Google Cloud best practices

alloydb.googleapis.com/Cluster

Verifies that AlloyDB clusters have an automated backup policy enabled, ensuring critical data is protected against loss and can be rapidly recovered to maintain business continuity and service reliability.

alloydb.googleapis.com/Cluster

Verifies AlloyDB clusters have continuous backup enabled, providing crucial pointintime recovery (PITR) to protect against data loss and ensure business continuity.

apikeys.googleapis.com/Key

Verifies that all API keys have restrictions applied, preventing misuse that could lead to security breaches, unauthorized data access, and unexpected costs.

apikeys.googleapis.com/Key

Ensures API keys are restricted to specific services, preventing potential misuse that could lead to unauthorized API activation, security vulnerabilities, and unexpected costs.

apikeys.googleapis.com/Key

Enforces a 90day rotation policy for API keys to minimize the security risk from lost, leaked, or compromised credentials.

apikeys.googleapis.com/Key

Flags the existence of any API key to encourage the use of more secure authentication methods, such as service accounts, thereby reducing the risk associated with static, longlived credentials.

bigquery.googleapis.com/Dataset

Checks if BigQuery datasets are encrypted using CustomerManaged Encryption Keys (CMEK) from Cloud KMS. While BigQuery encrypts data at rest by default with Googlemanaged keys, CMEK offers finergrained control over key management, including rotation, access control, and audit logging. This rule inspects the defaultEncryptionConfiguration field within the datasets configuration. A violation is triggered if this field is missing or if it exists but lacks a kmsKeyName property. The absence of defaultEncryptionConfiguration or kmsKeyName signifies that the dataset is not employing CMEK for encryption, potentially impacting compliance and security posture.

bigquery.googleapis.com/Dataset

Checks if a BigQuery dataset has labels applied. Labels are userdefined keyvalue pairs that help organize and manage resources within Google Cloud. They are used for filtering, grouping, and cost reporting. This rule checks for the presence of the labels field on the dataset. A violation is triggered if the labels field is missing or if its empty.

bigquery.googleapis.com/Dataset

Checks if a BigQuery dataset has resource tags applied. Resource tags are keyvalue pairs managed through Resource Manager. They are used for broader organizational purposes, including integration with other Google Cloud services and external systems (e.g., for access control via tag bindings). This rule checks for the presence of the resourceTags field. A violation is generated if the tags field is missing, or it is empty.

bigquery.googleapis.com/Dataset

Checks if BigQuery datasets are not publicly exposed. Publicly exposed datasets can lead to unintentional data leakage and potential privacy violations. BigQuery offers granular access controls via IAM roles, and datasets should be restricted to authorized users and service accounts only. This rule checks for the presence of allUsers or allAuthenticatedUsers in the datasets access control list, which grants public access. The absence of these entries indicates that the dataset is not publicly accessible.

bigquery.googleapis.com/Table

Checks if BigQuery tables are encrypted using CustomerManaged Encryption Keys (CMEK) in Cloud KMS. By default, BigQuery encrypts data at rest using Googlemanaged keys. CMEK provides more granular control over the encryption keys, allowing organizations to manage key rotation, access, and auditing. This rule examines the encryptionConfiguration field within the tables configuration. If this field is missing, or if it exists but does not contain a kmsKeyName, it indicates that the table is not using CMEK for encryption.

bigquery.googleapis.com/Table

Checks if a BigQuery table has an expiration time set. Setting an expiration time on tables is a best practice for managing data lifecycle and controlling storage costs, especially for temporary or staging tables. This rule examines the expirationTime field within the tables configuration. If expirationTime is null (or missing, which is treated the same way in Rego), it indicates that the table does not have an expiration time set, and a violation is generated. An explicit expiration time is a good practice for data governance.

bigquery.googleapis.com/Table

Checks if a BigQuery table has labels applied. Labels are userdefined keyvalue pairs that help organize and manage resources within Google Cloud. They are used for filtering, grouping, and cost reporting. This rule checks for the presence of the labels field on the table. A violation is triggered if the labels field is missing or if its empty.

bigquery.googleapis.com/Table

Checks if a BigQuery table has resource tags applied. Resource tags are keyvalue pairs managed through Resource Manager. They are used for broader organizational purposes, including integration with other Google Cloud services and external systems (e.g., for access control via tag bindings). This rule checks for the presence of the resourceTags field. A violation is generated if the resourceTags field is missing, or if it is empty.

bigquery.googleapis.com/Table

Checks if a timepartitioned BigQuery table has a partition expiration time set. Partition expiration automatically deletes partitions that are older than the specified duration. This is crucial for managing storage costs and data lifecycle, especially for large, timeseries datasets. This rule examines the timePartitioning field and, specifically, the expirationMs field within timePartitioning. If timePartitioning is missing, or expirationMs is missing or if its not a positive integer, it indicates that partition expiration is not configured correctly, and a violation is generated.

sqladmin.googleapis.com/Instance

Checks the expiration status of the Certificate Authority (CA) certificate for Cloud SQL instances. Regularly rotating CA certificates and ensuring they are not expired is a critical security best practice. An expired CA certificate can disrupt client connections to the database, leading to application downtime. This rule checks two key things 1. If a CA certificate exists for the instance (indicating that SSL/TLS is likely configured, which is recommended). 2. If the existing CA certificates expiration time (expirationTime) is in the future. A violation is generated if either no CA certificate is found or if the found certificate is expired (its expirationTime is in the past). The rule uses the current time (obtained via time.now_ns()) to perform the expiration check. The time is converted to seconds since the epoch for comparison.

sqladmin.googleapis.com/Instance

Verifies that Cloud SQL instances have Point-in-Time Recovery (PITR) enabled. PITR allows restoring the database to a specific point in time, providing crucial data recovery capabilities. This rule directly checks the pointInTimeRecoveryEnabled setting within the backupConfiguration. If pointInTimeRecoveryEnabled is false or not present, it indicates that PITR is not enabled.

sqladmin.googleapis.com/Instance

Checks if Cloud SQL instances have automatic storage resizing enabled. Enabling storageAutoResize allows the instances storage capacity to automatically increase as needed, preventing potential outofstorage errors and downtime. Without automatic resizing, the instance can become unavailable if it runs out of storage space. This rule checks for the presence and value of the storageAutoResize setting within the instances configuration. If storageAutoResize is false or not present, it indicates that automatic storage resizing is disabled, which can lead to operational issues. Enabling this feature is crucial for maintaining the reliability and availability of the database.

