GCP Security Checks
79+ GCP Security Checks
Complete list of Google Cloud Platform security checks across 8+ services based on CIS GCP Benchmark v1.3.0, PCI-DSS v4.0, ISO 27001:2022, SOC 2, and 10+ compliance frameworks.
At a glance: 79+ security checks, 8+ GCP services, 10+ compliance frameworks, CIS Benchmark v1.3.0
Security Checks by GCP Service
Comprehensive security checks organized by Google Cloud service, each listed with its CIS GCP Benchmark recommendation number (where one is mapped) and a severity rating. Click any check for detailed remediation guidance.
Google Cloud IAM
Ensure service account keys are rotated within 90 days (CIS 1.4, high)
Ensure user-managed service account keys are not used (CIS 1.5, medium)
Ensure primitive roles (Owner, Editor, Viewer) are not used (CIS 1.6, high)
Ensure service accounts do not have admin privileges (CIS 1.7, critical)
Ensure MFA is enforced for all users (CIS 1.1, critical)
Ensure corporate login credentials are used (CIS 1.2, high)
Ensure Security Key enforcement is enabled for admin users (CIS 1.3, high)
Ensure API keys are restricted to specific APIs (CIS 1.8, medium)
Ensure API keys are restricted by IP addresses or referrers (CIS 1.9, medium)
Ensure API keys are rotated regularly (CIS 1.10, medium)
Ensure separation of duties for service accounts (medium)
Ensure no service account has impersonation permissions (high)
Google Cloud Storage
Ensure GCS buckets are not publicly accessible (CIS 5.1, critical)
Ensure uniform bucket-level access is enabled (CIS 5.2, medium)
Ensure GCS bucket encryption uses CMEK (CIS 5.3, medium)
Ensure GCS bucket logging is enabled (medium)
Ensure GCS bucket versioning is enabled (medium)
Ensure GCS bucket lifecycle policies are configured (low)
Ensure GCS bucket retention policy is locked (medium)
Ensure GCS bucket is not using legacy bucket ACLs (low)
Ensure signed URLs have short expiration times (medium)
Ensure GCS bucket does not allow public list operations (high)
Google Compute Engine
Ensure instances do not have public IP addresses (CIS 4.9, medium)
Ensure Shielded VM is enabled (CIS 4.8, medium)
Ensure OS Login is enabled (CIS 4.4, medium)
Ensure serial port access is disabled (CIS 4.5, medium)
Ensure IP forwarding is disabled on instances (CIS 4.6, medium)
Ensure disk encryption uses CMEK (CIS 4.7, medium)
Ensure default service account is not used (CIS 4.1, high)
Ensure full access scopes are not used on instances (CIS 4.2, high)
Ensure block project-wide SSH keys is enabled (CIS 4.3, medium)
Ensure Confidential Computing is enabled for sensitive workloads (medium)
Google Cloud VPC
Ensure default VPC network is not used (CIS 3.1, medium)
Ensure legacy networks do not exist (CIS 3.2, high)
Ensure firewall rules do not allow unrestricted SSH access (CIS 3.6, critical)
Ensure firewall rules do not allow unrestricted RDP access (CIS 3.7, critical)
Ensure VPC flow logs are enabled (CIS 3.8, medium)
Ensure Private Google Access is enabled for subnets (CIS 3.9, medium)
Ensure firewall rules do not allow all egress traffic (medium)
Ensure DNSSEC is enabled for Cloud DNS zones (CIS 3.3, medium)
Ensure Cloud NAT is used for private instances (medium)
Ensure firewall rules are logged (medium)
Google Kubernetes Engine
Ensure GKE cluster uses private nodes (CIS 5.6.3, high)
Ensure GKE cluster uses private endpoint (CIS 5.6.4, high)
Ensure master authorized networks are configured (CIS 5.6.5, high)
Ensure Workload Identity is enabled (CIS 5.2.2, high)
Ensure GKE node auto-upgrade is enabled (CIS 5.5.3, medium)
Ensure GKE node auto-repair is enabled (CIS 5.5.4, medium)
Ensure GKE cluster uses Container-Optimized OS (CIS 5.5.1, medium)
Ensure Network Policies are enabled (CIS 5.6.7, high)
Ensure Pod Security Standards are enforced (high)
Ensure Binary Authorization is enabled (high)
Ensure Shielded GKE nodes are enabled (CIS 5.5.5, medium)
Ensure GKE release channel is configured (CIS 5.5.2, medium)
Google Cloud SQL
Ensure Cloud SQL instances are not publicly accessible (CIS 6.5, critical)
Ensure Cloud SQL database instances require SSL (CIS 6.1, high)
Ensure Cloud SQL database instances have backups configured (CIS 6.7, medium)
Ensure Cloud SQL uses CMEK encryption (medium)
Ensure Cloud SQL instances have authorized networks configured (CIS 6.6, high)
Ensure Cloud SQL has point-in-time recovery enabled (medium)
Ensure Cloud SQL instances have high availability configured (medium)
Ensure Cloud SQL local_infile database flag is off for MySQL (CIS 6.3.1, high)
Ensure Cloud SQL log_checkpoints database flag is on for PostgreSQL (CIS 6.2.1, medium)
Ensure Cloud SQL log_connections database flag is on for PostgreSQL (CIS 6.2.2, medium)
Google Cloud KMS
Ensure KMS cryptokeys are not anonymously accessible (CIS 1.11, critical)
Ensure KMS key rotation is enabled (CIS 1.12, medium)
Ensure separation of duties for KMS admin and key user roles (CIS 1.13, high)
Ensure KMS keys are in supported regions (medium)
Ensure KMS key destruction is protected (high)
Ensure HSM protection is used for sensitive keys (medium)
Ensure External Key Manager is configured for bring-your-own-key scenarios (low)
Google Cloud Logging
Ensure Cloud Audit Logging is enabled for all services (CIS 2.1, high)
Ensure log bucket retention is configured (CIS 2.2, medium)
Ensure log sinks are configured to export logs (CIS 2.3, medium)
Ensure log metric filters and alerts are configured (CIS 2.4, medium)
Ensure alert for VPC network changes is configured (CIS 2.9, medium)
Ensure alert for Cloud Storage IAM changes is configured (CIS 2.10, medium)
Ensure alert for SQL instance configuration changes is configured (CIS 2.11, medium)
Ensure logs are not publicly accessible (critical)
Supported Compliance Frameworks
Every check is mapped to the relevant controls in the following compliance frameworks:
CIS GCP v1.3.0
CIS GCP v1.2.0
CIS GCP v2.0
PCI-DSS v4.0
SOC 2 Type II
ISO 27001:2022
HIPAA
NIST 800-53
GDPR
ENS RD2022
Run All 79+ GCP Security Checks
Get a comprehensive GCP security assessment in minutes. See all misconfigurations and compliance gaps.