📝 Google Cloud DNS Managed Zone DNSSEC is not enabled 🟢

• Contextual name: 📝 Managed Zone DNSSEC is not enabled 🟢
• ID: /ce/ca/google/dns/dnssec-settings-for-cloud-dns
• Located in: 📁 Google Cloud DNS

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY
  • RELIABILITY

Similar Policies

• Cloud Conformity
  • Enable DNSSEC for Google Cloud DNS Zones

Logic

• 🧠 prod.logic.yaml 🟢
  • 📗 Google Cloud DNS Managed Zone
  • 🔌 Google Cloud DNS Managed Zone - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.

Rationale

Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated. Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today’s web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.

Audit

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to Cloud DNS by visiting https://console.cloud.google.com/net-services/dns/zones.
2. For each zone of Type Public, set DNSSEC to On.

From Google Cloud CLI

Use the below command to enable DNSSEC for Cloud DNS Zone Name.

        gcloud dns managed-zones update ZONE_NAME --dnssec-state on

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v1.2.0 → 💼 3.3 Ensure that DNSSEC is enabled for Cloud DNS - Level 1 (Automated)			1
💼 CIS GCP v1.3.0 → 💼 3.3 Ensure That DNSSEC Is Enabled for Cloud DNS - Level 1 (Automated)			1
💼 CIS GCP v2.0.0 → 💼 3.3 Ensure That DNSSEC Is Enabled for Cloud DNS - Level 1 (Automated)			1
💼 CIS GCP v3.0.0 → 💼 3.3 Ensure That DNSSEC Is Enabled for Cloud DNS - Level 1 (Automated)			1
💼 Cloudaware Framework → 💼 System Configuration			30
💼 Cloudaware Framework → 💼 Threat Protection			27
💼 FedRAMP High Security Controls → 💼 AC-18 Wireless Access (L)(M)(H)	4		5
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	24
💼 FedRAMP High Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H)	2		12
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3	18	33
💼 FedRAMP High Security Controls → 💼 CM-9 Configuration Management Plan (M)(H)			8
💼 FedRAMP Low Security Controls → 💼 AC-18 Wireless Access (L)(M)(H)			5
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			23
💼 FedRAMP Low Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H)			11
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)			29
💼 FedRAMP Moderate Security Controls → 💼 AC-18 Wireless Access (L)(M)(H)	2		5
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		24
💼 FedRAMP Moderate Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H)	1		12
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3		33
💼 FedRAMP Moderate Security Controls → 💼 CM-9 Configuration Management Plan (M)(H)			8
💼 ISO/IEC 27001:2013 → 💼 A.8.2.3 Handling of assets			4
💼 ISO/IEC 27001:2022 → 💼 8.9 Configuration management			12
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected		15	28
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	31
💼 NIST CSF v1.1 → 💼 PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition			7
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	66
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)		4	26
💼 NIST CSF v1.1 → 💼 PR.IP-6: Data is destroyed according to policy			4
💼 NIST CSF v1.1 → 💼 PR.PT-2: Removable media is protected and its use restricted according to policy			4
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			134
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles			21
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			88
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			114
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			94
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			108
💼 NIST SP 800-53 Revision 5 → 💼 AC-18 Wireless Access	5		5
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		23
💼 NIST SP 800-53 Revision 5 → 💼 CM-6 Configuration Settings	4		12
💼 NIST SP 800-53 Revision 5 → 💼 CM-7 Least Functionality	9		23
💼 NIST SP 800-53 Revision 5 → 💼 CM-9 Configuration Management Plan	1		8
💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards	7	1	38
💼 PCI DSS v3.2.1 → 💼 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.		1	27
💼 PCI DSS v3.2.1 → 💼 1.1.7 Requirement to review firewall and router rule sets at least every six months.			8
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		6	19
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			19
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			19
💼 PCI DSS v3.2.1 → 💼 1.4 Install personal firewall software or equivalent functionality on any portable computing devices that connect to the Internet when outside the network, and which are also used to access the CDE.			8
💼 PCI DSS v3.2.1 → 💼 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.			8
💼 PCI DSS v3.2.1 → 💼 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.	5	3	30
💼 PCI DSS v3.2.1 → 💼 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.			8
💼 PCI DSS v4.0.1 → 💼 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties.			8
💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.			34
💼 PCI DSS v4.0.1 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.			27
💼 PCI DSS v4.0.1 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.			27
💼 PCI DSS v4.0.1 → 💼 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.			8
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			19
💼 PCI DSS v4.0.1 → 💼 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE.			8
💼 PCI DSS v4.0.1 → 💼 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties.			8
💼 PCI DSS v4.0.1 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained.			11
💼 PCI DSS v4.0 → 💼 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties.			8
💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.		24	34
💼 PCI DSS v4.0 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.		15	27
💼 PCI DSS v4.0 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.		6	27
💼 PCI DSS v4.0 → 💼 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.			8
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.		7	19
💼 PCI DSS v4.0 → 💼 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE.			8
💼 PCI DSS v4.0 → 💼 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties.			8
💼 PCI DSS v4.0 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained.			11
💼 SOC 2 → 💼 CC5.2-2 Establishes Relevant Technology Infrastructure Control Activities			7