sqladmin.googleapis.com/Instance

Enabling local_infile on Cloud SQL for MySQL can expose the server to file read exploits; disable it unless absolutely necessary.

sqladmin.googleapis.com/Instance

Ensures the skip_show_database flag is enabled (set to on) for Cloud SQL for MySQL instances. Enabling this flag prevents users from using the SHOW DATABASES command unless they have the SHOW DATABASES privilege. This enhances security by limiting the ability of users to discover database names, reducing the risk of unauthorized access attempts and information disclosure. Its a form of security through obscurity.

sqladmin.googleapis.com/Instance

Checks if the slow_query_log database flag is enabled (set to on) for Cloud SQL for MySQL instances. Enabling this flag activates the slow query log, which records SQL statements that exceed a defined execution time threshold (controlled by long_query_time). The slow query log is an essential tool for identifying performance bottlenecks, optimizing queries, and troubleshooting database performance issues. Disabling this flag hinders your ability to diagnose and resolve slow query problems.

sqladmin.googleapis.com/Instance

Verifies that Cloud SQL instances have automated backups enabled, ensuring that critical data can be recovered in the event of corruption, deletion, or service failure. Disabling automated backups eliminates the ability to perform point-in-time recovery.

sqladmin.googleapis.com/Instance

Verifies that Cloud SQL instances have a password validation policy enabled. For security best practices, it is strongly recommended to set a Password Validation Policy. Relying on default or not setting the password validation, significantly increases the risk of unauthorized access and potential data breaches. This rule checks for the absence of password validation. If password validation is not enforced for Instance, it indicates a potential security vulnerability.

sqladmin.googleapis.com/Instance

Ensures that the log_checkpoints database flag is enabled (set to on) for Cloud SQL for PostgreSQL instances. Checkpoints are critical points in the transaction log sequence where PostgreSQL writes all dirty data buffers to disk and updates the control file. Logging checkpoints provides valuable information for monitoring database recovery time, diagnosing performance issues related to I/O, and understanding write activity. Disabling this flag can hinder troubleshooting and recovery analysis.

sqladmin.googleapis.com/Instance

Checks if the log_connections database flag is enabled (set to on) for Cloud SQL for PostgreSQL instances. When enabled, this flag logs each successful connection attempt to the database server, including the username and client IP address. This information is crucial for security auditing, tracking database access, and troubleshooting connectionrelated issues. It complements the log_disconnections flag, which logs the end of sessions. This rule flags instances where connection logging is disabled.

sqladmin.googleapis.com/Instance

Checks if the log_disconnections database flag is enabled (set to on) for Cloud SQL for PostgreSQL instances. When enabled, this flag logs the end of each client session, including the session duration. This information is valuable for auditing, security analysis (e.g., detecting unusual connection patterns), and troubleshooting connectionrelated issues. It complements the log_connections flag, which logs the start of connections. This rule flags instances where disconnection logging is disabled.

sqladmin.googleapis.com/Instance

Ensures that the log_error_verbosity database flag for Cloud SQL for PostgreSQL instances is set to either default or verbose. This flag controls the amount of detail included in error messages written to the server log. Setting it to default or verbose provides more information for troubleshooting and debugging compared to the terse setting, which minimizes detail. More verbose error logs can significantly aid in diagnosing the root cause of database problems.

sqladmin.googleapis.com/Instance

Ensures that the log_hostname database flag is enabled (set to on) for Cloud SQL for PostgreSQL instances. When enabled, this flag logs the hostnames of connecting clients in addition to their IP addresses. Logging hostnames can be valuable for troubleshooting, security auditing, and identifying the source of connections. This can be particularly helpful in environments where IP addresses change frequently (e.g., due to DHCP) or where multiple clients connect from the same IP address (e.g., through a proxy or NAT). However, enabling this can introduce a slight performance overhead due to the hostname.

sqladmin.googleapis.com/Instance

Ensures that the log_lock_waits database flag is enabled (set to on) for Cloud SQL for PostgreSQL instances. Enabling this flag logs long lock waits, which are often indicative of performance bottlenecks or concurrency issues within the database. By monitoring these logs, administrators can identify and address the root causes of slow queries or application performance problems. This proactive approach helps maintain database health and responsiveness.

sqladmin.googleapis.com/Instance

Checks if the log_min_duration_statement database flag is set to 1 (disabled) on Cloud SQL for PostgreSQL instances. This flag controls the minimum execution time (in milliseconds) a statement must take before its logged. Setting it to 1 disables logging of statement durations, hindering performance monitoring and troubleshooting. Its generally recommended to set a specific threshold (e.g., 2000 for 2 seconds) to capture slow queries without overwhelming the logs. This rule flags instances where durationbased statement logging is disabled.

sqladmin.googleapis.com/Instance

Checks if the log_min_error_statement database flag is set to error, log, fatal, or panic for Cloud SQL for PostgreSQL instances. This flag controls the severity level of SQL statements that are logged as errors. Setting it to error or a stricter level (log, fatal, panic) ensures that all errorcausing statements are logged, which is crucial for troubleshooting, auditing, and security analysis. Settings less strict than error (e.g., warning, notice) may not capture all error conditions, hindering your ability to diagnose and resolve problems. This rule flags instances with a setting less strict than error.

sqladmin.googleapis.com/Instance

Checks if the log_min_messages database flag is set to its default value (warning) for Cloud SQL for PostgreSQL instances. This flag controls the severity level of messages that are written to the server log. While the default (warning) is generally appropriate, its often recommended to adjust this setting based on your specific operational needs and the desired level of logging detail. Setting it to a more verbose level (e.g., notice, info, debug) can provide more information for troubleshooting, while setting it to a less verbose level (e.g., error, log, fatal, panic) can reduce log volume. This rule flags instances where the setting is not the default (warning). Its a policy decision whether to enforce the default or allow deviations.

sqladmin.googleapis.com/Instance

Verifies that the log_statement database flag is configured to a value other than none for Cloud SQL for PostgreSQL instances. The log_statement flag controls which SQL statements are logged. Appropriate logging of SQL statements is crucial for auditing, security analysis, performance troubleshooting, and debugging. Setting it to values like ddl, mod, or all (depending on your needs) provides valuable insights into database activity. A setting of none disables statement logging entirely, hindering these important capabilities.

