
Commit e7cf22d

committed
fixed warnings added to TOC
1 parent d64416c commit e7cf22d


3 files changed

+6
-4
lines changed


articles/defender-for-cloud/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -132,6 +132,8 @@
132132
href: recommendations-reference.md
133133
- name: Reference list of AWS recommendations
134134
href: recommendations-reference-aws.md
135+
- name: Reference list of GCP recommendations
136+
href: recommendations-reference-gcp.md
135137
- name: Reference list of attack paths and cloud security graph components
136138
href: attack-path-reference.md
137139
- name: Protect cloud workloads
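Review bot: the new TOC entry at +135/+136 points at `recommendations-reference-gcp.md`, but this commit adds no such file (the other two files changed are includes under `includes/mdfc/`), so confirm the target article already exists in `articles/defender-for-cloud/`; otherwise the TOC ships with a broken href. The entry itself mirrors the AWS sibling (`- name: Reference list of AWS recommendations` / `href: recommendations-reference-aws.md`) in indentation and naming, which is the right pattern.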

includes/mdfc/mdfc-recs-gcp-compute.md

Lines changed: 2 additions & 2 deletions
@@ -31,8 +31,8 @@ There are **26** GCP recommendations in this category.
3131
|[Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/492fed4e-1871-4c12-948d-074ee0f07559) |The "log_min_error_statement" flag defines the minimum message severity level that is considered as an error statement. <br> Messages for error statements are logged with the SQL statement. <br> Valid values include "DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1", "INFO", "NOTICE", "WARNING", "ERROR", "LOG", "FATAL", and "PANIC". <br> Each severity level includes the subsequent levels mentioned above. <br> Note: To effectively turn off logging failing statements, set this parameter to PANIC. <br> ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy. <br>Auditing helps in troubleshooting operational problems and also permits forensic analysis. <br> If "log_min_error_statement" is not set to the correct value, messages may not be classified as error messages appropriately. <br> Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements. <br> The "log_min_error_statement" flag should be set in accordance with the organization's logging policy. <br> This recommendation is applicable to PostgreSQL database instances. |Low |
3232
|[Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' ](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/29622fc0-14dc-4d65-a5a8-e9a39ffc4b62) |PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed "work_mem". <br> The "log_temp_files" flag controls logging names and the file size when it is deleted. <br> Configuring "log_temp_files" to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. <br> A value of "-1" disables temporary file information logging. <br> If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts. |Low |
3333
|[Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Key](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/6ca40f30-2508-4c90-85b6-36564b909364) |Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine.<br> If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.<br> By default, Google Compute Engine encrypts all data at rest.<br> Compute Engine handles and manages this encryption for you without any additional actions on your part.<br> However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.<br>By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. <br>However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.<br>If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. <br>Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.<br>Google does not store your keys on its servers and cannot access your protected data unless you provide the key. <br>This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.<br>At least business critical VMs should have VM disks encrypted with CSEK. |Medium |
34-
|[GCP projects should have Azure Arc auto provisioning enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1716d754-8d50-4b90-87b6-0404cad9b4e3) |For full visibility of the security content from Microsoft Defender for servers, GCP VM instances should be connected to Azure Arc. To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about <a href='https://docs.microsoft.com/azure/azure-arc/servers/overview'>Azure Arc</a>, and <a href='https://docs.microsoft.com/azure/security-center/defender-for-servers-introduction'>Microsoft Defender for Servers</a>. |High |
35-
|[GCP VM instances should be connected to Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206) |Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about <a href='https://docs.microsoft.com/azure/azure-arc/'>Azure Arc</a>, and about <a href='https://docs.microsoft.com/azure/security-center/defender-for-servers-introduction'>Microsoft Defender for Servers</a> on hybrid-cloud environment. |High |
34+
|[GCP projects should have Azure Arc auto provisioning enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1716d754-8d50-4b90-87b6-0404cad9b4e3) |For full visibility of the security content from Microsoft Defender for servers, GCP VM instances should be connected to Azure Arc. To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about [Azure Arc](/azure/azure-arc/servers/overview), and [Microsoft Defender for Servers](/azure/security-center/defender-for-servers-introduction). |High |
35+
|[GCP VM instances should be connected to Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/9bbe2f0f-d6c6-48e8-b4d0-cf25d2c50206) |Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about [Azure Arc](/azure/azure-arc/), and about [Microsoft Defender for Servers](/azure/security-center/defender-for-servers-introduction) on hybrid-cloud environment. |High |
3636
|[GCP VM instances should have OS config agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/20622d8c-2a4f-4a03-9896-a5f2f7ede717) |To receive the full Defender for Servers capabilities using Azure Arc auto-provisioning, GCP VMs should have OS config agent enabled |High |
3737
|[GKE cluster's auto repair feature should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/6aeb69dc-0d01-4228-88e9-7e610891d5dd) |This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoRepair', 'value': true. |Medium |
3838
|[GKE cluster's auto upgrade feature should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1680e053-2e9b-4e77-a1c7-793ae286155e) |This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoUpgrade', 'value': true. |High |
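Review bot: the two replacement rows (+34, +35) link the same anchor text "Azure Arc" to different targets, `/azure/azure-arc/servers/overview` in the auto-provisioning row and `/azure/azure-arc/` in the VM-instances row; both recommendations are about connecting VM instances, so pointing both at `/azure/azure-arc/servers/overview` would be consistent. The HTML-to-markdown link conversion itself is fine and should clear the raw-HTML warnings the commit message refers to. While these rows are being touched, "Microsoft Defender for servers" on +34 should be "Microsoft Defender for Servers" to match +35, and "on hybrid-cloud environment" on +35 reads better as "in hybrid-cloud environments".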

includes/mdfc/mdfc-recs-gcp-container.md

Lines changed: 2 additions & 2 deletions
@@ -12,7 +12,7 @@ There are **4** GCP recommendations in this category.
1212
|Recommendation |Description |Severity |
1313
|---|---|---|
1414
|[Advanced configuration of Defender for Containers should be enabled on GCP connectors](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/b7683ca3-3a11-49b6-b9d4-a112713edfa3) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings. |High |
15-
|[GKE clusters should have Microsoft Defender's extension for Azure Arc installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/0faf27b6-f1d5-4f50-b22a-5d129cba0113) |Microsoft Defender's <a href="https://docs.microsoft.com/azure/azure-arc/kubernetes/extensions">cluster extension</a> provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats. <br> The extension works with <a href="https://docs.microsoft.com/azure/azure-arc/kubernetes/overview">Azure Arc-enabled Kubernetes</a>. <br>Learn more about <a href="https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks">Microsoft Defender for Cloud's security features for containerized environments</a>. |High |
16-
|[GKE clusters should have the Azure Policy extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/6273e20b-8814-4fda-a297-42a70b16fcbf) |Azure Policy extension for Kubernetes extends <a target="_blank" href="https://github.com/open-policy-agent/gatekeeper">Gatekeeper</a> v3, an admission controller webhook for <a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent</a> (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. <br> The extension works with <a href="https://docs.microsoft.com/azure/azure-arc/kubernetes/overview">Azure Arc-enabled Kubernetes</a>. |High |
15+
|[GKE clusters should have Microsoft Defender's extension for Azure Arc installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/0faf27b6-f1d5-4f50-b22a-5d129cba0113) |Microsoft Defender's [cluster extension](/azure/azure-arc/kubernetes/extensions) provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats. <br> The extension works with [Azure Arc-enabled Kubernetes](/azure/azure-arc/kubernetes/overview). <br>Learn more about [Microsoft Defender for Cloud's security features for containerized environments](/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks). |High |
16+
|[GKE clusters should have the Azure Policy extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/6273e20b-8814-4fda-a297-42a70b16fcbf) |Azure Policy extension for Kubernetes extends [Gatekeeper](https://github.com/open-policy-agent/gatekeeper) v3, an admission controller webhook for <a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent</a> (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. <br> The extension works with [Azure Arc-enabled Kubernetes](/azure/azure-arc/kubernetes/overview). |High |
1717
|[Microsoft Defender for Containers should be enabled on GCP connectors](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d42ac63d-0592-43b2-8bfa-ff9199da595e) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. Enable Containers plan on your GCP connector, to harden the security of Kubernetes clusters and remediate security issues. Learn more about Microsoft Defender for Containers. |High |
1818
|||
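Review bot: line +16 still carries a raw `<a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent</a>` anchor while the Gatekeeper link beside it was converted to markdown, so if the warnings being fixed are about HTML anchors this row will keep triggering one; convert it to `[Open Policy Agent](https://www.openpolicyagent.org/)`. The `/azure/defender-for-cloud/...` link on +15 correctly drops the `en-us` locale segment from the old URL, matching the root-relative style of the other converted links.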
