GCP Compute Monitoring

Your Compute resources could become your weakest link. Cloudanix can help!

What we do

OS Login Should Be Enabled

Enable OS Login to ensure that the SSH keys used to connect to instances are mapped to IAM users.

IP Forwarding Should Be Disabled

IP forwarding should be disabled on all instances. This ensures that an instance only sends and receives packets whose source or destination IP matches its own.

Instances Should Be Multi AZ

Managed instances are regional for availability purposes. Instances in a single zone create a single point of failure for all systems in the VPC. It is recommended that all instances be created as Regional to ensure proper failover.

Total VMs Should Not Exceed Threshold

Ensures the total number of VM instances does not exceed a set threshold. The number of running VM instances should be carefully audited, especially in unused regions, to ensure only approved applications are consuming compute resources. Many compromised Google accounts see large numbers of VM instances launched.

SSH Keys Should Be Instance Specific

Instances should not be configured to allow project-wide SSH keys. To support the principle of least privilege and prevent potential privilege escalation, instances should not be given access to project-wide SSH keys.

VM Instances Should Not Use Default Service Accounts With Full Access To Cloud APIs

Instances should not be configured to use the default service account with full access to all cloud APIs. The principle of least privilege should be used to prevent potential privilege escalation.

Customer Supplied Encryption Key Should Be Enabled For Disks

Ensures a Customer Supplied Encryption Key (CSEK) is used for disks. Google encrypts all disks at rest by default. With CSEK, only authorized team members holding the keys can access the disk; anyone else, including Google, cannot access the disk data.

Serial Ports Connection Should Be Disabled

Serial port connections should not be enabled for VM instances. Because the serial console does not support restricting source IP addresses, any IP address can connect to the instance, so it should be disabled.

Shielded VM Should Be Enabled For Compute Instances

Ensure Compute instances are launched with Shielded VM enabled.

Compute Instances Should Not Have Public IPs

Compute instances should not be configured to have external IP addresses.

VM Instances Should Not Use Default Service Account

It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.

Total Resources Should Be Under Per Account Limit

Determines if the number of resources is close to the per-account limit. Google limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching.

Ensure That Compute Instances Have Confidential Computing Enabled

Confidential Computing keeps customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.
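As an added example (not Cloudanix's code and not part of this page), the following Python audits one exported Compute Engine instance resource against most of the checks above: OS Login, IP forwarding, project-wide SSH keys, use of the default service account and its full-access scope, CSEK on attached disks, serial port access, Shielded VM, public IPs and Confidential Computing. The instance and project metadata documents are constructed samples in the shape returned by `gcloud compute instances describe --format=json` and `gcloud compute project-info describe --format=json`; the field names are the Compute Engine API's. The Shielded VM check is a strict reading that requires Secure Boot, vTPM and integrity monitoring to all be on. Fleet-level checks (regional instance groups, VM counts, per-account quotas) are not covered.

```python
"""Audit a Compute Engine instance resource against common hardening checks."""

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"

# Constructed sample: an instance with every checked setting left at a weak value.
WEAK_INSTANCE = {
    "name": "web-1",
    "zone": "projects/example-project/zones/us-central1-a",
    "canIpForward": True,
    "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]},
    "serviceAccounts": [{
        "email": "123456789012-compute@developer.gserviceaccount.com",  # constructed project number
        "scopes": [CLOUD_PLATFORM_SCOPE],
    }],
    "disks": [{"deviceName": "persistent-disk-0", "boot": True}],
    "networkInterfaces": [{
        "network": "global/networks/default",
        "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}],
    }],
    "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True,
                               "enableIntegrityMonitoring": True},
}

# Constructed sample: the same instance with every setting corrected.
HARDENED_INSTANCE = {
    "name": "web-1",
    "zone": "projects/example-project/zones/us-central1-a",
    "canIpForward": False,
    "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"},
                           {"key": "block-project-ssh-keys", "value": "TRUE"}]},
    "serviceAccounts": [{
        "email": "web-runtime@example-project.iam.gserviceaccount.com",  # constructed custom SA
        "scopes": ["https://www.googleapis.com/auth/logging.write"],
    }],
    # CSEK shows up as diskEncryptionKey on the attached disk; the digest is a placeholder.
    "disks": [{"deviceName": "persistent-disk-0", "boot": True,
               "diskEncryptionKey": {"sha256": "<csek-sha256-placeholder>"}}],
    "networkInterfaces": [{"network": "global/networks/default"}],  # no accessConfigs: internal only
    "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True,
                               "enableIntegrityMonitoring": True},
    "confidentialInstanceConfig": {"enableConfidentialCompute": True},
}

# Constructed project metadata with nothing set at project level.
PROJECT_METADATA = {"commonInstanceMetadata": {"items": []}}


def metadata_value(instance, key, project_metadata=None):
    """Return a metadata value; instance-level keys override project-level ones."""
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key") == key:
            return item.get("value")
    if project_metadata:
        for item in project_metadata.get("commonInstanceMetadata", {}).get("items", []):
            if item.get("key") == key:
                return item.get("value")
    return None


def is_true(value):
    """GCE boolean metadata is a string; accept the spellings GCE accepts."""
    return str(value).strip().lower() in ("true", "1")


def audit_instance(instance, project_metadata=None):
    """Return a list of findings (empty list means every check passed)."""
    findings = []
    if not is_true(metadata_value(instance, "enable-oslogin", project_metadata)):
        findings.append("OS Login not enabled")
    if instance.get("canIpForward"):
        findings.append("IP forwarding enabled")
    if not is_true(metadata_value(instance, "block-project-ssh-keys", project_metadata)):
        findings.append("project-wide SSH keys allowed")
    for sa in instance.get("serviceAccounts", []):
        if sa.get("email", "").endswith(DEFAULT_SA_SUFFIX):
            findings.append("default Compute Engine service account in use")
            if CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
                findings.append("default service account has full access to Cloud APIs")
    for disk in instance.get("disks", []):
        if "diskEncryptionKey" not in disk:
            findings.append(f"disk {disk.get('deviceName')} not using CSEK")
    if is_true(metadata_value(instance, "serial-port-enable", project_metadata)):
        findings.append("serial port connection enabled")
    shielded = instance.get("shieldedInstanceConfig", {})
    if not all(shielded.get(k) for k in ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")):
        findings.append("Shielded VM not fully enabled (Secure Boot, vTPM, integrity monitoring)")
    for nic in instance.get("networkInterfaces", []):
        for access in nic.get("accessConfigs", []):
            if access.get("natIP"):
                findings.append(f"public IP {access['natIP']} attached")
    if not instance.get("confidentialInstanceConfig", {}).get("enableConfidentialCompute"):
        findings.append("Confidential Computing not enabled")
    return findings


if __name__ == "__main__":
    for inst in (WEAK_INSTANCE, HARDENED_INSTANCE):
        print(inst["name"], audit_instance(inst, PROJECT_METADATA) or "all checks passed")
```

To audit a real fleet, replace the two constructed dictionaries with the output of `gcloud compute instances list --format=json` (one resource per element) and `gcloud compute project-info describe --format=json`; the project metadata argument matters because `enable-oslogin` and `block-project-ssh-keys` are commonly set once at project level rather than per instance.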