sqladmin.googleapis.com/Instance

Ensures that the log_temp_files database flag is enabled (set to a nonzero value) for Cloud SQL for PostgreSQL instances. This flag controls the logging of temporary file usage. Setting it to a value other than 0 (which disables logging) allows you to monitor the size and number of temporary files created by queries. Excessive temporary file creation can indicate inefficient queries, poorly tuned work_mem settings, or potential performance bottlenecks. Analyzing these logs can help optimize query performance and resource utilization. A value of 0 disables logging, while positive values indicate a threshold in KB.

sqladmin.googleapis.com/Instance

Ensures that the max_connections database flag is explicitly configured for Cloud SQL for PostgreSQL instances. Setting an appropriate value for max_connections is crucial for resource management and preventing connection exhaustion. Without a defined limit, a surge in connection requests could overwhelm the database, leading to performance degradation or denial of service. The optimal value depends on the instance size and workload.

sqladmin.googleapis.com/Instance

Checks if the cloudsql.enable_pgaudit flag is enabled (set to on) for Cloud SQL for PostgreSQL instances. This flag enables the pgaudit extension, which provides detailed session and object audit logging capabilities. pgaudit allows you to track specific database activities, such as SELECT, INSERT, UPDATE, and DELETE operations, and to configure granular auditing rules based on users, roles, and objects. This is crucial for security auditing, compliance, and forensic analysis.

sqladmin.googleapis.com/Instance

Detects Cloud SQL instances that are configured to allow connections from any IP address (0.0.0.0/0) in their authorized networks. Exposing a database instance to the public internet is a critical security risk and should be avoided unless absolutely necessary and with extreme caution. Public accessibility dramatically increases the attack surface, making the instance vulnerable to unauthorized access, bruteforce attacks, and data breaches. Access should be restricted to specific, known IP addresses or ranges.

sqladmin.googleapis.com/Instance

Enforces the use of SSL/TLS connections for all clients connecting to this Cloud SQL instance. Requiring SSL/TLS encrypts data in transit, protecting against eavesdropping and maninthemiddle attacks. This is a critical security best practice for any database handling sensitive information. Without SSL/TLS, data is transmitted in plain text.

sqladmin.googleapis.com/Instance

Checks if a root password is set for Cloud SQL instances. For security best practices, a strong, unique root password should be set for all Cloud SQL instances. This rule directly checks the rootPassword field within the instance configuration. An empty or missing rootPassword field indicates a significant security vulnerability, as it means the instance can be accessed without a password or with a default password.

sqladmin.googleapis.com/Instance

Checks if contained database authentication is enabled on Cloud SQL for SQL Server instances. Contained databases allow authentication at the database level, rather than solely at the instance (server) level. While this can simplify database portability, it also introduces potential security risks if not carefully managed. Users authenticated to a contained database may bypass instancelevel security controls. Its generally recommended to disable contained database authentication unless specifically required and with a thorough understanding of the security implications.

sqladmin.googleapis.com/Instance

Ensures that cross db ownership chaining is disabled (set to off) on Cloud SQL for SQL Server instances. Disabling this setting is a crucial security best practice. When enabled, it can allow users in one database to potentially gain unintended access to objects in other databases if ownership chains are not carefully managed. This can lead to privilege escalation vulnerabilities.

sqladmin.googleapis.com/Instance

Checks if the external scripts enabled flag is enabled on Cloud SQL for SQL Server instances. This flag controls the ability to execute external scripts (e.g., R, Python) within the SQL Server environment. While this feature can be useful for advanced analytics and machine learning, enabling it introduces potential security risks if not carefully managed. External scripts can potentially access system resources or execute malicious code. Its generally recommended to disable this feature unless specifically required and with appropriate security precautions in place.

sqladmin.googleapis.com/Instance

Ensures that the remote access database flag is disabled (set to off) on Cloud SQL for SQL Server instances. Disabling this flag prevents SQL Server clients on remote machines from connecting to this instance using the Dedicated Administrator Connection (DAC). While the DAC is a powerful troubleshooting tool, restricting its use to local connections only significantly reduces the attack surface. Misconfigured or compromised remote access can lead to unauthorized database control.

sqladmin.googleapis.com/Instance

Checks if trace flag 3625 is enabled on Cloud SQL for SQL Server instances. Trace flag 3625 limits the amount of information returned to nonsysadmin users in error messages, potentially masking sensitive details about the database structure or configuration. While useful in some security contexts, this trace flag is often disabled in development and testing environments to provide more detailed error information for troubleshooting. This rule flags instances where trace flag 3625 is enabled. Its important to understand the implications of this flag and whether it aligns with your security and operational needs.

sqladmin.googleapis.com/Instance

Checks if the user connections database flag is set to 0 (unlimited) on Cloud SQL for SQL Server instances. Setting user connections to 0 allows an unlimited number of simultaneous user connections, which can lead to resource exhaustion, performance degradation, and potential denialofservice. Its a best practice to configure a specific, reasonable limit for user connections based on the instance size and expected workload to prevent resource contention and maintain database stability. This rule flags instances where the connections are unlimited.

sqladmin.googleapis.com/Instance

Checks if the user options database flag is configured on Cloud SQL for SQL Server instances. The user options flag specifies serverwide default settings for query processing behavior for all users. Its generally recommended to avoid setting global user options and instead allow individual users or applications to configure their own sessionlevel settings as needed. Relying on global user options can lead to unexpected behavior or compatibility issues if different applications require different settings. This rule flags instances where user options is set (i.e., not its default, unconfigured state, typically represented by 0 or an empty string).

sqladmin.googleapis.com/Instance

Checks if a Cloud SQL instance is configured for high availability (HA). This rule focuses on zonal instances (nonregional) and verifies whether a failover replica is available. For zonal instances, having a failover replica is critical for resilience. If failoverReplicaAvailable is false for a zonal instance, it means that the instance is a single point of failure and is vulnerable to outages within that zone. A zonal instance without a failover replica does not meet the requirements for high availability. This is considered a high severity issue because it directly impacts the reliability and uptime of the database.

