
Lacework for GCP - FAQs

Why is the GCP_CIS_1_2 compliance recommendation listed in Advanced Suppression but is not listed in the main Compliance Report panel?

This compliance recommendation is listed in a report only when the integration is at the organization level and the organization has no project. Here is the "GCP_CIS_1_2 - Ensure that multi-factor authentication is enabled for all non-service accounts (Not Scored)" compliance recommendation as listed in Advanced Suppression.

Here are the compliance reports for integration at the organization level when the organization has a project. Note that the GCP_CIS_1_2 compliance recommendation is not listed.


Why are both the GCP CIS 1.0 and 1.2 benchmarks available in the Compliance reports?

As of v4.22 (platform release on 21st September 2021), the CIS 1.2 benchmarks were added to the Lacework GCP analyzers. You have the option of selecting either benchmark version on the GCP Compliance Reports page (alongside other benchmark options).


How do I start using the GCP CIS 1.2 benchmarks?

See the GCP CIS 1.2 Benchmark Report guide for instructions on how to enable the CIS 1.2 benchmarks.

Are the GCP K8s Benchmark rules part of the GCP CIS 1.2 benchmarks?

The GCP K8s Benchmarks are bespoke Lacework rules and are not associated with the latest CIS K8s benchmarks for GCP. They are related to the GCP CIS 1.0 rules. The K8s benchmarks are not removed. They are a separate report (which contains CIS 1.0 Kubernetes control rules) in the GCP reports tab and in the reports drop-down.

Why are some rules missing when viewing the GCP CIS benchmark reports?

The majority of the GCP CIS benchmark rules are evaluated at the Project level; however, some are evaluated at the Organization level. As such, depending on your level of integration with GCP, these Organization level rules may not display.

In addition, some rules are fully 'Automated' while some are categorized as 'Manual'. 'Manual' rule types cannot be assessed end-to-end by the Lacework platform, so the customer must follow the auditing procedure for them.

The following table is a list of all the Organization level GCP CIS benchmark rules:

| Rule ID | Assessment Status | Category | Title |
|---|---|---|---|
| GCP_CIS_1_2 | Manual | Identity and Access Management | Ensure that multi-factor authentication is enabled for all non-service accounts. |
| GCP_CIS12_1_1 | Manual | Identity and Access Management | Ensure that corporate login credentials are used. |
| GCP_CIS12_1_2 | Manual | Identity and Access Management | Ensure that multi-factor authentication is enabled for all non-service accounts. |
| GCP_CIS12_1_3 | Manual | Identity and Access Management | Ensure that Security Key Enforcement is enabled for all admin accounts. |
| GCP_CIS12_2_1 | Automated | Logging and Monitoring | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project. |
| GCP_CIS12_2_2 | Automated | Logging and Monitoring | Ensure that sinks are configured for all Log entries. |
| GCP_CIS12_2_3 | Automated | Logging and Monitoring | Ensure that retention policies on log buckets are configured using Bucket Lock. |

For Organization level GCP rules that are Automated, if any violations are found, you can obtain the results as follows:

  • Go to the Compliance > GCP > Dashboard screen.
  • Search for the rule text and click the View Details button to view the violations modal dialog.

In addition, the resources in violation will surface in the Events Dossier screens.

Organization level GCP rules that are Manual do not appear in the Lacework Platform.

In addition, GCP_CIS12_1_1 has been incorrectly categorized as an 'Automated' rule in the GCP CIS 1.2.0 benchmark. This is recognized by CIS as incorrect and will be updated to 'Manual' in subsequent benchmarks.