Checks for GCP

• Cloud SQL – Configure Private IP Ensures Cloud SQL instances use private IP addresses to prevent exposure to the public internet.
• Cloud SQL – Monitor CPU Utilization Monitors CPU usage to detect performance bottlenecks and ensure optimal database performance.
• Cloud SQL – Enable Deletion Protection Prevents accidental or unauthorized deletion of Cloud SQL instances.
• Cloud SQL – Enable Disk Encryption Ensures data at rest is protected using Google-managed or customer-managed encryption keys.
• Cloud SQL – Enable Automated Backups Automatically backs up Cloud SQL databases to support data recovery and business continuity.
• Cloud SQL – Enable Log Export Exports database logs to Cloud Logging for monitoring, auditing, and troubleshooting.
• Cloud SQL – Enforce Password Validation Ensures strong password policies are enforced to enhance database security.
• Cloud SQL – Protect From Internet Access Restricts direct public internet access to Cloud SQL instances to reduce attack surfaces.
• Cloud SQL – Enforce Secure Transport Requires encrypted connections using SSL/TLS to protect data in transit.
• Compute Engine – Block Project-Wide SSH Keys Prevents the use of project-wide SSH keys to enforce granular access control.
• Compute Engine – Disable IP Forwarding Ensures IP forwarding is disabled to prevent unauthorized network routing.
• Compute Engine – Disable Public IP Addresses Ensures virtual machines are not assigned public IPs to reduce external exposure.
• Compute Engine – Disable Serial Port Access Disables serial port access to prevent unauthorized administrative access.
• Compute Engine – Enable Confidential Computing Protects sensitive data by encrypting it during processing using confidential VM technology.
• Compute Engine – Enable OS Login Centralizes SSH access management using IAM roles for improved security and auditing.
• Compute Engine – Enable Shielded VM Protects VM instances from rootkits and boot-level malware using secure boot features.
• Compute Engine – Restrict Default Service Account Limits the permissions of default service accounts to follow the principle of least privilege.
• General – Deny Public Access to KMS Keys Prevents public access to Cloud KMS keys to safeguard sensitive encryption resources.
• General – Enforce Duties Separation Implements separation of duties to reduce the risk of unauthorized or fraudulent activities.
• General – Enforce KMS Key Rotation Ensures encryption keys are rotated regularly to enhance data protection and compliance.
• General – Restrict Admin Roles on Service Accounts Prevents excessive privileges by restricting administrative roles on service accounts.
• Cloud Run – Configure Timeout Settings Configures appropriate request timeouts to improve application reliability and prevent abuse.
• Cloud Storage – Enable Bucket Encryption Ensures data stored in Cloud Storage buckets is encrypted at rest.
• Cloud Storage – Enable Bucket Logging Enables access logging to track bucket activity for monitoring and auditing purposes.
• Cloud Storage – Enable Bucket Versioning Maintains historical versions of objects to protect against accidental deletion or overwrites.
• Cloud Storage – Enforce Uniform Bucket-Level Access Simplifies access management by enforcing IAM policies at the bucket level.
• Cloud Storage – Restrict Public Access Prevents unauthorized public access to sensitive data stored in Cloud Storage.
• IAM Users – Enforce GCP-Managed Keys Ensures Google-managed keys are used to enhance security and reduce key management risks.
• IAM Users – Rotate External User-Managed Service Account Keys Requires regular rotation of user-managed service account keys to minimize security risks.

View More