
    About Sysdig Secure for cloud on GCP

    Setup options, details, troubleshooting, and validation steps for the various cloud vendors under Installations - Cloud - GCP

    Available Features

    • Threat detection based on GCP Cloud Audit Logs integration
    • Compliance Security Posture Management (CSPM), including CIS GCP and CIS GKE Benchmark compliance assessments
    • GCP Cloud Container scanning
    • Image scanning on GCP

    Threat Detection Based on GCP Cloud Audit Logs

    Threat Detection uses GCP Cloud Audit Logs together with Falco rules to detect threats as soon as they occur and to provide governance, compliance, and risk auditing for your cloud accounts.

    A rich set of Falco rules, a GCP Best Practices default policy, and a GCP policy type for creating customized policies are included. These correspond to security standards and benchmarks such as NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, and Google Cloud Security best practices.
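    The following Python sketch is an added example, not Sysdig's or Falco's own code, showing the kind of matching that audit-log rules such as "GCP Create API Keys for a Project", "GCP Remove KMS Key Rotation" and "GCP Operation by a Non-corporate Account" perform over Cloud Audit Log entries. It assumes the standard Cloud Audit Log LogEntry JSON layout (protoPayload.serviceName, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.request); the exact method-name strings it matches on and the sample entries are assumptions and constructed data, and CORPORATE_DOMAINS is a placeholder you would replace with your own identity domains.

```python
"""Apply a few Falco-style rules to GCP Cloud Audit Log entries (added example).

Assumes the standard LogEntry JSON layout; method names are assumed, and the
sample log lines at the bottom are constructed, not captured from a real project.
"""
import json
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Placeholder: identity domains that count as corporate in your organisation.
CORPORATE_DOMAINS = {"example.com"}


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[dict], bool]
    tags: tuple


def _payload(entry: dict) -> dict:
    return entry.get("protoPayload") or {}


def _principal(entry: dict) -> str:
    return (_payload(entry).get("authenticationInfo") or {}).get("principalEmail", "")


def _service(entry: dict) -> str:
    return _payload(entry).get("serviceName", "")


def _method(entry: dict) -> str:
    return _payload(entry).get("methodName", "")


def _mask_paths(mask) -> List[str]:
    # proto3 JSON encodes a FieldMask as "a,b"; tolerate {"paths": [...]} as well.
    if isinstance(mask, str):
        return [p.strip() for p in mask.split(",") if p.strip()]
    if isinstance(mask, dict):
        return list(mask.get("paths", []))
    return []


def creates_api_key(entry: dict) -> bool:
    # Assumed method name for the API Keys service.
    return _service(entry) == "apikeys.googleapis.com" and _method(entry).endswith(".CreateKey")


def removes_kms_rotation(entry: dict) -> bool:
    # Fires only when the update touches rotationPeriod AND the new key has none.
    if _service(entry) != "cloudkms.googleapis.com" or not _method(entry).endswith(".UpdateCryptoKey"):
        return False
    req = _payload(entry).get("request") or {}
    touches_rotation = "rotationPeriod" in _mask_paths(req.get("updateMask"))
    rotation_cleared = not (req.get("cryptoKey") or {}).get("rotationPeriod")
    return touches_rotation and rotation_cleared


def non_corporate_principal(entry: dict) -> bool:
    # Google-managed service accounts are exempt; human identities must be corporate.
    email = _principal(entry)
    if "@" not in email or email.endswith(".gserviceaccount.com"):
        return False
    return email.rsplit("@", 1)[1].lower() not in CORPORATE_DOMAINS


RULES = (
    Rule("GCP Create API Keys for a Project", creates_api_key, ("cloud", "gcp", "gcp_apikeys")),
    Rule("GCP Remove KMS Key Rotation", removes_kms_rotation, ("cloud", "gcp", "gcp_cloudkms")),
    Rule("GCP Operation by a Non-corporate Account", non_corporate_principal, ("cloud", "gcp", "gcp_iam")),
)


def evaluate(entries: Iterable[dict], rules=RULES) -> List[dict]:
    """Return one hit per (entry, rule) pair whose condition holds, in input order."""
    hits = []
    for entry in entries:
        for rule in rules:
            if rule.condition(entry):
                hits.append({"rule": rule.name, "principal": _principal(entry),
                             "method": _method(entry), "tags": rule.tags})
    return hits


def detect(log_lines: Iterable[str]) -> List[dict]:
    """Parse JSON-per-line audit entries and evaluate them; malformed lines are skipped."""
    entries = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # in production, count these and alert if the rate climbs
    return evaluate(entries)


# Constructed sample entries: key creation, rotation removal, an outside identity,
# and a service account that keeps rotation set (should not fire).
SAMPLE_LOG_LINES = [json.dumps(e) for e in (
    {"protoPayload": {"serviceName": "apikeys.googleapis.com",
                      "methodName": "google.api.apikeys.v2.ApiKeys.CreateKey",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"protoPayload": {"serviceName": "cloudkms.googleapis.com",
                      "methodName": "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "request": {"updateMask": "rotationPeriod,nextRotationTime",
                                  "cryptoKey": {"name": "projects/p/locations/l/keyRings/r/cryptoKeys/k"}}}},
    {"protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.list",
                      "authenticationInfo": {"principalEmail": "someone@personal-mail.example"}}},
    {"protoPayload": {"serviceName": "cloudkms.googleapis.com",
                      "methodName": "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey",
                      "authenticationInfo": {"principalEmail": "deploy@p.iam.gserviceaccount.com"},
                      "request": {"updateMask": "rotationPeriod",
                                  "cryptoKey": {"rotationPeriod": "7776000s"}}}},
)]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG_LINES):
        print(f"{hit['rule']}: {hit['principal']} called {hit['method']}")
```

    The KMS rule is the one worth studying: matching only on the method name would also fire when an operator tightens the rotation period, so the condition checks the update mask and the resulting key together, which is the same "disabled or removed" distinction the rule descriptions on this page draw.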

    CSPM/Compliance with CIS GKE and CIS GCP Benchmarks

    A new cloud compliance standard, the CIS GCP benchmarks, has been added to the Sysdig compliance feature. These assessments are run by the open-source engine Cloud Custodian, which is part of Sysdig's Cloud Security Posture Management (CSPM) engine.

    The assessments evaluate your Google Cloud services against the benchmark requirements and return the results along with the remediation activities you need to fix misconfigurations in your cloud environment.

    GCP Cloud Container Scanning

    GCP Cloud Container Scanning uses a PubSub topic to automatically detect any container image pushed to registries on Google Container Registry or Google Artifact Registry, as well as images deployed to Google Cloud Run. An ephemeral Google Cloud Build pipeline is then created to scan that image so a vulnerability report is available in your Sysdig backend.


    GCP Auditlog Falco rules

    Rules per category:

    • APIKEYS: 1 rule
    • CLOUDFUNCTIONS: 3 rules
    • CLOUDKMS: 2 rules
    • CLOUDRESOURCEMANAGER: 1 rule
    • CLOUDRUN: 2 rules
    • DNS: 1 rule
    • GCE: 1 rule
    • GKE: 4 rules
    • IAM: 5 rules
    • LOGGING: 1 rule
    • MONITORING: 2 rules
    • SQL: 3 rules
    • STORAGE BUCKETS: 7 rules
    • VM: 5 rules
    • VPC: 2 rules
    • VPC NETWORKS: 2 rules
    • OTHER: 2 rules

    Total 44 rules.

    APIKEYS

    GCP Create API Keys for a Project

    Detect creation of API keys for a project.

    cloud gcp gcp_apikeys cis_controls_16 cis_gcp_1.12

    CLOUDFUNCTIONS

    GCP Create Cloud Function Not Using Latest Runtime

    Detect creation of a Cloud Function using an old or deprecated runtime.

    cloud gcp gcp_cloudfunctions soc2 soc2_CC7.1 mitre_T1190-exploit-public-facing-application
    GCP Create Cloud Function

    Detect creation of a Cloud function.

    cloud gcp gcp_cloudfunctions mitre_TA0003-persistence
    GCP Update Cloud Function

    Detect updates to a Cloud Function.

    cloud gcp gcp_cloudfunctions mitre_TA0003-persistence mitre_T1496-resource-hijacking

    CLOUDKMS

    GCP Create KMS Key Without Rotation

    Detect creation of a new KMS key with rotation disabled.

    cloud gcp gcp_cloudkms soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2
    GCP Remove KMS Key Rotation

    Detect removal of KMS key rotation.

    cloud gcp gcp_cloudkms soc2 soc2_CC6.1 soc2_CC8.1 ISO_27001 ISO_27001_A.10.1.2 ISO_27001_A.18.1.5 GDPR GDPR_32.1 GDPR_32.2

    CLOUDRESOURCEMANAGER

    GCP Invitation Sent to Non-corporate Account

    Detect sending invitations to a non-corporate (not allowed) account.

    cloud gcp gcp_cloudresourcemanager HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1 mitre_T1136-create-account

    CLOUDRUN

    CloudRun Create Service

    Detect creation of a CloudRun Service.

    cloud gcp gcp_cloudrun
    CloudRun Replace Service

    Detect the replacement of a CloudRun Service.

    cloud gcp gcp_cloudrun

    DNS

    GCP Create or Patch DNS Zone without DNSSEC

    Detect creation of a DNS zone with DNSSEC disabled or a modification of a DNS zone to disable DNSSEC.

    cloud gcp gcp_dns cis_controls_11.1 cis_gcp_3.3

    GCE

    GCP Describe Instance

    Detect a describe request for the specified GCE instance.

    cloud gcp gcp_gce

    GKE

    GCP Delete DNS Zone

    Detect the deletion of a DNS zone.

    cloud gcp gcp_gke
    GCP Delete GKE Cluster

    Detect the deletion of a GKE cluster.

    cloud gcp gcp_gke
    GCP Delete GKE Node Pool

    Detect the deletion of a GKE node pool.

    cloud gcp gcp_gke
    GCP Delete Router

    Detect the deletion of a router.

    cloud gcp gcp_gke

    IAM

    GCP Create GCP-managed Service Account Key

    Detect creating an access key for a GCP-managed service account.

    cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 mitre_T1550-use-alternate-authentication-material
    GCP Create User-managed Service Account Key

    Detect creating an access key for a user-managed service account.

    cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 cis_gcp_1.4 mitre_T1550-use-alternate-authentication-material
    GCP Delete IAM Role

    Detect the deletion of an IAM role.

    cloud gcp gcp_iam
    GCP Operation by a Non-corporate Account

    Detect executing an operation by a non-corporate account.

    cloud gcp gcp_iam HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1
    GCP Super Admin Executing Command

    Detect a super admin executing a GCP command.

    cloud gcp gcp_iam soc2 soc2_CC6.2 soc2_CC6.6 FedRAMP FedRAMP_AC-2(12) ISO_27001 ISO_27001_A.6.1.2 ISO_27001_A.9.2.3 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_09.aa GDPR GDPR_25.1 GDPR_25.2 GDPR_25.3

    LOGGING

    GCP Update, Disable or Delete Sink

    Detect the updating, disabling or deletion of a sink.

    cloud gcp gcp_logging FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_6.4 cis_gcp_2.2

    MONITORING

    GCP Monitoring Alert Deleted

    Detect deletion of an alert.

    cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools mitre_T1562-impair-defenses mitre_T1562.008-disable-cloud-logs
    GCP Monitoring Alert Updated

    Detect updating of an alert.

    cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools

    SQL

    GCP Disable Automatic Backups for a Cloud SQL Instance

    Detect that automatic backups have been disabled for a Cloud SQL instance.

    cloud gcp gcp_sql cis_controls_10.1 cis_gcp_6.7
    GCP Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance

    Detect that the requirement for all incoming connections to use SSL for a Cloud SQL instance has been disabled.

    cloud gcp gcp_sql FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s HITRUST_CSF_10.k cis_controls_13 cis_controls_14.4 cis_controls_16.5 cis_gcp_6.4
    GCP Set a Public IP for a Cloud SQL Instance

    Detect that a public IP address has been set for a Cloud SQL instance.

    cloud gcp gcp_sql FedRAMP FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_09.m cis_controls_13 cis_gcp_6.6

    STORAGE BUCKETS

    GCP Create Bucket

    Detect creation of a bucket.

    cloud gcp gcp_storage_buckets mitre_T1074-data-staged
    GCP Delete Bucket

    Detect deletion of a bucket.

    cloud gcp gcp_storage_buckets
    GCP List Buckets

    Detect listing of all storage buckets.

    cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
    GCP List Bucket Objects

    Detect listing of all objects in a bucket.

    cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
    GCP Put Bucket ACL

    Detect setting the permissions on an existing bucket using access control lists.

    cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host mitre_T1530-data-from-cloud-storage-object
    GCP Set Bucket IAM Policy

    Detect setting the permissions on an existing bucket using IAM policies.

    cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_T1530-data-from-cloud-storage-object
    GCP Update Bucket

    Detect the update of a bucket.

    cloud gcp gcp_storage_buckets

    VM

    GCP Enable Connecting to Serial Ports for a VM Instance

    Detect enabling of connection to serial ports for a VM instance.

    cloud gcp gcp_vm FedRAMP FedRAMP_CM-3(1) HITRUST_CSF HITRUST_CSF_10.k cis_controls_9.2 cis_gcp_4.5
    GCP Creation of a VM Instance with IP Forwarding Enabled

    Detect creating a VM instance with IP forwarding enabled.

    cloud gcp gcp_vm cis_controls_11.1 cis_controls_11.2 cis_gcp_4.6
    GCP Suspected Disable of OS Login in a VM Instance

    Detect modification of the enable-oslogin metadata in an instance.

    cloud gcp gcp_vm cis_controls_16 cis_gcp_4.4
    GCP Enable Project-wide SSH keys for a VM Instance

    Detect enabling of project-wide SSH keys for a VM instance.

    cloud gcp gcp_vm HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s cis_controls_16 cis_gcp_4.3
    GCP Shield Disabled for a VM Instance

    Detect disabling of the Shielded VM parameter(s) of a VM instance.

    cloud gcp gcp_vm cis_controls_13 cis_gcp_4.8

    VPC

    GCP Delete VPC Network

    Detect the deletion of a VPC network.

    cloud gcp gcp_vpc
    GCP Delete VPC Subnetwork

    Detect the deletion of a VPC subnetwork.

    cloud gcp gcp_vpc

    VPC NETWORKS

    GCP Create a Default VPC Network

    Detect creation of a default network in a project.

    cloud gcp gcp_vpc_networks FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_10.k cis_controls_11.1 cis_gcp_3.1
    GCP Disable Subnet Flow Logs

    Detect disabling the flow logs of a subnet.

    cloud gcp gcp_vpc_networks soc2 soc2_CC6.6 FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_12.8 cis_gcp_3.8

    OTHER

    GCP Delete Resources from the PCI Blueprint Environment

    Detect the deletion of resources from the blueprint environment.

    cloud gcp
    GCP Command Executed on Unused Region

    Detect GCP command execution on unused regions.

    cloud gcp FedRAMP FedRAMP_AC-2(12) HIPAA HIPAA_164.308(a) HIPAA_164.312(a) mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions