この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。
こんにちは、コンサル部@大阪オフィスのTodaです。
トレンドマイクロ社が提供しているCloud One ConformityにGoogle Cloud Platform(GCP)の監視がPreviewにて追加されましたので確認してみました。
Cloud One Conformityとは?
Cloud One Conformityはクラウドインフラストラクチャを継続監視してセキュリティ、コンプライアンス対応状況の確認、可視化、レポート、自動修復をするソリューションです。
クラウド環境はAWSおよびAzureに対応、SOC2、ISO 27001、NIST、CIS、GDPR、PCI DSS、GDPR、HIPAA、AWSおよびAzure Well-Architected Framework、CIS Microsoft Azure Foundations Security Benchmarkなどのベストプラクティスチェックに対応して継続的なチェックをおこないます。
■ Cloud One Conformity
https://www.trendmicro.com/ja_jp/business/products/hybrid-cloud/cloud-one-conformity.html
■ Cloud One Conformity 説明動画
www.trendmicro.com/ja_jp/business/products/hybrid-cloud/cloud-one-conformity.html?modal=s3a-icon-demo-0a5fe5
前提条件
現在(2021/10/11時点)GCPの監視はPreview版であり、今後変更される予定があるため、ご注意ください。
GCPを無料アカウントでご利用の場合は、課金を有効化する必要がございます。
監視内容について
2021/10/11時点で公開されている監視は下記サービス、項目を対象としています。
- GCP BigQuery
- Check for Publicly Accessible BigQuery Datasets
- Enable Encryption with Customer-Managed Keys
- Best practice rules for GCP Identity and Access Management (IAM)
- Check for IAM Members with Service Roles at the Project Level
- Corporate Login Credentials In Use
- Delete User-Managed Service Account Keys
- Enable Multi-Factor Authentication for User Accounts
- Enable Security Key Enforcement for Admin Accounts
- Enforce Separation of Duties for Service-Account Related Roles
- Minimize the Use of Primitive Roles
- Restrict Administrator Access for Service Accounts
- Rotate User-Managed Service Account Keys
- GCP Cloud Key Management Service (KMS)
- Check for Publicly Accessible Cloud KMS Keys
- Rotate Google Cloud KMS Keys
- GCP Cloud Load Balancing
- Check for Insecure SSL Cipher Suites
- Enable HTTPS for Google Cloud Load Balancers
- Enable Logging for HTTP(S) Load Balancing Backend Services
- GCP Cloud Logging
- Enable Logs Router Encryption with Customer-Managed Keys
- GCP Cloud Pub/Sub Service
- Enable Dead Lettering for Google Pub/Sub Subscriptions
- Enable Pub/Sub Topic Encryption with Customer-Managed Keys
- GCP Cloud SQL
- Check for Cloud SQL Database Instances with Public IPs
- Check for MySQL Major Version
- Check for PostgreSQL Major Version
- Check for Publicly Accessible Cloud SQL Database Instances
- Configure "log_min_error_statement" Flag for PostgreSQL Database Instances
- Configure "max_connections" Flag for PostgreSQL Database Instances
- Configure Automatic Storage Increase Limit
- Configure Root Password for MySQL Database Access
- Disable "Contained Database Authentication" Flag for SQL Server Database Instances
- Disable "Cross DB Ownership Chaining" Flag for SQL Server Database Instances
- Disable "local_infile" Flag for MySQL Database Instances
- Disable "log_min_duration_statement" Flag for PostgreSQL Database Instances
- Enable "log_checkpoints" Flag for PostgreSQL Database Instances
- Enable "log_checkpoints" Flag for PostgreSQL Database Server Configuration
- Enable "log_connections" Flag for PostgreSQL Database Instances
- Enable "log_disconnections" Flag for PostgreSQL Database Instances
- Enable "log_lock_waits" Flag for PostgreSQL Database Instances
- Enable "log_temp_files" Flag for PostgreSQL Database Instances
- Enable "slow_query_log" Flag for MySQL Database Servers
- Enable Automated Backups for Cloud SQL Database Instances
- Enable Automatic Storage Increase
- Enable Cloud SQL Instance Encryption with Customer-Managed Keys
- Enable High Availability for Cloud SQL Database Instances
- Enable Point-in-Time Recovery for MySQL Database Instances
- Enable SSL/TLS for SQL Server Incoming Connections
- Rotate Server Certificates for Cloud SQL Database Instances
- GCP Cloud Storage
- Check for Publicly Accessible Cloud Storage Buckets
- Check for Sufficient Data Retention Period
- Enable Lifecycle Management for Cloud Storage Objects
- Enable Object Encryption with Customer-Managed Keys
- Enable Object Versioning for Cloud Storage Buckets
- Enable Uniform Bucket-Level Access for Cloud Storage Buckets
- GCP VPC
- Check for DNSSEC Zone-Signing Algorithm in Use
- Check for Unrestricted DNS Access
