This repository was archived by the owner on Jun 25, 2024. It is now read-only.

Commit 14a7993

changes to section 3
1 parent 5a1a1a4 commit 14a7993

File tree

1 file changed

+49
-0
lines changed


jupiterone/questions/questions.yaml

+49
@@ -573,6 +573,55 @@ questions:
573573
requirements:
574574
- '3.7'
575575

576+
- id: integration-question-google-vpc-flow-logs-for-every-VPC-subnet
577+
title: Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
578+
description: >
579+
Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
580+
queries:
581+
- name: good
582+
query: |
583+
find google_compute_subnetwork WITH flowLogsEnabled = true
584+
- name: bad
585+
query: |
586+
find google_compute_subnetwork WITH flowLogsEnabled != true
587+
tags:
588+
- google-cloud
589+
- VPC-flowlogs
590+
- logging
591+
compliance:
592+
- standard: CIS Google Cloud Foundations 1.1
593+
requirements:
594+
- '3.8'
595+
- standard: CIS Google Cloud Platform Foundation Benchmark 1.3
596+
requirements:
597+
- '3.8'
598+
- standard: CIS Google Cloud Platform Foundation Benchmark 2.0.0
599+
requirements:
600+
- '3.8'
601+
602+
- id: integration-question-google-IAP-allow-google-IP-addresses
603+
title: Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
604+
description: >
605+
IAP authenticates the user requests to your apps via a Google single sign in. You can then manage these users with permissions to control access. It is recommended to use both IAP permissions and firewalls to restrict this access to your apps with sensitive information.
606+
queries:
607+
- name: good
608+
query: |
609+
find Service with displayName="Cloud Identity-Aware Proxy API" and enabled = true
610+
- name: bad
611+
query: |
612+
find Service with displayName="Cloud Identity-Aware Proxy API" and enabled != true
613+
tags:
614+
- google-cloud
615+
- google-IAP
616+
- Networking
617+
compliance:
618+
- standard: CIS Google Cloud Platform Foundation Benchmark 1.3
619+
requirements:
620+
- '3.10'
621+
- standard: CIS Google Cloud Platform Foundation Benchmark 2.0.0
622+
requirements:
623+
- '3.10'
624+
576625
- id: integration-question-google-cloud-firewall-deny-all
577626
title: Which Google Cloud networks do not have a default Deny All egress rule for firewalls?
578627
description: >
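Review bot: The `good`/`bad` queries for `integration-question-google-IAP-allow-google-IP-addresses` do not test what the title and description promise. The title says "Ensure Only Traffic From Google IP Addresses are 'Allowed'" and the description says to restrict access with both IAP permissions and firewalls, but `find Service with displayName="Cloud Identity-Aware Proxy API" and enabled = true` only checks that the IAP API is enabled in the project; a project can pass this query while its firewall rules still admit traffic from any source, so the question should either add a query over the firewall rules' allowed source ranges or narrow the title and description to "IAP API enabled" so the result is not read as a firewall check. Two smaller points in the same hunk: the title should read "is 'Allowed'" (singular subject "Traffic"), and the IAP queries use lowercase `with` while the Flow Logs queries above use `WITH`, so pick one casing for the file.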
