Why is the "GCP_CIS_1_2 - Ensure that multi-factor authentication is enabled for all non-service accounts (Not Scored)" compliance recommendation listed in Advanced Suppression but is not listed in the main Compliance Report panel?
This compliance recommendation is listed in a report only when the integration is at the organization level and the organization has no project. Here is the GCP_CIS_1_2 compliance recommendation as listed in Advanced Suppression.
Here are the compliance reports for integration at the organization level when the organization has a project. Note that the GCP_CIS_1_2 compliance recommendation is not listed.
Why are both the GCP CIS 1.0 and 1.2 benchmarks available in the Compliance reports?
As of v4.22 (platform release on 21st September 2021), the CIS 1.2 benchmarks were added to the Lacework GCP analyzers. You have the option of selecting either benchmark version on the GCP Compliance Reports page (alongside other benchmark options):
How do I start using the GCP CIS 1.2 benchmarks?
See the GCP CIS 1.2 Addition section in Create a GCP Service Account and Grant Access for instructions on how to setup access for the new benchmarks.
Once access is granted, the CIS 1.2 benchmarks are suppressed by default (see the known issue below if you have Lacework Policy subscriptions enabled in General Settings). Switch them on by going to the GCP Compliance Reports page (Compliance > GCP > Reports) and selecting Actions > Advanced Suppression on any of the benchmark rules. The GCP CIS 1.2 benchmarks are shown in the format of GCP_CIS12_*, switch on the ones that you require.
In a future release, the option to enable or disable all rules in a Suppressions list will be available.
Known Issue: Check if your Lacework Policy subscriptions (Settings > General Settings) are automatically enabled (or enabled for any severity):
If they are enabled, the Advanced Suppression modal window will display the status as ON for some or all of the GCP_CIS12_* rules. This is a known issue in the Lacework Console when first running a GCP CIS 1.2 compliance report and these rules will still be disabled internally.
To resolve this, manually disable all of the GCP_CIS12_* rules that are ON and click SAVE. Once this is done, the GCP CIS 1.2 rules can be enabled in the normal way.
Are the GCP K8s Benchmark rules part of the GCP CIS 1.2 benchmarks?
The GCP K8s Benchmarks are bespoke Lacework rules and are not associated with the latest CIS K8s benchmarks for GCP. They are related to the GCP CIS 1.0 rules. The K8s benchmarks are not removed. They are a separate report (which contains CIS 1.0 Kubernetes control rules) in the GCP reports tab and in the reports drop-down.
Why are some rules missing when viewing the GCP CIS benchmark reports?
The majority of the GCP CIS benchmark rules are evaluated at the Project level, however, some are evaluated at the Organization level. As such, depending on your level of integration with GCP, these Organization level rules may not display.
The following table is a list of all the Organization level GCP CIS benchmark rules:
| Rule ID | Category | Title |
|---|---|---|
| GCP_CIS_1_2 | Identity and Access Management | Ensure that multi-factor authentication is enabled for all non-service accounts. |
| GCP_CIS12_1_1 | Identity and Access Management | Ensure that corporate login credentials are used. |
| GCP_CIS12_1_2 | Identity and Access Management | Ensure that multi-factor authentication is enabled for all non-service accounts. |
| GCP_CIS12_1_3 | Identity and Access Management | Ensure that Security Key Enforcement is enabled for all admin accounts. |
| GCP_CIS12_2_1 | Logging and Monitoring | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project. |
| GCP_CIS12_2_2 | Logging and Monitoring | Ensure that sinks are configured for all Log entries. |
| GCP_CIS12_2_3 | Logging and Monitoring | Ensure that retention policies on log buckets are configured using Bucket Lock. |