Google Cloud Vulnerability List
Found 14 vulnerabilities related to Google Cloud
gcloud-cdn-backend-bucket: Check Cloud CDN Backend Bucket Configuration POC
Ensure that the Cloud CDN origin associated with your Google Cloud load balancer points to a backend bucket instead of a backend service in order to provide enhanced performance, cost savings, simplified management, and the ability to customize caching rules.
gcloud-vm-shielded-disabled: Shielded VM Security Features Not Enabled POC
Ensure that your Google Compute Engine instances are configured to use the Shielded VM security feature for protection against rootkits and bootkits. The Google Compute Engine service can enable 3 advanced security components for Shielded VM instances:
  - Virtual Trusted Platform Module (vTPM): validates the guest virtual machine pre-boot and boot integrity, and provides key generation and protection
  - Integrity Monitoring: lets you monitor and verify the runtime boot integrity using Google Cloud Operations reports
  - Secure boot: protects your VM instances against boot-level and kernel-level malware and rootkits
gcloud-dns-dnssec-unenabled: DNSSEC Not Enabled for Google Cloud DNS Zones POC
Ensure that the DNSSEC security feature is enabled for all your Google Cloud DNS managed zones in order to protect your domains against spoofing and cache poisoning attacks. By default, DNSSEC is not enabled for Google Cloud public DNS managed zones.
gcloud-func-auto-runtime-updates-disabled: Automatic Runtime Security Updates Disabled in Google Cloud Functions POC
Ensure that automatic runtime security updates are enabled for your Google Cloud functions in order to keep the functions secure and protected against vulnerabilities without manual intervention.
gcloud-func-cmek-not-used: No Customer-Managed Encryption Keys in Google Cloud Functions POC
Ensure that your Google Cloud functions use Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys to encrypt data at rest. CMEKs provide greater control over the encryption and decryption process, enabling you to meet stringent compliance requirements.
gcloud-func-inactive-svc-acc: Inactive Service Accounts in Google Cloud Functions POC
Ensure that your Google Cloud functions are referencing existing, active service accounts in order to prevent execution failures and operational disruptions.
gcloud-func-unrestricted-outbound: Unrestricted Outbound Network Access in Google Cloud Functions POC
Ensure that your Google Cloud functions are not configured to allow unrestricted outbound network access in order to prevent security vulnerabilities and minimize cloud costs. To ensure that your function's outbound traffic is restricted to internal IP ranges and can't communicate with external networks or the public Internet, set the VpcConnectorEgressSettings parameter to PRIVATE_RANGES_ONLY.
gcp-func-default-svc-acc: Google Cloud Functions Using Default Service Account POC
Ensure that your Google Cloud functions are configured to use user-managed service accounts instead of the default service account managed by Google Cloud in order to follow the Principle of Least Privilege (POLP) and enhance the security posture of your functions.
gcloud-gke-client-certificate-enabled: GKE Clusters With Client Certificate Authentication Enabled POC
Ensure that authentication using client certificates is disabled for your Google Kubernetes Engine (GKE) clusters. Client certificates require manual key rotation for authentication and are difficult to revoke. It is highly recommended to use alternative authentication methods like OpenID Connect, which is the default authentication method used by gcloud and handles token management automatically.
gcloud-gke-logging-disabled: GKE Clusters Without Cloud Logging Enabled POC
Ensure that logging is enabled for your Google Kubernetes Engine (GKE) clusters to collect logs emitted by your Kubernetes applications and the GKE infrastructure. Once enabled, the logging feature sends logs and metrics to a remote aggregator to reduce the risk of tampering in case of a local breach.
gcloud-api-keys-present: Delete Google Cloud API Keys POC
Ensure that all your Google Cloud projects are using standard authentication flow instead of API keys for authentication. Google Cloud Platform (GCP) API keys are simple encrypted strings that can be used when calling certain APIs which don't need to access private user data. GCP API keys are usually accessible to clients, as they can be publicly viewed from within a browser, making it easy to discover and steal an API key.
gcloud-postgresql-log-disconnections-unenabled: Log Disconnections Flag Not Enabled for PostgreSQL Instances POC
Ensure that the "log_disconnections" database flag is enabled for all your Google Cloud PostgreSQL database instances. When this flag is enabled, the PostgreSQL database logs the end of each session. The log output provides information similar to that generated by the "log_connections" flag, plus the duration of the session. The database flag can be changed at the session start, and it cannot be changed during a session.
gcloud-sql-user-options: User Options Flag Enabled in Google Cloud SQL Server Instances POC
Checks if the "user options" database flag is configured for Google Cloud SQL Server instances, which can define global defaults for all database users.
gcloud-access-token: Google Cloud Access Token POC
Internal Google Cloud access tokens are exposed.