GCP Compute Engine Best Practices

Best practice rules for GCP Compute Engine

Trend Micro Cloud One™ – Conformity monitors GCP Compute Engine with the following rules:

• Approved Virtual Machine Image in Use

  Ensure that all your virtual machine instances are launched from approved images only.

• Check for Desired Machine Type(s)

  Ensure that your virtual machine (VM) instances are of a given type (e.g. c2-standard-4).

• Check for Instance-Associated Service Accounts with Full API Access

  Ensure that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.

• Check for Instances Associated with Default Service Accounts

  Ensure that your VM instances are not associated with the default GCP service account.

• Check for Publicly Shared Disk Images

  Ensure that your virtual machine disk images are not accessible to all GCP accounts.

• Check for Virtual Machine Instances with Public IP Addresses

  Ensure that Google Cloud VM instances are not using public IP addresses.

• Configure Maintenance Behavior for VM Instances

  Ensure that "On Host Maintenance" configuration setting is set to "Migrate" for all VM instances.

• Configure load balancers for Managed Instance Groups

  Ensure that Managed Instance Groups (MIGs) are associated with load balancers.

• Configure multiple zones for Managed Instance Groups

  Ensure that Managed Instance Groups are configured to run instances across multiple zones.

• Detect GCP Compute Engine Configuration Changes

  Compute Engine configuration changes have been detected within your Google Cloud Platform (GCP) account.

• Disable Auto-Delete for VM Instance Persistent Disks

  Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances.

• Disable IP Forwarding for Virtual Machine Instances

  Ensure that IP Forwarding is not enabled for your Google Cloud virtual machine (VM) instances.

• Disable Interactive Serial Console Support

  Ensure that interactive serial console support is not enabled for your Google Cloud instances.

• Disable Preemptibility for VM Instances

  Ensure that your production Google Cloud virtual machine instances are not preemptible.

• Enable "Block Project-Wide SSH Keys" Security Feature

  Ensure that project-wide SSH keys are not used to access your Google Cloud VM instances.

• Enable "Shielded VM" Security Feature

  Ensure that Shielded VM feature is enabled for your virtual machine (VM) instances.

• Enable Automatic Restart for VM Instances

  Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances.

• Enable Confidential Computing for Virtual Machine Instances

  Ensure that Confidential Computing is enabled for virtual machine (VM) instances.

• Enable Deletion Protection for VM Instances

  Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances.

• Enable Instance Group Autohealing

  Ensure that your Google Cloud instance groups are using autohealing to proactively replace failing instances.

• Enable OS Login for GCP Projects

  Ensure that the OS Login feature is enabled for your Google Cloud projects.

• Enable VM Disk Encryption with Customer-Supplied Encryption Keys

  Ensure that your virtual machine (VM) instance disks are encrypted with CSEKs.

• Enable Virtual Machine Disk Encryption with Customer-Managed Keys

  Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs).

• Enforce HTTPS Connections for App Engine Applications

  Ensure that Google App Engine applications enforce HTTPS connections.

• Remove Old Persistent Disk Snapshots

  Remove old virtual machine disk snapshots in order to optimize Google Cloud monthly costs.

• Use OS Login with 2FA Authentication for VM Instances

  Ensure that OS Login is configured with Two-Factor Authentication (2FA) for production VM instances.