GCP Compute
About
Monitor your GCP Compute resources for best practices.
Security
OS Login Enabled
Enable OS Login (enable-oslogin=TRUE in project or instance metadata) so that SSH access is granted through IAM roles and every key used to connect is mapped to a Google identity. Once OS Login is on, Compute Engine ignores SSH keys stored in metadata, so access can be revoked centrally by removing the IAM role instead of hunting for stale keys on each instance.
IP Forwarding Disabled
IP forwarding should be disabled on all instances except those that intentionally route traffic (NAT gateways, VPN or firewall appliances). With forwarding off, Compute Engine only delivers packets whose destination IP matches the instance and only emits packets whose source IP belongs to it; turning on canIpForward removes that check, which is exactly what an attacker on the VM needs to spoof traffic or pivot through it into other subnets.
Instance Level SSH Only
Instances should not accept project-wide SSH keys. A key added to project metadata grants SSH access to every instance in the project, so one leaked key or one over-privileged project member reaches all of them. To support the principle of least privilege and prevent that kind of privilege escalation, set block-project-ssh-keys=TRUE in each instance's metadata so only instance-level keys (or OS Login) are honoured.
VM Instances Least Privilege
Instances should not run as the default Compute Engine service account with the cloud-platform scope (full access to all Cloud APIs). That account is granted the basic Editor role on the project by default, and any process on the VM can fetch its token from the metadata server, so code execution on the instance becomes broad control of the project. Apply the principle of least privilege: attach a dedicated service account that holds only the roles and scopes the workload needs.
CSEK Encryption Enabled
Ensures Customer-Supplied Encryption Keys (CSEK) are used on disks. Google encrypts all disks at rest by default with Google-managed keys. With CSEK, Google does not store the key itself (only a hash of it), so the disk can be attached, snapshotted or restored only by someone who supplies the key; anyone else, including Google, cannot read the disk data. The same property is the operational risk: if the key is lost the data is unrecoverable, so key custody must be handled outside the VM.
Connect Serial Ports Disabled
The interactive serial console should not be enabled for VM instances. Connections to it go through Google's serial console gateway rather than through the VPC, so firewall rules and source-IP restrictions do not apply and any client with valid credentials can connect from any IP address. Leave the serial-port-enable metadata key unset or FALSE at both project and instance level.
Cryptographic Keys
Rotate cryptographic keys on a regular schedule by enabling automatic rotation on every Cloud KMS key. Rotation creates a new primary key version that is used for new encryption operations, while previous versions stay enabled so existing ciphertext can still be decrypted; existing data therefore does not need to be re-encrypted when the rotation occurs, although re-encrypting it is the step that lets you eventually retire the old versions.
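The checks in this section can be evaluated offline from the JSON that gcloud prints. The script below is an added example written for this page, not Cloudanix's monitoring code or anything from Google: audit_instance covers OS Login, IP forwarding, project-wide SSH keys, the default service account scope and the serial console; audit_disk covers CSEK; audit_crypto_key covers KMS key rotation. It assumes the documented API field names named in its docstring, a 90-day rotation limit chosen for the example, and constructed sample resources rather than real project data.

```python
"""Offline audit of Compute Engine resources against the security checks above.

Added example, not code from Cloudanix or Google. Each function takes the JSON
object printed by `gcloud compute instances describe`, `gcloud compute disks
describe` or `gcloud kms keys describe` with --format=json. Field names used
(canIpForward, metadata.items, serviceAccounts[].scopes, diskEncryptionKey.sha256
/ kmsKeyName, rotationPeriod, nextRotationTime) are the documented API fields.
"""
from __future__ import annotations

# Default Compute Engine service account: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"
# OAuth scope that exposes every Cloud API the account's IAM roles allow.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def metadata_to_dict(metadata: dict | None) -> dict[str, str]:
    """Flatten the API's {'items': [{'key': k, 'value': v}, ...]} into a dict."""
    return {i["key"]: str(i.get("value", "")) for i in (metadata or {}).get("items") or []}


def flag(key: str, instance_md: dict, project_md: dict, default: bool = False) -> bool:
    """Read a TRUE/FALSE metadata flag; an instance value overrides the project value."""
    raw = instance_md.get(key, project_md.get(key))
    return default if raw is None else raw.strip().upper() in ("TRUE", "1", "Y")


def audit_instance(instance: dict, project_md: dict[str, str] | None = None) -> list[str]:
    """Return one finding per failed instance-level check; an empty list means compliant."""
    project_md = project_md or {}
    md = metadata_to_dict(instance.get("metadata"))
    findings: list[str] = []

    if not flag("enable-oslogin", md, project_md):  # OS Login is off unless enabled
        findings.append("OS Login disabled: SSH keys are not tied to IAM identities")
        # Metadata SSH keys are only honoured while OS Login is off, so the
        # project-wide key check matters only on this branch.
        if not flag("block-project-ssh-keys", md, {}):  # instance-level key only
            findings.append("Project-wide SSH keys accepted (block-project-ssh-keys is not TRUE)")

    if instance.get("canIpForward", False):
        findings.append("IP forwarding enabled: instance may send packets with foreign source IPs")

    for sa in instance.get("serviceAccounts") or []:
        email = sa.get("email", "")
        if email.endswith(DEFAULT_SA_SUFFIX) and CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
            findings.append(f"Default service account {email} attached with cloud-platform scope")

    if flag("serial-port-enable", md, project_md):
        findings.append("Interactive serial console enabled: no source-IP restriction is possible")
    return findings


def audit_disk(disk: dict) -> list[str]:
    """CSEK disks expose only the SHA-256 of the key; CMEK disks expose a kmsKeyName."""
    key = disk.get("diskEncryptionKey") or {}
    if "sha256" in key:
        return []
    if "kmsKeyName" in key:
        return [f"Disk {disk.get('name')} uses a Cloud KMS key (CMEK), not a customer-supplied key"]
    return [f"Disk {disk.get('name')} relies on Google-managed encryption only"]


def audit_crypto_key(key: dict, max_days: int = 90) -> list[str]:
    """rotationPeriod is a Duration string such as '7776000s' (90 days); 90 is a chosen limit."""
    period = key.get("rotationPeriod")
    if not period or not key.get("nextRotationTime"):
        return [f"Key {key.get('name')} has no automatic rotation schedule"]
    days = float(period.rstrip("s")) / 86400
    if days > max_days:
        return [f"Key {key.get('name')} rotates every {days:.0f} days, more than {max_days}"]
    return []


# --- constructed sample resources (not real project data) ---
PROJECT_METADATA = {"enable-oslogin": "FALSE"}
INSECURE_INSTANCE = {
    "name": "legacy-web-1", "canIpForward": True,
    "metadata": {"items": [{"key": "serial-port-enable", "value": "TRUE"}]},
    "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                         "scopes": [CLOUD_PLATFORM_SCOPE]}],
}
HARDENED_INSTANCE = {
    "name": "api-2", "canIpForward": False,
    "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"},
                           {"key": "block-project-ssh-keys", "value": "TRUE"}]},
    "serviceAccounts": [{"email": "api-runtime@example-project.iam.gserviceaccount.com",
                         "scopes": ["https://www.googleapis.com/auth/logging.write"]}],
}
CSEK_DISK = {"name": "data-csek", "diskEncryptionKey": {"sha256": "0" * 43 + "="}}
PLAIN_DISK = {"name": "boot-default"}
ROTATED_KEY = {"name": "db-key", "rotationPeriod": "7776000s", "nextRotationTime": "2030-01-01T00:00:00Z"}
STALE_KEY = {"name": "legacy-key"}

if __name__ == "__main__":
    for res, fn, extra in [(INSECURE_INSTANCE, audit_instance, (PROJECT_METADATA,)),
                           (HARDENED_INSTANCE, audit_instance, (PROJECT_METADATA,)),
                           (CSEK_DISK, audit_disk, ()), (PLAIN_DISK, audit_disk, ()),
                           (ROTATED_KEY, audit_crypto_key, ()), (STALE_KEY, audit_crypto_key, ())]:
        print(res["name"], fn(res, *extra) or ["OK"])
```

Feed it real output by piping gcloud's --format=json into json.load and calling the matching function; project metadata comes from `gcloud compute project-info describe` under commonMetadata. The OS Login branch is deliberate: once OS Login is on, metadata keys are ignored, so reporting a missing block-project-ssh-keys there would be noise.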
Reliability
Multi AZ Instances
Managed instance groups should be regional rather than zonal. Instances confined to a single zone are a single point of failure: a zonal outage takes every one of them down at once. Create regional managed instance groups so the instances are spread across zones within the region and failover is automatic.
Operational Maturity
VM Max Instances
Ensures the total number of VM instances does not exceed a set threshold. The number of running VM instances should be audited regularly, especially in regions the organisation does not normally use, to confirm that only approved applications are consuming compute resources. Compromised Google Cloud accounts are commonly used to launch large numbers of instances, so an unexplained jump in the instance count is itself an indicator worth investigating.
Sources
https://www.cloudanix.com/recipelist/gcp/gcpcomputemonitoring
https://cloud.google.com/compute/docs/instances/managing-instance-access
https://cloud.google.com/vpc/docs/using-routes
https://cloud.google.com/vpc/docs/vpc
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
https://cloud.google.com/compute/docs/disks/customer-supplied-encryption
https://cloud.google.com/compute/docs/instances/interacting-with-serial-console
https://cloud.google.com/vpc/docs/using-cryptoKeys