Table: gcp_compute_instances
This table shows data for GCP Compute Instances.
https://cloud.google.com/compute/docs/reference/rest/v1/instances#Instance (opens in a new tab)
The primary key for this table is self_link.
Columns
Name | Type |
---|---|
_cq_id | uuid |
_cq_parent_id | uuid |
project_id | utf8 |
advanced_machine_features | json |
can_ip_forward | bool |
confidential_instance_config | json |
cpu_platform | utf8 |
creation_timestamp | utf8 |
deletion_protection | bool |
description | utf8 |
disks | json |
display_device | json |
fingerprint | utf8 |
guest_accelerators | json |
hostname | utf8 |
id | int64 |
instance_encryption_key | json |
key_revocation_action_type | utf8 |
kind | utf8 |
label_fingerprint | utf8 |
labels | json |
last_start_timestamp | utf8 |
last_stop_timestamp | utf8 |
last_suspended_timestamp | utf8 |
machine_type | utf8 |
metadata | json |
min_cpu_platform | utf8 |
name | utf8 |
network_interfaces | json |
network_performance_config | json |
params | json |
private_ipv6_google_access | utf8 |
reservation_affinity | json |
resource_policies | list<item: utf8, nullable> |
resource_status | json |
satisfies_pzs | bool |
scheduling | json |
self_link (PK) | utf8 |
service_accounts | json |
shielded_instance_config | json |
shielded_instance_integrity_policy | json |
source_machine_image | utf8 |
source_machine_image_encryption_key | json |
start_restricted | bool |
status | utf8 |
status_message | utf8 |
tags | json |
zone | utf8 |
Example Queries
These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.
Ensure that IP forwarding is not enabled on Instances (Automated)
SELECT
name AS resource_id,
'Ensure that IP forwarding is not enabled on Instances (Automated)' AS title,
project_id AS project_id,
CASE WHEN can_ip_forward = true THEN 'fail' ELSE 'pass' END AS status
FROM
gcp_compute_instances;
Ensure that instances are not configured to use the default service account (Automated)
SELECT
DISTINCT
gci.name AS resource_id,
'Ensure that instances are not configured to use the default service account (Automated)'
AS title,
gci.project_id AS project_id,
CASE
WHEN gci.name NOT LIKE 'gke-'
AND gcisa->>'email'
= (
SELECT
default_service_account
FROM
gcp_compute_projects
WHERE
project_id = gci.project_id
)
THEN 'fail'
ELSE 'pass'
END
AS status
FROM
gcp_compute_instances AS gci,
jsonb_array_elements(gci.service_accounts) AS gcisa;
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Automated)
SELECT
DISTINCT
gci.name AS resource_id,
'Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Automated)'
AS title,
gci.project_id AS project_id,
CASE
WHEN gcisa->>'email'
= (
SELECT
default_service_account
FROM
gcp_compute_projects
WHERE
project_id = gci.project_id
)
AND ARRAY['https://www.googleapis.com/auth/cloud-platform']
<@ ARRAY (SELECT jsonb_array_elements_text(gcisa->'scopes'))
THEN 'fail'
ELSE 'pass'
END
AS status
FROM
gcp_compute_instances AS gci,
jsonb_array_elements(gci.service_accounts) AS gcisa;
Ensure that Compute instances do not have public IP addresses (Automated
SELECT
DISTINCT
gci.name AS resource_id,
'Ensure that Compute instances do not have public IP addresses (Automated'
AS title,
gci.project_id AS project_id,
CASE
WHEN gci.name NOT LIKE 'gke-%'
AND (
(ac4->>'nat_i_p') IS NOT NULL
OR ac4->>'nat_i_p' != ''
OR (ac6->>'nat_i_p') IS NOT NULL
OR ac6->>'nat_i_p' != ''
)
THEN 'fail'
ELSE 'pass'
END
AS status
FROM
gcp_compute_instances AS gci,
jsonb_array_elements(gci.network_interfaces) AS ni
LEFT JOIN jsonb_array_elements(ni->'access_configs') AS ac4 ON true
LEFT JOIN jsonb_array_elements(ni->'ipv6_access_configs') AS ac6 ON true;
Ensure Compute instances are launched with Shielded VM enabled (Automated)
SELECT
name AS resource_id,
'Ensure Compute instances are launched with Shielded VM enabled (Automated)'
AS title,
project_id AS project_id,
CASE
WHEN (shielded_instance_config->>'enable_integrity_monitoring')::BOOL = false
OR (shielded_instance_config->>'enable_vtpm')::BOOL = false
OR (shielded_instance_config->>'enable_secure_boot')::BOOL = false
THEN 'fail'
ELSE 'pass'
END
AS status
FROM
gcp_compute_instances;
Ensure "Block Project-wide SSH keys" is enabled for VM instances (Automated)
SELECT
gci.name AS resource_id,
'Ensure "Block Project-wide SSH keys" is enabled for VM instances (Automated)'
AS title,
gci.project_id AS project_id,
CASE
WHEN (gcmi->>'key') IS NULL
OR NOT (gcmi->>'value' = ANY ('{1,true,True,TRUE,y,yes}'))
THEN 'fail'
ELSE 'pass'
END
AS status
FROM
gcp_compute_instances AS gci
LEFT JOIN jsonb_array_elements(gci.metadata->'items') AS gcmi ON
gcmi->>'key' = 'block-project-ssh-keys';
Ensure that Compute instances have Confidential Computing enabled (Automated)
SELECT
name AS resource_id,
'Ensure that Compute instances have Confidential Computing enabled (Automated)'
AS title,
project_id AS project_id,
CASE
WHEN (confidential_instance_config->>'enable_confidential_compute')::BOOL
= false
THEN 'fail'
ELSE 'pass'
END
AS status
FROM
gcp_compute_instances;
Ensure "Enable connecting to serial ports" is not enabled for VM Instance (Automated)
SELECT
name AS resource_id,
'Ensure "Enable connecting to serial ports" is not enabled for VM Instance (Automated)'
AS title,
project_id AS project_id,
CASE
WHEN gcmi->>'key' = 'serial-port-enable'
AND gcmi->>'value' = ANY ('{1,true,True,TRUE,y,yes}')
THEN 'fail'
ELSE 'pass'
END
AS status
FROM
gcp_compute_instances AS gci,
jsonb_array_elements(gci.metadata->'items') AS gcmi;