turbot / steampipe-mod-gcp-compliance

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS across all of your GCP projects using Powerpipe and Steampipe.

Home Page: https://hub.powerpipe.io/mods/turbot/gcp_compliance

License: Apache License 2.0

HCL 100.00%
gcp security cis sql compliance cis-benchmark steampipe steampipe-mod hacktoberfest powerpipe

steampipe-mod-gcp-compliance's Introduction

GCP Compliance Mod for Powerpipe

Important

Powerpipe is now the preferred way to run this mod! Migrating from Steampipe →

All v0.x versions of this mod will work in both Steampipe and Powerpipe, but v1.0.0 onwards will be in Powerpipe format only.

80+ checks covering industry defined security best practices for Google Cloud services.

Includes full support for v1.2.0 CIS, v1.3.0 CIS, v2.0.0 CIS, v3.0.0 CIS, CFT Scorecard and Forseti Security benchmarks.

Run checks in a dashboard or in a terminal.

Documentation

Getting Started

Installation

Install Powerpipe (https://powerpipe.io/downloads), or use Brew:

brew install turbot/tap/powerpipe

This mod also requires Steampipe with the GCP plugin as the data source. Install Steampipe (https://steampipe.io/downloads), or use Brew:

brew install turbot/tap/steampipe
steampipe plugin install gcp

Steampipe will automatically use your default GCP credentials. Optionally, you can set up multiple projects.

Finally, install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance

Browsing Dashboards

Start Steampipe as the data source:

steampipe service start

Start the dashboard server:

powerpipe server

Browse and view your dashboards at http://localhost:9033.

Running Checks in Your Terminal

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the powerpipe benchmark command:

List available benchmarks:

powerpipe benchmark list

Run a benchmark:

powerpipe benchmark run gcp_compliance.benchmark.cis_v200

Different output formats are also available; for more information, see Output Formats.

Common and Tag Dimensions

The benchmark queries use common properties (like connection_name, location and project) and tags that are defined in the form of a default list of strings in the variables.sp file. These properties can be overwritten in several ways:

It's easiest to set up your vars file, starting with the sample:

cp steampipe.spvars.example steampipe.spvars
vi steampipe.spvars

Alternatively you can pass variables on the command line:

powerpipe benchmark run gcp_compliance.benchmark.cis_v200 --var 'tag_dimensions=["environment", "owner"]'

Or through environment variables:

export PP_VAR_common_dimensions='["connection_name", "location", "project"]'
export PP_VAR_tag_dimensions='["environment", "owner"]'
powerpipe benchmark run gcp_compliance.benchmark.cis_v200

Open Source & Contributing

This repository is published under the Apache 2.0 license. Please see our code of conduct. We look forward to collaborating with you!

Steampipe and Powerpipe are products produced from this open source software, exclusively by Turbot HQ, Inc. They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our Open Source FAQ.

Get Involved

Join #powerpipe on Slack →

Want to help but don't know where to start? Pick up one of the help wanted issues:

steampipe-mod-gcp-compliance's People

Contributors

bigdatasourav, cbruno10, dboeke, debabrat-git, khushboo9024, m0nsieurchat, madhushreeray30, misraved, priyanka-chatterjee-2000, rajlearner17, saisirishreddy, shivani1982, subhajit97, vkumbha


steampipe-mod-gcp-compliance's Issues

Add GCP > CIS v1.3 > 1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key

Is your feature request related to a problem? Please describe.
Add GCP > CIS v1.3 > 1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key

Description

When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).

Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK). When you protect data in Google Cloud services with CMEK, the CMEK key is within your control.

Remediation

Add essential contacts for the GCP Organization.

From Console

  1. Log in to the GCP Console and navigate to the Dataproc Cluster page by visiting https://console.cloud.google.com/dataproc/clusters.

  2. Select the project from the projects dropdown list.

  3. On the Dataproc Cluster page, click on the Create Cluster to create a new cluster with Customer managed encryption keys.

  4. On Create a cluster page, perform below steps:

    • Inside Set up cluster section perform below steps:
      • In the Name textbox, provide a name for your cluster.
      • From Location select the location in which you want to deploy a cluster.
      • Configure other configurations as per your requirements.
    • Inside Configure Nodes and Customize cluster section configure the settings as per your requirements.
    • Inside Manage security section, perform below steps:
      • From Encryption, select Customer-managed key.
      • Select a customer-managed key from dropdown list.
      • Ensure that the selected KMS key has the Cloud KMS CryptoKey Encrypter/Decrypter role assigned to the Dataproc Cluster service account ("serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com").
      • Click on Create to create a cluster.
    • Once the cluster is created migrate all your workloads from the older cluster to the new cluster and delete the old cluster by performing the below steps:
      • On the Clusters page, select the old cluster and click on Delete cluster.
      • On the Confirm deletion window, click on Confirm to delete the cluster.
      • Repeat step above for other Dataproc clusters available in the selected project.
    • Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.

Queries between Control 2.4 and 2.11 of CIS v2.0.0 don't support multiple GCP projects?

When the Steampipe config has an aggregated connection of the GCP plugin, the controls between Control 2.4 and 2.11 of CIS v2.0.0 return ok if one of the GCP projects has a proper configuration.

Is this a bug?
I expected that the controls check each project and show the result of each project separately. But I'm not sure about CIS v2.0.0, so I cannot tell whether it is a bug or not.

Fix queries with unnecessary quotes ("").

Describe the bug
A clear and concise description of what the bug is.

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Incorrect logic in CIS 1.09

Describe the bug
Separation of duties is being incorrectly calculated by the SQL in CIS 1.09

The SQL statement selects 2 groups of users and then creates an alarm if the same user appears in both groups. However, the current query guarantees that anyone in group A (kms_admin_users) is also in group B (kms_encrypt_decrypt_users):

See:

where assigned_role in ('roles/cloudkms.admin', 'roles/cloudkms.cryptoKeyEncrypterDecrypter', 'roles/cloudkms.cryptoKeyEncrypter', 'roles/cloudkms.cryptoKeyDecrypter')

Add CFT Scorecard benchmark and controls

Is your feature request related to a problem? Please describe.
https://github.com/GoogleCloudPlatform/policy-library/blob/master/docs/bundles/scorecard-v1.md

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add queries to check CIS Section 1.9, 1.10 and 1.11

Is your feature request related to a problem? Please describe.
N/A

Describe the solution you'd like
Add queries to check section 1.9, 1.10 and 1.11

Describe alternatives you've considered
N/A

Additional context
N/A

Add CIS v1.2.0 section 5 docs

Is your feature request related to a problem? Please describe.
CIS section 5 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 5 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

Add Forseti Security benchmarks and controls

Is your feature request related to a problem? Please describe.
https://forsetisecurity.org/

Describe the solution you'd like
Add benchmarks and controls for implementing Forseti Security

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add GCP > CIS v1.3 > 2.15 Ensure 'Access Approval' is 'Enabled'

Is your feature request related to a problem? Please describe.
Add GCP > CIS v1.3 > 2.15 Ensure 'Access Approval' is 'Enabled'

Description:
GCP Access Approval enables you to require your organizations' explicit approval whenever Google support try to access your projects. You can then select users within your organization who can approve these requests through giving them a security role in IAM. All access requests display which Google Employee requested them in an email or Pub/Sub message that you can choose to Approve. This adds an additional control and logging of who in your organization approved/denied these requests.

Audit:
From Console:

Determine if Access Transparency is Enabled as it is a Dependency

  1. From the Google Cloud Home inside the project you wish to audit, click on the Navigation hamburger menu in the top left. Hover over the IAM & Admin Menu. Select settings in the middle of the column that opens.
  2. The status should be "Enabled" under the heading Access Transparency

Determine if Access Approval is Enabled:

  1. From the Google Cloud Home, within the project you wish to check, click on the Navigation hamburger menu in the top left. Hover over the Security Menu. Select Access Approval in the middle of the column that opens.
  2. The status will be displayed here. If you see a screen saying you need to enroll in Access Approval, it is not enabled.

From CLI:

Determine if Access Approval is Enabled

  1. From within the project you wish to audit, run the following command.
    gcloud access-approval settings get
  2. The status will be displayed in the output.

Update index doc and README for Steampipe v0.14.0 release

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add CIS v1.2.0 section 1 docs

Is your feature request related to a problem? Please describe.
CIS section 1 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 1 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

Add CIS v1.2.0 section 6.4 to 6.7 docs

Is your feature request related to a problem? Please describe.
CIS section 6.4 to 6.7 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 6.4 to 6.7 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

Add GCP CIS 1.3 controls

Is your feature request related to a problem? Please describe.

A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Reference

CIS 1.3.0 milestone details

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Query kms_key_rotated_within_90_day modification to verify key status

Describe the bug
The query kms_key_rotated_within_90_day currently looks for the key rotation period configured on the KMS key. When the key is scheduled for deletion, the query does not skip but does perform the check as if the key is active.

Expected behavior
When the key is scheduled for deletion, the query should either skip the check or end with status - scheduled for destruction

Additional context
If the key is not scheduled for rotation <= 90 days, the query produces an alarm even for the keys that are scheduled for destruction. Leaving the query as is would generate noise for any keys that are not active and are not configured with <= 90 days rotation.

The state column in table gcp_kms_key_version might be helpful to validate the status of the key.
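One way to implement the behaviour requested in this issue, as an added example that is not the mod's own query: it runs on SQLite over constructed, simplified stand-ins for gcp_kms_key and gcp_kms_key_version and compares the rotation-only check with a state-aware one. The integer rotation_period_s column, the key_name join column and the rule that a key with no ENABLED version is skipped are assumptions made for the illustration.

```python
import sqlite3

MAX_ROTATION_SECONDS = 90 * 24 * 60 * 60  # 90 days

# Constructed sample keys: (name, rotation period in seconds, or None if unset).
SAMPLE_KEYS = [
    ("orders-key", 30 * 24 * 60 * 60),    # rotates every 30 days
    ("legacy-key", None),                 # no rotation, being destroyed
    ("reports-key", 365 * 24 * 60 * 60),  # rotates yearly
    ("retiring-key", None),               # no rotation, one version still active
]

# Constructed sample versions: (key_name, version number, state).
# The state strings are Cloud KMS CryptoKeyVersion states.
SAMPLE_VERSIONS = [
    ("orders-key", 1, "ENABLED"),
    ("legacy-key", 1, "DESTROY_SCHEDULED"),
    ("legacy-key", 2, "DESTROYED"),
    ("reports-key", 1, "ENABLED"),
    ("retiring-key", 1, "DESTROY_SCHEDULED"),
    ("retiring-key", 2, "ENABLED"),
]

# Behaviour the issue describes: only the rotation period is checked,
# so a key whose versions are all being destroyed still raises an alarm.
ROTATION_ONLY_SQL = """
select
  name,
  case
    when rotation_period_s is not null and rotation_period_s <= ? then 'ok'
    else 'alarm'
  end as status
from gcp_kms_key
order by name
"""

# Requested behaviour: a key with no ENABLED version is reported as 'skip'
# before the rotation period is evaluated (assumed interpretation of
# "scheduled for deletion").
STATE_AWARE_SQL = """
select
  k.name,
  case
    when sum(case when v.state = 'ENABLED' then 1 else 0 end) = 0 then 'skip'
    when k.rotation_period_s is not null and k.rotation_period_s <= ? then 'ok'
    else 'alarm'
  end as status
from gcp_kms_key k
left join gcp_kms_key_version v on v.key_name = k.name
group by k.name, k.rotation_period_s
order by k.name
"""


def load_kms(keys=SAMPLE_KEYS, versions=SAMPLE_VERSIONS):
    """Build the two simplified tables in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table gcp_kms_key (name text, rotation_period_s integer)")
    conn.execute(
        "create table gcp_kms_key_version "
        "(key_name text, crypto_key_version integer, state text)"
    )
    conn.executemany("insert into gcp_kms_key values (?, ?)", keys)
    conn.executemany("insert into gcp_kms_key_version values (?, ?, ?)", versions)
    return conn


def rotation_only_status(conn):
    """Status per key when only the rotation period is considered."""
    return dict(conn.execute(ROTATION_ONLY_SQL, (MAX_ROTATION_SECONDS,)))


def state_aware_status(conn):
    """Status per key when keys without an ENABLED version are skipped."""
    return dict(conn.execute(STATE_AWARE_SQL, (MAX_ROTATION_SECONDS,)))


if __name__ == "__main__":
    db = load_kms()
    before = rotation_only_status(db)
    after = state_aware_status(db)
    for key_name in sorted(before):
        print(f"{key_name:14} rotation-only={before[key_name]:6} state-aware={after[key_name]}")
```
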

Add GCP > CIS v1.3 > 1.16 Ensure Essential Contacts is Configured for Organization

Is your feature request related to a problem? Please describe.
Add GCP > CIS v1.3 > 1.16 Ensure Essential Contacts is Configured for Organization

Description

It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.

Many Google Cloud services, such as Cloud Billing, send out notifications to share important information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.

Remediation

Add essential contacts for the GCP Organization.

From Console

To add the essential contacts

  1. Go to Essential Contacts by visiting https://console.cloud.google.com/iam-admin/essential-contacts
  2. Make sure the organization appears in the resource selector at the top of the page. The resource selector tells you what project, folder, or organization you are currently managing contacts for.
  3. Click +Add contact
  4. In the Email and Confirm Email fields, enter the email address of the contact.
  5. From the Notification categories drop-down menu, select the notification categories that you want the contact to receive communications for.
  6. Click Save

Code tidy up e.g. use query = instead of sql = when connecting controls to queries across GCP compliance

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Queries that query `gcp_project` table should use `project_id` instead of `name` column in additional dimensions

Describe the bug
For queries like logging_metric_alert_audit_configuration_changes, we use ${local.common_dimensions_project_sql} for additional dimensions. This local uses the name column from gcp_project, but in the older version of the mod, we'd use project_id which is more useful.

Steampipe version (steampipe -v)
v0.19.4

Plugin version (steampipe plugin list)
v0.35.0

To reproduce
Run the query logging_metric_alert_audit_configuration_changes

Expected behavior
The project ID should be included in the additional dimensions, not the project name.

Additional context
None

Add CIS v1.2.0 section 6.2.1 - 6.2.16 docs

Is your feature request related to a problem? Please describe.
CIS section 6.2 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 6.2 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

Add CIS GCP v3.0.0 Benchmark

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Queries for cis_v200_1_13 and cis_v200_1_14

Is your feature request related to a problem? Please describe.
Queries for cis_v200_1_13 and cis_v200_1_14 are possible; the table gcp_apikeys_key has all the data that is needed.

Describe the solution you'd like
The table gcp_apikeys_key has the data to check for cis_v200_1_13, where the data from restrictions --> serverKeyRestrictions can be used.
Watch point: though the Hosts and Apps are up to the user/organization to decide, the query can be formalized - if there are no serverKeyRestrictions - the check should fail.

The table gcp_apikeys_key has the data to check for cis_v200_1_14, where the data from restrictions --> apiTargets can be used.
Watch point: though the APIs are up to the user/organization to decide, the query can be formalized - if there are no apiTargets - the check should fail.

Describe alternatives you've considered
Just to begin with, if the restrictions are null (a single query), both cis_v200_1_13 and cis_v200_1_14 should fail.

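query "iam_api_key_unrestriced" {
  sql = <<-EOQ
    select
      -- resource, status and reason are the columns a control query returns;
      -- display_name is carried along as an extra column.
      'https://iam.googleapis.com/v1/projects/' || project || '/apikeys/' || name as resource,
      display_name,
      case
        when restrictions is null then 'alarm'
        else 'ok'
      end as status,
      -- The reason follows the status, so an unrestricted key is not described as restricted.
      case
        when restrictions is null then display_name || ' ' || uid || ' has no host, apps or API restriction.'
        else display_name || ' ' || uid || ' has either host, apps or API restriction.'
      end as reason
      ${local.common_dimensions_global_sql}
    from
      gcp_apikeys_key;
  EOQ
}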

Additional context

Update mod.sp to address deprecation warning

Describe the bug
The current version of the mod returns a warning due to using the deprecated option version instead of min_version for the gcp plugin.

This issue can be trivially resolved by updating

  require {
    plugin "gcp" {
      version = "0.26.0"
    }
  }

to

  require {
    plugin "gcp" {
      min_version = "0.26.0"
    }
  }

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

control.cis_v120_1_12 - Rather incorrect description

Hi there!

description = "Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead."

Keys are insecure because they can be viewed publicly

Every API key is insecure because of that reason. Is there another reason why project wide API keys should not be created?
To the best of my knowledge: as a Service Account should maintain a single role (best case scenario), it would be best for the API keys to allow connection to a single resource, and not be used project wide for all resources; hence they should be properly restricted, and this has been covered with control 1.13. Putting that aside, you can create an API key per project only. The official documentation ( https://cloud.google.com/docs/authentication/api-keys ) states that this is the way to create an API key. Is there another way that I'm not seeing?

CIS 2.0.0 Control 1.11 Query is wrong

For the SQL query to accurately reflect this control, it would need to set an 'alarm' status only when a user has been assigned roles that allow them both to manage the keys and use the keys for encryption/decryption operations, as this combination would enable them to potentially misuse the keys without oversight.

The query would need to be adjusted to check for the combination of roles for each user and set the status to 'alarm' if a user has any administrative role combined with any operational role. Here's a simplified logic for that:
    ...
    when 'roles/cloudkms.admin' in (
        select assigned_role from kms_roles_users where user_name = r.user_name
      )
      and (
        'roles/cloudkms.cryptoKeyEncrypterDecrypter' in (
          select assigned_role from kms_roles_users where user_name = r.user_name
        )
        or 'roles/cloudkms.cryptoKeyEncrypter' in (
          select assigned_role from kms_roles_users where user_name = r.user_name
        )
        or 'roles/cloudkms.cryptoKeyDecrypter' in (
          select assigned_role from kms_roles_users where user_name = r.user_name
        )
      )
    then 'alarm'
    ...
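The separation-of-duties logic discussed in this issue and in "Incorrect logic in CIS 1.09" above, as an added example that is not the mod's own query: it runs on SQLite over a constructed kms_roles_users table and compares overlapping role sets with a per-user check for an admin role combined with an encrypt/decrypt role. The table and column names come from the snippet above; the sample members and the exact shape of the overlapping query are assumptions reconstructed from the issue text.

```python
import sqlite3

ADMIN_ROLE = "roles/cloudkms.admin"
CRYPTO_ROLES = (
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
)

# Constructed sample: one row per (member, role) binding.
SAMPLE_BINDINGS = [
    ("user:alice@example.com", ADMIN_ROLE),       # admin and crypto user: violation
    ("user:alice@example.com", CRYPTO_ROLES[0]),
    ("user:bob@example.com", ADMIN_ROLE),         # admin only
    ("user:carol@example.com", CRYPTO_ROLES[2]),  # decrypter only
    ("user:dave@example.com", CRYPTO_ROLES[1]),   # encrypter only
    ("user:dave@example.com", "roles/viewer"),
]

# Assumed reconstruction of the reported logic: the second group is filtered
# with the role list quoted in the CIS 1.09 issue, which also contains
# roles/cloudkms.admin, so every admin is a member of both groups.
OVERLAPPING_SQL = """
with kms_admin_users as (
  select distinct user_name from kms_roles_users where assigned_role = ?
),
kms_encrypt_decrypt_users as (
  select distinct user_name from kms_roles_users
  where assigned_role in (?, ?, ?, ?)
)
select a.user_name
from kms_admin_users a
join kms_encrypt_decrypt_users b on a.user_name = b.user_name
order by a.user_name
"""

# Per-user check: flag only members holding the admin role together with
# at least one of the three encrypt/decrypt roles.
SEPARATED_SQL = """
select user_name
from kms_roles_users
group by user_name
having sum(case when assigned_role = ? then 1 else 0 end) > 0
   and sum(case when assigned_role in (?, ?, ?) then 1 else 0 end) > 0
order by user_name
"""


def load_bindings(bindings=SAMPLE_BINDINGS):
    """Build kms_roles_users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table kms_roles_users (user_name text, assigned_role text)")
    conn.executemany("insert into kms_roles_users values (?, ?)", bindings)
    return conn


def users_flagged_overlapping(conn):
    """Members flagged when the crypto group's role list includes the admin role."""
    params = (ADMIN_ROLE, ADMIN_ROLE) + CRYPTO_ROLES
    return [row[0] for row in conn.execute(OVERLAPPING_SQL, params)]


def users_flagged_separated(conn):
    """Members flagged only when admin and crypto roles are actually combined."""
    params = (ADMIN_ROLE,) + CRYPTO_ROLES
    return [row[0] for row in conn.execute(SEPARATED_SQL, params)]


if __name__ == "__main__":
    db = load_bindings()
    print("overlapping role sets:", users_flagged_overlapping(db))
    print("separated role sets:  ", users_flagged_separated(db))
```
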

Add CIS v1.2.0 section 4 docs.

Is your feature request related to a problem? Please describe.
CIS section 4 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 4 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

Add CIS v1.2.0 section 6.3 - 6.7 docs.

Is your feature request related to a problem? Please describe.
CIS section 2 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 2 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

Add CIS check for Section 2.12

2.12 Ensure that Cloud DNS logging is enabled for all VPC networks (Automated)

Audit:

From Command Line:

  1. List all VPC networks in a project:
    gcloud compute networks list --format="table[box,title='All VPC Networks'](name:label='VPC Network Name')"
  2. List all DNS policies, logging enablement, and associated VPC networks:
    gcloud dns policies list --flatten="networks[]" --format="table[box,title='All DNS Policies By VPC Network'](name:label='Policy Name',enableLogging:label='LoggingEnabled':align=center,networks.networkUrl.basename():label='VPC Network Name')"

Each VPC Network should be associated with a DNS policy with logging enabled.

VPC Network Firewall rule

Currently the control 2.7 states

resource.type="gce_firewall_rule"
AND protoPayload.methodName="v1.compute.firewalls.patch" OR protoPayload.methodName="v1.compute.firewalls.insert"

however, in reality the correct filter is:

resource.type="gce_firewall_rule"
AND protoPayload.methodName="beta.compute.firewalls.patch" OR protoPayload.methodName="beta.compute.firewalls.insert"

Add CIS v1.2.0 section 6.1.3 docs

Is your feature request related to a problem? Please describe.
CIS section 6.3 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 6.3 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

2.2 Ensure that sinks are configured for all log entries - problem with multiple projects in an aggregator

Describe the bug
When using this dashboard against an aggregator returning a set of GCP projects, only the last project will return a correctly configured log sink although every other one is configured the same (using terraform)

I will post a MR to update the query so that it successfully works for all projects with a correctly configured sink.

Steampipe version (steampipe -v)
steampipe 0.20.9

Plugin version (steampipe plugin list)
gcp: 0.41.0

To reproduce
Use this dashboard against an aggregator or put multiple GCP projects in the search-path

Expected behavior
For every project in the search-path (or aggregator), all projects with correctly configured log sinks should return as OK

Controls between 2.6 and 2.9 of CIS v2.0.0 don't work with the GCP project configured as instructed in the documentation.

Controls between 2.6 and 2.9 of CIS v2.0.0 report alerts on the GCP projects even after they are configured as the Remediation section says.

The reason is that the Logging Query Language written in their documentation has ( and ), but the queries used by their controls don't take them into account.

I think that this is a bug in the queries, and the documentation looks correct.

Add CIS v1.2.0 section 7 docs

Is your feature request related to a problem? Please describe.
CIS section 7 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 7 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

CIS v1.3.0 and v2.0.0 3.10 control does not include all IPs and ports

Describe the bug
Starting in CIS v1.3.0, they added the IP 35.235.240.0/20 and port 443 to the list of allowed IPs/ports, but our control for 3.10 still uses the IPs and port from what CIS v1.2.0 said.

Steampipe version (steampipe -v)
v0.19.5

Plugin version (steampipe plugin list)
v0.35.0

To reproduce
View CIS v1.3.0 and v2.0.0 documents

Expected behavior
We should follow recommendations from CIS

Additional context
Add any other context about the problem here.

GCP CIS Control cis_v120_1_1 producing incorrect results.

Describe the bug
While running the CIS 1.3 benchmark, gcp_compliance.control.cis_v120_1_1 still produces incorrect results after updating the policy with fixes.

Steampipe version (steampipe -v)
steampipe version 0.17.1

Plugin version (steampipe plugin list)

hub.steampipe.io/plugins/turbot/gcp@latest - 0.30.0 - gcp

To reproduce

  • Run steampipe check gcp_compliance.control.cis_v120_1_1 to check Ensure that corporate login credentials are used
  • Fix it on GCP with gcloud alpha resource-manager org-policies allow --organization '89989898989' iam.allowedPolicyMemberDomains '8988989789798dsds'
  • Rerun the check.
  • Results still raise an alert to fix this compliance failure.

Expected behavior
Well, it should display the correct results.

Additional context
Slack Thread

Add CIS v1.2.0 section 3 docs

Is your feature request related to a problem? Please describe.
CIS section 3 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 3 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

Evaluate & Add CIS Google Cloud Platform Foundation Benchmark v2.0.0 (12-30-2022)

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add common and tag dimensions across compliance queries

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Common & tag dimensions will give the end user options to render compliance output based on tag keys, connection name, project ID & region.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add CIS v1.2.0 section 2 docs

Is your feature request related to a problem? Please describe.
CIS section 2 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 2 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

Update benchmark and control tags for compatibility with dashboard page

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Rename iam_service_account_user_managed_external_key_rotation_period.sql query and fix spacing in reason column

Describe the bug
The file should be renamed iam_service_account_user_managed_external_key_rotation_period.sql -> iam_service_account_user_key_age_90.sql, as it's more descriptive, and there's a space missing between the user name and key name.

Steampipe version (steampipe -v)
v0.5.0

Plugin version (steampipe plugin list)
gcp v0.12.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Add CIS v1.2.0 section 6.1.1 - 6.1.3 docs

Is your feature request related to a problem? Please describe.
CIS section 6 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 6 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.
