🔷 CIS GCP 8.1 | Rule: GCP-RUN-001 | Severity: high

Ensure Cloud Run services restrict ingress

Description

Cloud Run services should not allow all traffic from the internet unless required.

⚠️ Risk Impact

Unrestricted ingress exposes internal services to the internet, enabling direct attacks against application vulnerabilities.

🔍 How EchelonGraph Detects This

GCP-RUN-001 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🖥️ Manual Verification

terminal
gcloud run services list --format='table(metadata.name,metadata.annotations["run.googleapis.com/ingress"])'

The ingress annotation is set on the Service's own metadata, not on the revision template; a service with no annotation is using the default, 'all'.
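The following audit script is an added example, not EchelonGraph's scanner code. It wraps the listing above in a pass/fail check that also answers the first audit question (which services have 'all' ingress). It reads the tab-separated output of `gcloud run services list --format='value(...)'`, treats a missing annotation as the default 'all', and ships with a constructed sample listing so it can be run without a GCP project; the `--live` switch calls gcloud for real.

```shell
#!/usr/bin/env bash
# Added example: audit Cloud Run ingress settings from gcloud output.
# Assumes the v1 (Knative) resource shape, where the ingress annotation lives on the
# Service's metadata.annotations. An absent annotation means the default, 'all'.
set -eu

# classify_ingress VALUE -> PASS | FAIL | UNKNOWN
classify_ingress() {
  case "${1:-}" in
    internal|internal-and-cloud-load-balancing) echo PASS ;;
    ''|all) echo FAIL ;;   # unset is the default and behaves like 'all'
    *) echo UNKNOWN ;;     # unexpected value: inspect the service by hand
  esac
}

# audit_listing: reads "name<TAB>ingress" lines on stdin, prints one
# "STATUS<TAB>name<TAB>ingress" line per service, returns 1 if any service fails.
audit_listing() {
  rc=0
  while IFS="$(printf '\t')" read -r name ingress; do
    [ -n "$name" ] || continue
    status=$(classify_ingress "$ingress")
    printf '%s\t%s\t%s\n' "$status" "$name" "${ingress:-<unset=all>}"
    [ "$status" != FAIL ] || rc=1
  done
  return "$rc"
}

# count_failing: same input, prints the number of failing services (useful as a CI gate)
count_failing() {
  audit_listing | grep -c '^FAIL' || true
}

# Constructed sample mimicking gcloud's tab-separated value() output: two of the
# four services are exposed (one explicit 'all', one with the annotation unset).
SAMPLE="$(printf 'frontend\tall\ncache-admin\t\nbilling-api\tinternal-and-cloud-load-balancing\nworker\tinternal\n')"

if [ "${1:-}" = "--live" ]; then
  gcloud run services list \
    --format='value(metadata.name,metadata.annotations["run.googleapis.com/ingress"])' \
    | audit_listing || echo "non-compliant Cloud Run services found"
else
  printf '%s\n' "$SAMPLE" | audit_listing || echo "non-compliant Cloud Run services found (constructed sample)"
fi
```

Run it with no arguments to see the sample audit, or with `--live` (after `gcloud auth login` and setting a project) to audit the current project; a non-zero exit from `audit_listing` is what a pipeline should gate on.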

🔧 Remediation

Set ingress to 'internal' or 'internal-and-cloud-load-balancing' for non-public services.

💀 Real-World Attack Scenario

An internal microservice deployed on Cloud Run was left with default 'all' ingress. The service had an unauthenticated admin endpoint at /admin/reset. An attacker discovered the Cloud Run URL through JavaScript source maps on the frontend and used the admin endpoint to wipe all cache data and inject malicious redirects.

💰 Cost of Non-Compliance

Internal services exposed to the internet are breached 5x more often than properly segmented services. Average internal service breach cost: $1.8M including data exposure and service disruption.

📋 Audit Questions

  1. List all Cloud Run services with the 'all' ingress setting.
  2. Which services genuinely need public internet access?
  3. Are internal services protected by IAM authentication?

🎯 MITRE ATT&CK Mapping

  • T1190 — Exploit Public-Facing Application
  • T1133 — External Remote Services

🏗️ Infrastructure as Code Fix

main.tf
resource "google_cloud_run_service" "internal" {
  name     = "internal-service" # example name
  location = "us-central1"
  metadata {
    annotations = {
      "run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
    }
  }
  # A service needs at least one revision template to be deployable.
  template {
    spec {
      containers { image = "us-docker.pkg.dev/cloudrun/container/hello" }
    }
  }
}
# With the v2 resource (google_cloud_run_v2_service) the annotation is replaced by the
# ingress argument, e.g. ingress = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER".

⚡ Common Pitfalls

  • Deploying with default 'all' ingress and forgetting to restrict it
  • Using 'internal' when 'internal-and-cloud-load-balancing' is needed for load balancer health checks
  • Not enabling IAM authentication on top of ingress restrictions
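The script below is an added example (not EchelonGraph's remediation code) that applies the Remediation step while avoiding the last two pitfalls: it picks 'internal-and-cloud-load-balancing' only when the service sits behind a Cloud Load Balancer, and it removes the public `allUsers` invoker grant so that IAM authentication actually applies on top of the ingress restriction. The service name, region and the `BEHIND_LB` flag are assumptions supplied by the operator; by default it runs dry and only prints the gcloud commands it would execute.

```shell
#!/usr/bin/env bash
# Added example: restrict a Cloud Run service's ingress and enforce IAM invocation.
set -eu

# choose_ingress BEHIND_LB -> ingress value. 'yes' when the service is fronted by a
# Cloud Load Balancer (serverless NEG); plain 'internal' would drop the LB's traffic.
choose_ingress() {
  case "${1:-no}" in
    yes|true|1) echo internal-and-cloud-load-balancing ;;
    *) echo internal ;;
  esac
}

# run CMD...: print the command, then execute it unless DRY_RUN=1
run() {
  printf '+ %s\n' "$*"
  [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# remediate SERVICE REGION BEHIND_LB
remediate() {
  svc=$1; region=$2
  target=$(choose_ingress "$3")
  # 1. The control itself: restrict ingress.
  run gcloud run services update "$svc" --region "$region" --ingress "$target" --quiet
  # 2. Ingress is not authentication: revoke the public invoker grant so IAM is enforced.
  #    remove-iam-policy-binding fails when the binding is already absent, which is fine.
  run gcloud run services remove-iam-policy-binding "$svc" --region "$region" \
      --member=allUsers --role=roles/run.invoker \
    || echo "note: no allUsers binding removed (it may already be absent)"
}

if [ "${1:-}" = "--apply" ] && [ $# -eq 4 ]; then
  remediate "$2" "$3" "$4"      # live: ./fix.sh --apply SERVICE REGION yes|no
else
  DRY_RUN=1                     # default: show the commands for a constructed service
  remediate cache-admin us-central1 yes
fi
```

Callers that remove the `allUsers` grant must have a legitimate identity (a service account with `roles/run.invoker`, or a load balancer with IAP) calling the service afterwards; otherwise the remediation breaks the consumer rather than the attacker.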

📈 Business Value

Restricting Cloud Run ingress reduces attack surface by eliminating direct internet access to internal services. Combined with IAM authentication, it creates defense-in-depth.

⏱️ Effort Estimate

Manual

30 minutes per service to update ingress settings

With EchelonGraph

EchelonGraph monitors Cloud Run ingress settings in real-time

🔗 Cross-Framework References

  • SOC2-CC6.6
  • ISO27001-A.13.1.3

Automate CIS GCP 8.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
