Merge pull request #118 from cloudgraphdev/feature/CG-1299-GCP-CIS-130-214

tyler-dunkel · web-flow · commit 96786a284097 · 2022-12-22T10:35:13.000-06:00
Feature/cg 1299 gcp cis 130 214
diff --git a/src/gcp/cis-1.3.0/README.md b/src/gcp/cis-1.3.0/README.md
@@ -84,6 +84,7 @@ Policy Pack based on the GCP Foundations 1.3.0 benchmark provided by the [Center
 | GCP CIS 2.11   | Ensure that the log metric filter and alerts exist for SQL instance configuration changes                                                                           |
 | GCP CIS 2.12   | Ensure that Cloud DNS logging is enabled for all VPC networks                                                                                                       |
 | GCP CIS 2.13   | Ensure Cloud Asset Inventory Is Enabled                                                                                                                             |
+| GCP CIS 2.14   | Ensure 'Access Transparency' is 'Enabled'                                                                                                                           |
 | GCP CIS 3.1    | Ensure that the default network does not exist in a project                                                                                                         |
 | GCP CIS 3.2    | Ensure legacy networks do not exist for a project                                                                                                                   |
 | GCP CIS 3.3    | Ensure that DNSSEC is enabled for Cloud DNS                                                                                                                         |
diff --git a/src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-2.14.ts b/src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-2.14.ts
@@ -0,0 +1,43 @@
+export default {
+  id: 'gcp-cis-1.3.0-2.14',
+  title:
+    'GCP CIS 2.14 Ensure \'Access Transparency\' is \'Enabled\'',
+  description: 'GCP Access Transparency provides audit logs for all actions that Google personnel take in syour Google Cloud resources.',
+  audit: `**Determine if Access Transparency is Enabled**
+
+  1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Hover over the IAM & Admin Menu. Select settings in the middle of the column that opens.
+  2. The status will be under the heading *Access Transparency*. Status should be Enabled`,
+  rationale: `Controlling access to your information is one of the foundations of information security.
+  Given that Google Employees do have access to your organizations' projects for support
+  reasons, you should have logging in place to view who, when, and why your information is
+  being accessed.`,
+  remediation: `**Add privileges to enable Access Transparency**
+
+  1. From the Google Cloud Home, within the project you wish to check, click on the Navigation hamburger menu in the top left. Hover over the 'IAM and Admin'. Select IAM in the top of the column that opens.
+  2. Click the blue button the says *+add* at the top of the screen.
+  3. In the *principals* field, select a user or group by typing in their associated email address.
+  4. Click on the *role* field to expand it. In the filter field enter *Access Transparency Admin* and select it.
+  5. Click *save*.
+
+  **Verify that the Google Cloud project is associated with a billing account**
+
+  1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Select *Billing*.
+  2. If you see *This project is not associated with a billing account* you will need to enter billing information or switch to a project with a billing account.
+  
+  **Enable Access Transparency**
+
+  1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Hover over the IAM & Admin Menu. Select *settings* in the middle of the column that opens.
+  2. Click the blue button labeled Enable *Access Transparency for Organization*
+
+  **Default Value:**
+
+  By default Access Transparency is not enabled.`,
+  references: [
+    'https://cloud.google.com/cloud-provider-access-management/accesstransparency/docs/overview',
+    'https://cloud.google.com/cloud-provider-access-management/accesstransparency/docs/enable',
+    'https://cloud.google.com/cloud-provider-access-management/accesstransparency/docs/reading-logs',
+    'https://cloud.google.com/cloud-provider-access-management/accesstransparency/docs/reading-logs#justification_reason_codes',
+    'https://cloud.google.com/cloud-provider-access-management/accesstransparency/docs/supported-services',
+  ],
+  severity: 'unknown',
+}
diff --git a/src/gcp/cis-1.3.0/rules/index.ts b/src/gcp/cis-1.3.0/rules/index.ts
@@ -27,6 +27,7 @@ import Gcp_CIS_130_210 from './gcp-cis-1.3.0-2.10'
 import Gcp_CIS_130_211 from './gcp-cis-1.3.0-2.11'
 import Gcp_CIS_130_212 from './gcp-cis-1.3.0-2.12'
 import Gcp_CIS_130_213 from './gcp-cis-1.3.0-2.13'
+import Gcp_CIS_130_214 from './gcp-cis-1.3.0-2.14'
 import Gcp_CIS_130_31 from './gcp-cis-1.3.0-3.1'
 import Gcp_CIS_130_32 from './gcp-cis-1.3.0-3.2'
 import Gcp_CIS_130_33 from './gcp-cis-1.3.0-3.3'
@@ -105,6 +106,7 @@ export default [
   Gcp_CIS_130_211,
   Gcp_CIS_130_212,
   Gcp_CIS_130_213,
+  Gcp_CIS_130_214,
   Gcp_CIS_130_31,
   Gcp_CIS_130_32,
   Gcp_CIS_130_33,
