bmt 0.8.0 → 0.10.0

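--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,431 @@
+ {
+ "metadata": {
+ "title": "GCP Cloud Configuration Review Methodology",
+ "release_date": "2025-10-30T00:00:00+00:00",
+ "description": "Methodology based on Google Cloud Platform Benchmarks",
+ "vrt_version": "1.15.1"
+ },
+ "content": {
+ "steps": [
+ {
+ "key": "identity_and_access_management",
+ "title": "Identity and Access Management",
+ "description": "This section covers security configurations for Google Cloud's Identity and Access Management (IAM), including organizational policies, user management, service accounts, and encryption keys.",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "iam_domain_restricted_sharing",
+ "title": "Verify the Domain restricted sharing Organization Policy is Enforced",
+ "description": "The 'Domain restricted sharing' organization policy can be used to limit resource sharing to identities belonging to one or more specified organizations. This should be confirmed as enforced to prevent data exfiltration and ensure resources are not shared with unauthorized external entities like personal Gmail accounts.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "iam_no_personal_accounts",
+ "title": "Verify Corporate Credentials are Used for Cloud Access",
+ "description": "Personal accounts, such as consumer Gmail accounts, should not be used for managing corporate cloud resources. It should be confirmed that all IAM users are associated with corporate identities (via Google Workspace or Cloud Identity) to ensure proper lifecycle management and accountability.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "iam_mfa_enforced",
+ "title": "Confirm Multi-Factor Authentication is Enforced for Users",
+ "description": "Multi-factor authentication (MFA) is a critical security control. It should be verified that MFA is enforced for all non-service account users, especially those with privileged roles, to protect against credential compromise.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "iam_session_control_enforced",
+ "title": "Verify Session Control is Enforced for Cloud Identity and Workspace Users",
+ "description": "Session control policies for Cloud Identity or Google Workspace users can mitigate data exfiltration risks by setting limits on session length. It should be confirmed that this feature is enabled and configured appropriately to enforce these session duration limits for all users.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "iam_separation_of_duties",
+ "title": "Check for Separation of Duties in IAM Role Assignments",
+ "description": "The principle of separation of duties should be applied to IAM roles to prevent any single user from having excessive control. For example, the user who manages KMS encryption keys should not be the same user who uses those keys to encrypt or decrypt data. Role bindings should be reviewed to confirm this segregation is in place.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "iam_service_account_least_privilege",
+ "title": "Confirm Service Accounts are Not Granted Overly Broad Roles",
+ "description": "Service accounts should not be assigned primitive roles like Owner, Editor, or Viewer at the project level. It should be verified that service accounts are granted specific, predefined or custom roles that adhere to the principle of least privilege.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "iam_service_account_key_rotation",
+ "title": "Verify User-Managed Service Account Keys are Rotated Periodically",
+ "description": "User-managed service account keys are long-lived credentials that pose a security risk if not managed properly. It should be confirmed that these keys are rotated on a regular schedule (e.g., every 90 days).",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "kms_key_rotation",
+ "title": "Check that Automatic Key Rotation is Configured for KMS Keys",
+ "description": "Cloud KMS keys should be configured to rotate automatically on a defined schedule. The rotation period should be reviewed to confirm it meets compliance and security requirements (e.g., a maximum of 365 days).",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "kms_separation_of_duties",
+ "title": "Verify Separation of Duties for KMS Key Management",
+ "description": "To maintain a clear separation of duties, it should be confirmed that IAM users granted administrative permissions for KMS (e.g., `cloudkms.admin`) are not the same users granted permissions to use those keys for cryptographic operations (e.g., `cloudkms.cryptoKeyEncrypterDecrypter`).",
+ "tools": "",
+ "caption": ""
+ }
+ ]
+ },
+ {
+ "key": "networking",
+ "title": "Networking",
+ "description": "This section reviews the security posture of Google Cloud networking resources, including VPCs, firewall rules, and DNS configurations.",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "network_default_vpc_removed",
+ "title": "Confirm the Default VPC Network Has Been Removed from Projects",
+ "description": "The default VPC network is created with permissive firewall rules that can present a security risk. To reduce the project's attack surface, it should be confirmed that the default network has been deleted and replaced with a custom, more secure network configuration.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "network_private_google_access_enabled",
+ "title": "Confirm Private Google Access is Enabled for VPC Subnets",
+ "description": "Enabling Private Google Access allows VM instances on a subnet to reach Google APIs and services using an internal IP address rather than a public one. The configuration of all subnets should be reviewed to confirm this is enabled to reduce the public internet exposure of instances.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "network_firewall_rule_logging_enabled",
+ "title": "Check that Firewall Rule Logging is Enabled",
+ "description": "VPC Firewall Rule Logging provides visibility into the traffic that is being allowed or denied by your firewall rules. It should be confirmed that this feature is enabled for all non-default firewall rules to support security monitoring and incident response.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "network_restrict_rdp_access",
+ "title": "Verify Firewall Rules Restrict RDP Access from the Internet",
+ "description": "Allowing unrestricted access to RDP (TCP port 3389) from any source (0.0.0.0/0) creates a significant security risk. It should be confirmed that no firewall rules permit such access.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "network_restrict_ssh_access",
+ "title": "Verify Firewall Rules Restrict SSH Access from the Internet",
+ "description": "Unrestricted ingress from the internet to SSH (TCP port 22) exposes VM instances to brute-force attacks. It should be verified that no firewall rules are configured to allow access from any source (0.0.0.0/0).",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "network_dnssec_enabled",
+ "title": "Confirm DNSSEC is Enabled for Cloud DNS Zones",
+ "description": "DNSSEC helps protect domains from spoofing and cache poisoning attacks by providing a mechanism to verify the authenticity of DNS data. For any public-facing DNS zones managed in Cloud DNS, it should be confirmed that DNSSEC is enabled.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "network_rsasha1_not_used_for_dnssec",
+ "title": "Verify RSASHA1 is Not Used for DNSSEC Zone-Signing Keys",
+ "description": "The RSASHA1 algorithm is no longer considered secure for DNSSEC. For any DNS zones using DNSSEC, the configuration should be reviewed to confirm that a stronger algorithm, such as RSASHA256 or RSASHA512, is used for the zone-signing keys.",
+ "tools": "",
+ "caption": ""
+ }
+ ]
+ },
+ {
+ "key": "compute_engine",
+ "title": "Compute Engine & VMs",
+ "description": "This section covers security configurations for Google Compute Engine virtual machine instances.",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "vm_ip_forwarding_disabled",
+ "title": "Confirm IP Forwarding is Disabled on VM Instances",
+ "description": "Unless an instance is specifically intended to function as a router or NAT gateway, IP forwarding should be disabled. This prevents the instance from being used to route traffic it did not originate, which could be a security risk. The configuration for all VM instances should be reviewed to confirm this setting is disabled.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "vm_default_service_account_not_used",
+ "title": "Confirm VM Instances Do Not Use the Default Service Account",
+ "description": "The default Compute Engine service account has broad, project-level editor permissions, which often violates the principle of least privilege. It should be verified that all VM instances are assigned dedicated, narrowly-scoped service accounts instead.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "vm_default_service_account_no_full_access",
+ "title": "Check that the Default Service Account Does Not Have Full Access to All Cloud APIs",
+ "description": "The default service account should not be configured with the 'Allow full access to all Cloud APIs' scope. Instead, it should be given granular permissions. The configuration of all VM instances using the default service account should be reviewed to confirm this access scope is not in use.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "vm_block_project_wide_ssh_disabled",
+ "title": "Verify Block project-wide SSH keys is Enabled for VM Instances",
+ "description": "To prevent the use of common, project-wide SSH keys, which can lead to unauthorized access if a key is compromised, it should be confirmed that all VM instances are configured to block them. This forces the use of instance-specific SSH keys.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "vm_serial_port_access_disabled",
+ "title": "Confirm Serial Port Access is Disabled for VM Instances",
+ "description": "Access to a VM's serial port can be used for interactive troubleshooting but also presents a security risk if not properly controlled. It should be verified that serial port access is disabled for all instances unless there is an explicit and documented need for it.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "vm_shielded_vm_enabled",
+ "title": "Check that Shielded VM Features are Enabled",
+ "description": "Shielded VM provides verifiable integrity of Compute Engine instances, helping to defend against boot-level and kernel-level malware and rootkits. It should be confirmed that features like Secure Boot, vTPM, and Integrity Monitoring are enabled.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "vm_disk_encryption_cmek",
+ "title": "Verify VM Disks are Encrypted with Customer-Managed Encryption Keys (CMEK)",
+ "description": "For enhanced control over data protection, Compute Engine persistent disks should be encrypted with a Customer-Managed Encryption Key (CMEK) from Cloud KMS, rather than the default Google-managed key. The encryption configuration for all disks should be reviewed.",
+ "tools": "",
+ "caption": ""
+ }
+ ]
+ },
+ {
+ "key": "storage",
+ "title": "Storage",
+ "description": "This section reviews security configurations for Google Cloud Storage.",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "storage_bucket_not_public",
+ "title": "Verify Cloud Storage Buckets Are Not Publicly Accessible",
+ "description": "Granting public access to a Cloud Storage bucket can result in unintended data exposure. All buckets should be reviewed to confirm that neither `allUsers` nor `allAuthenticatedUsers` are granted permissions in their IAM policies, except where public access is explicitly intended and documented.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "storage_uniform_bucket_access_enabled",
+ "title": "Verify Uniform Bucket-Level Access is Enabled on Cloud Storage Buckets",
+ "description": "Uniform bucket-level access simplifies permissions management by disabling object-level ACLs. All permissions are then managed through IAM. It should be confirmed that this setting is enabled on all buckets to maintain a consistent and manageable permissions model.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "storage_bucket_logging_enabled",
+ "title": "Confirm Access Logging is Enabled for Cloud Storage Buckets",
+ "description": "Bucket access logs provide a record of all requests made to a bucket, which is crucial for security auditing and incident investigation. It should be verified that logging is enabled for all buckets containing sensitive or critical data.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "storage_bucket_encryption_cmek",
+ "title": "Check that Cloud Storage Buckets are Encrypted with Customer-Managed Encryption Keys (CMEK)",
+ "description": "For greater control over data at rest, Cloud Storage buckets should be configured to use a Customer-Managed Encryption Key (CMEK) from Cloud KMS for default encryption. This should be verified for all buckets storing sensitive data.",
+ "tools": "",
+ "caption": ""
+ }
+ ]
+ },
+ {
+ "key": "database_and_analytics_services",
+ "title": "Database and Analytics Services",
+ "description": "This section covers security best practices for Google's managed data platforms, including Cloud SQL and BigQuery.",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "sql_restrict_public_ip",
+ "title": "Confirm Cloud SQL Instances Restrict Ingress from Any IP Address",
+ "description": "Cloud SQL instances should not be configured to accept connections from any IP address (0.0.0.0/0). The 'Authorized networks' configuration for each instance should be reviewed to ensure that access is restricted to specific, known IP ranges.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "sql_require_ssl",
+ "title": "Verify SSL Encryption is Required for Cloud SQL Connections",
+ "description": "Requiring SSL for connections to a Cloud SQL instance encrypts data in transit. The configuration of each SQL instance should be reviewed to confirm that only SSL connections are allowed.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "sql_automated_backups_enabled",
+ "title": "Check that Automated Backups are Configured for Cloud SQL Instances",
+ "description": "Automated backups are essential for data recovery. It should be confirmed that all production Cloud SQL instances have automated backups enabled with an appropriate schedule.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "sql_contained_database_auth_disabled_sqlserver",
+ "title": "Verify Contained Database Authentication Flag is Disabled for Cloud SQL for SQL Server",
+ "description": "Contained database authentication allows users to be managed at the database level, which can bypass centralized IAM controls. For SQL Server instances, it should be verified that the `contained database authentication` flag is set to `off`.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "sql_cross_db_ownership_chaining_disabled_sqlserver",
+ "title": "Verify Cross-DB Ownership Chaining Flag is Disabled for Cloud SQL for SQL Server",
+ "description": "Cross-database ownership chaining is a legacy feature that can create security risks by allowing implicit access across databases. For SQL Server instances, it should be confirmed that this database flag is set to `off`.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "sql_local_infile_disabled_mysql",
+ "title": "Verify local infile Flag is Disabled for Cloud SQL for MySQL",
+ "description": "The `local_infile` flag in MySQL allows for loading local data, which can be a security risk if an attacker can control the file path. It should be verified that this flag is set to `off` on all Cloud SQL for MySQL instances.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "sql_log_error_verbosity_default_postgres",
+ "title": "Confirm log error verbosity Flag is Not Overly Verbose for Cloud SQL for PostgreSQL",
+ "description": "The `log_error_verbosity` flag controls the level of detail in error logs. Setting it to `TERSE` or `DEFAULT` is recommended to avoid logging potentially sensitive information. The configuration for all PostgreSQL instances should be reviewed.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "bigquery_public_access_disabled",
+ "title": "Verify Public Access is Disabled for BigQuery Datasets",
+ "description": "BigQuery datasets may contain sensitive information and should not be publicly accessible. The IAM policy for each dataset should be reviewed to confirm that it does not grant permissions to `allUsers` or `allAuthenticatedUsers`.",
+ "tools": "",
+ "caption": ""
+ }
+ ]
+ },
+ {
+ "key": "ai_ml_platforms",
+ "title": "AI & ML Platforms",
+ "description": "This section provides security checks for Google Cloud's AI and Machine Learning services, such as Vertex AI.",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "vertexai_no_public_ip",
+ "title": "Verify Vertex AI Instances Do Not Have Public IP Addresses",
+ "description": "To reduce the attack surface, Vertex AI instances should not have public IP addresses. Instead, they should be accessible only through their private IP address within a VPC. The configuration of each instance should be reviewed to confirm this setting.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "vertexai_notebooks_encrypted_cmek",
+ "title": "Check that Vertex AI Notebooks are Encrypted with Customer-Managed Keys (CMEK)",
+ "description": "For greater control over the encryption of data within AI notebooks, it should be confirmed that Vertex AI notebooks are configured to use a Customer-Managed Encryption Key (CMEK) from Cloud KMS.",
+ "tools": "",
+ "caption": ""
+ }
+ ]
+ },
+ {
+ "key": "logging_and_monitoring",
+ "title": "Logging and Monitoring",
+ "description": "This section covers configurations for Google Cloud's operations suite, including Cloud Logging, Cloud Monitoring, and Audit Logs.",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "logging_all_entries_sink_configured",
+ "title": "Confirm Log Sinks are Configured for All Log Entries",
+ "description": "To ensure that all log entries are captured for long-term retention and analysis, log sinks should be configured. The configuration should be reviewed to confirm that a sink is established to export all log entries to a designated destination, such as Cloud Storage, BigQuery, or Pub/Sub.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "logging_audit_logs_not_modified",
+ "title": "Verify the Default Audit Log Configuration has Not Been Modified",
+ "description": "Google Cloud's default audit logging configuration is designed to capture critical security information. It should be confirmed that no exclusion filters have been applied to the default sinks that would prevent Data Access or Admin Read audit logs from being recorded.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "logging_storage_bucket_retention_enabled",
+ "title": "Check that Log Storage Buckets Have Retention Policies and are Not Public",
+ "description": "The Cloud Storage bucket used as a destination for log sinks should be configured with a retention policy to meet compliance needs. Additionally, it must be confirmed that the bucket is not publicly accessible.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "monitoring_alarm_for_iam_changes",
+ "title": "Verify an Alarm Exists for IAM Policy Changes",
+ "description": "A log metric and alert should be configured to detect and notify administrators of any changes to IAM policies within a project. This provides timely awareness of modifications to user permissions.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "monitoring_alarm_for_firewall_changes",
+ "title": "Verify an Alarm Exists for VPC Firewall Rule Changes",
+ "description": "Changes to firewall rules can directly impact network security. A log metric and alert should be in place to monitor for the creation, patching, or deletion of firewall rules.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "monitoring_alarm_for_route_changes",
+ "title": "Verify an Alarm Exists for VPC Route Changes",
+ "description": "A log metric and alert should be configured to detect the creation or deletion of routes in a VPC's route table. This helps monitor for potentially malicious changes to network traffic paths.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "monitoring_alarm_for_custom_role_changes",
+ "title": "Verify an Alarm Exists for Custom IAM Role Changes",
+ "description": "The creation, deletion, or updating of custom IAM roles are sensitive security events. A log metric and alert should be configured to provide notifications for these activities.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "monitoring_alarm_for_sql_instance_changes",
+ "title": "Verify an Alarm Exists for Cloud SQL Instance Configuration Changes",
+ "description": "Any configuration change to a Cloud SQL instance should be monitored. A log metric and alert should be established to provide notifications for these events.",
+ "tools": "",
+ "caption": ""
+ }
+ ]
+ },
+ {
+ "key": "security_operations",
+ "title": "Security Operations",
+ "description": "This section covers the configuration of Google Cloud's centralized security management platform, Security Command Center.",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "scc_enabled",
+ "title": "Confirm Security Command Center is Enabled",
+ "description": "Security Command Center is a centralized security and risk management platform for Google Cloud. It should be confirmed that this service is enabled at the organization level to provide visibility into assets, vulnerabilities, and threats.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "scc_discovery_notifications_enabled",
+ "title": "Verify Notifications for Security Command Center Discovery Findings are Enabled",
+ "description": "Notifications should be configured for findings generated by Security Command Center's asset discovery. This ensures that relevant teams are alerted to changes in the cloud asset inventory.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "scc_vulnerability_notifications_enabled",
+ "title": "Verify Notifications for Security Command Center Vulnerability Findings are Enabled",
+ "description": "Security Command Center can identify various vulnerabilities, such as open firewall ports or publicly exposed buckets. It should be confirmed that notifications are enabled for these critical findings to ensure timely remediation.",
+ "tools": "",
+ "caption": ""
+ },
+ {
+ "key": "scc_error_notifications_enabled",
+ "title": "Verify Notifications for Security Command Center Error Findings are Enabled",
+ "description": "Notifications should be configured for findings related to service misconfigurations, such as errors in Cloud Audit Logging. This ensures that operational issues affecting security posture are promptly addressed.",
+ "tools": "",
+ "caption": ""
+ }
+ ]
+ },
+ {
+ "key": "upload_logs",
+ "title": "Upload logs",
+ "description": "This should include all associated traffic associated to the in-scope targets.",
+ "type": "large_upload"
+ },
+ {
+ "key": "executive_summary",
+ "title": "Executive summary",
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
+ "type": "executive_summary"
+ }
+ ]
+ }
+ }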
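Review bot: The key of the project-wide SSH item, `"key": "vm_block_project_wide_ssh_disabled"`, contradicts its own title and description, which verify that blocking project-wide SSH keys is enabled; since this is a newly added file with no consumers of the key visible here, `"key": "vm_block_project_wide_ssh_enabled"` would align the identifier with the check before anything references it. The `network_restrict_rdp_access`, `network_restrict_ssh_access` and `sql_restrict_public_ip` items describe the any-source case only as 0.0.0.0/0, so a reviewer following the text literally would pass a rule or authorized network that is open to the IPv6 equivalent `::/0`; the descriptions should name both ranges. The `upload_logs` description reads "all associated traffic associated to" and should be `"description": "This should include all traffic associated with the in-scope targets."`. Every checklist item carries empty-string `tools` and `caption` values; presumably the consuming schema requires those keys, but if they are optional, omitting them would be clearer than an empty-string sentinel.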