{"id":15221757,"url":"https://github.com/googlecloudplatform/inspec-gcp-cis-benchmark","last_synced_at":"2025-05-09T00:22:47.989Z","repository":{"id":37857236,"uuid":"229198996","full_name":"GoogleCloudPlatform/inspec-gcp-cis-benchmark","owner":"GoogleCloudPlatform","description":"GCP CIS 1.1.0 Benchmark InSpec Profile","archived":false,"fork":false,"pushed_at":"2024-08-03T18:33:38.000Z","size":234,"stargazers_count":130,"open_issues_count":13,"forks_count":56,"subscribers_count":28,"default_branch":"master","last_synced_at":"2025-04-19T22:18:30.532Z","etag":null,"topics":["auditing","cis-benchmark","cloud","compliance","gcp","inspec","security"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoogleCloudPlatform.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-20T05:51:21.000Z","updated_at":"2025-01-23T12:46:24.000Z","dependencies_parsed_at":"2024-12-14T16:10:22.739Z","dependency_job_id":"8bba9c4a-2c91-47f8-9df5-74bd545aff4b","html_url":"https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark","commit_stats":null,"previous_names":[],"tags_count":26,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Finspec-gcp-cis-benchmark","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Finspec-gcp-cis-benchmark/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Finspe
c-gcp-cis-benchmark/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Finspec-gcp-cis-benchmark/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoogleCloudPlatform","download_url":"https://codeload.github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253167390,"owners_count":21864638,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auditing","cis-benchmark","cloud","compliance","gcp","inspec","security"],"created_at":"2024-09-28T15:07:19.905Z","updated_at":"2025-05-09T00:22:47.963Z","avatar_url":"https://github.com/GoogleCloudPlatform.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GCP CIS 1.2.0 Benchmark Inspec Profile\n\nThis repository holds the [Google Cloud Platform (GCP)](https://cloud.google.com/) [Center for Internet Security (CIS)](https://www.cisecurity.org) [version 1.2 Benchmark](https://www.cisecurity.org/benchmark/google_cloud_computing_platform/) [Inspec](https://www.inspec.io/) Profile.\n\n## Required Disclaimer\n\nThis is not an officially supported Google product. This code is intended to help users assess their security posture on the Google Cloud against the CIS Benchmark. 
This code is not certified by CIS.\n\n## Coverage\n\nThe following GCP CIS v1.2.0 Benchmark Controls are not covered:\n\n- Identity and Access Management 1.2 - \"Ensure that multi-factor authentication is enabled for all non-service accounts\"\n- Identity and Access Management 1.3 - \"Ensure that Security Key Enforcement is enabled for all admin accounts\"\n- Identity and Access Management 1.12 - \"Ensure API keys are not created for a project\"\n- Identity and Access Management 1.13 - \"Ensure API keys are restricted to use by only specified Hosts and Apps\"\n- Identity and Access Management 1.14 - \"Ensure API keys are restricted to only APIs that application needs access\"\n- Identity and Access Management 1.15 - \"Ensure API keys are rotated every 90 days\"\n- Cloud SQL Database Services 6.3 - \"Ensure that MySql database instance does not allow anyone to connect with administrative privileges\"\n- Cloud SQL Database Services 6.4 - \"Ensure that MySQL Database Instance does not allows root login from any Host\"\n\n## Usage\n\n### Profile Inputs (see `inspec.yml` file)\n\nThis profile uses InSpec Inputs to make the tests more flexible. 
You are able to provide inputs at runtime either via the `cli` or via `YAML files` to help the profile work best in your deployment.\n\n**pro tip**: Do not change the inputs in the `inspec.yml` file directly, either:\n\n- update them via the cli - via the `--input` flag\n- pass them in via a YAML file as shown in the `Example` - via the `--input-file` flag\n\nFurther details can be found here: \u003chttps://docs.chef.io/inspec/inputs/\u003e\n\n### (Required) User Provided Inputs - via the CLI or Input Files\n\n- **gcp_project_id** - (Default: null, type: String) - The target GCP Project you are scanning.\n\n### (Optional) User Provided Inputs\n\n- **sa_key_older_than_seconds** - (Default: 7776000, type: int, CIS IAM 1.15) - The maximum allowed age of GCP User-managed Service Account Keys (90 days in seconds).\n- **kms_rotation_period_seconds** - (Default: 7776000, type: int, CIS IAM 1.10) - The maximum allowed age of KMS keys (90 days in seconds).\n\n### Cloud Shell Walkthrough\n\nUse this Cloud Shell Walkthrough for a hands-on example.\n\n[![Open this project in Cloud Shell](http://gstatic.com/cloudssh/images/open-btn.png)](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark\u0026page=editor\u0026tutorial=walkthrough.md)\n\n### CLI Example\n\n#### Ruby Gem\n\n```\n#install inspec\n$ gem install inspec-bin -v 4.26.15 --no-document --quiet\n```\n\n```\n# make sure you're authenticated to GCP\n$ gcloud auth list\n\n# acquire credentials to use with Application Default Credentials\n$ gcloud auth application-default login\n\n```\n\n```\n# scan a project with this profile, replace {{project-id}} with your project ID\n$ inspec exec https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark.git -t gcp:// --input gcp_project_id={{project-id}}  --reporter cli json:{{project-id}}_scan.json\n...snip...\nProfile Summary: 48 successful controls, 5 control failures, 7 controls skipped\nTest Summary: 166 
successful, 7 failures, 7 skipped\n```\n\n#### Docker\n```\n# pull inspec image\n$ docker pull chef/inspec:4.26.15\n```\n\n```\n# make sure you're authenticated to GCP\n$ gcloud auth list\n\n# acquire credentials to use with Application Default Credentials\n$ gcloud auth application-default login\n\n```\n\n```\n# create function for convenience\n$ function inspec-docker { docker run -it -e GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS=true --rm -v ~/.config:/root/.config -v $(pwd):/share chef/inspec:4.26.15 \"$@\"; }\n\n# scan a project with this profile, replace {{project-id}} with your project ID\n$ inspec-docker exec https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark.git -t gcp:// --input gcp_project_id={{project-id}}  --reporter cli json:{{project-id}}_scan.json\n...snip...\nProfile Summary: 48 successful controls, 5 control failures, 7 controls skipped\nTest Summary: 166 successful, 7 failures, 7 skipped\n```\n\n### Required APIs\n\nConsider these GCP projects, which may all be the same or different:\n\n- the project of the Service Account that's used to authenticate the scan\n- the project from which the benchmark is called\n- the project to be scanned\n\nThe following GCP APIs should be enabled in **all** of these projects:\n\n- cloudkms.googleapis.com\n- cloudresourcemanager.googleapis.com\n- compute.googleapis.com\n- dns.googleapis.com\n- iam.googleapis.com\n- logging.googleapis.com\n- monitoring.googleapis.com\n- sqladmin.googleapis.com\n- storage-api.googleapis.com\n\n### Required Permissions\n\nThe following permissions are required to run the CIS benchmark profile:\n\nOn organization level:\n\n- resourcemanager.organizations.get\n- resourcemanager.projects.get\n- resourcemanager.projects.getIamPolicy\n- resourcemanager.folders.get\n\nOn project level:\n\n- cloudkms.cryptoKeys.get\n- cloudkms.cryptoKeys.getIamPolicy\n- cloudkms.cryptoKeys.list\n- cloudkms.keyRings.list\n- cloudsql.instances.get\n- cloudsql.instances.list\n- 
compute.firewalls.get\n- compute.firewalls.list\n- compute.instances.get\n- compute.instances.list\n- compute.networks.get\n- compute.networks.list\n- compute.projects.get\n- compute.regions.list\n- compute.sslPolicies.get\n- compute.sslPolicies.list\n- compute.subnetworks.get\n- compute.subnetworks.list\n- compute.targetHttpsProxies.get\n- compute.targetHttpsProxies.list\n- compute.zones.list\n- dns.managedZones.get\n- dns.managedZones.list\n- iam.serviceAccountKeys.list\n- iam.serviceAccounts.list\n- logging.logMetrics.list\n- logging.sinks.get\n- logging.sinks.list\n- monitoring.alertPolicies.list\n- resourcemanager.projects.get\n- resourcemanager.projects.getIamPolicy\n- storage.buckets.get\n- storage.buckets.getIamPolicy\n- storage.buckets.list\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Finspec-gcp-cis-benchmark","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgooglecloudplatform%2Finspec-gcp-cis-benchmark","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Finspec-gcp-cis-benchmark/lists"}
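The CLI examples in the README above write a machine-readable report with `--reporter cli json:{{project-id}}_scan.json`, but the README stops at the summary line. The Ruby script below is an added example, not code from the repository or the profile, showing how to post-process that JSON report: it rolls each control's per-test results up to one status (any failed test fails the control; a control whose tests all skipped, or that has no tests, counts as skipped), buckets failures by InSpec's documented impact bands (below 0.4 minor, below 0.7 major, 0.7 and above critical), and prints failures worst-first so a CI job can gate on them. The embedded report is a constructed sample in the shape the InSpec JSON reporter produces; its control ids, titles and messages are assumptions for illustration, not the profile's real controls.

```ruby
require "json"

# Constructed sample in the shape InSpec's JSON reporter writes
# (profiles -> controls -> results). Ids, titles and messages are
# illustrative assumptions, not taken from the inspec-gcp-cis-benchmark profile.
SAMPLE_REPORT = <<~'JSON'
  {
    "version": "4.26.15",
    "profiles": [{
      "name": "inspec-gcp-cis-benchmark",
      "controls": [
        {"id": "cis-gcp-1.4-iam", "title": "Only GCP-managed service account keys exist",
         "impact": 1.0, "results": [
           {"status": "passed", "code_desc": "key a is gcp-managed"},
           {"status": "failed", "code_desc": "key b is gcp-managed",
            "message": "expected gcp-managed, got user-managed"}]},
        {"id": "cis-gcp-3.6-networking", "title": "SSH is not open to the internet",
         "impact": 0.5, "results": [
           {"status": "failed", "code_desc": "firewall allow-ssh",
            "message": "0.0.0.0/0 may reach tcp/22"}]},
        {"id": "cis-gcp-1.2-iam", "title": "MFA is enabled for all non-service accounts",
         "impact": 0.0, "results": [
           {"status": "skipped", "code_desc": "not automatable",
            "skip_message": "Not covered by this profile"}]},
        {"id": "cis-gcp-2.1-logging", "title": "Cloud Audit Logging is configured",
         "impact": 1.0, "results": [{"status": "passed", "code_desc": "audit config"}]}
      ]
    }],
    "statistics": {"duration": 42.1}
  }
JSON

# InSpec's documented impact-to-severity bands; impact 0.0 means not applicable.
def severity(impact)
  return "none" if impact.nil? || impact.zero?
  return "critical" if impact >= 0.7
  return "major" if impact >= 0.4
  "minor"
end

# Roll the per-test results up to one status per control: any failed test
# fails the control; all-skipped (or no tests at all) is skipped; else passed.
def control_status(control)
  results = control.fetch("results", [])
  return "failed" if results.any? { |r| r["status"] == "failed" }
  return "skipped" if results.empty? || results.all? { |r| r["status"] == "skipped" }
  "passed"
end

# Parse a report and return counts plus the failed controls, worst severity first.
def summarize_report(json_text)
  report = JSON.parse(json_text)
  counts = { "passed" => 0, "failed" => 0, "skipped" => 0 }
  failures = []
  report.fetch("profiles", []).each do |profile|
    profile.fetch("controls", []).each do |control|
      status = control_status(control)
      counts[status] += 1
      next unless status == "failed"
      failed_tests = control["results"].select { |r| r["status"] == "failed" }
      failures << {
        id: control["id"],
        title: control["title"],
        severity: severity(control["impact"]),
        messages: failed_tests.map { |r| "#{r["code_desc"]}: #{r["message"]}" }
      }
    end
  end
  order = { "critical" => 0, "major" => 1, "minor" => 2, "none" => 3 }
  failures.sort_by! { |f| [order[f[:severity]], f[:id]] }
  { passed: counts["passed"], failed: counts["failed"],
    skipped: counts["skipped"], failures: failures }
end

# Render the same one-line summary InSpec prints, followed by each failure.
def format_summary(summary)
  lines = ["Profile Summary: #{summary[:passed]} successful controls, " \
           "#{summary[:failed]} control failures, #{summary[:skipped]} controls skipped"]
  summary[:failures].each do |f|
    lines << "  [#{f[:severity]}] #{f[:id]} - #{f[:title]}"
    f[:messages].each { |m| lines << "      #{m}" }
  end
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # With a path argument, read a real scan report; otherwise use the sample.
  text = ARGV.empty? ? SAMPLE_REPORT : File.read(ARGV[0])
  summary = summarize_report(text)
  puts format_summary(summary)
  # Gate a CI pipeline on a real scan: non-zero exit on any control failure.
  exit 1 if !ARGV.empty? && summary[:failed] > 0
end
```

Run it as `ruby summarize_scan.rb {{project-id}}_scan.json` after the `inspec exec` shown above; the filename and the exit-code policy are choices made here, not part of the profile.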