compute.googleapis.com/Network

Checks if a Compute Engine VPC network has the autoCreateSubnetworks feature enabled. Automode VPC networks automatically create a subnet in each Google Cloud region, which might not align with desired network segmentation or IP address management strategies. While convenient for setup, custommode VPCs offer more granular control. This rule identifies networks where autoCreateSubnetworks is explicitly set to true. It is often recommended to use custommode VPC networks for better control and security posture.

compute.googleapis.com/BackendService

Checks if logging is enabled for a Compute Engine Backend Service. Backend service logging records requests processed by the load balancer, providing essential visibility for monitoring traffic, troubleshooting errors, security analysis, and auditing. This rule examines the logConfig field within the backend services configuration. A violation is generated if logConfig is missing, or if logConfig.enable is missing or if its set to false.

compute.googleapis.com/BackendBucket

Checks if Cloud CDN is enabled for a Compute Engine backend bucket. Cloud CDN caches content closer to users, improving performance and reducing origin server load. This rule examines the enableCDN field within the backend buckets configuration. If enableCDN is false or missing, it indicates that Cloud CDN is not enabled, and a violation is generated.

compute.googleapis.com/BackendBucket

Checks if an Edge Security Policy is associated with a Compute Engine backend bucket. Edge Security Policies (part of Cloud Armor) provide advanced security features, such as DDoS protection and WAF, for globally distributed applications. For backend buckets serving content through an external load balancer, associating an Edge Security Policy is a security best practice. This rule checks for the presence of the edgeSecurityPolicy field within the backend buckets configuration. If edgeSecurityPolicy is missing or null, it indicates that no Edge Security Policy is associated, and a violation is generated.

compute.googleapis.com/BackendService

Checks if Cloud CDN is enabled for a Compute Engine backend service. Cloud CDN caches content closer to users, improving performance and reducing origin server load. This rule examines the enableCDN field within the backend services configuration. If enableCDN is false or missing, it indicates that Cloud CDN is not enabled, and a violation is generated.

compute.googleapis.com/BackendService

Checks if an external Compute Engine backend service has a security policy configured. For external load balancers, its crucial to have a Security Policy to protect against threats. This rule checks the following 1. loadBalancingScheme Verifies that the backend service is used for external load balancing. It checks for both "EXTERNAL" and "EXTERNAL_MANAGED". 2. securityPolicy Checks if a Security Policy is configured. Backend services use securityPolicy, not edgeSecurityPolicy. A violation is generated if the loadBalancingScheme indicates an external service and the securityPolicy is either missing or null.

compute.googleapis.com/BackendService

Checks if a Compute Engine Backend Service has IdentityAware Proxy (IAP) enabled while using the unencrypted HTTP protocol. Enabling IAP adds authentication and authorization, but if the connection between the load balancer and the backend service uses plain HTTP, the traffic (including potentially sensitive application data or session information) is unencrypted on the internal network. This poses a security risk. This rule checks if iap.enabled is true AND protocol is HTTP. It is strongly recommended to use HTTPS for backend services when IAP is enabled to ensure endtoend encryption.

compute.googleapis.com/BackendService

Checks if a Compute Engine Backend Service is configured to use the unencrypted HTTP or TCP protocols. Using plain HTTP or TCP for backend connections can expose application traffic, including potentially sensitive data, on the internal network. It is strongly recommended to use secure protocols like HTTPS, SSL, or HTTP/2, or appropriate proxy protocols (such as TCP_PROXY) to ensure data confidentiality and integrity. This rule flags backend services where the protocol field is set to HTTP or TCP.

compute.googleapis.com/BackendService

Checks if an external Compute Engine backend service has a security policy configured. For external load balancers, its crucial to have either an Edge Security Policy (for global external HTTP(S) load balancers) or a Security Policy (for classic external HTTP(S) load balancers, regional external HTTP(S) load balancers, external TCP proxy load balancers, and external SSL proxy load balancers) to protect against threats. This rule checks the following 1. loadBalancingScheme Verifies that the backend service is used for external load balancing. 2. edgeSecurityPolicy Checks if an Edge Security Policy is configured (for supported load balancer types). 3. securityPolicy Checks if a Security Policy is configured. A violation is generated if the loadBalancingScheme is EXTERNAL or EXTERNAL_MANAGED and both edgeSecurityPolicy and securityPolicy are either missing or null. This indicates a potentially vulnerable externalfacing service.

compute.googleapis.com/Instance

Detects Compute Engine instances that are using the default Compute Engine service account. The default service account is automatically created and has broad permissions (Editor role) by default, which violates the principle of least privilege. Its a security best practice to create and use custom service accounts with the minimum necessary permissions for each instance. Using the default service account increases the risk of unauthorized access and privilege escalation if an instance is compromised.

compute.googleapis.com/Disk

Checks if a Compute Engine disk is encrypted using CustomerSupplied Encryption Keys (CSEK). With CSEK, you provide your own encryption key, and Google Cloud uses that key, represented by its SHA256 hash, to protect your data. This rule examines the diskEncryptionKey field and, specifically, the sha256 field within it. If diskEncryptionKey is missing, or if sha256 is missing, empty, or null, it signifies that CSEK is not in use, triggering a violation.

compute.googleapis.com/Firewall

A firewall rule permitting internet traffic on all protocols significantly broadens the network attack surface, increasing the risk of unauthorized access, potential service disruptions, and costly security incidents.

compute.googleapis.com/Firewall

Checks if logging is enabled for a VPC Firewall rule. Firewall Rules Logging records connections that match the rule, providing valuable insights for security auditing, troubleshooting network connectivity, and understanding traffic patterns. This rule examines the logConfig field within the firewall rules configuration. A violation is generated if logConfig is missing, or if logConfig.enable is missing or if its set to false.

compute.googleapis.com/FirewallPolicy

This rule identifies overly permissive firewall configurations that allow unrestricted internet ingress on all protocols, helping you reduce your networks attack surface and safeguard against unauthorized access.

compute.googleapis.com/FirewallPolicy

Checks if a Compute Engine Firewall Policy contains any enabled rules that do not have logging enabled. Firewall logging records connections matching rules, essential for auditing and troubleshooting. This policy iterates through the rules array embedded within the FirewallPolicy resource. A violation is generated if the Firewall Policy contains at least one rule where disabled is not true (i.e., the rule is enabled) AND enableLogging is not true (i.e., logging is disabled), considering that missing boolean fields often default to false. Rules with the highest priority (typically default rules) are excluded.