- Check for Unrestricted FTP Access
- Check for Unrestricted ICMP Access
- Check for Unrestricted Inbound Access on Uncommon Ports
- Check for Unrestricted MySQL Database Access
- Check for Unrestricted Oracle Database Access
- Check for Unrestricted Outbound Access on All Ports
- Check for Unrestricted PostgreSQL Database Access
- Check for Unrestricted RDP Access
- Check for Unrestricted RPC Access
- Check for Unrestricted SMTP Access
- Check for Unrestricted SQL Server Access
- Check for Unrestricted SSH Access
- Check for VPC Firewall Rules with Port Ranges
- Enable Logging for VPC Firewall Rules
- Enable VPC Flow Logs for VPC Subnets
- Exclude Metadata from Firewall Logging
- GCP Compute Engine
- Approved Virtual Machine Image in Use
- Check for Desired Machine Type(s)
- Check for Instance-Associated Service Accounts with Full API Access
- Check for Instances Associated with Default Service Accounts
- Check for Publicly Shared Disk Images
- Check for Virtual Machine Instances with Public IP Addresses
- Configure Maintenance Behavior for VM Instances
- Disable Auto-Delete for VM Instance Persistent Disks
- Disable IP Forwarding for Virtual Machine Instances
- Disable Interactive Serial Console Support
- Disable Preemptibility for VM Instances
- Enable "Block Project-Wide SSH Keys" Security Feature
- Enable "Shielded VM" Security Feature
- Enable Automatic Restart for VM Instances
- Enable Deletion Protection for VM Instances
- Enable Instance Group Autohealing
- Enable OS Login for GCP Projects
- Enable VM Disk Encryption with Customer-Supplied Encryption Keys
- Enable Virtual Machine Disk Encryption with Customer-Managed Keys
- Enforce HTTPS Connections for App Engine Applications
- Remove Old Persistent Disk Snapshots
- Use OS Login with 2FA Authentication for VM Instances
- GCP Dataproc Service
- Enable Dataproc Cluster Encryption with Customer-Managed Keys
- GCP Google Kubernetes Engine Service
- Enable Application-Layer Secrets Encryption for GKE Clusters
- Enable Auto-Repair for GKE Cluster Nodes
- Enable Auto-Upgrade for GKE Cluster Nodes
- Enable GKE Cluster Node Encryption with Customer-Managed Keys
- Enable Integrity Monitoring for GKE Cluster Nodes
- Enable Secure Boot for GKE Cluster Nodes
- Restrict Network Access to GKE Clusters
- Use Shielded GKE Cluster Nodes
- GCP Resource Manager
- Define Allowed External IPs for VM Instances
- Disable Automatic IAM Role Grants for Default Service Accounts
- Disable Guest Attributes of Compute Engine Metadata
- Disable Serial Port Access Support at Organization Level
- Disable Service Account Key Upload
- Disable User-Managed Key Creation for Service Accounts
- Disable Workload Identity at Cluster Creation
- Enforce Detailed Audit Logging Mode
- Enforce Uniform Bucket-Level Access at Organization Level
- Prevent Service Account Creation for Google Cloud Organizations
- Require OS Login
- Restrict Allowed Google Cloud APIs and Services
- Restrict Authorized Networks on Cloud SQL instances
- Restrict Default Google-Managed Encryption for Cloud SQL Instances
- Restrict Load Balancer Creation Based on Load Balancer Types
- Restrict Public IP Access for Cloud SQL Instances at Organization Level
- Restrict Shared VPC Subnetworks
- Restrict VPC Peering Usage
- Restrict VPN Peer IPs
- Restrict Virtual Machine IP Forwarding
- Restrict the Creation of Cloud Resources to Specific Locations
- Restricting the Use of Images
- Skip Default VPC Network Creation
詳細の監視ルールは下記ページをご確認ください。
■ Best practice rules for Google Cloud Platform - Conformity
https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/
GCPの監視を試すには?
GCPの監視をお試し頂く場合は、[アカウントの追加]から登録をおこないます。
Conformityを新規お試し頂く場合は、初期選択画面でGCPが選択肢として表示されます。
GCPの導入手順について
GCPへのConformityの導入は下記手順をお試しください。
GCPの設定時には各GoogleAPIの設定が必要になります。
GCPのアカウントを無料お試し頂いている場合、有料への変更を求めれますのでご注意ください。
■ Add A GCP Account - Conformity
https://cloudone.trendmicro.com/docs/conformity/add-a-gcp-account/
さいごに
Cloud One ConformityのGCP監視(Preview)をご案内いたしました。
GCPの監視が正式版になった場合、AWS, Azure, GCPの3つのクラウド環境を監視出来るようになります。
またGCPが正式になった際は導入手順などご案内したいと思います。