The following detective cloud controls don't support near-real-time scanning; they support batch scans only. For more information, see Compliance Manager scan types for detective controls.
- Allocate Audit Log Storage Capacity
- Assign Redis Role at Project Level
- Block Automatic IAM Grants to Default Service Accounts
- Block External IP Address Access on Compute Engine VM Instances
- Block File Downloading in JupyterLab Console
- Block Internet Access for Runtime Templates in Agent Platform Colab Enterprise
- Block Internet Access for Vertex AI Runtime Templates
- Block Root Access on Agent Platform Workbench Instances
- Block Root Access on Vertex AI Workbench Instances
- Block Service Account Key Creation
- Block Service Account Key Uploads
- Block Terminal Access on Agent Platform Workbench Instances
- Block Terminal Access on Vertex AI Workbench Instances
- Cloud Armor Policy Missing cve-canary Rule
- Configure Access Controls for the Network Boundary
- Configure Log Metrics and Alerts for Cloud SQL Configuration Changes
- Configure Log Metrics and Alerts for Cloud Storage IAM Policy Changes
- Configure Log Metrics and Alerts for VPC Network Changes
- Configure Log Metrics and Alerts for VPC Route Changes
- Configure Model Armor with Sensitive Data Filters
- Configure Network Traffic Monitoring
- Configure Remote Access Inactivity Timeout
- Configure Security Logging Policies for Google Cloud Services
- Configure the Allowed Ingress Settings for Cloud Run Organization Policy Constraint
- Configure the Allowed VPC Egress Settings for Cloud Run Organization Policy Constraint
- Configure the Disable VM Serial Port Logging to Stackdriver Organization Policy
- Configure the Disable VPC External IPv6 Usage Organization Policy
- Configure the Disable VPC Internal IPv6 Usage Organization Policy
- Create and Manage Asymmetric Keys
- Define a Security Policy to Mitigate for DDoS Events
- Define Agent Platform Workbench Instance Access Mode
- Define Secret Manager Rotation Schedule
- Define Vertex AI Access Mode
- Define VPC Connector Egress For Cloud Run Functions
- Disable File Downloads on Agent Platform Workbench Instances
- Disable File Downloads on Vertex AI Workbench Instances
- Don't Use Legacy Networks
- Enable Artifact Analysis Vulnerability Scanning
- Enable Audit Logging for Agent Platform at Organization Level
- Enable Audit Logging for Agent Platform
- Enable Audit Logging for Google Agent Platform
- Enable Audit Logs for Google Cloud Services
- Enable Automatic Upgrades for Agent Platform WorkBench Instances
- Enable Automatic Upgrades for Vertex AI WorkBench Instances
- Enable Cloud Asset Inventory Service
- Enable Cloud DNS Logs Monitoring
- Enable CMEK for Agent Platform Datasets
- Enable CMEK for Agent Platform Feature Store
- Enable CMEK for Agent Platform Metadata Stores
- Enable CMEK for Agent Platform Model Endpoints
- Enable CMEK for Agent Platform Models
- Enable CMEK for BigQuery Tables
- Enable CMEK for Vertex AI Datasets
- Enable CMEK for Vertex AI Endpoints
- Enable CMEK for Vertex AI Featurestore
- Enable CMEK for Vertex AI Metadata Stores
- Enable CMEK for Vertex AI Models
- Enable Data Access Logging for Agent Platform
- Enable Data Access Logs for AlloyDB at Organization Level
- Enable Data Access Logs for AlloyDB
- Enable Data Access Logs for Bigtable at Organization Level
- Enable Data Access Logs for Bigtable
- Enable Data Access Logs for Cloud SQL at Organization Level
- Enable Data Access Logs for Cloud SQL
- Enable Data Access Logs for Cloud Storage at Organization Level
- Enable Data Access Logs for Cloud Storage
- Enable Data Access Logs for Datastore at Organization Level
- Enable Data Access Logs for Datastore
- Enable Data Access Logs for Filestore at Organization Level
- Enable Data Access Logs for Filestore
- Enable Data Access Logs for Firestore at Organization Level
- Enable Data Access Logs for Firestore
- Enable Data Access Logs for Secret Manager at Organization Level
- Enable Data Access Logs for Secret Manager
- Enable Data Access Logs for Spanner at Organization Level
- Enable Data Access Logs for Spanner
- Enable Data Lineage API
- Enable Delete to Trash Feature for Agent Platform Workbench Instances
- Enable Delete to Trash Feature for Vertex AI Workbench Instances
- Enable L7 DDoS Protection
- Enable Model Armor
- Enable OS Login
- Enable Provenance Tracking of Agent Platform Synthetic Datasets
- Enable Provenance Tracking of Synthetic Datasets
- Enable SDP for Data Discovery
- Enable Secure Boot for Runtime Templates in Agent Platform Colab Enterprise
- Enable Secure Boot for Vertex AI Runtime Templates
- Enable Security Command Center
- Enable Sensitive Data Protection to Detect PII in Agent Platform Training Data
- Enable Sensitive Data Protection to Detect PII in Training Data
- Enable Subnet Flow Logs
- Enable the Confidential VM Organization Policy Constraint
- Enable the Restrict Authorized Networks on Cloud SQL Instances Organization Policy Constraint
- Enable VPC Flow Logs for Compute Engine Instances
- Encrypt Data at Rest with CMEK
- Enforce CMEK for Supported Services
- Enforce CMEK
- Enforce Compute Session Inactive Policy
- Enforce Public Access Prevention
- Ensure Minimum TLS 1.2 Version
- Ensure Minimum TLS Version
- GKE Node Pool Autoscaling
- Implement Continuous Network Traffic Monitoring
- Implement Event Logging for Google Cloud Services
- Label Dataset Sensitivity Based on Sensitive Data Protection Findings
- Prevent Nested Virtualization for Compute Engine VMs
- Require Auto Upgrade Schedule Set for Agent Platform Workbench
- Require Auto Upgrade Schedule Set for Vertex AI Workbench
- Require IAM Logs
- Restrict Default Network Creation for Compute Engine Instances
- restrict firestore access to firestore agent
- Restrict Legacy IAM Roles
- Restrict Legacy TLS Versions
- Restrict Public Access to BigQuery Datasets
- Restrict Public Access to Cloud Storage Buckets
- Restrict Public IP Addresses on Agent Platform Workbench Notebooks and Instances
- Restrict Public IP Addresses on Vertex AI Workbench Notebooks and Instances
- Retain Audit Records
- Set Uniform Bucket Level Access for Cloud Storage Buckets
- SQL No Additional Local Users
- Terminate Network Connections
- Use Default Encryption
- Use TLS 1.2 or Higher
- Verify Cloud SQL Failover Replication
- Verify Cloud Storage Regional Deployment
- Verify GKE Container Optimized OS
- VPC Flow Logs Disabled for Workstation Subnet
- Workstation DNS Not Using Customer Managed DNS Zone