compute.googleapis.com/FirewallPolicy

Checks if a Compute Engine Firewall Policy contains any enabled ingress rules allowing traffic from any source IP address (0.0.0.0/0 for IPv4 or /0 for IPv6). This policy iterates through the rules array embedded within the FirewallPolicy resource data. Allowing public ingress traffic can be a significant security risk if not intended. This rule flags the entire policy if even one such rule exists.

compute.googleapis.com/FirewallPolicy

Identifies firewall rules exposing unusual internetfacing protocols, enabling proactive attack surface reduction to enhance security and prevent costly system compromises.

compute.googleapis.com/FirewallPolicy

Enhances security by identifying firewall rules granting unrestricted public internet access to commonly targeted TCP ports (e.g., 20, 21, 22, 25, 53, 80, 110, 143, 443), enabling proactive attack surface reduction and defense against unauthorized exploitation.

compute.googleapis.com/FirewallPolicy

Identifies firewall policies that expose typically TCPassociated or other sensitive UDP ports to the internet, enabling you to reduce your attack surface and enhance service reliability by preventing potential misconfigurations or exploits.

compute.googleapis.com/Firewall

Detects Compute Engine firewall rules that are publicly exposed. A firewall rule is considered publicly exposed if it allows traffic from any IP address (0.0.0.0/0 for IPv4 or /0 for IPv6) for ingress rules, or allows traffic to any IP address for egress rules. Publicly exposed firewall rules significantly increase the attack surface and risk of unauthorized access. Firewall rules should be configured with the principle of least privilege, allowing only necessary traffic from/to specific, trusted sources/destinations. This rule checks for both ingress and egress rules with overly permissive source or destination ranges, including cases where ranges are empty or null.

compute.googleapis.com/Firewall

Reduces your attack surface by identifying active ingress firewall rules that expose uncommon network protocols (not TCP, UDP, or ICMP) to the internet, preventing potential breaches through unmonitored services.

compute.googleapis.com/Firewall

Reduce your systems internet attack surface by identifying and reviewing firewall rules that expose a curated list of potentially vulnerable TCP ports 20,21,22,25,53,80,110,143,443,587,989,990,995,1194] to public access.

compute.googleapis.com/Firewall

This rule enhances your network security by identifying publicly exposed firewall rules allowing unusual UDP ports 20,21,22,25,53,80,110,143,443,587,989,990,995,1194], thereby minimizing your attack surface and preventing potential service exploitation that could impact reliability, performance, or lead to unexpected costs.

compute.googleapis.com/Subnetwork

Checks if Private Google Access (PGA) is disabled for a Compute Engine Subnetwork. PGA allows VM instances in the subnet without external IP addresses to reach Google APIs and services using Googles internal network, enhancing security and potentially reducing egress costs. If PGA is disabled, VMs without external IPs cannot access these services directly. This rule examines the privateIpGoogleAccess field within the Subnetwork configuration. A violation is generated if privateIpGoogleAccess is missing or set to false.

compute.googleapis.com/TargetHttpProxy

This rule identifies HTTP load balancers, which transmit unencrypted data, critically exposing sensitive information, eroding customer trust, and often violating compliance mandates, thereby underscoring the necessity of HTTPS for secure, private, and trustworthy communications.

compute.googleapis.com/Image

Detects Compute Engine images that are older than 90 days and are not in a deprecated state. Old, unused images can accumulate, increasing storage costs and potentially posing security risks if they contain outdated software or vulnerabilities. Its a best practice to regularly review and deprecate or delete old images that are no longer needed. This rule flags images older than 90 days that havent been deprecated, prompting a review of their status and potential removal.

compute.googleapis.com/InterconnectAttachment

Checks if a Cloud Interconnect Attachment (VLAN attachment) is configured to use IPsec encryption. IPsec provides endtoend encryption for traffic traversing the attachment, adding a layer of security often used with Partner Interconnect or as an alternative/addition to MACsec. This rule examines the encryption field within the Interconnect Attachment configuration. A violation is generated if the encryption field is missing, or if its type is not set to IPSEC.

compute.googleapis.com/Interconnect

Checks if MACsec (Media Access Control Security) is enabled for a Cloud Interconnect (Dedicated Interconnect). MACsec provides Layer 2 encryption and integrity protection for traffic traversing the physical connection, enhancing security. This rule examines the macsecEnabled field within the Interconnect configuration. A violation is generated if the macsecEnabled field is missing or set to false. Enabling MACsec is a best practice for securing sensitive traffic over Dedicated Cloud Interconnect. Note This primarily applies to Dedicated Interconnect.

compute.googleapis.com/MachineImage

Ensures that Compute Engine Machine Images are encrypted with a Customer-Managed Encryption Key (CMEK), providing control over the encryption keys used to protect the image data at rest. This configuration is critical for meeting strict compliance requirements and enhancing data security. A misconfiguration occurs if the `machineImageEncryptionKey.kmsKeyName` field is missing or empty.

compute.googleapis.com/Instance

Ensures Compute Engine instances have labels applied for better resource organization, cost allocation, and filtering capabilities.

compute.googleapis.com/Instance

Ensures Compute Engine instances have Resource Manager tags applied via the params.resourceManagerTags field for consistent governance, policy enforcement, and cost analysis.

compute.googleapis.com/Instance

Ensures Compute Engine instances have network tags applied for effective firewall rule targeting and network segmentation.

compute.googleapis.com/Router

Enabling Cloud NAT logging provides critical telemetry for rapid troubleshooting and security analysis, enhancing network reliability and operational visibility.

compute.googleapis.com/Router

Enable comprehensive Cloud NAT logging for both translations and errors to significantly improve troubleshooting capabilities and operational visibility, as erroronly logging limits crucial diagnostic insights for network reliability and security analysis.

compute.googleapis.com/Router

Checks if logging is disabled for Cloud NAT configurations on a Compute Engine Router. Cloud NAT logging provides visibility into NAT translations and errors, crucial for monitoring, troubleshooting, and security analysis. This rule iterates through all NAT configurations (nats array) associated with a router. If any NAT configuration is found where the logConfig.enable field is missing or set to false, a violation is generated for the router.

