Cloud controls that support batch scanning only

The following detective cloud controls don't support near-real-time scanning; they support batch scans only. For more information, see Compliance Manager scan types for detective controls.

  • Allocate Audit Log Storage Capacity
  • Assign Redis Role at Project Level
  • Block Automatic IAM Grants to Default Service Accounts
  • Block External IP Address Access on Compute Engine VM Instances
  • Block File Downloading in JupyterLab Console
  • Block Internet Access for Runtime Templates in Agent Platform Colab Enterprise
  • Block Internet Access for Vertex AI Runtime Templates
  • Block Root Access on Agent Platform Workbench Instances
  • Block Root Access on Vertex AI Workbench Instances
  • Block Service Account Key Creation
  • Block Service Account Key Uploads
  • Block Terminal Access on Agent Platform Workbench Instances
  • Block Terminal Access on Vertex AI Workbench Instances
  • Cloud Armor Policy Missing cve-canary Rule
  • Configure Access Controls for the Network Boundary
  • Configure Log Metrics and Alerts for Cloud SQL Configuration Changes
  • Configure Log Metrics and Alerts for Cloud Storage IAM Policy Changes
  • Configure Log Metrics and Alerts for VPC Network Changes
  • Configure Log Metrics and Alerts for VPC Route Changes
  • Configure Model Armor with Sensitive Data Filters
  • Configure Network Traffic Monitoring
  • Configure Remote Access Inactivity Timeout
  • Configure Security Logging Policies for Google Cloud Services
  • Configure the Allowed Ingress Settings for Cloud Run Organization Policy Constraint
  • Configure the Allowed VPC Egress Settings for Cloud Run Organization Policy Constraint
  • Configure the Disable VM Serial Port Logging to Stackdriver Organization Policy
  • Configure the Disable VPC External IPv6 Usage Organization Policy
  • Configure the Disable VPC Internal IPv6 Usage Organization Policy
  • Create and Manage Asymmetric Keys
  • Define a Security Policy to Mitigate for DDoS Events
  • Define Agent Platform Workbench Instance Access Mode
  • Define Secret Manager Rotation Schedule
  • Define Vertex AI Access Mode
  • Define VPC Connector Egress For Cloud Run Functions
  • Disable File Downloads on Agent Platform Workbench Instances
  • Disable File Downloads on Vertex AI Workbench Instances
  • Don't Use Legacy Networks
  • Enable Artifact Analysis Vulnerability Scanning
  • Enable Audit Logging for Agent Platform at Organization Level
  • Enable Audit Logging for Agent Platform
  • Enable Audit Logging for Google Agent Platform
  • Enable Audit Logs for Google Cloud Services
  • Enable Automatic Upgrades for Agent Platform WorkBench Instances
  • Enable Automatic Upgrades for Vertex AI WorkBench Instances
  • Enable Cloud Asset Inventory Service
  • Enable Cloud DNS Logs Monitoring
  • Enable CMEK for Agent Platform Datasets
  • Enable CMEK for Agent Platform Feature Store
  • Enable CMEK for Agent Platform Metadata Stores
  • Enable CMEK for Agent Platform Model Endpoints
  • Enable CMEK for Agent Platform Models
  • Enable CMEK for BigQuery Tables
  • Enable CMEK for Vertex AI Datasets
  • Enable CMEK for Vertex AI Endpoints
  • Enable CMEK for Vertex AI Featurestore
  • Enable CMEK for Vertex AI Metadata Stores
  • Enable CMEK for Vertex AI Models
  • Enable Data Access Logging for Agent Platform
  • Enable Data Access Logs for AlloyDB at Organization Level
  • Enable Data Access Logs for AlloyDB
  • Enable Data Access Logs for Bigtable at Organization Level
  • Enable Data Access Logs for Bigtable
  • Enable Data Access Logs for Cloud SQL at Organization Level
  • Enable Data Access Logs for Cloud SQL
  • Enable Data Access Logs for Cloud Storage at Organization Level
  • Enable Data Access Logs for Cloud Storage
  • Enable Data Access Logs for Datastore at Organization Level
  • Enable Data Access Logs for Datastore
  • Enable Data Access Logs for Filestore at Organization Level
  • Enable Data Access Logs for Filestore
  • Enable Data Access Logs for Firestore at Organization Level
  • Enable Data Access Logs for Firestore
  • Enable Data Access Logs for Secret Manager at Organization Level
  • Enable Data Access Logs for Secret Manager
  • Enable Data Access Logs for Spanner at Organization Level
  • Enable Data Access Logs for Spanner
  • Enable Data Lineage API
  • Enable Delete to Trash Feature for Agent Platform Workbench Instances
  • Enable Delete to Trash Feature for Vertex AI Workbench Instances
  • Enable L7 DDoS Protection
  • Enable Model Armor
  • Enable OS Login
  • Enable Provenance Tracking of Agent Platform Synthetic Datasets
  • Enable Provenance Tracking of Synthetic Datasets
  • Enable SDP for Data Discovery
  • Enable Secure Boot for Runtime Templates in Agent Platform Colab Enterprise
  • Enable Secure Boot for Vertex AI Runtime Templates
  • Enable Security Command Center
  • Enable Sensitive Data Protection to Detect PII in Agent Platform Training Data
  • Enable Sensitive Data Protection to Detect PII in Training Data
  • Enable Subnet Flow Logs
  • Enable the Confidential VM Organization Policy Constraint
  • Enable the Restrict Authorized Networks on Cloud SQL Instances Organization Policy Constraint
  • Enable VPC Flow Logs for Compute Engine Instances
  • Encrypt Data at Rest with CMEK
  • Enforce CMEK for Supported Services
  • Enforce CMEK
  • Enforce Compute Session Inactive Policy
  • Enforce Public Access Prevention
  • Ensure Minimum TLS 1.2 Version
  • Ensure Minimum TLS Version
  • GKE Node Pool Autoscaling
  • Implement Continuous Network Traffic Monitoring
  • Implement Event Logging for Google Cloud Services
  • Label Dataset Sensitivity Based on Sensitive Data Protection Findings
  • Prevent Nested Virtualization for Compute Engine VMs
  • Require Auto Upgrade Schedule Set for Agent Platform Workbench
  • Require Auto Upgrade Schedule Set for Vertex AI Workbench
  • Require IAM Logs
  • Restrict Default Network Creation for Compute Engine Instances
  • restrict firestore access to firestore agent
  • Restrict Legacy IAM Roles
  • Restrict Legacy TLS Versions
  • Restrict Public Access to BigQuery Datasets
  • Restrict Public Access to Cloud Storage Buckets
  • Restrict Public IP Addresses on Agent Platform Workbench Notebooks and Instances
  • Restrict Public IP Addresses on Vertex AI Workbench Notebooks and Instances
  • Retain Audit Records
  • Set Uniform Bucket Level Access for Cloud Storage Buckets
  • SQL No Additional Local Users
  • Terminate Network Connections
  • Use Default Encryption
  • Use TLS 1.2 or Higher
  • Verify Cloud SQL Failover Replication
  • Verify Cloud Storage Regional Deployment
  • Verify GKE Container Optimized OS
  • VPC Flow Logs Disabled for Workstation Subnet
  • Workstation DNS Not Using Customer Managed DNS Zone