Ensure all Cloud SQL database instance requires all incoming connections to use SSL TF-S2006
Incoming connections should use SSL while making connections with Cloud SQL database instances.
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters TF-S2001
Stackdriver is the default logging solution for clusters deployed on GKE. GKE should have logging enabled so that access can be audited.
Ensure that Cloud SQL database instances are not open to the world TF-S2011
Ensure that Cloud SQL database instances is not publicly accessible to lower the attack surface.
Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters TF-S2010
Node auto-upgrade keeps nodes up-to-date with the latest cluster master version when your master is updated on your behalf, and it should enabled.
Cloud DNS has DNSSEC disabled TF-S2016
DNSSEC is a feature of the Domain Name System that authenticates responses to domain name lookups. DNSSEC prevents attackers from manipulating or poisoning the responses to DNS requests. We recommend ensuring that DNSSEC is enabled in any public DNS zone, the top-level domain registry, and the local DNS resolvers.