compute.googleapis.com/Network

compute.googleapis.com/Network

Checks for the existence of the default Compute Engine network. The default network is automatically created in new projects (unless disabled) and comes with permissive firewall rules (e.g., allowinternal, allowrdp, allowssh from anywhere). While convenient for initial setup, using the default network for production workloads is discouraged due to its flat structure and overly broad default permissions. Its recommended to create custom VPC networks with more restrictive, purposebuilt firewall rules. This rule identifies networks named default.

compute.googleapis.com/ResourcePolicy

Detects Compute Engine snapshot schedules (within resource policies) that have both a retention period exceeding 365 days and are configured to keep automatic snapshots even after the source disk is deleted (onSourceDiskDelete set to KEEP_AUTO_SNAPSHOTS). While long retention periods and keeping snapshots after source disk deletion might be valid in specific scenarios, this combination can lead to significant storage costs and potentially retain data longer than necessary. This rule flags such configurations for review to ensure that they align with data retention policies and cost optimization goals.

compute.googleapis.com/ResourcePolicy

Detects Compute Engine snapshot schedules (within resource policies) that do not have applicationconsistent snapshots enabled (i.e., guestFlush is not set to true). Applicationconsistent snapshots ensure that the data on the disk is in a consistent state at the time of the snapshot, which is crucial for reliable backups and recovery, especially for applications like databases. Without guestFlush, the snapshot might capture data in an inconsistent state, potentially leading to data corruption or unrecoverable backups. This rule flags snapshot schedules lacking application consistency.

compute.googleapis.com/Snapshot

Detects Compute Engine snapshots that are older than 365 days. Old snapshots can consume significant storage space and increase costs. While some snapshots may need to be retained for long periods, its a best practice to regularly review and delete snapshots that are no longer needed. This rule flags snapshots older than 365 days for review, allowing you to determine if they can be safely deleted or archived.

compute.googleapis.com/TargetSslProxy

Ensures that application traffic is served by modern HTTPS Load Balancers instead of legacy SSL Proxy Load Balancers. When an HTTPS Load Balancer is used, it provides layer 7 traffic management, including features like URL maps, integration with Googlemanaged certificates, and advanced security controls. This is valuable for enhancing security with features like SSL Policies and Cloud Armor integration, improving traffic management with contentbased routing, and simplifying certificate lifecycle management. This is particularly helpful for standard web applications that can benefit from applicationaware security and routing rules. However, the SSL Proxy Load Balancer may still be required for specific nonHTTP workloads that use SSL for transport layer encryption.

compute.googleapis.com/Subnetwork

Checks if VPC Flow Logs are enabled for a Compute Engine Subnetwork. VPC Flow Logs record a sample of network flows sent from and received by VM instances in the subnet. This provides crucial visibility for network monitoring, forensics, security analysis, and realtime troubleshooting. This rule examines the enableFlowLogs field within the Subnetwork configuration. A violation is generated if enableFlowLogs is missing or set to false.

compute.googleapis.com/TargetHttpsProxy

Checks if a Compute Engine TargetHttpsProxy resource has an SSL Policy defined. SSL Policies control the set of TLS features (such as TLS versions and cipher suites) that the proxy negotiates with clients. Associating a specific SSL Policy allows for enforcing stricter security standards than the default. This rule examines the sslPolicy field within the TargetHttpsProxy configuration. If sslPolicy is missing or null/empty, it indicates that no specific SSL Policy is assigned, and a violation is generated. Relying on default SSL settings might not meet specific security or compliance requirements.

compute.googleapis.com/TargetSslProxy

Validates SSL Proxy Load Balancer usage, guiding towards HTTPS Load Balancers for web traffic to enhance security, performance, and operational efficiency.

compute.googleapis.com/Address

Checks for Compute Engine external IP addresses that are reserved but not currently in use by any resource. Reserved but unused public IP addresses incur costs and may indicate orphaned resources or configuration oversights. This rule identifies addresses where the addressType is EXTERNAL and the status is RESERVED. It is recommended to either assign unused addresses to a resource or release them to avoid unnecessary charges.

compute.googleapis.com/Instance

Checks if Confidential Computing is enabled for Compute Engine VM instances. Confidential Computing uses hardwarebased encryption to protect data in use, even from the cloud provider. This provides a higher level of security and privacy for sensitive workloads. This rule flags instances where Confidential Computing is not enabled. Enabling Confidential Computing may be a requirement for compliance or to meet specific security needs.

compute.googleapis.com/Instance

Checks if deletion protection is enabled for Compute Engine VM instances. Deletion protection prevents accidental deletion of critical VMs. When enabled, any attempt to delete the instance through the API, CLI, or console will fail unless deletion protection is first explicitly disabled. This provides an important safeguard against human error or malicious actions. This rule flags instances without deletion protection enabled.

compute.googleapis.com/Instance

Checks if all disks attached to a Compute Engine VM instance are encrypted using a CustomerManaged Encryption Key (CMEK). Encrypting disks protects data at rest, preventing unauthorized access to the data if the physical storage is compromised. Using CMEKs gives you control over the encryption keys, including key rotation and access management. This rule flags instances where any attached disk is not encrypted with a CMEK.

compute.googleapis.com/Instance

Checks if IP forwarding is enabled for Compute Engine VM instances. Enabling IP forwarding allows a VM to route traffic between different networks, effectively acting as a router. While this capability is necessary for some use cases (e.g., NAT gateways, VPN servers), it should only be enabled when explicitly required. Enabling IP forwarding on instances that dont need it increases the attack surface and can potentially be exploited to bypass network security controls. This rule flags instances with IP forwarding enabled.

compute.googleapis.com/Instance

Checks if OS Login is enabled for Compute Engine VM instances without enabling twofactor authentication (2FA). While OS Login itself enhances security by using IAM for access control, requiring 2FA adds a crucial extra layer of protection against compromised credentials. Without 2FA, an attacker who obtains a users password could gain access to the VM. This rule flags instances where OS Login is enabled, but 2FA is not enabled.

compute.googleapis.com/Instance

Checks if OS Login is enabled for Compute Engine VM instances. OS Login provides centralized and granular access control to VMs using IAM roles, rather than relying on individual SSH keys managed at the instance or project level. OS Login improves security, simplifies key management, and enhances auditability. This rule flags instances where OS Login is not enabled.

