Recommended Action** | Ensure automatic restart is enabled for all virtual machine instances. | + +## Detailed Remediation Steps +1. In the Google Cloud console, go to the VM instances page. +2. Click the VM for which you want to change settings. The VM details page displays. +3. On the VM details page, complete the following steps: + a. Click the Edit button at the top of the page. + b. Under Availability policies, update the policy as needed. From the Availability policies section, you can set the On host maintenance and Automatic restart options. + c. Click Save. diff --git a/en/google/compute/instance-default-service-account.md b/en/google/compute/instance-default-service-account.md new file mode 100644 index 000000000..c6882fdc5 --- /dev/null +++ b/en/google/compute/instance-default-service-account.md 
@@ -0,0 +1,32 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Instance Default Service Account +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instance Default Service Account | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensures that compute instances are not configured to use the default service account. | +| **More Info** | Default service account has the editor role permissions. Due to security reasons it should not be used for any instance. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/access/service-accounts | +| **Recommended Action** | Make sure that compute instances are not using default service account | + +## Detailed Remediation Steps +1. In the Google Cloud Console, go to the [VM instances](#https://console.cloud.google.com/compute/instances?_ga=2.18084025.1677574654.1681411030-795998208.1675186198) page. + +2. Click the VM instance name for which you want to change the service account. + +3. If the instance is not stopped, click Stop. Wait for the instance to be stopped. + +4. Next, click Edit. + +5. Scroll down to the Service Account section. + +6. From the drop-down list, select the service account to assign to the instance. + + - Choose a service account other than the default. The VM's access scope defaults to the cloud-platform scope. You can modify the scope by using the gcloud CLI or Compute Engine API. + - For more information about setting access scopes, see [Best practices](#https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices). + +7. Click Save to save your changes. \ No newline at end of file diff --git a/en/google/compute/instance-maintenance-behavior.md b/en/google/compute/instance-maintenance-behavior.md new file mode 100644 index 000000000..1450b3600 --- /dev/null +++ b/en/google/compute/instance-maintenance-behavior.md 
@@ -0,0 +1,28 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Instance Maintenance Behavior + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instance Maintenance Behavior | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that \"On Host Maintenance\" configuration is set to Migrate for VM instances. | +| **More Info** | When Google Compute Engine performs regular maintenance of its infrastructure, it migrates your VM instances to other hardware if you have configured the availability policy for the instance to use live migration. This prevents your applications from experiencing disruptions during these events. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/setting-instance-scheduling-options | +| **Recommended Action** | Ensure that your Google Compute Engine VM instances are configured to use live migration. | + +## Detailed Remediation Steps +1. In the Google Cloud console, go to the VM instances page. + + [Go to VM instances](https://console.cloud.google.com/compute/instances) + +2. Click the VM for which you want to change settings. The VM details page displays. + +3. On the VM details page, complete the following steps: + + a. Click the Edit button at the top of the page. + b. Under Availability policies, update the policy as needed. From the Availability policies section, you can set the On host maintenance and Automatic restart options. + c. Click Save. \ No newline at end of file diff --git a/en/google/compute/instance-public-access-disabled.md b/en/google/compute/instance-public-access-disabled.md new file mode 100644 index 000000000..caa04f05e --- /dev/null +++ b/en/google/compute/instance-public-access-disabled.md 
@@ -0,0 +1,32 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Instance Public Access Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instance Public Access Disabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensures ability to disable public access | +| **More Info** | Disabling public access allows one to ensure that information cannot be accessed by others. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address | +| **Recommended Action** | Reserve a static external IP Address. | + +## Detailed Remediation Steps +1. Go to the Reserve a static address page. + + [Go to Reserve a static address](https://console.cloud.google.com/networking/addresses/add) + +2. Choose a name for the new address. + +3. Specify whether it is an `IPv4` or `IPv6` address. Global `IPv6` addresses can only be used with global load balancers. + +4. Specify whether this IP address is regional or global. If you are reserving a static IP address for an instance or for a regional load balancer, choose Regional. If you are reserving a static IP address for a global load balancer, choose Global. + +5. If this is a regional IP address, select the region to create the address in. + +6. Optional: Select a resource to attach the IP. + +7. Click Reserve to reserve the IP. \ No newline at end of file diff --git a/en/google/compute/os-login-2fa-enabled.md b/en/google/compute/os-login-2fa-enabled.md new file mode 100644 index 000000000..3cb3ac972 --- /dev/null +++ b/en/google/compute/os-login-2fa-enabled.md 
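Review bot: the Recommended Action and steps 1-7 in en/google/compute/instance-public-access-disabled.md reserve a static external IP address, which does not disable public access; it keeps the instance reachable from the internet on a stable address and works against the goal the plugin title states. The remediation for this finding is to remove the external IP from the instance's network interface (with Cloud NAT, IAP TCP forwarding or a bastion for egress and admin access), and the GOOGLE Link should point at that procedure rather than at reserve-static-external-ip-address. The Description ("Ensures ability to disable public access") and More Info are also too vague to tell the reader what is checked; say that instances should not have an external IP assigned.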
@@ -0,0 +1,28 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / OS Login 2FA Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | OS Login 2FA Enabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that Virtual Machines instances have OS logic feature enabled and configured with Two-Factor Authentication. | +| **More Info** | Enable OS login Two-Factor Authentication (2FA) to add an additional security layer to your VM instances. The risk of your VM instances getting attcked is reduced significantly if 2FA is enabled. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication | +| **Recommended Action** | Set enable-oslogin-2fa to true in custom metadata for the instance. | + +## Detailed Remediation Steps + +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Compute Engine" to select the "VM Instances" option. +3. On the "VM Instances" page, select the VM instance which needs to be verified. +4. Navigate to "Compute Engine", choose the "VM instances" and select the "VM instance" which needs `OS Login 2FA` enabled for the project. +5. On the "VM instance details" page, select the "Edit" button at the top. +6. On the "VM instance details - Edit page", scroll down the page and under "Metadata" select add item. +7. Add the key as `enable-oslogin-2fa` and set the value as "TRUE." +8. Click on the "Save" button to make the changes. +9. Navigate to "Metadata" under the "Compute Engine" to add project-wide metadata. +10. Click on the "Edit" button at the top and add an entry similar to the step 6 for the key and the value and click on the "Save" button to make the changes. \ No newline at end of file diff --git a/en/google/compute/shielded-vm-enabled.md b/en/google/compute/shielded-vm-enabled.md new file mode 100644 index 000000000..0b780021e 
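Review bot: `enable-oslogin-2fa=TRUE` only has an effect when OS Login itself is enabled, so steps 6-7 and 9-10 of en/google/compute/os-login-2fa-enabled.md should also set `enable-oslogin` to `TRUE` in the same metadata; as written the key is set but nothing is enforced on an instance that still uses metadata-based SSH keys. The steps should also say that instance metadata overrides project metadata, so an instance carrying `enable-oslogin-2fa=FALSE` still fails after step 10. Smaller points: the Description says "OS logic feature" (OS Login), More Info has "attcked", and steps 3 and 4 repeat the same navigation and should be merged.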
--- /dev/null +++ b/en/google/compute/shielded-vm-enabled.md @@ -0,0 +1,37 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Shielded VM Enabled +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Shielded VM Enabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensures that instances are configured with the shielded VM enabled | +| **More Info** | Shielded VM option should be configured to defend against the security attacks on the instances. | +| **GOOGLE Link** | https://cloud.google.com/security/shielded-cloud/shielded-vm | +| **Recommended Action** | Enable the shielded VM for all the instances for security reasons. | + +## Detailed Remediation Steps +1. In the Google Cloud console, go to the VM instances page. + + [Go to VM instances](https://console.cloud.google.com/compute/instances) + +2. Click the instance name to open the VM instance details page. + +3. Click Stop. + +4. After the instance stops, click Edit. + +5. In the Shielded VM section, modify the Shielded VM options: + + - Toggle Turn on Secure Boot to enable Secure Boot Compute Engine does not enable [Secure Boot](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#secure-boot) by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot. + + - Toggle Turn on vTPM to disable the virtual trusted platform module (vTPM). By default, Compute Engine enables the [Virtual Trusted Platform Module (vTPM)](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm). + + - Toggle Turn on Integrity Monitoring to disable integrity monitoring. By default, Compute Engine enables [integrity monitoring](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#integrity-monitoring). + +6. Click Save. + +7. Click Start to start the instance. \ No newline at end of file 
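Review bot: bullets 2 and 3 under step 5 of en/google/compute/shielded-vm-enabled.md read "Toggle Turn on vTPM to disable the virtual trusted platform module" and "Toggle Turn on Integrity Monitoring to disable integrity monitoring", the opposite of what a remediation titled Shielded VM Enabled should instruct; rewrite them as "make sure Turn on vTPM and Turn on Integrity Monitoring are enabled (both are on by default)". The steps also skip the prerequisite that the Shielded VM section only exists for instances whose boot disk image supports Shielded VM; an instance built from an unsupported image has nothing to toggle and must be recreated from a supporting image. More Info ("defend against the security attacks") should state what is defended: Secure Boot rejects unsigned boot components, the vTPM backs measured boot, and integrity monitoring reports boot measurements that deviate from the baseline.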
diff --git a/en/google/compute/vm-disks-cmk-encryption.md b/en/google/compute/vm-disks-cmk-encryption.md new file mode 100644 index 000000000..e1daf5647 --- /dev/null +++ b/en/google/compute/vm-disks-cmk-encryption.md @@ -0,0 +1,28 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / VM Disks CMK Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Disks CMK Encryption | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Encrypt a new persistent disk with CSEK | +| **More Info** | By default, Compute Engine encrypts all data at rest. However, if you want to control and manage this encryption yourself, you can provide your own encryption keys. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks/customer-supplied-encryption | +| **Recommended Action** | Encrypt a new persistent disk by supplying a key during VM or disk creation. | + +## Detailed Remediation Steps +1. Go to the Images page. + + [Go to Images](https://console.cloud.google.com/compute/images) + +2. Click Create image. + +3. Under Source disk, choose the encrypted disk you want to create an image of. + +4. Under Encryption, select an encryption key management solution. + +5. If the key has been wrapped with the public RSA key, select Wrapped key. \ No newline at end of file diff --git a/en/google/compute/vm-instance-deletion-protection.md b/en/google/compute/vm-instance-deletion-protection.md new file mode 100644 index 000000000..b161da484 --- /dev/null +++ b/en/google/compute/vm-instance-deletion-protection.md 
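Review bot: en/google/compute/vm-disks-cmk-encryption.md conflates two features: the title says CMK (Cloud KMS customer-managed keys) while the Description, More Info and GOOGLE Link describe CSEK (customer-supplied keys), and remediation steps 1-5 walk through creating an image from a disk that is already encrypted, which neither encrypts a VM disk nor remediates the finding. Decide which key type the plugin checks, make the table rows agree, and replace the steps with the procedure for that type: an existing persistent disk cannot be re-encrypted in place, so the fix is to snapshot or image it, create a new disk from that source with the chosen key selected under Encryption, attach the new disk to the VM, and delete the old one.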
@@ -0,0 +1,30 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / VM Instance Deletion Protection + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Instance Deletion Protection | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that Virtual Machine instances have deletion protection enabled. | +| **More Info** | VM instances should have deletion protection enabled in order to prevent them for being accidentally deleted. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/preventing-accidental-vm-deletion | +| **Recommended Action** | Modify VM instances to enable deletion protection | + +## Detailed Remediation Steps +1. Go to the VM instances page. + + [Go to VM instances](https://console.cloud.google.com/compute/instances) + +2. If prompted, select your project and click Continue. + +3. Click the name of the instance for which you want to enable deletion protection. The instance details page displays. + +4. From the instance details page, complete the following steps: + + a. Click the Edit button at the top of the page. + b. Under Deletion Protection, check the box to enable deletion protection. + c. Save your changes. \ No newline at end of file diff --git a/en/google/cryptographickeys/key-protection-level.md b/en/google/cryptographickeys/key-protection-level.md new file mode 100644 index 000000000..a542fdcf3 --- /dev/null +++ b/en/google/cryptographickeys/key-protection-level.md 
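Review bot: More Info in en/google/compute/vm-instance-deletion-protection.md has "prevent them for being accidentally deleted" (should be "from being"). Step 4 could also note that deletion protection can be toggled on a running instance, so the Stop/Edit/Start sequence used in the other compute files in this PR does not apply here.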
@@ -0,0 +1,40 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Cryptographic Keys / Key Protection Level + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Key Protection Level | +| **Cloud** | GOOGLE | +| **Category** | Cryptographic Keys | +| **Description** | Ensure that cryptographic keys have protection level equal to or above desired protection level. | +| **More Info** | Cloud KMS cryptographic keys should be created with protection level set by your organization's compliance and security rules. | +| **GOOGLE Link** | https://cloud.google.com/kms/docs/reference/rest/v1/ProtectionLevel | +| **Recommended Action** | Create cryptographic keys according to desired protection level. | + +## Detailed Remediation Steps +1. In the Google Cloud console, go to the [Key Management](#https://console.cloud.google.com/security/kms) page. + +2. Click the name of the key ring for which you will create a key. + +3. Click Create key. + +4. For Key name, enter a name for your key. + +5. For Protection level, select Software or HSM. + +6. For Key material, select Generated key. + +7. For Purpose, select either Symmetric encrypt/decrypt or Asymmetric decrypt. + + a. If selecting Symmetric encrypt/decrypt: + + i. Accept the default values for Rotation period and Starting on. + + b. If selecting Asymmetric decrypt: + + i. For Algorithm, select 3072 bit RSA - OAEP Padding - SHA256 Digest. You can change this value on future key versions. + +8. Click Create. \ No newline at end of file diff --git a/en/google/dataflow/dataflow-hanged-jobs.md b/en/google/dataflow/dataflow-hanged-jobs.md new file mode 100644 index 000000000..809daea13 --- /dev/null +++ b/en/google/dataflow/dataflow-hanged-jobs.md 
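Review bot: steps 2-8 of en/google/cryptographickeys/key-protection-level.md create a new key and say nothing about the key that raised the finding; a key's protection level is fixed at creation and cannot be changed afterwards, so the remediation must also cover re-encrypting data (or repointing the resources) to the new HSM key and then disabling or scheduling destruction of the old one. The Key Management link in step 1 is written as `(#https://console.cloud.google.com/security/kms)`; the leading `#` makes it a fragment link, drop it. Step 7b's "3072 bit RSA - OAEP Padding - SHA256 Digest" is an example copied from the console docs, not a requirement of this check; say so or drop it.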
@@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Dataflow / Dataflow Hanged Jobs +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Dataflow Hanged Jobs | +| **Cloud** | GOOGLE | +| **Category** | Datflow | +| **Description** | Ensure that Cloud Dataflow jobs are not in same state for more than defined amount of time. | +| **More Info** | Cloud Dataflow jobs transit between different states and normally reach terminal state. If they stay in same state for abnormal amount of time, job administrator should stop such jobs to save unnecessary cost. | +| **GOOGLE Link** | https://cloud.google.com/sdk/gcloud/reference/dataflow/jobs/cancel | +| **Recommended Action** | Cancel/stop Dataflow jobs which are in same state for more than set amount of time. | + +## Detailed Remediation Steps +1. The 'gcloud dataflow jobs cancel' commandlet cancels all jobs that match the command line arguments. + +2. To cancel jobs, log into the Google Cloud Console and open a cloud shell instance. See [Using Cloud Shell](#https://cloud.google.com/shell/docs/using-cloud-shell) for more details on access. + +3. Run the command in the following manner, replacing the variables with values corresponding to your organization: + ``` + gcloud dataflow jobs cancel JOB_ID [JOB_ID …] [--force] [--region=REGION_ID] [GCLOUD_WIDE_FLAG …] + ``` + +4. This variant is also available: + ``` + gcloud beta dataflow jobs cancel + ``` diff --git a/en/google/dataflow/dataflow-jobs-encryption.md b/en/google/dataflow/dataflow-jobs-encryption.md new file mode 100644 index 000000000..7bd97336f --- /dev/null +++ b/en/google/dataflow/dataflow-jobs-encryption.md 
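Review bot: the steps in en/google/dataflow/dataflow-hanged-jobs.md should warn that `gcloud dataflow jobs cancel` stops the job immediately and discards in-flight data, and that `gcloud dataflow jobs drain` is the safer choice for a streaming job; the `--force` flag in the synopsis should likewise be explained (it forces cancellation of a job stuck in the cancelling state) rather than pasted without comment. Wording: Category is misspelled "Datflow", "Hanged Jobs" should be "Hung Jobs", and step 1 calls the command a "commandlet", which is PowerShell terminology.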
@@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Dataflow / Dataflow Jobs Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Dataflow Jobs Encryption | +| **Cloud** | GOOGLE | +| **Category** | Datflow | +| **Description** | Ensure that Google Dataflow jobs are encrypted with desired encryption level. | +| **More Info** | Google encrypts all jobs in Dataflow by default. Protecting source and sinks data for Dataflow batch pipeline with CMEK gives user more granular access to encryption and decryption process.| +| **GOOGLE Link** | https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys | +| **Recommended Action** | Use desired encryption level to encrypt Dataflow jobs. | + +## Detailed Remediation Steps +1. Open the Dataflow monitoring UI.\ + [Go to the Dataflow Web UI](https://console.cloud.google.com/dataflow) +2. Select Create job from template. +3. In the Encryption section, select Customer-managed key. + +Note: The drop-down menu Select a customer-managed key only shows keys with the regional scope global or the region you selected in the Regional endpoint drop-down menu. In order to minimize Cloud KMS operation latency and improve system availability, we recommend choosing regional keys. + +The first time you attempt to run a job with a particular Cloud KMS key, your Compute Engine service account and/or Dataflow service account might not have been granted the permissions to encrypt and decrypt using that key. In this case, a warning message appears to prompt you to grant the permission to your service account. diff --git a/en/google/iam/member-admin.md b/en/google/iam/member-admin.md new file mode 100644 index 000000000..7860be9d5 --- /dev/null +++ b/en/google/iam/member-admin.md 
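Review bot: steps 1-3 of en/google/dataflow/dataflow-jobs-encryption.md only cover launching a new job from a template with Customer-managed key selected; a running job that triggered the finding keeps its current key, so the steps should say that it has to be stopped (drained if streaming) and relaunched with the CMEK, and that jobs submitted from pipeline code need the same key option set there. The two unnumbered paragraphs after step 3 carry the real prerequisites (regional key, and the Compute Engine and Dataflow service accounts needing Cloud KMS CryptoKey Encrypter/Decrypter on the key); fold them into numbered steps before the job is created instead of leaving them as trailing notes. Category is again misspelled "Datflow".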
@@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / Member Admin + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Member Admin | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Ensure that IAM members do not use primitive roles such as owner, editor or viewer. | +| **More Info** | For best security practices, use only predefined IAM roles and do not use primitive roles to prevent any unauthorized access to your resources. | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview | +| **Recommended Action** | Ensure that no IAM member has a primitive role. | + +## Detailed Remediation Steps + + diff --git a/en/google/iam/service-account-token-creator.md b/en/google/iam/service-account-token-creator.md new file mode 100644 index 000000000..2804c5f1c --- /dev/null +++ b/en/google/iam/service-account-token-creator.md 
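Review bot: the Detailed Remediation Steps section of en/google/iam/member-admin.md is empty, so the page reports a finding with no way to fix it; either write the steps (IAM page, find principals holding Owner/Editor/Viewer, replace the basic role with the narrowest predefined or custom role, in the same shape as the service-account-token-creator file in this PR) or hold the file back until they exist. More Info also says "use only predefined IAM roles", but custom roles are equally acceptable and often narrower; say "predefined or custom roles". Google now calls owner/editor/viewer "basic roles"; keep "primitive" only if the plugin output uses that word.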
@@ -0,0 +1,30 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / Service Account Token Creator + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Service Account Token Creator | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Ensures that no users have the Service Account Token Creator role. | +| **More Info** | For best security practices, IAM users should not have Service Account Token Creator role. | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview | +| **Recommended Action** | Ensure that no IAM user have Service Account Token Creator Role at GCP project level.| + +## Detailed Remediation Steps +1. In the Google Cloud console, go to the IAM page. + + - [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId) + +2. Select a project by clicking on the project's name. + +3. Find the row containing the principal whose access you want to revoke. + +4. Click Edit principal in that row. + + - Note: You cannot edit inherited roles when managing access to a resource. To edit inherited roles, go to the resource where the role was granted. + +5. Click the Delete delete button for the role that you want to revoke, and then click Save. diff --git a/en/google/kubernetes/cluster-encryption-enabled.md b/en/google/kubernetes/cluster-encryption-enabled.md new file mode 100644 index 000000000..5c1a88da6 --- /dev/null +++ b/en/google/kubernetes/cluster-encryption-enabled.md 
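Review bot: the inherited-roles note under step 4 of en/google/iam/service-account-token-creator.md matters more than it looks for this check: Token Creator granted at folder or organization level appears on every project below and cannot be removed from the project IAM page, so the steps should tell the reader to move up to the folder or organization IAM page in that case. More Info should also say why the role is dangerous rather than "for best security practices": it lets the holder mint access tokens and sign JWTs as any service account it can see, which is an impersonation path to everything those service accounts can do. Wording: Recommended Action has "no IAM user have" (should be "has"), and step 5 reads "Click the Delete delete button", an icon alt-text artifact copied from the console docs.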
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Cluster Encryption Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Cluster Encryption Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensure that GKE clusters have KMS encryption enabled to encrypt application-layer secrets. | +| **More Info** | Application-layer secrets encryption adds additional security layer to sensitive data such as Kubernetes secrets stored in etcd. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets | +| **Recommended Action** | Ensure that all GKE clusters have the desired application-layer secrets encryption level. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Kubernetes Engine" then select the "Clusters".
+3. On the "Kubernetes clusters" page , click on the "Name" of the cluster you want to modify.
+4. Under Security, in the Application-layer secrets encryption field, click Edit Application-layer secrets encryption.
+5. Select the Enable Application-layer secrets encryption checkbox and choose the KMS key. To Create a Cloud KMS key refer to https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets#creating-key.
+6. Click Save Changes.
+7. Repeat steps number 3 - 6 to enable application-layer secrets encryption for other "Clusters" in the account.
\ No newline at end of file diff --git a/en/google/kubernetes/integrity-monitoring-enabled.md b/en/google/kubernetes/integrity-monitoring-enabled.md new file mode 100644 index 000000000..b3b69ba40 --- /dev/null +++ b/en/google/kubernetes/integrity-monitoring-enabled.md @@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Integrity Monitoring Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Integrity Monitoring Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes shielded cluster node have integrity monitoring enabled | +| **More Info** | Integrity Monitoring feature automatically monitors the integrity of your cluster nodes. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes#integrity_monitoring | +| **Recommended Action** | Enable Integrity Monitoring feature for your cluster nodes | + +## Detailed Remediation Steps +1. Log in to the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Kubernetes Engine" option under "Compute" and select the "Clusters." +3. On the "Kubernetes clusters" page, click the name of the cluster you want to modify. +4. Click + Add Node Pool. +5. From the navigation menu, click Security. +6. Under Shielded options, select the Enable integrity monitoring checkbox. +7. Click Create +8. Repeat steps 3 - 7 for all other applicable clusters. \ No newline at end of file diff --git a/en/google/kubernetes/kubernetes-alpha-disabled.md b/en/google/kubernetes/kubernetes-alpha-disabled.md new file mode 100644 index 000000000..ebdfd5840 --- /dev/null +++ b/en/google/kubernetes/kubernetes-alpha-disabled.md 
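Review bot: step 5 in en/google/kubernetes/cluster-encryption-enabled.md tells the reader to "choose the KMS key" but not the conditions the key must meet, which the linked encrypting-secrets page spells out: the key has to be in the same location as the cluster, and the project's GKE service agent must hold Cloud KMS CryptoKey Encrypter/Decrypter on it, otherwise Save Changes in step 6 fails. Add both prerequisites to step 5 or as a step before it. Step 7's "in the account" should be "in the project".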
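Review bot: steps 4-7 of en/google/kubernetes/integrity-monitoring-enabled.md create a new node pool with "+ Add Node Pool" and never touch the pool that raised the finding, so the cluster still fails the check after the steps are followed. Either enable the option on the existing pool (it is a node-pool setting that can be updated in place, e.g. `gcloud container node-pools update NODE_POOL --cluster CLUSTER --shielded-integrity-monitoring`) or, if a new pool is intended, add steps to cordon and drain the old pool and delete it once workloads have moved. The Description also has "shielded cluster node have" (should be "nodes have").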
@@ -0,0 +1,17 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Kubernetes Alpha Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Kubernetes Alpha Disabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensure the GKE Cluster alpha cluster feature is disabled. | +| **More Info** | It is recommended to not use Alpha clusters as they expire after thirty days and do not receive security updates. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/concepts/alpha-clusters | +| **Recommended Action** | 1. Create a new cluster with the alpha feature disabled. 2. Migrate all required cluster data from the cluster with alpha to this newly created cluster. 3.Delete the engine cluster with alpha enabled. | + +## Detailed Remediation Steps diff --git a/en/google/kubernetes/node-encryption-enabled.md b/en/google/kubernetes/node-encryption-enabled.md new file mode 100644 index 000000000..11180b3c8 --- /dev/null +++ b/en/google/kubernetes/node-encryption-enabled.md @@ -0,0 +1,17 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Node Encryption Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Node Encryption Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensure that GKE cluster nodes are encrypted using desired encryption protection level. | +| **More Info** | Using Customer Managed Keys (CMKs) gives you better control over the encryption/decryption process of your cluster nodes. | +| **GOOGLE Link** | https://cloud.google.com/security/encryption/default-encryption | +| **Recommended Action** | Ensure that all node pools in GKE clusters have the desired encryption level. | + +## Detailed Remediation Steps 
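Review bot: both hunks here ship a heading with nothing under it: Detailed Remediation Steps in en/google/kubernetes/kubernetes-alpha-disabled.md and in en/google/kubernetes/node-encryption-enabled.md are empty. For the alpha file the three-step plan already sits in the Recommended Action cell; move it into the steps section (alpha clusters cannot be converted, so create, migrate, delete is the right shape). For the node-encryption file, the steps should cover creating a node pool with a Cloud KMS key selected for the node boot disks and migrating workloads to it, since the boot disk key is set when the pool is created; the GOOGLE Link should also point at the GKE CMEK how-to rather than the generic default-encryption overview.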
diff --git a/en/google/kubernetes/secure-boot-enabled.md b/en/google/kubernetes/secure-boot-enabled.md new file mode 100644 index 000000000..05026c2ad --- /dev/null +++ b/en/google/kubernetes/secure-boot-enabled.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Secure Boot Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Secure Boot Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes cluster nodes have secure boot feature enabled. | +| **More Info** | Secure Boot feature protects your cluster nodes from malware and makes sure the system runs only authentic software. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes#secure_boot | +| **Recommended Action** | Ensure that Secure Boot feature is enabled for all node pools in your GKE clusters. | + +## Detailed Remediation Steps +1. Log in to the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Kubernetes Engine" option under "Compute" and select the "Clusters." +3. On the "Kubernetes clusters" page, click the name of the cluster you want to modify. +4. Click + Add Node Pool. +5. From the navigation menu, click Security. +6. Under Shielded options, select the Enable secure boot checkbox. + - Note that Secure boot is a node pool setting that's disabled by default on GKE because third-party unsigned kernel modules cannot be loaded when secure boot is enabled. If you don't use third-party unsigned kernel modules, you can enable secure boot. +7. Click Create +8. Repeat steps 3 - 7 for all other applicable clusters. \ No newline at end of file diff --git a/en/google/kubernetes/shielded-nodes.md b/en/google/kubernetes/shielded-nodes.md new file mode 100644 index 000000000..bf4816a58 --- /dev/null +++ b/en/google/kubernetes/shielded-nodes.md 
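Review bot: as in the integrity-monitoring file, steps 4-7 of en/google/kubernetes/secure-boot-enabled.md add a new node pool and leave the non-compliant pool in place, so the finding persists; either enable secure boot on the existing pool or add the cordon, drain and delete steps for the old one. The note under step 6 is the right caveat (unsigned third-party kernel modules will not load); extend it with "check the current nodes for such modules before enabling", because nodes whose modules fail to load at boot is exactly the failure mode this setting introduces.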
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Shielded Nodes + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Shielded Nodes | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensure that shielded nodes setting is enabled for all Kubernetes clusters. | +| **More Info** | Shielded GKE nodes give strong cryptographic identity. This prevents attackers from being able to impersonate a node in your GKE cluster even if the attacker can extract the node credentials. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes | +| **Recommended Action** | Ensure that shielded nodes setting is enabled in your GKE cluster. | + +## Detailed Remediation Steps +1. Log in to the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Kubernetes Engine" option under "Compute" and select the "Clusters." +3. Click the name of the cluster you want to modify. +4. Under Security, in the Shielded GKE Nodes field, click edit Edit Shielded GKE Nodes. +5. Select the Enable Shielded GKE Nodes checkbox. +6. Click Save Changes +7. Repeat steps 3 - 6 for all other applicable clusters. \ No newline at end of file diff --git a/en/google/pubsub/dead-lettering-enabled.md b/en/google/pubsub/dead-lettering-enabled.md new file mode 100644 index 000000000..638b47c13 --- /dev/null +++ b/en/google/pubsub/dead-lettering-enabled.md 
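Review bot: step 4 of en/google/kubernetes/shielded-nodes.md reads "click edit Edit Shielded GKE Nodes", an icon alt-text artifact; drop the stray "edit". The steps should also state whether enabling Shielded GKE Nodes on an existing cluster recreates its nodes, since that decides whether the change needs a maintenance window. More Info would be clearer with the mechanism in one sentence: the control plane uses the node's vTPM-backed identity to verify that a node requesting credentials is a VM it launched, which is why a credential extracted from one node cannot be replayed from another machine.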
@@ -0,0 +1,30 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Pub/Sub / Dead Lettering Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Dead Lettering Enabled | +| **Cloud** | GOOGLE | +| **Category** | Pub/Sub | +| **Description** | Ensure that each Google Pub/Sub subscription is configured to use dead-letter topic. | +| **More Info** | Enabling dead lettering will handle message failures by forwarding undelivered messages to a dead-letter topic that stores the message for later access. | +| **GOOGLE Link** | https://cloud.google.com/pubsub/docs/dead-letter-topics | +| **Recommended Action** | Ensure that dead letter topics are configured for all your Google Cloud Pub/Sub subscriptions. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose "Pub/Sub" to select the "Subscriptions" option. +3. Next to the subscription to update, selet to open the "More Options" context menu. +4. In the context menu, select Edit. +5. In the Dead lettering section, select Enable dead lettering. +6. Choose or create a topic from the drop-down menu. + - If the chosen topic does not have a subscription, the system prompts you to create one. +7. In the Maximum delivery attempts field, specify an integer between 5 and 100. +8. Click Update. + - The details panel shows a list of possible action items. If any of the items show an error icon error, click the action item to resolve the issue. +9. Repeat steps 3 - 8 for any additional subscriptions requiring dead lettering to be enabled. + +**These configuration changes may incur additional costs** \ No newline at end of file diff --git a/en/google/pubsub/topic-encryption-enabled.md b/en/google/pubsub/topic-encryption-enabled.md new file mode 100644 index 000000000..f3f43dad0 --- /dev/null +++ b/en/google/pubsub/topic-encryption-enabled.md 
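Review bot: the "possible action items" under step 8 of en/google/pubsub/dead-lettering-enabled.md are left unexplained; they are the IAM grants Pub/Sub needs to forward messages (Publisher on the dead-letter topic and Subscriber on the subscription, for the Pub/Sub service account), and a remediation page should state that rather than send the reader to click error icons. Step 3 has "selet" and lost the menu name ("select More Options, the three-dot menu"). The cost warning at the end is useful, keep it.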
@@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Pub/Sub / Topic Encryption Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Topic Encryption Enabled | +| **Cloud** | GOOGLE | +| **Category** | Pub/Sub | +| **Description** | nsure that Google Pub/Sub topics are encrypted with desired encryption level. | +| **More Info** |Google encrypts all messages in topics by default. By using CSEK, only the users with the key can access the disk. Anyone else, including Google, cannot access the disk data. | +| **GOOGLE Link** | https://cloud.google.com/pubsub/docs/encryption | +| **Recommended Action** | Ensure that Cloud Pub/Sub topics are encrypted using CSEK keys. | + +## Detailed Remediation Steps +You can configure CMEK using the Google Cloud console or the gcloud command-line tool. For prerequisites, you must have: +1. Created a key ring and a regional or global key in Cloud KMS. Keys and key rings cannot be deleted. +2. Enabled the Cloud KMS API. +You can use the Google Cloud console topic creation dialog to add your encryption keys:
+To verify that Pub/Sub topic are not encrypted using a Customer-Managed Key (CMK) follow these steps: +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose "Pub/Sub". +3. Select Topics to access the Pub/Sub topics created for the selected GCP project. +4. Click on the identifier (ID) of the topic that you want to examine. +5. In the Topic details section, check the Encryption key configuration attribute value. If the Encryption key attribute value is set to Google-managed key, the messages published to the selected Google Cloud Pub/Sub topic are not encrypted using a Customer-Managed Key (CMK). +6. Repeat step no. 4 and 5 for each Pub/Sub topic created within the selected project. +7. 7Repeat steps no. 2 – 6 for each project deployed within your Google Cloud account. \ No newline at end of file diff --git a/en/google/resourcemanager/compute-allowed-external-ips.md b/en/google/resourcemanager/compute-allowed-external-ips.md new file mode 100644 index 000000000..8d454aeff --- /dev/null +++ b/en/google/resourcemanager/compute-allowed-external-ips.md 
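Review bot: en/google/pubsub/topic-encryption-enabled.md is internally inconsistent: More Info talks about CSEK and "the disk" (text copied from a Compute Engine disk page; Pub/Sub supports CMEK through Cloud KMS, not customer-supplied keys, and there is no disk), Recommended Action says "CSEK keys" while the steps say CMEK, and the numbered list under Detailed Remediation Steps is a verification procedure ("To verify that Pub/Sub topic are not encrypted...") rather than a remediation. The sentence "You can use the Google Cloud console topic creation dialog to add your encryption keys:" ends in a colon with nothing after it, the Description starts with "nsure", and step 7 begins "7Repeat". Rewrite More Info and Recommended Action around CMEK, and replace the verification list with the actual fix: selecting a Cloud KMS key under Encryption for the topic, and stating whether an existing topic can be updated or must be re-created with publishers and subscriptions repointed.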
@@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Compute Allowed External IPs + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Compute Allowed External IPs | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if \"Define Allowed External IPs for VM Instances\" constraint policy is enabled at the GCP organization level. | +| **More Info** | To reduce exposure to the internet, make sure that not all VM instances are allowed to use external IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Define Allowed External IPs for VM Instances\" constraint is enforced to allow you to define the VM instances that are allowed to use external IP addresses. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.

+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.

+3. Navigate to Cloud Identity and Access Management (IAM) [dashboard](#https://console.cloud.google.com/iam-admin/iam). +4. In the navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.

+5. Click inside Filter box, select *Name* and *Define allowed external IPs for VM instances* to return the \"Define Allowed External IPs for VM Instances\" policy.

+6. Click on the GCP organization policy returned at step 5. +7. On the Policy details page, check the **Allowed** configuration attribute value. If the **Allowed** attribute value is set to **All**, then all the virtual machine instances created within the selected Google Cloud Platform (GCP) organization are allowed to use external IP addresses. +8. Click on Manage Policy to define constraint policy.

+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then under policy enforcement: Select Replace. Finally, Click on \"Add Role\".


+10. In Add Role expanded Section, for Policy Value: Select "\Deny All\". Then Click on "\Add Condition\"


+11. In Edit Condition Screen, Add the required conditions to allow only VM instances taht needs to use external IP addresses

+12. Click Save. \ No newline at end of file diff --git a/en/google/resourcemanager/detailed-audit-logging-mode.md b/en/google/resourcemanager/detailed-audit-logging-mode.md new file mode 100644 index 000000000..632c62b24 --- /dev/null +++ b/en/google/resourcemanager/detailed-audit-logging-mode.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Detailed Audit Logging Mode + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Detailed Audit Logging Mode | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Detailed Audit Logging Mode" policy is configured at the GCP organization level. | +| **More Info** | Detailed Audit Logging Mode is highly encouraged in coordination with Bucket Lock when seeking compliances such as SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c). | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that "Detailed Audit Logging Mode" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.


+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.


+3. Navigate to [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.
+6. Type in **Detailed Audit Logging Mode** to return the \"Detailed Audit Logging Mode\" policy.


+7. Click on the policy name.


+8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on \"Manage Policy\" to edit the policy.


+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
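Review bot: "Add Role" in step 9 (and "In Add Role expanded Section" in step 10) is the wrong control name for the Organization Policies editor; rules for a constraint are added with "Add rule", which is the wording `disable-vm-ip-forwarding.md` in this same change uses ("Under the Rules section, select `Add rule`"), so a reader looking for an "Add Role" button will not find one. While here: fix "enforcemnt" in step 10, settle on one spelling of "organisation" (step 2) vs. "organization" (step 4), rewrite step 12 as "When you return to the Policy details screen, the status will show "Enforced".", and end the file with a newline (`\ No newline at end of file`).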

\ No newline at end of file diff --git a/en/google/resourcemanager/disable-automatic-iam-grants.md b/en/google/resourcemanager/disable-automatic-iam-grants.md new file mode 100644 index 000000000..0b0d41ddf --- /dev/null +++ b/en/google/resourcemanager/disable-automatic-iam-grants.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Disable Automatic IAM Grants + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disable Automatic IAM Grants | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced at the organization level. | +| **More Info** | By default, service accounts get the editor role when created. To improve access security, disable the automatic IAM role grant. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Disable Automatic IAM Grants for Default Service Accounts\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.

+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.

+3. Navigate to Cloud Identity and Access Management (IAM) [dashboard](#https://console.cloud.google.com/iam-admin/iam). +4. In the navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.

+5. Click inside Filter box, select **Name**.

+6. Type in **Disable Automatic IAM Grants** to return the \"Disable Automatic IAM Grants\" policy.

+7. Click on the GCP organization policy returned at step 6.

+8. On the Policy details page, check the **Status** configuration attribute value. If the **Status** attribute value is set to **Not enforced**, then click on Manage Policy to edit the policy.


+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
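Review bot: The "More Info" cell overstates the scope: "service accounts get the editor role when created" applies only to the default service accounts named in the Description, so narrow it to something like "By default, the default service accounts are granted the Editor role on their project; enforcing this constraint prevents that automatic grant." The step-3 link `[dashboard](#https://console.cloud.google.com/iam-admin/iam)` is also broken: the leading `#` turns the href into an in-page fragment, so drop it. Same "Add Role" to "Add rule", "enforcemnt" and missing trailing-newline fixes as in the other files of this change.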

\ No newline at end of file diff --git a/en/google/resourcemanager/disable-default-encryption-creation.md b/en/google/resourcemanager/disable-default-encryption-creation.md new file mode 100644 index 000000000..347878867 --- /dev/null +++ b/en/google/resourcemanager/disable-default-encryption-creation.md @@ -0,0 +1,31 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Disable Default Encryption Creation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disable Default Encryption Creation | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Restrict Default Google-Managed Encryption for Cloud SQL Instances" is enforced on the GCP organization level. | +| **More Info** | Google-managed encryption keys for Cloud SQL database instances to enforce the use of Customer-Managed Keys (CMKs) in order to have complete control over database encryption/decryption process. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that "Restrict Default Google-Managed Encryption for Cloud SQL Instances" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +**Note**
+\"Restrict default Google-managed encryption on Cloud SQL instances\" policy is being deprecated by Google Cloud, therefore the policy may not appear in your account.
+1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.


+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.


+3. Navigate to [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.
+6. Type in **Restrict Default Google-Managed Encryption for Cloud SQL Instances** to return the \"Restrict Default Google-Managed Encryption for Cloud SQL Instances\" policy. +7. Click on the policy name. +8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on \"Manage Policy\" to edit the policy. +9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\". +10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced". \ No newline at end of file diff --git a/en/google/resourcemanager/disable-guest-attributes.md b/en/google/resourcemanager/disable-guest-attributes.md new file mode 100644 index 000000000..4ac75d940 --- /dev/null +++ b/en/google/resourcemanager/disable-guest-attributes.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Disable Guest Attributes + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disable Guest Attributes | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Disable Guest Attributes of Compute Engine Metadata" constraint policy is enabled at the GCP organization level. | +| **More Info** | Guest attributes are used for VM instance configuration. For security reasons, ensure that users cannot configure guest attributes for your VM instances. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Disable Guest Attributes of Compute Engine Metadata\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.

+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.

+3. Navigate to Cloud Identity and Access Management (IAM) [dashboard](#https://console.cloud.google.com/iam-admin/iam). +4. In the navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.

+5. Click inside Filter box, select **Name**.

+6. Type in **Disable Guest Attributes of Compute Engine Metadata** to return the \"Disable Guest Attributes of Compute Engine Metadata\" policy.

+7. Click on the policy returned at step 6.

+8. On the Policy details page, check the **Status** configuration attribute value. If the **Status** attribute value is set to **Not enforced**, then click on Manage Policy to edit the policy.

+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
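Review bot: The step-3 link `[dashboard](#https://console.cloud.google.com/iam-admin/iam)` does not navigate anywhere because of the leading `#`; remove it. Step 9/10 should say "Add rule" rather than "Add Role" (compare `disable-vm-ip-forwarding.md` in this change), step 10 has "enforcemnt", and step 12 should read "When you return to the Policy details screen, the status will show "Enforced"."; the file also lacks a trailing newline.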

\ No newline at end of file diff --git a/en/google/resourcemanager/disable-serial-port-access.md b/en/google/resourcemanager/disable-serial-port-access.md new file mode 100644 index 000000000..488a68a7b --- /dev/null +++ b/en/google/resourcemanager/disable-serial-port-access.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Disable Serial Port Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disable Serial Port Access | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Disable VM serial port access" policy is enforced at the GCP organization level. | +| **More Info** | For security purposes, ensure that serial port access to your VM instances is disabled. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** |Ensure that \"Disable VM serial port access\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.

+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.

+3. Navigate to Cloud [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.


+6. Type in **Disable VM serial port access** to return the \"Disable VM serial port access\" policy.


+7. Click on the policy name.


+8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on Manage Policy to edit the policy.

+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
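Review bot: Step 3 strands the word "Cloud" outside the link text ("Navigate to Cloud [Identity and Access Management IAM](...)"); make it "Navigate to the [Cloud Identity and Access Management (IAM)](https://console.cloud.google.com/iam-admin/iam) page". The "Recommended Action" cell is missing the space after the pipe (`|Ensure that ...`), which breaks the table's visual alignment in the source even though it renders. Same "Add Role" to "Add rule", "enforcemnt", step-12 grammar and trailing-newline fixes as elsewhere in this change.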

\ No newline at end of file diff --git a/en/google/resourcemanager/disable-service-account-creation.md b/en/google/resourcemanager/disable-service-account-creation.md new file mode 100644 index 000000000..6ddb769a1 --- /dev/null +++ b/en/google/resourcemanager/disable-service-account-creation.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Disable Service Account Creation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disable Service Account Creation | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Disable Service Account Creation" policy is enforced at the GCP organization level. | +| **More Info** | Enforcing the "Disable Service Account Creation" policy allows you to centrally manage your service accounts and reduces the chances of compromised service accounts being used to access your GCP resources. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** |Ensure that "Disable Service Account Creation" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.


+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.


+3. Navigate to Cloud [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.


+6. Type in **Disable Service Account Creation** to return the \"Disable Service Account Creation\" policy.
+7. Click on the policy name.


+8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on \"Manage Policy\" to edit the policy.


+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
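Review bot: Steps 6 and 7 run together with no blank line while every other step in this list is separated by two blank lines, so the list spacing is inconsistent; pick one convention for all twelve steps (the single-blank-line layout used elsewhere in the repository's `en/aws` pages is the obvious choice). Step 3 also has "Cloud" outside the link text, step 9/10 say "Add Role" for what the console calls "Add rule", step 10 has "enforcemnt", and the file has no trailing newline.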

\ No newline at end of file diff --git a/en/google/resourcemanager/disable-service-account-key-creation.md b/en/google/resourcemanager/disable-service-account-key-creation.md new file mode 100644 index 000000000..24ac81ddb --- /dev/null +++ b/en/google/resourcemanager/disable-service-account-key-creation.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Disable Service Account Key Creation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disable Service Account Key Creation | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Disable Service Account Key Creation" policy is enforced at the GCP organization level. | +| **More Info** | User-managed keys can impose a security risk if they are not handled correctly. To minimize the risk, enable user-managed keys in only specific locations. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** |Ensure that "Disable Service Account Key Creation" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.


+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.


+3. Navigate to Cloud [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.
+6. Type in **Disable Service Account Key Creation** to return the \"Disable Service Account Key Creation\" policy.


+7. Click on the policy name.


+8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on \"Manage Policy\" to edit the policy.


+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
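Review bot: "enable user-managed keys in only specific locations" in the "More Info" cell is ambiguous: "locations" reads as geographic regions, whereas an exception to this constraint is granted on a folder or project. Suggest: "Enforce the constraint at the organization level and grant exceptions only to the specific projects or folders that genuinely need user-managed keys." Step 3 strands "Cloud" outside the link, steps 9/10 should say "Add rule" instead of "Add Role", step 10 has "enforcemnt", and the file lacks a trailing newline.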

\ No newline at end of file diff --git a/en/google/resourcemanager/disable-service-account-key-upload.md b/en/google/resourcemanager/disable-service-account-key-upload.md new file mode 100644 index 000000000..ae644e8a2 --- /dev/null +++ b/en/google/resourcemanager/disable-service-account-key-upload.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Disable Service Account Key Upload + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disable Service Account Key Upload | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Disable Service Account Key Upload" policy is enforced at the GCP organization level. | +| **More Info** | User-managed keys can impose a security risk if they are not handled correctly. To minimize the risk, enable user-managed keys in only specific locations. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** |Ensure that "Disable Service Account Key Upload" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.


+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.


+3. Navigate to Cloud [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.
+6. Type in **Disable Service Account Key Upload** to return the \"Disable Service Account Key Upload\" policy.


+7. Click on the policy name.


+8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on \"Manage Policy\" to edit the policy.


+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
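Review bot: The "More Info" cell is copied verbatim from `disable-service-account-key-creation.md` and never mentions uploading, so the two documents are indistinguishable to a reader; reword it to state what this constraint governs (uploading externally generated public keys to service accounts, as opposed to creating keys in Google Cloud), keeping the shared risk statement if you like. Same fixes as the sibling file: stray "Cloud" outside the step-3 link, "Add Role" to "Add rule", "enforcemnt", step-12 grammar and the missing trailing newline.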

\ No newline at end of file diff --git a/en/google/resourcemanager/disable-vm-ip-forwarding.md b/en/google/resourcemanager/disable-vm-ip-forwarding.md new file mode 100644 index 000000000..bba5adccc --- /dev/null +++ b/en/google/resourcemanager/disable-vm-ip-forwarding.md 
@@ -0,0 +1,34 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Disable VM IP Forwarding + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disable VM IP Forwarding | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if \"Restrict VM IP Forwarding\" constraint policy is enforced at the GCP organization level. | +| **More Info** | Enforcing the \"Restrict VM IP Forwarding\" constraint allows you to define the VM instances that can ensble IP forwarding. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Restrict VM IP Forwarding\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to the Google Cloud console, go to the [Identity and Access Management (IAM)](#https://console.cloud.google.com/iam-admin/iam.) page. + +2. Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine. + +3. In the navigation panel, select **Organization Policies** to view the list of the cloud organization policies available. + +4. In the Filter by constraint section, select `Name` and filter by: `Restrict VM IP Forwarding`. + +5. Select the `Restrict VM IP Forwarding` organizational policy. + +6. In the `Policy details` page, see the `Allowed` configuration attribute value. If the value is set to `All`, select the Manage Policy button in the upper right to modify the policy. + +6. In the `Applies to` section, change the selection to Customize. + +7. Under `Policy enforcement` select Merge with parent. + +8. Under the Rules section, select `Add rule` and provide a custom policy value to define allowed where cloud resources can be created. Once completed, select Done and Save. 
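Review bot: Step 8 is a copy-paste from the Resource Location Restriction page ("provide a custom policy value to define allowed where cloud resources can be created") and is wrong for this constraint; it should describe the rule for IP forwarding, e.g. "provide a custom policy value listing the VM instances that are allowed to enable IP forwarding", matching the "More Info" cell. Two steps are numbered 6, so renumber 6 to 9 as 6 to 10. The step-1 link `(#https://console.cloud.google.com/iam-admin/iam.)` has both a leading `#` and a trailing `.` inside the URL and will not resolve, and "ensble" in "More Info" should be "enable". The file also has no trailing newline.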
\ No newline at end of file diff --git a/en/google/resourcemanager/disable-workload-identity-cluster-creation.md b/en/google/resourcemanager/disable-workload-identity-cluster-creation.md new file mode 100644 index 000000000..9d5cb0047 --- /dev/null +++ b/en/google/resourcemanager/disable-workload-identity-cluster-creation.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Disable Workload Identity Cluster Creation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Disable Workload Identity Cluster Creation | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Disable Workload Identity Cluster Creation" policy is enforced at the GCP organization level. | +| **More Info** | To have a better control over service account access, make sure that GKE clusters have Workload Identity feature disabled at the time of creation. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that "Disable Workload Identity Cluster Creation" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.


+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.


+3. Navigate to Cloud [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.
+6. Type in **Disable Service Account Key Upload** to return the \"Disable Service Account Key Upload\" policy.


+7. Click on the policy name.


+8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on \"Manage Policy\" to edit the policy.


+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
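Review bot: Step 6 tells the reader to filter for "Disable Service Account Key Upload", which is the wrong policy for this page; it should be "Disable Workload Identity Cluster Creation" so that step 7 ("Click on the policy name") opens the constraint this plugin checks. Also "have Workload Identity feature disabled" in "More Info" needs "the" ("have the Workload Identity feature disabled"), step 3 strands "Cloud" outside the link, steps 9/10 should say "Add rule" rather than "Add Role", step 10 has "enforcemnt", and the file lacks a trailing newline.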

\ No newline at end of file diff --git a/en/google/resourcemanager/enforce-require-os-login.md b/en/google/resourcemanager/enforce-require-os-login.md new file mode 100644 index 000000000..ee53ce29c --- /dev/null +++ b/en/google/resourcemanager/enforce-require-os-login.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Enforce Require OS Login + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Enforce Require OS Login | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** |Determine if "Require OS Login" policy is enforced at the GCP organization level. | +| **More Info** | Enabling OS Login at project level will ensure that the SSH keys being used to access your VM instances are mapped with Cloud IAM users. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that "Require OS Login" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.


+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.


+3. Navigate to [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.
+6. Type in **Require OS Login** to return the \"Require OS Login\" policy.


+7. Click on the policy name.


+8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on \"Manage Policy\" to edit the policy.


+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
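Review bot: The "More Info" cell says "Enabling OS Login at project level", which contradicts the Description and Recommended Action (both about enforcing the constraint at the organization level); change it to "Enforcing Require OS Login at the organization level ensures that SSH access to VM instances in every project is tied to Cloud IAM identities." The Description cell is also missing the space after the pipe (`|Determine ...`). Same "Add Role" to "Add rule", "enforcemnt", step-12 grammar and trailing-newline fixes as the other files in this change.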

\ No newline at end of file diff --git a/en/google/resourcemanager/enforce-restrict-authorized-networks.md b/en/google/resourcemanager/enforce-restrict-authorized-networks.md new file mode 100644 index 000000000..27928ff58 --- /dev/null +++ b/en/google/resourcemanager/enforce-restrict-authorized-networks.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Enforce Restrict Authorized Networks + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Enforce Restrict Authorized Networks | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at the GCP organization level. | +| **More Info** | Enforcing "Restrict Authorized Networks on Cloud SQL instances" organization policy, restricts adding authorized networks for unproxied database access to Cloud SQL instances. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that "Restrict Authorized Networks on Cloud SQL instances" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.


+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.


+3. Navigate to [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.
+6. Type in **Restrict Authorized Networks on Cloud SQL instances** to return the \"Restrict Authorized Networks on Cloud SQL instances\" policy.


+7. Click on the policy name.


+8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on \"Manage Policy\" to edit the policy.


+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
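Review bot: The "More Info" sentence has a stray comma between subject and verb ("organization policy, restricts adding"); drop it. Otherwise the same shared fixes apply: "Add Role" should be "Add rule" in steps 9 and 10, "enforcemnt" in step 10, step 12 should read "When you return to the Policy details screen, the status will show "Enforced".", and the file has no trailing newline.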

\ No newline at end of file diff --git a/en/google/resourcemanager/enforce-uniform-bucket-level-access.md b/en/google/resourcemanager/enforce-uniform-bucket-level-access.md new file mode 100644 index 000000000..65ae35453 --- /dev/null +++ b/en/google/resourcemanager/enforce-uniform-bucket-level-access.md @@ -0,0 +1,29 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Enforce Uniform Bucket-Level Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Enforce Uniform Bucket-Level Access | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if "Enforce uniform bucket-level access" policy is enabled at the GCP organization level. | +| **More Info** | Enforcing Uniform Bucket Level Access ensures that access is granted exclusively through Cloud IAM service which is more efficient and secure. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that "Enforce uniform bucket-level access" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to Google Cloud Management Console with the organizational unit credentials, then Click the deployment selector in the upper navigation bar.


+2. Select ALL to view a summary of all current deployments, and then pick the Google Cloud organisation you want to look at.


+3. Navigate to [Identity and Access Management IAM](https://console.cloud.google.com/iam-admin/iam). +4. In the left navigation panel, select Organization Policies to view the list of the constraint policies available for your GCP organization.


+5. Click inside Filter box, filter by **Name**.
+6. Type in **Enforce uniform bucket-level access** to return the \"Enforce uniform bucket-level access\" policy.


+7. Click on the policy name.


+8. On the Policy details page, check the **Status** attribute value. If the **Status** attribute value is set to **Not enforced**, then click on \"Manage Policy\" to edit the policy.


+9. In Edit Policy screen, under \"Applies to\" section, select \"Customize\". Then Click on \"Add Role\".


+10. In Add Role expanded Section, under enforcemnt: Select "On".


+11. Click Save.

+12. When return to Policy details screen, status will now show "Enforced".
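Review bot: "which is more efficient and secure" in the "More Info" cell is marketing phrasing rather than a reason; state the concrete effect, e.g. "object-level ACLs no longer grant access, so IAM bindings are the single source of truth for who can read or write the bucket." Apply the shared fixes as well: "Add Role" to "Add rule" (steps 9 and 10), "enforcemnt" (step 10), the step-12 grammar, and the missing trailing newline.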

\ No newline at end of file diff --git a/en/google/resourcemanager/location-based-service-restriction.md b/en/google/resourcemanager/location-based-service-restriction.md new file mode 100644 index 000000000..f34cfd52b --- /dev/null +++ b/en/google/resourcemanager/location-based-service-restriction.md 
@@ -0,0 +1,34 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Location-Based Service Restriction + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Location-Based Service Restriction | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if \"Resource Location Restriction\" is enforced on the GCP organization level. | +| **More Info** | Enforcing the \"Resource Location Restriction\" constraint allows you to define the locations where your cloud resources can be created. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Resource Location Restriction\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to the Google Cloud console, go to the [Identity and Access Management (IAM)](#https://console.cloud.google.com/iam-admin/iam.) page. + +2. Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine. + +3. In the navigation panel, select **Organization Policies** to view the list of the cloud organization policies available. + +4. In the Filter by constraint section, select `Name` and filter by: `Google Cloud Platform - Resource Location Restriction`. + +5. Select the `Google Cloud Platform - Resource Location Restriction` organizational policy. + +6. In the `Policy details` page, see the `Allowed` configuration attribute value. If the value is set to `All`, select the Manage Policy button in the upper right to modify the policy. + +6. In the `Applies to` section, change the selection to Customize. + +7. In the `Policy enforcement` section, select Merge with parent. + +8. 
Under the Rules section, select `Add rule` and provide a custom policy value to define allowed where cloud resources can be created. Once completed, select Done and Save. \ No newline at end of file diff --git a/en/google/resourcemanager/restrict-load-balancer-creation.md b/en/google/resourcemanager/restrict-load-balancer-creation.md new file mode 100644 index 000000000..a1b66b3c7 --- /dev/null +++ b/en/google/resourcemanager/restrict-load-balancer-creation.md 
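Review bot: In location-based-service-restriction.md the step 1 link target `(#https://console.cloud.google.com/iam-admin/iam.)` is written as a same-page fragment with a trailing period, so it renders as a dead anchor; drop the leading `#` and the `.`, or link straight to the Organization Policies page as trusted-image-projects.md in this same patch does. Two consecutive steps are numbered 6, and step 8's "define allowed where cloud resources can be created" should read "define the locations where cloud resources can be created". "deployment selector" is not console terminology; the top-bar control is the project/organization selector.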
@@ -0,0 +1,34 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Restrict Load Balancer Creation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Restrict Load Balancer Creation | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if \"Restrict Load Balancer Creation for Types\" is enforced on the GCP organization level. | +| **More Info** | Enforcing the \"Restrict Load Balancer Creation for Types\" constraint allows you to control which type of load balancers can be created within your organization. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Restrict Load Balancer Creation for Types\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to the Google Cloud console, go to the [Identity and Access Management (IAM)](#https://console.cloud.google.com/iam-admin/iam.) page. + +2. Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine. + +3. In the navigation panel, select **Organization Policies** to view the list of the cloud organization policies available. + +4. In the Filter by constraint section, select `Name` and filter by: `Restrict Load Balancer Creation Based on Load Balancer Types`. + +5. Select the `Restrict Load Balancer Creation Based on Load Balancer Types` organizational policy. + +6. In the `Policy details` page, see the `Allowed` configuration attribute value. If the value is set to `All`, select the Manage Policy button in the upper right to modify the policy. + +6. In the `Applies to` section, change the selection to Customize. + +7. Under `Policy enforcement` select Merge with parent. + +8. 
Under the Rules section, select `Add rule` and provide a custom policy value to define allowed where cloud resources can be created. Once completed, select Done and Save. \ No newline at end of file diff --git a/en/google/resourcemanager/restrict-shared-vpc-subnetworks.md b/en/google/resourcemanager/restrict-shared-vpc-subnetworks.md new file mode 100644 index 000000000..12d3e5732 --- /dev/null +++ b/en/google/resourcemanager/restrict-shared-vpc-subnetworks.md 
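Review bot: Step 8 of restrict-load-balancer-creation.md was copied from the location constraint page: it tells the reader to "define allowed where cloud resources can be created", but for this constraint the rule values are the load balancer types to allow or deny, as the page's own More Info row says, not locations. Reword to "provide the load balancer types that may be created". The same sibling defects are present here: two steps numbered 6, and the `(#https://console.cloud.google.com/iam-admin/iam.)` link that renders as a same-page fragment with a trailing period.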
@@ -0,0 +1,34 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Restrict Shared VPC Subnetworks + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Restrict Shared VPC Subnetworks | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if \"Restrict Shared VPC Subnetworks\" is enforced on the GCP organization level. | +| **More Info** | Enforcing the \"Restrict Shared VPC Subnetworks\" constraint allows you to define which VPC Shared Subnetworks your resources can use within your GCP organization. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Restrict Shared VPC Subnetworks\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to the Google Cloud console, go to the [Identity and Access Management (IAM)](#https://console.cloud.google.com/iam-admin/iam.) page. + +2. Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine. + +3. In the navigation panel, select **Organization Policies** to view the list of the cloud organization policies available. + +4. In the Filter by constraint section, select `Name` and filter by: `Restrict Shared VPC Subnetworks`. + +5. Select the `Restrict Shared VPC Subnetworks` organizational policy. + +6. In the `Policy details` page, see the `Allowed` configuration attribute value. If the value is set to `All`, select the Manage Policy button in the upper right to modify the policy. + +6. In the `Applies to` section, change the selection to Customize. + +7. Under `Policy enforcement` select Merge with parent. + +8. 
Under the Rules section, select `Add rule` and provide a custom policy value to define allowed where cloud resources can be created. Once completed, select Done and Save. \ No newline at end of file diff --git a/en/google/resourcemanager/restrict-vpc-peering.md b/en/google/resourcemanager/restrict-vpc-peering.md new file mode 100644 index 000000000..ae787eeb1 --- /dev/null +++ b/en/google/resourcemanager/restrict-vpc-peering.md 
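Review bot: Step 8 of restrict-shared-vpc-subnetworks.md again says "define allowed where cloud resources can be created", which is the location-constraint wording; for this constraint the rule values are the Shared VPC subnetworks that resources in the organization may attach to (the More Info row states this correctly). Reword step 8 to match, fix the duplicated step number 6, and remove the `#` and trailing `.` from the step 1 link so it points at the console rather than a page fragment.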
@@ -0,0 +1,34 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Restrict VPC Peering + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Restrict VPC Peering | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if \"Restrict VPC Peering\" is enforced on the GCP organization level. | +| **More Info** | Enforcing the \"Restrict VPC Peering\" constraint allows you to define which VPC Networks are allowed to be peered with other networks. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Restrict VPC Peering\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to the Google Cloud console, go to the [Identity and Access Management (IAM)](#https://console.cloud.google.com/iam-admin/iam.) page. + +2. Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine. + +3. In the navigation panel, select **Organization Policies** to view the list of the cloud organization policies available. + +4. In the Filter by constraint section, select `Name` and filter by: `Restrict VPC Peering`. + +5. Select the `Restrict VPC Peering` organizational policy. + +6. In the `Policy details` page, see the `Allowed` configuration attribute value. If the value is set to `All`, select the Manage Policy button in the upper right to modify the policy. + +6. In the `Applies to` section, change the selection to Customize. + +7. Under `Policy enforcement` select Merge with parent. + +8. Under the Rules section, select `Add rule` and provide a custom policy value to define allowed where cloud resources can be created. Once completed, select Done and Save. \ No newline at end of file 
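Review bot: Step 8 of restrict-vpc-peering.md inherits the location-constraint text "define allowed where cloud resources can be created"; for this constraint the rule values are the VPC networks that are permitted as peering targets, per the page's own More Info row. Reword accordingly. Duplicate step number 6 and the `(#https://...iam.)` link fragment with trailing period are carried over here as well.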
diff --git a/en/google/resourcemanager/restrict-vpn-peer-ips.md b/en/google/resourcemanager/restrict-vpn-peer-ips.md new file mode 100644 index 000000000..03202a1a9 --- /dev/null +++ b/en/google/resourcemanager/restrict-vpn-peer-ips.md 
@@ -0,0 +1,34 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Restrict VPN Peer IPs + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Restrict VPN Peer IPs | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if \"Restrict VPN Peer IPs\" is enforced on the GCP organization level. | +| **More Info** | Enforcing the \"Restrict VPN Peer IPs\" constraint allows you to control the IP addresses which can be configured as VPN Peers. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Restrict VPN Peer IPs\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to the Google Cloud console, go to the [Identity and Access Management (IAM)](#https://console.cloud.google.com/iam-admin/iam.) page. + +2. Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine. + +3. In the navigation panel, select **Organization Policies** to view the list of the cloud organization policies available. + +4. In the Filter by constraint section, select `Name` and filter by: `Restrict VPN Peer IPs`. + +5. Select the `Restrict VPN Peer IPs` organizational policy. + +6. In the `Policy details` page, see the `Allowed` configuration attribute value. If the value is set to `All`, select the Manage Policy button in the upper right to modify the policy. + +6. In the `Applies to` section, change the selection to Customize. + +7. Under `Policy enforcement` select Merge with parent. + +8. Under the Rules section, select `Add rule` and provide a custom policy value to define allowed where cloud resources can be created. Once completed, select Done and Save. \ No newline at end of file 
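Review bot: Step 8 of restrict-vpn-peer-ips.md still instructs the reader to define "where cloud resources can be created"; the rule values for this constraint are the IP addresses allowed as VPN peers, which is what the More Info row describes. Reword step 8, renumber the second step 6, and fix the step 1 link, which is written as `(#https://console.cloud.google.com/iam-admin/iam.)` and therefore renders as a same-page fragment with a trailing period.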
diff --git a/en/google/resourcemanager/skip-default-network-creation.md b/en/google/resourcemanager/skip-default-network-creation.md new file mode 100644 index 000000000..94216e05b --- /dev/null +++ b/en/google/resourcemanager/skip-default-network-creation.md 
@@ -0,0 +1,35 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Skip Default Network Creation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Skip Default Network Creation | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if \"Skip Default Network Creation\" constraint policy is enforces at the GCP organization level. | +| **More Info** | Enforcing the \"Skip Default Network Creation\" disables the creation of default VPC network on project creation which is recommended if you want to keep some parts of your network private. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Skip Default Network Creation\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Sign in to the Google Cloud console, go to the [Identity and Access Management (IAM)](#https://console.cloud.google.com/iam-admin/iam.) page. + +2. Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine. + +3. In the navigation panel, select **Organization Policies** to view the list of the cloud organization policies available. + +4. In the Filter by constraint section, select `Name` and filter by: `Skip Default Network Creation`. + +5. Select the `Skip Default Network Creation` organizational policy. + +6. In the `Policy details` page, see the `Status` configuration attribute value. If the value is set to `Not enforced`, select the Manage Policy button in the upper right to modify the policy. + +6. In the `Applies to` section, change the selection to Customize. + +7. Under the Rules section, select `Add rule` and turn on Enforcement. + - Optional: Add a condition for enforcement. + +8. 
Select Done and click Save to commit your changes. \ No newline at end of file diff --git a/en/google/resourcemanager/trusted-image-projects.md b/en/google/resourcemanager/trusted-image-projects.md new file mode 100644 index 000000000..5888ea42b --- /dev/null +++ b/en/google/resourcemanager/trusted-image-projects.md 
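Review bot: In skip-default-network-creation.md the Description reads "is enforces at"; should be "is enforced at". The rationale in More Info, "recommended if you want to keep some parts of your network private", undersells the point: the auto-created default network arrives with pre-populated firewall rules that admit inbound SSH, RDP and ICMP from any source, and a network nobody planned for tends to escape review, so state that as the reason. Two steps are numbered 6, and the step 1 link has the same `(#https://...iam.)` fragment-plus-period defect as the other Resource Manager pages.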
@@ -0,0 +1,54 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Resource Manager / Trusted Image Projects + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Trusted Image Projects | +| **Cloud** | GOOGLE | +| **Category** | Resource Manager | +| **Description** | Determine if \"Define Trusted Image Projects\" constraint policy is enforces at the GCP organization level. | +| **More Info** | Enforcing the \"Define Trusted Image Projects\" allows you to restrict disk image access and ensure that your project members can only create boot disks from trusted images. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints | +| **Recommended Action** | Ensure that \"Define Trusted Image Projects\" constraint is enforced at the organization level. | + +## Detailed Remediation Steps +1. Go to the Organization policies page. + + [Go to Organization policies](#https://console.cloud.google.com/iam-admin/orgpolicies/) + +2. From the policies list, click Define trusted image projects. The Policy details page displays. + +3. On the Policy details page, click Manage Policy. The Edit policy page displays. + +4. On the Edit policy page, select Customize. + +5. For Policy enforcement, select an enforcement option. For information about inheritance and the resource hierarchy, see Understanding Hierarchy Evaluation. + +6. Click Add rule. + +7. In the Policy values list, you can select whether this organization policy should allow access to all image projects, deny access to all image projects, or you can specify a custom set of projects to allow or deny access to. + + - To set the policy rule, complete one of the following options: + + - To allow users to create boot disks from all public images, select Allow All. + + - To restrict users from creating boot disk from all public images, select Deny All. 
+ + - To specify a select set of public images that users can create boot disks from, select Custom. A Policy type and Custom values field displays. + + a. In the Policy type list, select Allow or Deny. + + b. In the Custom values field, enter the name of the image project using the projects/IMAGE_PROJECT format. + + - Replace IMAGE_PROJECT with the image project you want to set the constraint on. + + - You can add multiple image projects. For each image project that you want to add, click Add and enter the image project name. + +8. To save the rule, click Done. + +9. To save and apply the organization policy, click Save. + +For more information, see [Setting up trusted image policies](#https://cloud.google.com/compute/docs/images/restricting-image-access) \ No newline at end of file diff --git a/en/google/sql/mysql-local-infile-disabled.md b/en/google/sql/mysql-local-infile-disabled.md new file mode 100644 index 000000000..9783cf953 --- /dev/null +++ b/en/google/sql/mysql-local-infile-disabled.md 
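Review bot: In trusted-image-projects.md both links are written as `(#https://...)`, so they resolve to same-page fragments instead of the console and the Compute Engine docs; remove the leading `#`. The Description has the same "is enforces at" typo as skip-default-network-creation.md. Step 5 refers to "Understanding Hierarchy Evaluation" without a link. Step 7 lists "Allow All" as the first option on a remediation page, but Allow All is the permissive state that leaves this finding open; either drop it or say explicitly that only Deny All or a Custom allow list of trusted image projects closes the finding.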
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / MySQL Local Infile Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | MySQL Local Infile Disabled | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances for MySQL type does not have local infile flag enabled. | +| **More Info** | SQL instances for MySQL type database provides local_infile flag, which can be used to load data from client or server systems. It controls the load data statements for database. Anyone using this server can access any file on the client system. For security reasons it should be disabled. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/flags | +| **Recommended Action** | Ensure that local infile flag is disabled for all MySQL instances. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `local_infile` flag from the drop-down menu, and set its value to `off`. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/mysql-slow-query-log-enabled.md b/en/google/sql/mysql-slow-query-log-enabled.md new file mode 100644 index 000000000..1ab658b84 --- /dev/null +++ b/en/google/sql/mysql-slow-query-log-enabled.md 
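Review bot: More Info in mysql-local-infile-disabled.md misstates the threat with "Anyone using this server can access any file on the client system": with local_infile on, a LOAD DATA LOCAL statement has the server request a file from the connecting client, so a compromised or impersonated server can pull any file the client process can read, and server-side LOAD DATA reads files on the database host for accounts holding FILE. Say that instead. Step 3 tells the reader to tick the checkbox next to the instance name and then scroll to Flags, but flags are edited by opening the instance and clicking Edit; postgresql-log-disconnections-flag-enabled.md in this patch has the correct wording, and it should be applied to every Cloud SQL flag page here.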
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / MySQL Slow Query Log Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | MySQL Slow Query Log Enabled | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures that MySQL instances have slow query log flag enabled. | +| **More Info** | MySQL instance flag that helps find inefficient or time-consuming SQL queries for MySQL databases. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/flags | +| **Recommended Action** | Ensure that slow query log flag is enabled for all MySQL instances. | + +## Detailed Remediation Steps +1. 1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `slow_query_log` flag from the drop-down menu, and set its value to `on`. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/postgresql-log-checkpoints-enabled.md b/en/google/sql/postgresql-log-checkpoints-enabled.md new file mode 100644 index 000000000..fd8d5e4c6 --- /dev/null +++ b/en/google/sql/postgresql-log-checkpoints-enabled.md 
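Review bot: Step 1 of mysql-slow-query-log-enabled.md reads "1. 1. Log into", a duplicated list numeral. More Info, "MySQL instance flag that helps find inefficient or time-consuming SQL queries for MySQL databases.", is a sentence fragment and gives a performance rationale only; for a security-scanner page add the reason the check exists, that the slow query log captures full statement text and is therefore an audit source (and a place where sensitive literals land, so its retention should be considered).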
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / PostgreSQL Log Checkpoints Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | PostgreSQL Log Checkpoints Enabled | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensure that log_checkpoints flag is enabled for PostgreSQL instances. | +| **More Info** | When log_checkpoints flag is enabled, instance checkpoints and restart points are logged in the server log. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/postgres/flags#setting_a_database_flag | +| **Recommended Action** | Ensure that all PostgreSQL database instances have log_checkpoints flag and it value is set to on. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `log_checkpoints` flag from the drop-down menu, and set its value to `on`. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/postgresql-log-connections-flag-enabled.md b/en/google/sql/postgresql-log-connections-flag-enabled.md new file mode 100644 index 000000000..00565e8c3 --- /dev/null +++ b/en/google/sql/postgresql-log-connections-flag-enabled.md 
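Review bot: Recommended Action in postgresql-log-checkpoints-enabled.md reads "have log_checkpoints flag and it value is set to on"; should be "have the log_checkpoints flag set to on". More Info says what the flag logs but not why the plugin cares; one clause on the value of checkpoint and restart-point timing in the server log for incident reconstruction would make the row self-explanatory.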
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / PostgreSQL Log Connections Flag Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | PostgreSQL Log Connections Flag Enabled | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances for PostgreSQL type have log connections flag enabled. | +| **More Info** | SQL instance for PostgreSQL databases provides log_connections flag. It is used to log every attempt to connect to the db server. It is not enabled by default. Enabling it will make sure to log all connection tries | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/postgres/flags | +| **Recommended Action** | Ensure that log connections flag is enabled for all PostgreSQL instances. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `log_connections` flag from the drop-down menu, and set its value to `on`. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/postgresql-log-disconnections-flag-enabled.md b/en/google/sql/postgresql-log-disconnections-flag-enabled.md new file mode 100644 index 000000000..7e99857c3 --- /dev/null +++ b/en/google/sql/postgresql-log-disconnections-flag-enabled.md 
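Review bot: More Info in postgresql-log-connections-flag-enabled.md ends without a period ("log all connection tries"); "tries" should be "attempts", and "db server" should match the "DB server" capitalisation used on the disconnections page. Step 3 has the checkbox-then-Flags wording that should be replaced with "open the instance and click Edit", as noted on the local_infile page.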
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / PostgreSQL Log Disconnections Flag Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | PostgreSQL Log Disconnections Flag Enabled | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances for PostgreSQL type have log disconnections flag enabled. | +| **More Info** | SQL instance for PostgreSQL databases provides log_disconnections flag. It is used to log every attempt to connect to the DB server. It is not enabled by default. Enabling it will make sure to log anyone who disconnects from the instance. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/postgres/flags | +| **Recommended Action** | Ensure that log disconnections flag is enabled for all PostgreSQL instances. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified whether it has flags added or not by opening the instance and clicking Edit. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `log_disconnections` flag from the drop-down menu, and set its value to On. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/postgresql-log-lock-waits-flag-enabled.md b/en/google/sql/postgresql-log-lock-waits-flag-enabled.md new file mode 100644 index 000000000..e5a09aa57 --- /dev/null +++ b/en/google/sql/postgresql-log-lock-waits-flag-enabled.md 
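Review bot: More Info in postgresql-log-disconnections-flag-enabled.md says log_disconnections "is used to log every attempt to connect to the DB server", which was copied from the log_connections page; this flag logs session termination, including the session duration, not connection attempts. Step 5 writes the value as `On` while every sibling page uses `on`; pick one spelling, preferably the lowercase form Cloud SQL shows.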
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / PostgreSQL Log Lock Waits Flag Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | PostgreSQL Log Lock Waits Flag Enabled | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances for PostgreSQL type have log_lock_waits flag enabled. | +| **More Info** | SQL instance for PostgreSQL database provides log_lock_waits flag. It is not enabled by default. Enabling it will make sure that log messages are generated whenever a session waits longer than deadlock_timeout to acquire a lock. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/postgres/flags#config | +| **Recommended Action** | Ensure that log_lock_waits flag is enabled for all PostgreSQL instances. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `log_lock_waits` flag from the drop-down menu, and set its value to `on`. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/postgresql-log-min-duration-statement.md b/en/google/sql/postgresql-log-min-duration-statement.md new file mode 100644 index 000000000..35b22b4d1 --- /dev/null +++ b/en/google/sql/postgresql-log-min-duration-statement.md 
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / PostgreSQL Log Min Duration Statement + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | PostgreSQL Log Min Duration Statement | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances for PostgreSQL type have log min duration statement flag disabled. | +| **More Info** | SQL instance for PostgreSQL databases provides log_min_duration_statement flag. It is used to log the duration of every completed statement. This should always be disabled as there can be sensitive information as well that should not be recorded in the logs. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/postgres/flags | +| **Recommended Action** | Ensure that log_min_duration_statement flag is disabled for all PostgreSQL instances. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `log_min_duration_statement` flag from the drop-down menu, and set its value to `-1`. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/postgresql-log-min-error-statement.md b/en/google/sql/postgresql-log-min-error-statement.md new file mode 100644 index 000000000..794c236f2 --- /dev/null +++ b/en/google/sql/postgresql-log-min-error-statement.md 
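Review bot: postgresql-log-min-duration-statement.md asserts "This should always be disabled as there can be sensitive information" without saying how the leak happens: any value other than -1 writes the full text of every statement that runs at least that many milliseconds to the server log, and 0 logs every statement, which is how credentials and personal data end up in log sinks. State the mechanism, and name the disabling value -1 in the Description and Recommended Action so they agree with step 5.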
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / PostgreSQL Log Min Error Statement + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | PostgreSQL Log Min Error Statement | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances for PostgreSQL type have log min error statement flag set to Error. | +| **More Info** | SQL instance for PostgreSQL databases provides log_min_error_statement flag. It is used to mention/tag that the error messages. Setting it to Error value will help to find the error messages appropriately. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/postgres/flags | +| **Recommended Action** | Ensure that log_min_error_statement flag is set to Error for all PostgreSQL instances. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `log_min_error_statement` flag from the drop-down menu, and set its value to `error`. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page.. \ No newline at end of file diff --git a/en/google/sql/postgresql-log-temp-files.md b/en/google/sql/postgresql-log-temp-files.md new file mode 100644 index 000000000..4a748e8e6 --- /dev/null +++ b/en/google/sql/postgresql-log-temp-files.md 
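Review bot: More Info in postgresql-log-min-error-statement.md is garbled: "It is used to mention/tag that the error messages. Setting it to Error value will help to find the error messages appropriately." The flag sets the minimum severity at which the SQL statement that caused an error is written to the server log; setting it to `error` (or a stricter level) ensures that failing statements are recorded. Step 7 ends with a doubled period ("page..").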
@@ -0,0 +1,23 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / PostgreSQL Log Temp Files + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | PostgreSQL Log Temp Files | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances for PostgreSQL type have log temp files flag enabled. | +| **More Info** | SQL instance for PostgreSQL databases provides log_temp_files flag. It is used to log the temporary files name and size. It is not enabled by default. Enabling it will make sure to log names and sizes of all the temporary files that were created during any operation(sort, hashes, query_results etc). | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/postgres/flags | +| **Recommended Action** | Ensure that log_temp_files flag is enabled for all PostgreSQL instances. | + +## Detailed Remediation Steps +1. In the Google Cloud console, create a new Google Cloud console project, or open an existing project by selecting the project name. +2. Open the instance and click Edit. +3. Scroll down to the Flags section. +4. To set a flag that has not been set on the instance before, click Add item, choose the "log_temp_files" flag from the drop-down menu, and set its value. +5. Click Save to save your changes. +6. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/postgresql-max-connections.md b/en/google/sql/postgresql-max-connections.md new file mode 100644 index 000000000..93f618262 --- /dev/null +++ b/en/google/sql/postgresql-max-connections.md 
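Review bot: Step 1 of postgresql-log-temp-files.md tells the reader to "create a new Google Cloud console project"; creating a project is not a remediation step, so use the same "Log into the Google Cloud Platform Console, click SQL" opening as the sibling pages. Step 4 says "set its value" without saying which: log_temp_files is a size threshold in kilobytes, the default -1 disables logging, and 0 logs every temporary file, which is the value this check should call for. The flag name is wrapped in double quotes where every other page uses backticks.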
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / PostgreSQL Max Connections + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | PostgreSQL Max Connections | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensure that max_connections is configured with optimal value for PostgreSQL instances. | +| **More Info** | An optimal value should be set for max_connections (maximum number of client connections) to meet the database workload requirements. If this no value is set for max_connections flag, instance assumes default value which is calculated per instance memory size. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/postgres/flags#setting_a_database_flag | +| **Recommended Action** | Ensure that all PostgreSQL database instances have max_connections flag and it value is set. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `max_connections` flag from the drop-down menu, and set its value. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. diff --git a/en/google/sql/sql-cmk-encryption.md b/en/google/sql/sql-cmk-encryption.md new file mode 100644 index 000000000..962fa19b2 --- /dev/null +++ b/en/google/sql/sql-cmk-encryption.md 
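Review bot: More Info in postgresql-max-connections.md reads "If this no value is set"; should be "If no value is set", and Recommended Action's "it value is set" should be "its value is set". The Description promises an "optimal value", but a scanner can only verify that max_connections has been set explicitly rather than left at the memory-derived default; say that plainly so the Recommended Action matches what the plugin actually checks.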
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / SQL CMK Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | SQL CMK Encryption | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensure that Cloud SQL instances are encrypted using Customer Managed Keys (CMKs). | +| **More Info** | By default, your Google Cloud SQL instances are encrypted using Google-managed keys. To have a better control over the encryption process of your Cloud SQL instances you can use Customer-Managed Keys (CMKs). | +| **GOOGLE Link** | "https://cloud.google.com/sql/docs/sqlserver/cmek" | +| **Recommended Action** | Ensure that all Google Cloud SQL instances have desired encryption level.| + +## Detailed Remediation Steps +1. In the Google Cloud console, go to the Cloud SQL Instances page. + + [Go to Cloud SQL Instances](https://console.cloud.google.com/sql) + +2. In the Instances list, scroll to the right until you see the Encryption column. In this column, you see Google-managed and Customer-managed. +3. Click an instance name to open its Overview page. The customer-managed encryption key is listed in the Configuration pane. + - Note that Customer Managed Encryption Keys can only be configured during instance creation. diff --git a/en/google/sql/sql-contained-database-authentication.md b/en/google/sql/sql-contained-database-authentication.md new file mode 100644 index 000000000..c6aa5e6d3 --- /dev/null +++ b/en/google/sql/sql-contained-database-authentication.md 
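Review bot: GOOGLE Link in sql-cmk-encryption.md is wrapped in literal double quotes, which breaks the URL in the rendered table, and it points at the SQL Server CMEK page although the check covers every Cloud SQL instance. The Detailed Remediation Steps only show how to read the Encryption column; as the page's own note says, a customer-managed key can only be chosen at instance creation, so the remediation is to create a replacement instance with CMEK and migrate the data, and the steps should say so. Recommended Action's "desired encryption level" is vague; "encrypted with a customer-managed key" is what the Description asks for.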
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / SQL Contained Database Authentication + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | SQL Contained Database Authentication | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances of SQL Server type have Contained Database Authentication flag disabled. | +| **More Info** | Enabling Contained Database Authentication flag allows users to connect to the database without authenticating a login at the Database Engine level along with other security threats. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/sqlserver/flags | +| **Recommended Action** | Ensure that Contained Database Authentication flag is disabled for all SQL Server instances. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. To set a flag that has not been set on the instance before, click Add item, choose the `Contained Database Authentication` flag from the drop-down menu, and set its value to `off`. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/sql-cross-db-ownership-chaining.md b/en/google/sql/sql-cross-db-ownership-chaining.md new file mode 100644 index 000000000..834876108 --- /dev/null +++ b/en/google/sql/sql-cross-db-ownership-chaining.md 
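Review bot: step 5 names the flag `Contained Database Authentication` with capitals, while the companion sql-cross-db-ownership-chaining.md uses the lowercase SQL Server spelling `cross db ownership chaining`; Cloud SQL exposes SQL Server flags under their sp_configure names, so this should be `contained database authentication` and the two docs should agree. The More Info sentence `... without authenticating a login at the Database Engine level along with other security threats` needs rewriting: the point is that contained users authenticate inside the database, which bypasses server-level login controls and lets a database owner grant access that the server administrator does not see. The same checkbox-then-Flags gap as in the PostgreSQL doc applies here: add the Edit step before step 4.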
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / SQL Cross DB Ownership Chaining + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | SQL Cross DB Ownership Chaining | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL database instances of SQL Server type have cross db ownership chaining flag disabled. | +| **More Info** | SQL databases of SQL Server provide cross DB ownership chaining flag. It is used to configure cross-database ownership chaining for all databases. It is enabled by default and should be disabled for security unless all required. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/sqlserver/flags | +| **Recommended Action** | Ensure that cross DB ownership chaining flag is disabled for all SQLServer instances. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Scroll down to the Flags section. +5. Select the `cross db ownership chaining` flag and set its value to `off`. +6. Click Save to save your changes. +7. Confirm your changes under Flags on the Overview page. \ No newline at end of file diff --git a/en/google/sql/sql-no-public-ips.md b/en/google/sql/sql-no-public-ips.md new file mode 100644 index 000000000..f8fac4c5e --- /dev/null +++ b/en/google/sql/sql-no-public-ips.md 
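Review bot: the More Info claim `It is enabled by default` needs a source; the linked flags page does not say so and the SQL Server server option defaults to off, so either cite the Cloud SQL default or drop the sentence. `unless all required` is garbled (presumably `unless explicitly required`), and step 5 assumes the flag already exists; mirror the contained-database doc and say `click Add item` when it has not been set. The file also ends without a newline (`\ No newline at end of file`), as do most of the new files in this change; add the trailing newline.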
@@ -0,0 +1,27 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / SQL No Public IPs + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | SQL No Public IPs | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensure that SQL instances are using private IPs instead of public IPs. | +| **More Info** | Cloud SQL databases should always use private IP addresses which provide improved network security and lower latency. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/configure-private-ip | +| **Recommended Action** | Make sure that SQL databases IP addresses setting does not have IP address of PRIMARY type | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and click on "SQL". +3. On the "SQL" page, select the SQL Instance which needs to be verified by clicking on the checkbox next to its name. +4. Select Connections from the SQL navigation menu. +5. Select the Private IP checkbox. +6. Select the VPC network you want to use. +7. If you see Private service connection required, click Set up connection. +8. Allocate an IP range section and click Continue. +9. Click Create connection. +10. Verify that you see the Private service connection for network VPC_NETWORK_NAME has been successfully created status. Click Save. \ No newline at end of file diff --git a/en/google/sql/ssl-certificate-rotation.md b/en/google/sql/ssl-certificate-rotation.md new file mode 100644 index 000000000..aeb3667f6 --- /dev/null +++ b/en/google/sql/ssl-certificate-rotation.md 
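Review bot: the steps add a private IP but never remove the public one, so after step 10 the instance still has an address of PRIMARY type and the check keeps failing; add, after confirming clients can reach the private address, a step to clear the Public IP checkbox on the same Connections page and save. Step 8 is missing its verb (`Allocate an IP range section` should tell the reader to choose or enter a range in that section), and the Recommended Action needs an article and a full stop.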
@@ -0,0 +1,34 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / SSL Certificate Rotation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | SSL Certificate Rotation | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensure that server certificates configured for Cloud SQL are rotated before they expire. | +| **More Info** | Server certificates configured for Cloud SQL DB instances should be rotated before they expire to ensure that incoming connections for database instance remain secure. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/postgres/configure-ssl-instance?authuser=1#server-certs | +| **Recommended Action** | Edit Cloud SQL DB instances and rotate server certificates under Connections->MANAGE CERTIFICATES | + +## Detailed Remediation Steps +1. In the Google Cloud console, go to the [Cloud SQL Instances](https://console.cloud.google.com/sql?authuser=1&_ga=2.184743081.1679736441.1679922535-795998208.1675186198) page. +2. Go to Cloud SQL Instances +3. To open the Overview page of an instance, click the instance name. +4. Click Connections from the SQL navigation menu. +5. Select the Security tab. +6. Scroll down to the Manage server certificates section. You can see the expiration date of your server certificate in the table. +7. Select Rotate certificate. The rotate option will be grayed-out if there are no eligible certificates. +8. Click Download Certificates. + The server certificate information, encoded as a PEM file, is downloaded to your local environment: + + Update all of your PostgreSQL clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file. +9. After you have updated your clients, continue to complete the rotation. +10. Return to the Security tab. +11. Click to expand Manage certificates. +12. Select Rotate certificate. +13. 
Confirm that your clients are connecting properly. + If any clients are not connecting using the newly rotated certificate, you can select Rollback certificate to rollback to the previous configuration. \ No newline at end of file diff --git a/en/google/storage/bucket-encryption.md b/en/google/storage/bucket-encryption.md new file mode 100644 index 000000000..8068941ff --- /dev/null +++ b/en/google/storage/bucket-encryption.md 
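Review bot: step 7 and step 12 both say `Select Rotate certificate`, which would rotate before clients have the new CA; the first action should be `Create new certificate` (that is what makes a certificate eligible to rotate, which is exactly why the doc notes the rotate option is grayed out otherwise), then download, update clients, then Rotate. Step 2 duplicates step 1, the console link in step 1 carries `authuser` and `_ga` tracking parameters that should be stripped (the GOOGLE Link has `?authuser=1` too), and the client-update sentence mentions only PostgreSQL clients although the Description covers all Cloud SQL engines.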
@@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Storage / Bucket Uniform Level Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Bucket Uniform Level Access | +| **Cloud** | GOOGLE | +| **Category** | Storage | +| **Description** | Ensure that Cloud Storage buckets have encryption enabled using desired protection level. | +| **More Info** | By default, all storage buckets are encrypted using Google-managed keys. To have better control over how your storage bucktes are encrypted, you can use Customer-Managed Keys (CMKs). | +| **GOOGLE Link** | https://cloud.google.com/storage/docs/encryption/customer-managed-keys | +| **Recommended Action** | Ensure that all storage buckets have desired encryption level. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose "Cloud Storage" to select the "Buckets" option. +3. On the "Buckets" page, select the bucket by clicking on the bucket's name. +4. In the bucket details page, click on the Configuration tab. +5. Click on the Pencil icon associated with the Encryption type entry. +6. Set or remove the default Cloud KMS key for the bucket. + a. If the bucket isn't currently using a Cloud KMS key, select the Customer-managed key radio button, then select one of the available keys in the associated drop-down menu. + b. If the bucket currently uses a Cloud KMS key, change the Cloud KMS key in the drop-down menu by selecting the Google-managed key radio button. +7. Click Save. diff --git a/en/google/storage/bucket-lifecycle-configured.md b/en/google/storage/bucket-lifecycle-configured.md new file mode 100644 index 000000000..4d2fe70de --- /dev/null +++ b/en/google/storage/bucket-lifecycle-configured.md 
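Review bot: the heading and Plugin Title read `Bucket Uniform Level Access` although this file is bucket-encryption.md and the Description is about CMK encryption; this looks copied from bucket-uniform-level-access.md and should be the encryption plugin's title. Step 6b then describes switching to the Google-managed key, which is the opposite of the Recommended Action; keep only 6a, or label 6b as the way to revert. `bucktes` in More Info is a typo.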
@@ -0,0 +1,25 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Storage / Bucket Lifecycle Configured + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Bucket Lifecycle Configured | +| **Cloud** | GOOGLE | +| **Category** | Storage | +| **Description** | Ensure that Cloud Storage buckets are using lifecycle management rules to transition objects between storage classes. | +| **More Info** | Lifecycle management rules allow you to delete buckets at the end of their lifecycle and help optimize your data for storage costs. | +| **GOOGLE Link** | https://cloud.google.com/storage/docs/managing-lifecycles | +| **Recommended Action** | Modify storage buckets and configure lifecycle rules. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose "Cloud Storage" to select the "Buckets" option. +3. On the "Buckets" page, select the bucket which needs to be enabled, and click on the bucket's name. +4. Click on the Lifecycle tab to open the lifecycle rules page. From here you can add, edit or delete existing rules. +6. To add a new rule, click Add a Rule. +7. In the page that appears, specify a configuration byselecting the action to take when an object meets the conditions and click Continue. +8. Select the conditions under which an action is taken. Click Continue. +9. Review the changes to be made and then click Create. \ No newline at end of file diff --git a/en/google/storage/bucket-uniform-level-access.md b/en/google/storage/bucket-uniform-level-access.md new file mode 100644 index 000000000..7d1d154fd --- /dev/null +++ b/en/google/storage/bucket-uniform-level-access.md 
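Review bot: More Info says lifecycle rules `allow you to delete buckets`; lifecycle rules act on objects (delete them or change their storage class), never on the bucket itself. Step numbering jumps from 4 to 6, and `byselecting` in step 7 is a typo. Since the Description specifically names transitions between storage classes, the doc should say whether a delete-only rule satisfies the check.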
@@ -0,0 +1,24 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Storage / Bucket Uniform Level Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Bucket Uniform Level Access | +| **Cloud** | GOOGLE | +| **Category** | Storage | +| **Description** | Ensures that uniform level access is enabled on storage buckets. | +| **More Info** | Uniform level access for buckets can be used for managing access in a simple way. It enables us to use other security features like IAM conditions. | +| **GOOGLE Link** | https://cloud.google.com/storage/docs/uniform-bucket-level-access#should-you-use | +| **Recommended Action** | Make sure that storage buckets have uniform level access enabled | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose "Cloud Storage" to select the "Buckets" option. +3. On the "Buckets" page, select the bucket which needs Uniform Level Access to be enabled, and click on the bucket's name. +4. Select the Permissions tab near the top of the page. +5. In the text box named Access Control, click the Switch to link. Note that the text box disappears 90 days after you enable uniform bucket-level access. +6. In the pop-up menu that appears, select Uniform or Fine-grained. +7. Click Save. \ No newline at end of file diff --git a/en/google/storage/storage-bucket-retention-policy.md b/en/google/storage/storage-bucket-retention-policy.md new file mode 100644 index 000000000..4871f0732 --- /dev/null +++ b/en/google/storage/storage-bucket-retention-policy.md 
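Review bot: step 6 offers `Uniform or Fine-grained`, but only Uniform remediates this finding; tell the reader to pick Uniform. The 90-day note in step 5 refers to the window for switching back to fine-grained after enabling uniform access, which is worth saying explicitly so nobody reads it as the option to enable going away. Minor: `It enables us to use` in More Info should be `It lets you use`.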
@@ -0,0 +1,28 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Storage / Storage Bucket Retention Policy + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Storage Bucket Retention Policy | +| **Cloud** | GOOGLE | +| **Category** | Storage | +| **Description** | Ensures bucket retention policy is set and locked to prevent deleting or updating of bucket objects or retention policy. | +| **More Info** | Configuring retention policy for bucket prevents accidental deletion as well as modification of bucket objects. This retention policy should also be locked to prevent policy deletion. | +| **GOOGLE Link** | https://cloud.google.com/storage/docs/bucket-lock?_ga=2.221806616.-1645770163.1613190642 | +| **Recommended Action** | Modify bucket to configure retention policy and lock retention policy. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose "Cloud Storage" to select the "Buckets" option. +3. On the "Buckets" page, select the bucket which needs to be enabled, and click on the bucket's name. +4. Select the Protection tab near the top of the page. +5. In the Retention policy section, set your retention policy: + - If no retention policy currently applies to the bucket, click the + Set Retention Policy link. Choose a unit of time and a length of time for your retention period. + - If a retention policy currently applies to a bucket, it appears in the section. Click Edit to modify the retention time. +6. To set a lock on the retention policy, click the Lock button. +7. Upon clicking the Lock button, a Lock retention policy dialog box will appear. Read the Permanent notice. +8. In the Bucket name text box, type in the name of your bucket. +9. Click Lock policy. \ No newline at end of file 
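Review bot: the GOOGLE Link carries a `?_ga=...` analytics parameter; link to the plain bucket-lock page. Step 3 `the bucket which needs to be enabled` should say the bucket that needs a retention policy. Because step 6 locks the policy, the doc should state plainly (in More Info or just before step 6) that a locked policy can never be removed, its retention period can never be shortened, and the bucket cannot be deleted until every object has met the period; the `Permanent notice` in step 7 is the only hint today, and a wrongly locked period cannot be undone.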
diff --git a/en/google/vpcnetwork/open-cassandra.md b/en/google/vpcnetwork/open-cassandra.md new file mode 100644 index 000000000..ac9828ece --- /dev/null +++ b/en/google/vpcnetwork/open-cassandra.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open Cassandra + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Cassandra | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determines if TCP port 7001 for Cassandra is open to the public. | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MSSQL should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 7001 to known IP addresses. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network." +3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified. +4. On the selected "Firewall rules", if TCP port 7001 for "Cassandra" is open to the public then the selected "Firewall rule" is not as per the best standards. +5. Repeat steps number 2 - 4 to verify another "Firewall rule" in the network. +6. Navigate to "VPC network" and choose the "Firewall rules" option under the "Networking" and select the "Firewall rule" which needs to be restricted to known IP addresses. +7. On the "Firewall rules" page, click on the "Edit" button at the top and under the "Source IP ranges" enter the IP addresses as per the requirements. +8. Click on the "Save" button at the bottom to make the changes. +9. Repeat steps number 6 - 8 to restrict TCP port 7001 to known IP addresses. \ No newline at end of file 
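Review bot: More Info names `MSSQL` as the sensitive service; this is the Cassandra doc, so it should say Cassandra (copied from open-mssql.md). Steps 4 and 6 never define `open to the public`: say the rule is non-compliant when its source range is 0.0.0.0/0 (or ::/0) and its allowed protocols/ports include tcp:7001 or all. 7001 is also only the TLS inter-node port; the plaintext inter-node and native client ports are separate, so say whether the plugin covers them or only 7001.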
diff --git a/en/google/vpcnetwork/open-custom-ports.md b/en/google/vpcnetwork/open-custom-ports.md new file mode 100644 index 000000000..3f9c36f00 --- /dev/null +++ b/en/google/vpcnetwork/open-custom-ports.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open Custom Ports + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Custom Ports | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Ensure that defined custom ports are not open to public. | +| **More Info** | To prevent attackers from identifying and exploiting the services running on your instances, make sure the VPC Network custom ports are not open to public. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/firewalls | +| **Recommended Action** | Ensure that your VPC Network firewall rules do not allow inbound traffic for a range of ports. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network." +3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified. +4. On the selected "Firewall rules", if custom ports are open to the public then the selected "Firewall rule" is not as per the best standards. +5. Repeat steps number 2 - 4 to verify another "Firewall rule" in the network. +6. Navigate to "VPC network" and choose the "Firewall rules" option under the "Networking" and select the "Firewall rule" which needs to be restricted to known IP addresses. +7. On the "Firewall rules" page, click on the "Edit" button at the top and enter the "Source IP ranges" and select the "Specified protocols and ports" as per the requirements. +8. Click on the "Save" button at the bottom to make the changes. +9. Repeat steps number 6 - 8 to restrict ports to known IP addresses. 
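Review bot: the Description talks about `defined custom ports` but the doc never says where they are defined; name the plugin setting, or say they are the ports the user configures for this plugin. The Recommended Action (`do not allow inbound traffic for a range of ports`) does not match the Description either; align it to restricting the configured ports to known source IP ranges. Step 4 should define `open to the public` as a 0.0.0.0/0 (or ::/0) source range, as step 7 is the only step that names the fields being edited.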
diff --git a/en/google/vpcnetwork/open-mongodb.md b/en/google/vpcnetwork/open-mongodb.md new file mode 100644 index 000000000..779efa8e8 --- /dev/null +++ b/en/google/vpcnetwork/open-mongodb.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open MongoDB + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open MongoDB | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determines if TCP port 27017 for MongoDB is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Mongo should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP ports 27017 to known IP addresses. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network." +3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified. +4. On the selected "Firewall rules", if TCP port 27017 for "MongoDB" is open to the public then the selected "Firewall rule" is not as per the best standards. +5. Repeat steps number 2 - 4 to verify another "Firewall rule" in the network. +6. Navigate to "VPC network" and choose the "Firewall rules" option under the "Networking" and select the "Firewall rule" which needs to be restricted to known IP addresses. +7. On the "Firewall rules" page, click on the "Edit" button at the top and under the "Source IP ranges" enter the IP addresses as per the requirements. +8. Click on the "Save" button at the bottom to make the changes. +9. Repeat steps number 6 - 8 to restrict TCP ports 27017 to known IP addresses. \ No newline at end of file 
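Review bot: `Restrict TCP ports 27017` should be `port` in both the Recommended Action and step 9, and the Description is missing its full stop. Otherwise this mirrors the other open-port docs, including the undefined `open to the public` in step 4, which should be stated as a 0.0.0.0/0 (or ::/0) source range.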
diff --git a/en/google/vpcnetwork/open-mssql.md b/en/google/vpcnetwork/open-mssql.md new file mode 100644 index 000000000..27075f7af --- /dev/null +++ b/en/google/vpcnetwork/open-mssql.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open MSSQL + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open MSSQL | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determines if TCP port 1433 for MSSQL is open to the public. | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MSSQL should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 1433 to known IP addresses. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network." +3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified. +4. On the selected "Firewall rules", if TCP port 1433 for "MSSQL" is open to the public then the selected "Firewall rule" is not as per the best standards. +5. Repeat steps number 2 - 4 to verify another "Firewall rule" in the network. +6. Navigate to "VPC network" and choose the "Firewall rules" option under the "Networking" and select the "Firewall rule" which needs to be restricted to known IP addresses. +7. On the "Firewall rules" page, click on the "Edit" button at the top and under the "Source IP ranges" enter the IP addresses as per the requirements. +8. Click on the "Save" button at the bottom to make the changes. +9. Repeat steps number 6 - 8 to restrict TCP port 1433 to known IP addresses. \ No newline at end of file 
diff --git a/en/google/vpcnetwork/open-redis.md b/en/google/vpcnetwork/open-redis.md new file mode 100644 index 000000000..f5296b458 --- /dev/null +++ b/en/google/vpcnetwork/open-redis.md @@ -0,0 +1,26 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open Redis + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Redis | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determines if TCP port 6379 for Redis is open to the public. | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MSSQL should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 6379 to known IP addresses. | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network." +3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified. +4. On the selected "Firewall rules", if TCP port 6379 for "Redis" is open to the public then the selected "Firewall rule" is not as per the best standards. +5. Repeat steps number 2 - 4 to verify another "Firewall rule" in the network. +6. Navigate to "VPC network" and choose the "Firewall rules" option under the "Networking" and select the "Firewall rule" which needs to be restricted to known IP addresses. +7. On the "Firewall rules" page, click on the "Edit" button at the top and under the "Source IP ranges" enter the IP addresses as per the requirements. +8. Click on the "Save" button at the bottom to make the changes. +9. Repeat steps number 6 - 8 to restrict TCP port 6379 to known IP addresses. \ No newline at end of file 
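Review bot: More Info again says `MSSQL`; this is the Redis doc and should name Redis. Same request as the other open-port pages: define `open to the public` in step 4 as a 0.0.0.0/0 (or ::/0) source range so the reader knows what to look for in the rule.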
diff --git a/en/google/vpcnetwork/vpc-dns-logging-enabled.md b/en/google/vpcnetwork/vpc-dns-logging-enabled.md new file mode 100644 index 000000000..8b60e8536 --- /dev/null +++ b/en/google/vpcnetwork/vpc-dns-logging-enabled.md 
@@ -0,0 +1,36 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / VPC DNS Logging Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VPC DNS Logging Enabled | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Ensure that All VPC Network has DNS logging enabled. | +| **More Info** | Cloud DNS logging records the queries coming from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC to Stackdriver. | +| **GOOGLE Link** | https://cloud.google.com/dns/docs/monitoring | +| **Recommended Action** | Create Cloud DNS Server Policy with logging enabled for VPC Networks | + +## Detailed Remediation Steps +1. Log into the Google Cloud Platform Console. +2. Click Activate Cloud Shell at the top of the Google Cloud console. + - A Cloud Shell session opens inside a new frame at the bottom of the Google Cloud console and displays a command-line prompt. It can take a few seconds for the session to be initialized. +3. To enable logging for a network that does not have a DNS policy, run the dns policies create command with the following parameters. Replace the `POLICY_NAME`, `NETWORK`, and `DESCRIPTION` variables. +``` +gcloud dns policies create POLICY_NAME \ + --networks=NETWORK \ + --enable-logging \ + --description=DESCRIPTION +``` +4. To enable logging for a network that has an existing DNS policy, run the dns policies update command witht he following parameters Replace the `POLICY_NAME`, and `NETWORK` variables. +``` +gcloud dns policies update POLICY_NAME \ + --networks=NETWORK \ + --enable-logging +``` +5. Repeat steps 3 or 4 for all applicable VPC networks. + +**These configuration changes may incur additional costs** \ No newline at end of file 
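Review bot: in step 4, `--networks=NETWORK` on `gcloud dns policies update` sets the policy's full network list rather than appending, so a policy attached to several VPCs must be updated with all of them or the others are detached; say so, or omit `--networks` when the only change is `--enable-logging`. Step 3 should also note that a VPC network can have only one DNS server policy, so `create` fails if one already exists and step 4 is the path then. Typos: `witht he` in step 4, `Ensure that All VPC Network has` in the Description (all VPC networks have), and `Stackdriver` in More Info is now Cloud Logging.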
diff --git a/resources/aws/codebuild/project-artifacts-encrypted/step2.png b/resources/aws/codebuild/project-artifacts-encrypted/step2.png new file mode 100644 index 000000000..b90ed3433 Binary files /dev/null and b/resources/aws/codebuild/project-artifacts-encrypted/step2.png differ diff --git a/resources/aws/codebuild/project-artifacts-encrypted/step3.png b/resources/aws/codebuild/project-artifacts-encrypted/step3.png new file mode 100644 index 000000000..4b1651c3b Binary files /dev/null and b/resources/aws/codebuild/project-artifacts-encrypted/step3.png differ diff --git a/resources/aws/codebuild/project-artifacts-encrypted/step4_1.png b/resources/aws/codebuild/project-artifacts-encrypted/step4_1.png new file mode 100644 index 000000000..4e425d442 Binary files /dev/null and b/resources/aws/codebuild/project-artifacts-encrypted/step4_1.png differ diff --git a/resources/aws/codebuild/project-artifacts-encrypted/step4_2.png b/resources/aws/codebuild/project-artifacts-encrypted/step4_2.png new file mode 100644 index 000000000..04530e014 Binary files /dev/null and b/resources/aws/codebuild/project-artifacts-encrypted/step4_2.png differ diff --git a/resources/aws/codebuild/project-artifacts-encrypted/step6.png b/resources/aws/codebuild/project-artifacts-encrypted/step6.png new file mode 100644 index 000000000..f49613aa1 Binary files /dev/null and b/resources/aws/codebuild/project-artifacts-encrypted/step6.png differ diff --git a/resources/aws/codebuild/project-artifacts-encrypted/step7_2.png b/resources/aws/codebuild/project-artifacts-encrypted/step7_2.png new file mode 100644 index 000000000..e565319ca Binary files /dev/null and b/resources/aws/codebuild/project-artifacts-encrypted/step7_2.png differ 
diff --git a/resources/aws/codebuild/project-artifacts-encrypted/step7_3.png b/resources/aws/codebuild/project-artifacts-encrypted/step7_3.png new file mode 100644 index 000000000..cad9db88e Binary files /dev/null and b/resources/aws/codebuild/project-artifacts-encrypted/step7_3.png differ diff --git a/resources/aws/codebuild/project-artifacts-encrypted/step8_2.png b/resources/aws/codebuild/project-artifacts-encrypted/step8_2.png new file mode 100644 index 000000000..a17d3fceb Binary files /dev/null and b/resources/aws/codebuild/project-artifacts-encrypted/step8_2.png differ diff --git a/resources/aws/ec2/open-netbios/.DS_Store b/resources/aws/ec2/open-netbios/.DS_Store deleted file mode 100644 index cb13e5070..000000000 Binary files a/resources/aws/ec2/open-netbios/.DS_Store and /dev/null differ diff --git a/resources/aws/glacier/s3-glacier-vault-public-access/step2.png b/resources/aws/glacier/s3-glacier-vault-public-access/step2.png new file mode 100644 index 000000000..ba13c82a0 Binary files /dev/null and b/resources/aws/glacier/s3-glacier-vault-public-access/step2.png differ diff --git a/resources/aws/glacier/s3-glacier-vault-public-access/step3.png b/resources/aws/glacier/s3-glacier-vault-public-access/step3.png new file mode 100644 index 000000000..f83300a61 Binary files /dev/null and b/resources/aws/glacier/s3-glacier-vault-public-access/step3.png differ diff --git a/resources/aws/glacier/s3-glacier-vault-public-access/step4.png b/resources/aws/glacier/s3-glacier-vault-public-access/step4.png new file mode 100644 index 000000000..e933870e9 Binary files /dev/null and b/resources/aws/glacier/s3-glacier-vault-public-access/step4.png differ diff --git a/resources/aws/glacier/s3-glacier-vault-public-access/step5.png b/resources/aws/glacier/s3-glacier-vault-public-access/step5.png new file mode 100644 index 000000000..9a2ef07c4 Binary files /dev/null and b/resources/aws/glacier/s3-glacier-vault-public-access/step5.png differ 
diff --git a/resources/aws/glacier/s3-glacier-vault-public-access/step6.png b/resources/aws/glacier/s3-glacier-vault-public-access/step6.png new file mode 100644 index 000000000..aa06d3f87 Binary files /dev/null and b/resources/aws/glacier/s3-glacier-vault-public-access/step6.png differ diff --git a/resources/aws/iam/password-expiration/step5.png b/resources/aws/iam/password-expiration/step5.png index da0232442..099dc60f6 100644 Binary files a/resources/aws/iam/password-expiration/step5.png and b/resources/aws/iam/password-expiration/step5.png differ diff --git a/resources/aws/iam/root-account-in-use/.DS_Store b/resources/aws/iam/root-account-in-use/.DS_Store deleted file mode 100644 index cf877c694..000000000 Binary files a/resources/aws/iam/root-account-in-use/.DS_Store and /dev/null differ diff --git a/resources/aws/kms/.DS_Store b/resources/aws/kms/.DS_Store deleted file mode 100644 index a0f236c5e..000000000 Binary files a/resources/aws/kms/.DS_Store and /dev/null differ diff --git a/resources/aws/rds/.DS_Store b/resources/aws/rds/.DS_Store deleted file mode 100644 index 3dea6b737..000000000 Binary files a/resources/aws/rds/.DS_Store and /dev/null differ diff --git a/resources/azure/.DS_Store b/resources/azure/.DS_Store deleted file mode 100644 index 402011abf..000000000 Binary files a/resources/azure/.DS_Store and /dev/null differ diff --git a/resources/azure/networksecuritygroups/.DS_Store b/resources/azure/networksecuritygroups/.DS_Store deleted file mode 100644 index fbb406f6f..000000000 Binary files a/resources/azure/networksecuritygroups/.DS_Store and /dev/null differ diff --git a/resources/azure/securitycenter/.DS_Store b/resources/azure/securitycenter/.DS_Store deleted file mode 100644 index 4aec69965..000000000 Binary files a/resources/azure/securitycenter/.DS_Store and /dev/null differ 
diff --git a/resources/azure/securitycenter/security-contacts-enabled/.DS_Store b/resources/azure/securitycenter/security-contacts-enabled/.DS_Store deleted file mode 100644 index a59766d32..000000000 Binary files a/resources/azure/securitycenter/security-contacts-enabled/.DS_Store and /dev/null differ diff --git a/resources/google/cloudfunctions/http-trigger-require-https/step2.png b/resources/google/cloudfunctions/http-trigger-require-https/step2.png new file mode 100644 index 000000000..9408a025d Binary files /dev/null and b/resources/google/cloudfunctions/http-trigger-require-https/step2.png differ diff --git a/resources/google/cloudfunctions/http-trigger-require-https/step3.png b/resources/google/cloudfunctions/http-trigger-require-https/step3.png new file mode 100644 index 000000000..8883b453c Binary files /dev/null and b/resources/google/cloudfunctions/http-trigger-require-https/step3.png differ diff --git a/resources/google/cloudfunctions/http-trigger-require-https/step4.png b/resources/google/cloudfunctions/http-trigger-require-https/step4.png new file mode 100644 index 000000000..3b5b1a809 Binary files /dev/null and b/resources/google/cloudfunctions/http-trigger-require-https/step4.png differ diff --git a/resources/google/cloudfunctions/http-trigger-require-https/step5.png b/resources/google/cloudfunctions/http-trigger-require-https/step5.png new file mode 100644 index 000000000..2112b7c7e Binary files /dev/null and b/resources/google/cloudfunctions/http-trigger-require-https/step5.png differ diff --git a/resources/google/cloudfunctions/http-trigger-require-https/step6.png b/resources/google/cloudfunctions/http-trigger-require-https/step6.png new file mode 100644 index 000000000..65a29ac10 Binary files /dev/null and b/resources/google/cloudfunctions/http-trigger-require-https/step6.png differ 
diff --git a/resources/google/kubernetes/cluster-encryption-enabled/step2.png b/resources/google/kubernetes/cluster-encryption-enabled/step2.png new file mode 100644 index 000000000..f11ce2a99 Binary files /dev/null and b/resources/google/kubernetes/cluster-encryption-enabled/step2.png differ diff --git a/resources/google/kubernetes/cluster-encryption-enabled/step3.png b/resources/google/kubernetes/cluster-encryption-enabled/step3.png new file mode 100644 index 000000000..b36599b00 Binary files /dev/null and b/resources/google/kubernetes/cluster-encryption-enabled/step3.png differ diff --git a/resources/google/kubernetes/cluster-encryption-enabled/step4.png b/resources/google/kubernetes/cluster-encryption-enabled/step4.png new file mode 100644 index 000000000..ca650c22a Binary files /dev/null and b/resources/google/kubernetes/cluster-encryption-enabled/step4.png differ diff --git a/resources/google/kubernetes/cluster-encryption-enabled/step5.png b/resources/google/kubernetes/cluster-encryption-enabled/step5.png new file mode 100644 index 000000000..1c352c0c0 Binary files /dev/null and b/resources/google/kubernetes/cluster-encryption-enabled/step5.png differ diff --git a/resources/google/pubsub/topic-labels-added/topic-encryption-enabled/step1.png b/resources/google/pubsub/topic-labels-added/topic-encryption-enabled/step1.png new file mode 100644 index 000000000..11f8dfa21 Binary files /dev/null and b/resources/google/pubsub/topic-labels-added/topic-encryption-enabled/step1.png differ diff --git a/resources/google/resourcemanager/compute-allowed-external-ips/step1.png b/resources/google/resourcemanager/compute-allowed-external-ips/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/compute-allowed-external-ips/step1.png differ 
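Review bot: the new screenshot `resources/google/pubsub/topic-labels-added/topic-encryption-enabled/step1.png` nests one check's directory inside another's; every other resource added in this patch sits directly under `resources/<provider>/<service>/<check-name>/` (for example `resources/google/cloudfunctions/http-trigger-require-https/step2.png`). Unless the topic-encryption page deliberately reuses the topic-labels directory, move the file to `resources/google/pubsub/topic-encryption-enabled/step1.png` and confirm the image link in the corresponding markdown page points at the final path, otherwise the page will render a broken image.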
diff --git a/resources/google/resourcemanager/compute-allowed-external-ips/step10.png b/resources/google/resourcemanager/compute-allowed-external-ips/step10.png new file mode 100644 index 000000000..d669110d5 Binary files /dev/null and b/resources/google/resourcemanager/compute-allowed-external-ips/step10.png differ diff --git a/resources/google/resourcemanager/compute-allowed-external-ips/step11.png b/resources/google/resourcemanager/compute-allowed-external-ips/step11.png new file mode 100644 index 000000000..d13e567e3 Binary files /dev/null and b/resources/google/resourcemanager/compute-allowed-external-ips/step11.png differ diff --git a/resources/google/resourcemanager/compute-allowed-external-ips/step2.png b/resources/google/resourcemanager/compute-allowed-external-ips/step2.png new file mode 100644 index 000000000..fa2998b26 Binary files /dev/null and b/resources/google/resourcemanager/compute-allowed-external-ips/step2.png differ diff --git a/resources/google/resourcemanager/compute-allowed-external-ips/step4.png b/resources/google/resourcemanager/compute-allowed-external-ips/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/compute-allowed-external-ips/step4.png differ diff --git a/resources/google/resourcemanager/compute-allowed-external-ips/step5.png b/resources/google/resourcemanager/compute-allowed-external-ips/step5.png new file mode 100644 index 000000000..2ed8990be Binary files /dev/null and b/resources/google/resourcemanager/compute-allowed-external-ips/step5.png differ diff --git a/resources/google/resourcemanager/compute-allowed-external-ips/step8.png b/resources/google/resourcemanager/compute-allowed-external-ips/step8.png new file mode 100644 index 000000000..4df8f120f Binary files /dev/null and b/resources/google/resourcemanager/compute-allowed-external-ips/step8.png differ 
diff --git a/resources/google/resourcemanager/compute-allowed-external-ips/step9.png b/resources/google/resourcemanager/compute-allowed-external-ips/step9.png new file mode 100644 index 000000000..13f9237ea Binary files /dev/null and b/resources/google/resourcemanager/compute-allowed-external-ips/step9.png differ diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step1.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step1.png differ diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step10.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step10.png new file mode 100644 index 000000000..a59dedbc5 Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step10.png differ diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step11.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step11.png differ diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step12.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step12.png new file mode 100644 index 000000000..510f164b3 Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step12.png differ diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step2.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step2.png new file mode 100644 index 000000000..955c45035 Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step2.png differ 
diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step4.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step4.png differ diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step6.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step6.png new file mode 100644 index 000000000..f0315ec73 Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step6.png differ diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step7.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step7.png new file mode 100644 index 000000000..e4740142e Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step7.png differ diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step8.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step8.png new file mode 100644 index 000000000..9e8528199 Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step8.png differ diff --git a/resources/google/resourcemanager/detailed-audit-logging-mode/step9.png b/resources/google/resourcemanager/detailed-audit-logging-mode/step9.png new file mode 100644 index 000000000..b355a59dc Binary files /dev/null and b/resources/google/resourcemanager/detailed-audit-logging-mode/step9.png differ diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step1.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step1.png differ 
diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step10.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step10.png new file mode 100644 index 000000000..2982ddd30 Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step10.png differ diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step11.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step11.png differ diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step12.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step12.png new file mode 100644 index 000000000..ef3856714 Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step12.png differ diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step2.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step2.png new file mode 100644 index 000000000..fa2998b26 Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step2.png differ diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step4.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step4.png differ diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step5.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step5.png new file mode 100644 index 000000000..e9b5bf949 Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step5.png differ 
diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step6.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step6.png new file mode 100644 index 000000000..7ecb5a44a Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step6.png differ diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step7.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step7.png new file mode 100644 index 000000000..2a6a1f018 Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step7.png differ diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step8.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step8.png new file mode 100644 index 000000000..cfed089de Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step8.png differ diff --git a/resources/google/resourcemanager/disable-automatic-iam-grants/step9.png b/resources/google/resourcemanager/disable-automatic-iam-grants/step9.png new file mode 100644 index 000000000..628db75c6 Binary files /dev/null and b/resources/google/resourcemanager/disable-automatic-iam-grants/step9.png differ diff --git a/resources/google/resourcemanager/disable-default-encryption-creation/step1.png b/resources/google/resourcemanager/disable-default-encryption-creation/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/disable-default-encryption-creation/step1.png differ diff --git a/resources/google/resourcemanager/disable-default-encryption-creation/step10.png b/resources/google/resourcemanager/disable-default-encryption-creation/step10.png new file mode 100644 index 000000000..e997bca1e Binary files /dev/null and b/resources/google/resourcemanager/disable-default-encryption-creation/step10.png differ 
diff --git a/resources/google/resourcemanager/disable-default-encryption-creation/step11.png b/resources/google/resourcemanager/disable-default-encryption-creation/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/disable-default-encryption-creation/step11.png differ diff --git a/resources/google/resourcemanager/disable-default-encryption-creation/step2.png b/resources/google/resourcemanager/disable-default-encryption-creation/step2.png new file mode 100644 index 000000000..955c45035 Binary files /dev/null and b/resources/google/resourcemanager/disable-default-encryption-creation/step2.png differ diff --git a/resources/google/resourcemanager/disable-default-encryption-creation/step4.png b/resources/google/resourcemanager/disable-default-encryption-creation/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/disable-default-encryption-creation/step4.png differ diff --git a/resources/google/resourcemanager/disable-guest-attributes/step1.png b/resources/google/resourcemanager/disable-guest-attributes/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step1.png differ diff --git a/resources/google/resourcemanager/disable-guest-attributes/step10.png b/resources/google/resourcemanager/disable-guest-attributes/step10.png new file mode 100644 index 000000000..2982ddd30 Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step10.png differ diff --git a/resources/google/resourcemanager/disable-guest-attributes/step11.png b/resources/google/resourcemanager/disable-guest-attributes/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step11.png differ 
diff --git a/resources/google/resourcemanager/disable-guest-attributes/step12.png b/resources/google/resourcemanager/disable-guest-attributes/step12.png new file mode 100644 index 000000000..a4a0c114b Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step12.png differ diff --git a/resources/google/resourcemanager/disable-guest-attributes/step2.png b/resources/google/resourcemanager/disable-guest-attributes/step2.png new file mode 100644 index 000000000..fa2998b26 Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step2.png differ diff --git a/resources/google/resourcemanager/disable-guest-attributes/step4.png b/resources/google/resourcemanager/disable-guest-attributes/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step4.png differ diff --git a/resources/google/resourcemanager/disable-guest-attributes/step5.png b/resources/google/resourcemanager/disable-guest-attributes/step5.png new file mode 100644 index 000000000..e9b5bf949 Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step5.png differ diff --git a/resources/google/resourcemanager/disable-guest-attributes/step6.png b/resources/google/resourcemanager/disable-guest-attributes/step6.png new file mode 100644 index 000000000..76fd93241 Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step6.png differ diff --git a/resources/google/resourcemanager/disable-guest-attributes/step7.png b/resources/google/resourcemanager/disable-guest-attributes/step7.png new file mode 100644 index 000000000..1d5c7fdc9 Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step7.png differ 
diff --git a/resources/google/resourcemanager/disable-guest-attributes/step8.png b/resources/google/resourcemanager/disable-guest-attributes/step8.png new file mode 100644 index 000000000..4e56dcacf Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step8.png differ diff --git a/resources/google/resourcemanager/disable-guest-attributes/step9.png b/resources/google/resourcemanager/disable-guest-attributes/step9.png new file mode 100644 index 000000000..3a4830a22 Binary files /dev/null and b/resources/google/resourcemanager/disable-guest-attributes/step9.png differ diff --git a/resources/google/resourcemanager/disable-serial-port-access/step1.png b/resources/google/resourcemanager/disable-serial-port-access/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step1.png differ diff --git a/resources/google/resourcemanager/disable-serial-port-access/step10.png b/resources/google/resourcemanager/disable-serial-port-access/step10.png new file mode 100644 index 000000000..2982ddd30 Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step10.png differ diff --git a/resources/google/resourcemanager/disable-serial-port-access/step11.png b/resources/google/resourcemanager/disable-serial-port-access/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step11.png differ diff --git a/resources/google/resourcemanager/disable-serial-port-access/step12.png b/resources/google/resourcemanager/disable-serial-port-access/step12.png new file mode 100644 index 000000000..25f9b87c0 Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step12.png differ 
diff --git a/resources/google/resourcemanager/disable-serial-port-access/step2.png b/resources/google/resourcemanager/disable-serial-port-access/step2.png new file mode 100644 index 000000000..fa2998b26 Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step2.png differ diff --git a/resources/google/resourcemanager/disable-serial-port-access/step4.png b/resources/google/resourcemanager/disable-serial-port-access/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step4.png differ diff --git a/resources/google/resourcemanager/disable-serial-port-access/step5.png b/resources/google/resourcemanager/disable-serial-port-access/step5.png new file mode 100644 index 000000000..e9b5bf949 Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step5.png differ diff --git a/resources/google/resourcemanager/disable-serial-port-access/step6.png b/resources/google/resourcemanager/disable-serial-port-access/step6.png new file mode 100644 index 000000000..c8eae033e Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step6.png differ diff --git a/resources/google/resourcemanager/disable-serial-port-access/step7.png b/resources/google/resourcemanager/disable-serial-port-access/step7.png new file mode 100644 index 000000000..4133fd8bc Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step7.png differ diff --git a/resources/google/resourcemanager/disable-serial-port-access/step8.png b/resources/google/resourcemanager/disable-serial-port-access/step8.png new file mode 100644 index 000000000..e564e89d5 Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step8.png differ 
diff --git a/resources/google/resourcemanager/disable-serial-port-access/step9.png b/resources/google/resourcemanager/disable-serial-port-access/step9.png new file mode 100644 index 000000000..5950af807 Binary files /dev/null and b/resources/google/resourcemanager/disable-serial-port-access/step9.png differ diff --git a/resources/google/resourcemanager/disable-service-account-creation/step1.png b/resources/google/resourcemanager/disable-service-account-creation/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step1.png differ diff --git a/resources/google/resourcemanager/disable-service-account-creation/step10.png b/resources/google/resourcemanager/disable-service-account-creation/step10.png new file mode 100644 index 000000000..2982ddd30 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step10.png differ diff --git a/resources/google/resourcemanager/disable-service-account-creation/step11.png b/resources/google/resourcemanager/disable-service-account-creation/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step11.png differ diff --git a/resources/google/resourcemanager/disable-service-account-creation/step12.png b/resources/google/resourcemanager/disable-service-account-creation/step12.png new file mode 100644 index 000000000..9fde262ca Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step12.png differ diff --git a/resources/google/resourcemanager/disable-service-account-creation/step2.png b/resources/google/resourcemanager/disable-service-account-creation/step2.png new file mode 100644 index 000000000..fa2998b26 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step2.png differ 
diff --git a/resources/google/resourcemanager/disable-service-account-creation/step4.png b/resources/google/resourcemanager/disable-service-account-creation/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step4.png differ diff --git a/resources/google/resourcemanager/disable-service-account-creation/step5.png b/resources/google/resourcemanager/disable-service-account-creation/step5.png new file mode 100644 index 000000000..e9b5bf949 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step5.png differ diff --git a/resources/google/resourcemanager/disable-service-account-creation/step7.png b/resources/google/resourcemanager/disable-service-account-creation/step7.png new file mode 100644 index 000000000..ba13d40da Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step7.png differ diff --git a/resources/google/resourcemanager/disable-service-account-creation/step8.png b/resources/google/resourcemanager/disable-service-account-creation/step8.png new file mode 100644 index 000000000..8d12ea5cb Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step8.png differ diff --git a/resources/google/resourcemanager/disable-service-account-creation/step9.png b/resources/google/resourcemanager/disable-service-account-creation/step9.png new file mode 100644 index 000000000..d95442495 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-creation/step9.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step1.png b/resources/google/resourcemanager/disable-service-account-key-creation/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step1.png differ 
diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step10.png b/resources/google/resourcemanager/disable-service-account-key-creation/step10.png new file mode 100644 index 000000000..2982ddd30 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step10.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step11.png b/resources/google/resourcemanager/disable-service-account-key-creation/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step11.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step12.png b/resources/google/resourcemanager/disable-service-account-key-creation/step12.png new file mode 100644 index 000000000..e4c6d06f0 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step12.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step2.png b/resources/google/resourcemanager/disable-service-account-key-creation/step2.png new file mode 100644 index 000000000..955c45035 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step2.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step4.png b/resources/google/resourcemanager/disable-service-account-key-creation/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step4.png differ 
diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step6.png b/resources/google/resourcemanager/disable-service-account-key-creation/step6.png new file mode 100644 index 000000000..bd0e45bbb Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step6.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step7.png b/resources/google/resourcemanager/disable-service-account-key-creation/step7.png new file mode 100644 index 000000000..b23a0a35a Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step7.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step8.png b/resources/google/resourcemanager/disable-service-account-key-creation/step8.png new file mode 100644 index 000000000..6e7d34924 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step8.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-creation/step9.png b/resources/google/resourcemanager/disable-service-account-key-creation/step9.png new file mode 100644 index 000000000..e60a17eb2 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-creation/step9.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step1.png b/resources/google/resourcemanager/disable-service-account-key-upload/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step1.png differ 
diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step10.png b/resources/google/resourcemanager/disable-service-account-key-upload/step10.png new file mode 100644 index 000000000..2982ddd30 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step10.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step11.png b/resources/google/resourcemanager/disable-service-account-key-upload/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step11.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step12.png b/resources/google/resourcemanager/disable-service-account-key-upload/step12.png new file mode 100644 index 000000000..883acd046 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step12.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step2.png b/resources/google/resourcemanager/disable-service-account-key-upload/step2.png new file mode 100644 index 000000000..955c45035 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step2.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step4.png b/resources/google/resourcemanager/disable-service-account-key-upload/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step4.png differ 
diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step6.png b/resources/google/resourcemanager/disable-service-account-key-upload/step6.png new file mode 100644 index 000000000..8e9c54c60 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step6.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step7.png b/resources/google/resourcemanager/disable-service-account-key-upload/step7.png new file mode 100644 index 000000000..130551ad8 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step7.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step8.png b/resources/google/resourcemanager/disable-service-account-key-upload/step8.png new file mode 100644 index 000000000..6408346f7 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step8.png differ diff --git a/resources/google/resourcemanager/disable-service-account-key-upload/step9.png b/resources/google/resourcemanager/disable-service-account-key-upload/step9.png new file mode 100644 index 000000000..5316b8cb1 Binary files /dev/null and b/resources/google/resourcemanager/disable-service-account-key-upload/step9.png differ diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step1.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step1.png differ 
diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step10.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step10.png new file mode 100644 index 000000000..2982ddd30 Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step10.png differ diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step11.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step11.png differ diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step12.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step12.png new file mode 100644 index 000000000..350e589ed Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step12.png differ diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step2.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step2.png new file mode 100644 index 000000000..955c45035 Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step2.png differ diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step4.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step4.png differ 
diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step6.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step6.png new file mode 100644 index 000000000..e1053a1a2 Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step6.png differ diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step7.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step7.png new file mode 100644 index 000000000..3a46eb535 Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step7.png differ diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step8.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step8.png new file mode 100644 index 000000000..4c00363e9 Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step8.png differ diff --git a/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step9.png b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step9.png new file mode 100644 index 000000000..a4b4c5db3 Binary files /dev/null and b/resources/google/resourcemanager/disable-workload-identity-cluster-creation/step9.png differ diff --git a/resources/google/resourcemanager/enforce-require-os-login/step1.png b/resources/google/resourcemanager/enforce-require-os-login/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step1.png differ 
diff --git a/resources/google/resourcemanager/enforce-require-os-login/step10.png b/resources/google/resourcemanager/enforce-require-os-login/step10.png new file mode 100644 index 000000000..8158eb184 Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step10.png differ diff --git a/resources/google/resourcemanager/enforce-require-os-login/step11.png b/resources/google/resourcemanager/enforce-require-os-login/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step11.png differ diff --git a/resources/google/resourcemanager/enforce-require-os-login/step12.png b/resources/google/resourcemanager/enforce-require-os-login/step12.png new file mode 100644 index 000000000..08e67ce3b Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step12.png differ diff --git a/resources/google/resourcemanager/enforce-require-os-login/step2.png b/resources/google/resourcemanager/enforce-require-os-login/step2.png new file mode 100644 index 000000000..955c45035 Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step2.png differ diff --git a/resources/google/resourcemanager/enforce-require-os-login/step4.png b/resources/google/resourcemanager/enforce-require-os-login/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step4.png differ diff --git a/resources/google/resourcemanager/enforce-require-os-login/step6.png b/resources/google/resourcemanager/enforce-require-os-login/step6.png new file mode 100644 index 000000000..85db96582 Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step6.png differ 
diff --git a/resources/google/resourcemanager/enforce-require-os-login/step7.png b/resources/google/resourcemanager/enforce-require-os-login/step7.png new file mode 100644 index 000000000..29dcbe0a9 Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step7.png differ diff --git a/resources/google/resourcemanager/enforce-require-os-login/step8.png b/resources/google/resourcemanager/enforce-require-os-login/step8.png new file mode 100644 index 000000000..4f75cb945 Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step8.png differ diff --git a/resources/google/resourcemanager/enforce-require-os-login/step9.png b/resources/google/resourcemanager/enforce-require-os-login/step9.png new file mode 100644 index 000000000..3fc647738 Binary files /dev/null and b/resources/google/resourcemanager/enforce-require-os-login/step9.png differ diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step1.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step1.png differ diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step10.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step10.png new file mode 100644 index 000000000..e997bca1e Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step10.png differ diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step11.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step11.png differ 
diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step12.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step12.png new file mode 100644 index 000000000..9158ec164 Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step12.png differ diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step2.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step2.png new file mode 100644 index 000000000..955c45035 Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step2.png differ diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step4.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step4.png differ diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step6.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step6.png new file mode 100644 index 000000000..2277e7747 Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step6.png differ diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step7.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step7.png new file mode 100644 index 000000000..2277e7747 Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step7.png differ 
diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step8.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step8.png new file mode 100644 index 000000000..73d5617dd Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step8.png differ diff --git a/resources/google/resourcemanager/enforce-restrict-authorized-networks/step9.png b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step9.png new file mode 100644 index 000000000..6d1431336 Binary files /dev/null and b/resources/google/resourcemanager/enforce-restrict-authorized-networks/step9.png differ diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step1.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step1.png new file mode 100644 index 000000000..ba05ca1ec Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step1.png differ diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step10.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step10.png new file mode 100644 index 000000000..e997bca1e Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step10.png differ diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step11.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step11.png new file mode 100644 index 000000000..a6abe10ac Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step11.png differ 
diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step12.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step12.png new file mode 100644 index 000000000..21a883950 Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step12.png differ diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step2.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step2.png new file mode 100644 index 000000000..955c45035 Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step2.png differ diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step4.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step4.png new file mode 100644 index 000000000..c7239f46d Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step4.png differ diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step6.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step6.png new file mode 100644 index 000000000..6e5439c4b Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step6.png differ diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step7.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step7.png new file mode 100644 index 000000000..80e5fb4cb Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step7.png differ 
diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step8.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step8.png new file mode 100644 index 000000000..3a5b99bfd Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step8.png differ diff --git a/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step9.png b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step9.png new file mode 100644 index 000000000..202cc8ad1 Binary files /dev/null and b/resources/google/resourcemanager/enforce-uniform-bucket-level-access/step9.png differ
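Review bot: in the enforce-restrict-authorized-networks directory, step6.png and step7.png are committed with the identical blob index 2277e7747, so step7 appears to be a copy of the step6 screenshot rather than an image of step 7; please confirm the intended step 7 capture before merging. The same set of blobs is also added under each of the four remediation directories (step1.png ba05ca1ec, step2.png 955c45035, step4.png c7239f46d, step11.png a6abe10ac, and step10.png e997bca1e in two of them), which duplicates the same bytes in the repository; consider placing the shared console screenshots in one common resources path and referencing them from each guide. Finally, for enforce-require-os-login, enforce-restrict-authorized-networks and enforce-uniform-bucket-level-access the files listed run step1, step2, step4 and step6 through step12, with no step3.png or step5.png in this patch; if the corresponding guides reference those steps, the images are missing, and if they do not, the numbering should be made contiguous.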