How to Check Your GCP Account for Compliance with the CIS v2 Benchmark

The CIS Benchmarks for GCP are a collection of 400 security best practices. In this guide, we'll explain the basics of the latest version of the CIS Benchmark for GCP and how you can check for compliance with Blink.

Patrick Londa
Author
Mar 13, 2023

The Center for Internet Security (CIS) regularly publishes sets of security configuration standards to help organizations maintain secure and compliant cloud infrastructure. 

These benchmarks provide a comprehensive list of over 400 best practice cloud security controls to reduce attack surface and protect data for each platform.

In this guide, we’ll share how your organization can use the CIS GCP Benchmark to establish standardized internal policies and compliance controls.

Understanding the CIS Benchmark for GCP

The CIS Benchmark for GCP is designed by the CIS to provide detailed implementation guidance on how organizations can secure their GCP environment.

The benchmark report is organized into two distinct levels that cover a range of controls from basic to advanced configurations.

  • Level 1 focuses on easy-to-implement settings that can lower the attack surface and preserve performance.
  • Level 2 is designed to provide organizations with additional levels of security through more robust settings, though these may come with potential performance or compatibility trade-offs.

The two levels enable organizations to customize their cloud security standards for their unique needs. Once your internal controls are established, it’s important to check compliance periodically, with either manual or automated assessments, to identify weaknesses.

For example, with the latest GCP CIS Benchmark (v2) released at the end of 2022, some controls are now recommended to be automated, such as ensuring strict permissions on API keys, strong hash algorithms, and no anonymously or publicly-accessible BigQuery Datasets. You can read more about the difference between V1 and V2 in this release recap by Steampipe.

Checking Compliance with the CIS GCP Benchmark

Ensuring compliance with the CIS GCP Benchmark requires you to review the following areas:

  • Identity and Access Management
  • Logging and Monitoring
  • Network Security Settings
  • VM Configuration Settings
  • Data Storage and Backups
  • Encryption Key Management
  • Resource Management

Running these checks manually can be very time- and resource-intensive. Automation is critical for checking quickly and regularly. This is where Blink can help.

Running CIS GCP Compliance Checks with Blink

With Blink, you can run an automation to check these controls daily, take actions based on the results, and share a formatted report to a Slack or Teams channel.

Blink Automation: Validate GCP Network Policy against the CIS v2.0.0 Benchmark Daily

This GCP compliance automation in the Blink library runs on a schedule that you can specify. When it runs, it does the following steps:

  1. Sets a variable for the Slack channel you want to send the report to.
  2. Runs the Steampipe benchmark compliance check with the necessary mod and formats the output in JSON.
  3. If there are any alarms in the output, formats the output into a message and sends it to the specified Slack channel.
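
Steps 2 and 3 can be sketched in Python as an added example (this is not Blink's automation or code from the original page). It assumes the benchmark JSON is a nested tree of groups, controls and results with a `status` field per result; the sample data, the function names and the channel name are constructed for illustration.

```python
import json

# Constructed sample (not real scan output), shaped like the nested
# groups -> controls -> results tree assumed for `steampipe check --output json`.
SAMPLE = json.loads("""
{"title": "CIS v2.0.0", "controls": [], "groups": [
  {"title": "3 Networking", "groups": [], "controls": [
    {"control_id": "cis_v200_3_1", "title": "Default network does not exist",
     "results": [
       {"status": "alarm", "resource": "projects/example-proj/networks/default",
        "reason": "default network exists."},
       {"status": "ok", "resource": "projects/example-proj/networks/prod",
        "reason": "prod is not a default network."}]},
    {"control_id": "cis_v200_3_6", "title": "SSH access is restricted",
     "results": [
       {"status": "ok", "resource": "fw-internal", "reason": "restricted."}]}]}]}
""")

def collect_alarms(node, statuses=("alarm",)):
    """Walk the benchmark tree; return one record per result in `statuses`."""
    found = []
    for control in node.get("controls") or []:
        for result in control.get("results") or []:
            if result.get("status") in statuses:
                found.append({"control": control.get("control_id", "?"),
                              "title": control.get("title", ""),
                              "resource": result.get("resource", ""),
                              "reason": result.get("reason", "")})
    for group in node.get("groups") or []:  # benchmarks nest sub-benchmarks
        found.extend(collect_alarms(group, statuses))
    return found

def slack_payload(report, channel, limit=20):
    """Build a plain-text Slack message, or return None when nothing alarmed."""
    alarms = collect_alarms(report)
    if not alarms:
        return None  # clean run: step 3 sends nothing
    lines = [f"*{report.get('title', 'CIS benchmark')}*: {len(alarms)} alarm(s)"]
    for a in alarms[:limit]:  # cap the list so a noisy run stays readable
        lines.append(f"- `{a['control']}` {a['title']}: {a['resource']} ({a['reason']})")
    if len(alarms) > limit:
        lines.append(f"... and {len(alarms) - limit} more")
    return {"channel": channel, "text": "\n".join(lines)}

if __name__ == "__main__":
    print(slack_payload(SAMPLE, "#cloud-compliance"))
```

Passing `statuses=("alarm", "error")` to `collect_alarms` also surfaces controls that could not be evaluated, which would otherwise look like a clean run.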

You can import this automation from the library into your account and customize it based on your organization’s needs. For example, you can drag-and-drop new actions into the canvas or set up conditional subflows.

You can build your own automation from scratch or use one of our 5K pre-built automations today.

Get started with Blink today to see how easy automation can be.