compute.googleapis.com/Instance

Checks if a Compute Engine VM instance allows the use of projectwide SSH keys. Projectwide SSH keys can be added to a projects metadata and automatically grant access to all instances within that project unless explicitly blocked or OS Login is enabled. Relying solely on projectwide SSH keys violates the principle of least privilege and increases the risk of unauthorized access if a key is compromised. Its generally recommended to either use OS Login (which provides more granular control) or explicitly block projectwide SSH keys and use instancespecific keys instead. This rule flags instances that do not block projectwide SSH keys and do not have OS Login enabled.

compute.googleapis.com/Instance

Checks if serial port access is enabled for Compute Engine VM instances. The serial port provides a textbased console for interacting with the VM, primarily for debugging and troubleshooting. While useful in specific situations, enabling the serial port increases the attack surface, as it can potentially be used to gain unauthorized access if not properly secured. It is generally recommended to disable serial port access unless explicitly needed and with appropriate security measures (e.g., strong authentication, firewall rules). This rule flags instances with serial port access enabled.

compute.googleapis.com/Instance

Checks if all Shielded VM features (Integrity Monitoring, vTPM, and Secure Boot) are enabled for Compute Engine VM instances. Shielded VM provides verifiable integrity of your VM instances, helping to protect against advanced threats like rootkits and bootkits. Integrity Monitoring allows you to monitor the boot integrity of your instances. vTPM provides a virtualized Trusted Platform Module. Secure Boot helps ensure that the system only runs authentic software. This rule flags instances where any of these features are not enabled.

compute.googleapis.com/VpnTunnel

Checks if a Compute Engine VPN Tunnel is configured to use the IKEv1 protocol. IKEv1 (Internet Key Exchange version 1) is an older VPN protocol with known security weaknesses compared to the more modern IKEv2. Using IKEv1 increases the risk of security vulnerabilities. This rule examines the ikeVersion field within the VPN Tunnel configuration. A violation is generated if ikeVersion is set to 1. It is strongly recommended to use IKEv2 (version 2) for enhanced security and reliability.

dns.googleapis.com/Policy

Checks if logging is enabled for a Cloud DNS Policy. DNS policies define rules for DNS resolution behavior, often used for outbound forwarding or private DNS lookups. Enabling logging records the queries processed by the policy, which is essential for security auditing and troubleshooting DNS resolution issues within your VPC networks. This rule examines the enableLogging field within the DNS Policy configuration. A violation is generated if enableLogging is missing or if its false.

dns.googleapis.com/ManagedZone

Checks if DNSSEC (Domain Name System Security Extensions) is enabled for a public managed zone in Cloud DNS. DNSSEC adds a layer of security by digitally signing DNS records, preventing DNS spoofing and cache poisoning attacks. This rule examines the dnssecConfig field within the managed zones configuration. If dnssecConfig is missing, or if its state is off or missing, it indicates that DNSSEC is not enabled. A violation is generated if DNSSEC is not enabled for public zones. This rule filters to affect only managed zones where visibility is set to public.

dns.googleapis.com/ManagedZone

Checks if logging is enabled for a public Cloud DNS managed zone. Enabling DNS logging records the queries received by the zones name servers, which is essential for security auditing, troubleshooting, and compliance. This rule examines the loggingConfig field within the managed zones configuration. A violation is generated if the zones visibility is public and either loggingConfig is missing, or loggingConfig.enableLogging is missing or false.

file.googleapis.com/Instance

Ensures Filestore instances have deletion protection enabled to prevent accidental data loss and service disruption from unintentional deletions. Disabling deletion protection on critical file shares increases the risk of operational errors that can lead to irreversible data loss. This setting is controlled by the 'deletionProtectionEnabled' flag in the instance configuration.

file.googleapis.com/Instance

Ensures Filestore instances have labels applied for resource organization, filtering, and potentially aiding in cost allocation analysis.

file.googleapis.com/Instance

Ensures Filestore instances have Resource Manager tags applied for consistent governance, policy enforcement, and cost analysis across cloud resources.

cloudresourcemanager.googleapis.com/Project

Prevents unauthorized access and potential data exfiltration by detecting if a projects IAM policy grants public access (allUsers or allAuthenticatedUsers), which would expose all contained Compute Engine images.

container.googleapis.com/Cluster

Improves cluster resilience and reduces operational overhead by verifying GKE Standard node pools have autorepair enabled, ensuring automatic recovery from node failures to maintain application availability.

container.googleapis.com/Cluster

Strengthens cluster security and reduces maintenance overhead by verifying GKE Standard node pools have autoupgrade enabled, ensuring they receive timely security patches and stability fixes.

container_Cluster_RESOURCE_2

Enhances security by verifying Private Google Access is enabled on the clusters subnetwork, allowing private GKE nodes to pull images and access Google APIs without requiring public IP addresses.

container.googleapis.com/Cluster

Enhances cluster security and stability by verifying all GKE node pools use Googles ContainerOptimized OS (COS), a purposebuilt, hardened operating system.

container_Cluster_RESOURCE_IAM_POLICY_1

Mitigates a critical containertoproject privilege escalation risk by ensuring GKE node pools do not use the default service account when it has projectlevel Admin permissions, preventing a compromised pod from gaining control over all project resources.

container_Cluster_RESOURCE_IAM_POLICY_1

Enforce least privilege on GKE nodes by disallowing default service accounts with editor roles, critically reducing security vulnerabilities to protect workloads and enhance cluster reliability.

container_Cluster_RESOURCE_IAM_POLICY_1

Ensures GKE nodes do not use the default Compute Engine service account with the highly privileged Owner role, enforcing least privilege to significantly reduce security risks and the potential impact of a node compromise.

container_Cluster_RESOURCE_IAM_POLICY_1

Enhance GKE security by ensuring default service accounts do not possess broad writer permissions, significantly reducing the risk of unauthorized cluster modifications and upholding the principle of least privilege.

container_Cluster_RESOURCE_IAM_POLICY_1

Verify GKE node pools use dedicated, minimallypermissioned service accounts instead of the default Compute Engine service account to enhance cluster security posture by strictly adhering to the principle of least privilege.

cloudresourcemanager_Project_RESOURCE_1

cloudresourcemanager.googleapis.com/Folder

This rule identifies groups assigned overly broad basic roles (e.g., Owner, Editor) at the folder level, enabling customers to enforce the principle of least privilege, which significantly reduces security risks from excessive permissions and simplifies access governance.

