Best practice rules for GCP Compute Engine
Trend Micro Cloud One™ – Conformity monitors GCP Compute Engine with the following rules:
- Check for Instance-Associated Service Accounts with Full API Access
Ensure that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.
- Check for Instances Associated with Default Service Accounts
Ensure that your VM instances are not associated with the default GCP service account.
- Check for Publicly Shared Disk Images
Ensure that your virtual machine disk images are not accessible to all GCP accounts.
- Check for Virtual Machine Instances with Public IP Addresses
Ensure that Google Cloud VM instances are not using public IP addresses.
- Configure Maintenance Behavior for VM Instances
Ensure that the "On Host Maintenance" configuration setting is set to "Migrate" for all VM instances.
- Disable Auto-Delete for VM Instance Persistent Disks
Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances.
- Disable IP Forwarding for Virtual Machine Instances
Ensure that IP Forwarding is not enabled for your Google Cloud virtual machine (VM) instances.
- Disable Interactive Serial Console Support
Ensure that interactive serial console support is not enabled for your Google Cloud instances.
- Disable Preemptibility for VM Instances
Ensure that your production Google Cloud virtual machine instances are not preemptible.
- Enable "Block Project-Wide SSH Keys" Security Feature
Ensure that project-wide SSH keys are not used to access your Google Cloud VM instances.
- Enable "Shielded VM" Security Feature
Ensure that the Shielded VM feature is enabled for your virtual machine (VM) instances.
- Enable Automatic Restart for VM Instances
Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances.
- Enable Deletion Protection for VM Instances
Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances.
- Enable OS Login for GCP Projects
Ensure that the OS Login feature is enabled for your Google Cloud projects.
- Enable VM Disk Encryption with Customer-Supplied Encryption Keys
Ensure that your virtual machine (VM) instance disks are encrypted with Customer-Supplied Encryption Keys (CSEKs).
- Enable Virtual Machine Disk Encryption with Customer-Managed Keys
Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs).
- Enforce HTTPS Connections for App Engine Applications
Ensure that Google App Engine applications enforce HTTPS connections.
- Use OS Login with 2FA Authentication for VM Instances
Ensure that OS Login is configured with Two-Factor Authentication (2FA) for production VM instances.