changes to section 1

jupiterone/questions/questions.yaml

@@ -130,6 +130,59 @@ questions:
   - standard: CIS Google Cloud Foundations 1.1
     requirements:
       - '1.1'
+
+- id: integration-question-google-mfa-enabled-non-service-accounts
+  title: Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
+  description: >
+    Setup multi-factor authentication for Google Cloud Platform accounts.
+  queries:
+  - name: good
+    query: |
+      FIND google_user WITH mfaEnabled=true or isEnrolledIn2Sv=true
+  - name: bad
+    query: |
+      FIND google_user WITH mfaEnabled!=true AND isEnrolledIn2Sv!=true
+  tags:
+  - google-cloud
+  - service-account
+  - mfa
+  compliance:
+  - standard: CIS Google Cloud Foundations 1.1
+    requirements:
+      - '1.2'
+  - standard: CIS Google Cloud Platform Foundation Benchmark 1.3
+    requirements:
+      - '1.2'
+  - standard: CIS Google Cloud Platform Foundation Benchmark 2.0.0
+    requirements:
+      - '1.2'
+
+- id: integration-question-google-ske-enabled-for-admin-accounts
+  title: Ensure that Security Key Enforcement is Enabled for All Admin Accounts
+  description: >
+    Setup Security Key Enforcement for Google Cloud Platform admin accounts.
+  queries:
+  - name: good
+    query: |
+      FIND google_user WITH admin = true OR isAdmin = true OR isDelegatedAdmin = true AND isEnforcedIn2Sv = true
+  - name: bad
+    query: |
+      FIND google_user WITH admin = true OR isAdmin = true OR isDelegatedAdmin = true AND isEnforcedIn2Sv = true
+  tags:
+  - google-cloud
+  - admin-account
+  - security-key-enforcement
+  compliance:
+  - standard: CIS Google Cloud Foundations 1.1
+    requirements:
+      - '1.3'
+  - standard: CIS Google Cloud Platform Foundation Benchmark 1.3
+    requirements:
+      - '1.3'
+  - standard: CIS Google Cloud Platform Foundation Benchmark 2.0.0
+    requirements:
+      - '1.3'
+
 - id: integration-question-google-cloud-managed-service-account-keys
   title: Ensure that there are only GCP-managed service account keys for each service account
   description:
@@ -148,6 +201,7 @@ questions:
   - standard: CIS Google Cloud Foundations 1.1
     requirements:
       - '1.4'
+
 - id: integration-question-google-cloud-service-account-non-admin
   title: Ensure that Service Account has no Admin privileges
   description:
@@ -197,6 +251,7 @@ questions:
   - standard: CIS Google Cloud Foundations 1.1
     requirements:
       - '1.5'
+
 - id: integration-question-google-cloud-iam-not-assigned-user-token-roles-project-level
   title: Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
   description: >
@@ -238,6 +293,7 @@ questions:
   - standard: CIS Google Cloud Foundations 1.1
     requirements:
       - '1.6'
+
 - id: integration-question-google-cloud-user-managed-external-keys-service-account-rotation-period
   title: Ensure user-managed/external keys for service accounts are rotated every 90 days or less
   description: >
@@ -335,6 +391,58 @@ questions:
     requirements:
       - '1.10'
 
+- id: integration-question-google-dataproc-cmek
+  title: Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
+  description: >
+    When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).
+  queries:
+  - name: good
+    query: |
+      FIND google_dataproc_cluster WITH encrypted = true AND kmsKeyName ~= "cmek"
+  - name: bad
+    query: |
+      FIND google_dataproc_cluster WITH encrypted != true OR kmsKeyName !~= "cmek"
+  tags:
+  - google-cloud
+  - customer-managed-encryption-key
+  - encryption
+  compliance:
+  - standard: CIS Google Cloud Foundations 1.1
+    requirements:
+      - '1.17'
+  - standard: CIS Google Cloud Platform Foundation Benchmark 1.3
+    requirements:
+      - '1.17'
+  - standard: CIS Google Cloud Platform Foundation Benchmark 2.0.0
+    requirements:
+      - '1.17'
+
+- id: integration-question-google-secret-manager
+  title: Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
+  description: >
+    Google Cloud Functions allow you to host serverless code that is executed when an event is triggered, without the requiring the management a host operating system.
+  queries:
+  - name: good
+    query: |
+      find google_cloud_project /* google_cloud_project THAT HAS google_secret_manager_secret */
+  - name: bad
+    query: |
+      
+  tags:
+  - google-cloud
+  - secret-manager
+  - cloud-functions
+  compliance:
+  - standard: CIS Google Cloud Foundations 1.1
+    requirements:
+      - '1.18'
+  - standard: CIS Google Cloud Platform Foundation Benchmark 1.3
+    requirements:
+      - '1.18'
+  - standard: CIS Google Cloud Platform Foundation Benchmark 2.0.0
+    requirements:
+      - '1.18'
+
 - id: integration-question-google-cloud-iam-all-user-policies
   title: Which policies are bound to “allUsers” or “allAuthenticatedUsers”?
   description: >