OS Login Should Be Enabled
Enable OS Login to ensure that the SSH keys used to connect to instances are mapped to IAM users.
IP forwarding should be disabled on all instances. This ensures that an instance only sends and receives packets whose source or destination IP matches its own.
Managed instances are regional for availability purposes. Instances in a single zone create a single point of failure for all systems in the VPC. It is recommended that all instances be created as regional to ensure proper failover.
Ensures the total number of VM instances does not exceed a set threshold. The number of running VM instances should be carefully audited, especially in unused regions, to ensure only approved applications are consuming compute resources. Compromised Google accounts are frequently used to launch large numbers of VM instances.
Instances should not be configured to allow project-wide SSH keys. To support the principle of least privilege and prevent potential privilege escalation, instances should not be given access to project-wide SSH keys.
Instances should not be configured to use the default service account with full access to all cloud APIs. The principle of least privilege should be used to prevent potential privilege escalation.
Ensures Customer Supplied Encryption Keys (CSEK) are enabled on disks. Google encrypts all disks at rest by default. With CSEK, only authorized team members holding the keys can access the disk data; anyone else, including Google, cannot.
Serial port connections should not be enabled for VM instances. The serial console does not allow restricting source IP addresses, so any IP address can connect to the instance; it should therefore be disabled.
Ensure Compute instances are launched with Shielded VM enabled.
Compute instances should not be configured to have external IP addresses.
It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
Determines if the number of resources is close to the per-account limit. Google limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching.
Confidential Computing keeps customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.
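As an added example (not part of this page or of any scanner it describes), the following Python evaluates one Compute Engine instance resource, in the shape returned by compute.instances.get, against the instance-level checks above. SAMPLE_INSTANCE and every value in it are constructed, and project-level metadata defaults are deliberately not consulted.

```python
"""Audit one Compute Engine instance (compute.instances.get shape) against the checks above."""

FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
TRUE_VALUES = {"true", "1", "y", "yes"}  # accepted spellings for boolean metadata values

SAMPLE_INSTANCE = {  # constructed sample: every check below fails on purpose
    "name": "web-1",
    "canIpForward": True,
    "metadata": {"items": [
        {"key": "enable-oslogin", "value": "FALSE"},
        {"key": "block-project-ssh-keys", "value": "false"},
        {"key": "serial-port-enable", "value": "1"},
    ]},
    "serviceAccounts": [{"email": "123456789-compute@developer.gserviceaccount.com",
                         "scopes": [FULL_ACCESS_SCOPE]}],
    "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.10"}]}],
    "shieldedInstanceConfig": {"enableVtpm": True, "enableIntegrityMonitoring": True,
                               "enableSecureBoot": False},
    "disks": [{"deviceName": "boot", "diskEncryptionKey": {}}],
}

def metadata(instance):
    # Instance-level metadata only; project-wide defaults are not merged in (assumption).
    return {i["key"]: str(i.get("value", "")) for i in instance.get("metadata", {}).get("items", [])}

def is_true(value):
    return value.strip().lower() in TRUE_VALUES

def audit_instance(instance):
    """Return the failed checks, in the order the checks appear on this page."""
    md, findings = metadata(instance), []
    if not is_true(md.get("enable-oslogin", "false")):
        findings.append("os_login_disabled")
    if instance.get("canIpForward"):
        findings.append("ip_forwarding_enabled")
    if not is_true(md.get("block-project-ssh-keys", "false")):
        findings.append("project_wide_ssh_keys_allowed")
    for sa in instance.get("serviceAccounts", []):
        if sa["email"].endswith("-compute@developer.gserviceaccount.com"):
            findings.append("default_service_account")
            if FULL_ACCESS_SCOPE in sa.get("scopes", []):
                findings.append("default_sa_full_api_access")
    if is_true(md.get("serial-port-enable", "false")):
        findings.append("serial_port_enabled")
    shielded = instance.get("shieldedInstanceConfig", {})
    if not all(shielded.get(k) for k in ("enableVtpm", "enableIntegrityMonitoring", "enableSecureBoot")):
        findings.append("shielded_vm_not_fully_enabled")  # stricter than vTPM-only: also wants Secure Boot
    if any(ac.get("natIP") for ni in instance.get("networkInterfaces", []) for ac in ni.get("accessConfigs", [])):
        findings.append("external_ip_attached")
    for disk in instance.get("disks", []):
        if not disk.get("diskEncryptionKey", {}).get("sha256"):  # API exposes only the CSEK's sha256
            findings.append("disk_without_csek:" + disk.get("deviceName", "?"))
    return findings
```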