GCP Compute Monitoring

Your EC2 could become your weakest link. Cloudanix can help!

What we do

OS Login Enabled

Enable OS Login so that the SSH keys used to connect to instances are mapped to IAM users rather than managed as loose metadata keys.

Addresses: Security

IP Forwarding Disabled

IP forwarding should be disabled on all instances. With forwarding off, an instance only sends and receives packets whose source or destination IP matches one of its own addresses, so it cannot be used to route or spoof traffic for other hosts.

Addresses: Security

Multi AZ Instances

Managed instance groups should be regional for availability purposes. Instances confined to a single zone create a single point of failure for every system in the VPC that depends on them. It is recommended that all instances be created as regional resources to ensure proper failover.

Addresses: Reliability

VM Max Instances

Ensures the total number of VM instances does not exceed a set threshold. The number of running VM instances should be audited carefully, especially in regions that are normally unused, to ensure only approved applications are consuming compute resources. Compromised Google Cloud accounts frequently show large numbers of newly launched VM instances, so an unexpected jump in the count is a useful signal.

Addresses: Operational Maturity

Instance Level SSH Only

Instances should not be configured to accept project-wide SSH keys. Restricting each instance to its own instance-level keys follows the principle of least privilege and prevents a key granted for one instance from being used to reach every instance in the project.

Addresses: Security

VM Instances Least Privilege

Instances should not be configured to use the default service account with full access to all cloud APIs. The principle of least privilege should be used to prevent potential privilege escalation.

Addresses: Security

CSEK Encryption Enabled

Ensures Customer-Supplied Encryption Keys (CSEK) are enabled on disks. Google encrypts all disks at rest by default, but with CSEK only the authorized team members who hold the key can access the disk; no one else, including Google, can read the disk data without it.

Addresses: Security

Connect Serial Ports Disabled

Serial port connections should not be enabled for VM instances. Because the serial console does not support restricting access by IP address, any IP address can attempt to connect to the instance through it, so it should be disabled.

Addresses: Security

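The instance-level checks above (OS Login, IP forwarding, project-wide SSH keys, the default service account with full API access, and the serial console) can all be evaluated from an instance's configuration. The following is an added example, not Cloudanix's own code; it assumes the JSON shape returned by `gcloud compute instances describe NAME --format=json` (`canIpForward`, `metadata.items`, `serviceAccounts`) and uses a constructed sample instance.

```python
from typing import Any, Dict, Optional

# Metadata values are strings; GCP accepts several spellings of "true".
TRUE_VALUES = {"true", "1", "yes"}
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def metadata_value(instance: Dict[str, Any], key: str) -> Optional[str]:
    """Return an instance metadata item's value, or None if the key is absent."""
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key") == key:
            return str(item.get("value", ""))
    return None


def is_true(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() in TRUE_VALUES


def audit_instance(instance: Dict[str, Any], project_metadata: Optional[Dict[str, str]] = None) -> Dict[str, bool]:
    """Return {check: passed}; project_metadata is optional project common metadata
    ({key: value}), consulted for enable-oslogin when the instance does not set it."""
    project_metadata = project_metadata or {}
    oslogin = metadata_value(instance, "enable-oslogin")
    if oslogin is None:
        oslogin = project_metadata.get("enable-oslogin")
    # The default compute SA is "<project-number>-compute@developer.gserviceaccount.com";
    # pairing it with the cloud-platform scope grants full access to all cloud APIs.
    default_sa_full_access = any(
        sa.get("email", "").endswith("-compute@developer.gserviceaccount.com")
        and CLOUD_PLATFORM_SCOPE in sa.get("scopes", [])
        for sa in instance.get("serviceAccounts", [])
    )
    return {
        "os_login_enabled": is_true(oslogin),
        "ip_forwarding_disabled": not instance.get("canIpForward", False),
        "instance_level_ssh_only": is_true(metadata_value(instance, "block-project-ssh-keys")),
        "least_privilege_service_account": not default_sa_full_access,
        "serial_port_disabled": not is_true(metadata_value(instance, "serial-port-enable")),
    }


SAMPLE_INSTANCE = {  # constructed sample, not a real instance
    "name": "web-1",
    "canIpForward": True,
    "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]},
    "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                         "scopes": [CLOUD_PLATFORM_SCOPE]}],
}

if __name__ == "__main__":
    for check, ok in audit_instance(SAMPLE_INSTANCE, {"enable-oslogin": "TRUE"}).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Running it against the sample reports only OS Login as passing (inherited from the project metadata); the other four checks fail and point at the exact settings to change.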
Cryptographic Keys

Cryptographic keys should be rotated on a regular schedule, so automatic rotation should be enabled on all cryptographic keys. Google handles rotation of the encryption key itself, and previously encrypted data does not need to be re-encrypted before the rotation occurs.

Addresses: Security, Operational Maturity