cloudresourcemanager.googleapis.com/Organization

This rule identifies groups that are assigned the highly permissive basic roles (such as Owner or Editor) at the organization level. Its a critical check to prevent widespread security vulnerabilities and ensures adherence to the principle of least privilege across all your cloud resources.

cloudresourcemanager.googleapis.com/Project

Reduce security risks and prevent unintended project alterations by identifying groups with overly broad basic roles (such as Owner or Editor), thereby enforcing least privilege for enhanced operational stability.

cloudresourcemanager.googleapis.com/Folder

Identifies service accounts granted overly permissive basic roles (such as Owner or Editor) at the folder level, crucial for enforcing the principle of least privilege to bolster security, maintain operational reliability, and control costs.

cloudresourcemanager.googleapis.com/Organization

Ensure service accounts at the organization level do not possess broad basic roles, a critical step to uphold the principle of least privilege, prevent widespread security breaches, and maintain operational reliability.

cloudresourcemanager.googleapis.com/Project

This rule identifies service accounts that are granted overly permissive basic roles (such as Owner or Editor) at the project level. This rule enables proactive enforcement of the principle of least privilege to significantly reduce security risks and limit the potential impact of compromised credentials.

cloudresourcemanager.googleapis.com/Folder

Identifying users with overly permissive basic roles (e.g., Owner, Editor) at the folder level is crucial for enforcing least privilege, which directly enhances your security posture, improves operational stability by preventing unintended changes.

cloudresourcemanager.googleapis.com/Organization

Identifying individual users with broad basic roles at the organization level is critical to mitigate risks of widespread unauthorized access or accidental changes, safeguarding your cloud environments security, reliability, and costefficiency.

cloudresourcemanager.googleapis.com/Project

Flagging direct assignment of broad basic roles to individual users at the project level enhances security and simplifies access management by encouraging adherence to the principle of least privilege via groupbased permissions.

cloudbilling.googleapis.com/BillingAccount

This rule enhances financial security by identifying principals with broad billing administrator privileges at the billing account level, and helps you prevent unauthorized spending and ensure robust cost governance.

cloudresourcemanager.googleapis.com/Organization

Strengthen financial governance and security by identifying principals with direct organizationlevel billing administrator privileges, crucial for preventing unauthorized widespread billing modifications and enforcing the principle of least privilege.

cloudbilling.googleapis.com/BillingAccount

Detecting individual users with direct Billing Account Administrator privileges is crucial for mitigating financial risks and preventing service disruptions by enforcing the principle of least privilege.

cloudresourcemanager.googleapis.com/Organization

Enhance security, reliability, and cost control by restricting broad billing administrator permissions for individual user accounts at the organization level, thereby minimizing risks of unauthorized changes, service disruptions, and financial impact.

cloudbilling.googleapis.com/BillingAccount

Ensures only authorized individuals can view and export billing account cost data, safeguarding sensitive financial information and supporting stringent cost governance.

cloudresourcemanager.googleapis.com/Organization

Identifies principals with organizationlevel billing cost manager roles, helping you enforce the principle of least privilege to safeguard sensitive, comprehensive billing data and maintain appropriate cost visibility controls.

cloudbilling.googleapis.com/BillingAccount

Ensure robust cost governance by restricting the Billing Costs Manager role for individual users at the billing account level, preventing potential budget misconfigurations and maintaining clear accountability for financial operations.

cloudresourcemanager.googleapis.com/Organization

Enhances financial security and cost control by identifying individual user accounts with organizationwide billing cost management permissions, thereby promoting least privilege and reducing risk.

cloudresourcemanager.googleapis.com/Organization

Detects domains assigned the Billing Account Creator role at the organization level, a crucial check to prevent unauthorized billing account proliferation and maintain robust financial oversight.

cloudresourcemanager.googleapis.com/Organization

This rule identifies principals with organizationlevel billing creator privileges, crucial for preventing uncontrolled cloud spending and ensuring stringent financial governance over new billing account creation.

cloudresourcemanager.googleapis.com/Organization

This rule identifies users with organizationlevel billing creation rights to prevent uncontrolled cloud spending and enforce critical financial governance.

cloudbilling.googleapis.com/BillingAccount

Preventing the assignment of the Billing Account User role to the overly broad principal identifier at the billing account level is critical to protect sensitive financial data and control spending by ensuring only specific, intended users or groups can manage billing.

cloudresourcemanager.googleapis.com/Organization

Ensures least privilege by identifying principals with the Billing Account User role at the organization level, crucial for safeguarding sensitive financial data and strengthening cost governance.

cloudbilling.googleapis.com/BillingAccount

Identifies individual user accounts directly assigned billing user roles, promoting groupbased permissions for enhanced security, simplified administration, and robust cost control.

cloudresourcemanager.googleapis.com/Organization

This rule enhances security by identifying roles/billing.user assignments at the organization level, which prevents overly broad access to sensitive financial data and enforces the principle of least privilege.

cloudbilling.googleapis.com/BillingAccount

This rule enhances security by identifying principals with direct billing account viewer roles, ensuring adherence to least privilege to prevent unintended broad access to sensitive billing information.

cloudresourcemanager.googleapis.com/Organization

Secure sensitive financial data and enforce least privilege by identifying principals with organizationlevel billing viewer access, thereby minimizing risks of unauthorized information exposure.

cloudbilling.googleapis.com/BillingAccount

Pinpoints users directly assigned billing viewer roles at the billing account level, enabling enforcement of least privilege to safeguard sensitive financial data and prevent unauthorized cost exposure.

cloudresourcemanager.googleapis.com/Organization

This rule enhances financial data security by identifying individual users with organizationwide Billing Viewer access, crucial for enforcing least privilege and minimizing sensitive cost exposure.

cloudresourcemanager.googleapis.com/Folder

Detects if groups possess project creator roles at the folder level, enabling proactive governance to prevent resource sprawl, enforce security baselines, and control costs.

cloudresourcemanager.googleapis.com/Organization

This rule identifies groups with organizationwide project creation capabilities, helping you prevent uncontrolled project sprawl and associated costs while strengthening security and governance over resource provisioning.

cloudresourcemanager.googleapis.com/Organization

Identifying highly privileged Organization Administrator assignments enables you to secure your entire cloud environment by strictly controlling ultimate access, thereby preventing widespread security vulnerabilities and operational disruptions.

cloudresourcemanager.googleapis.com/Folder

This rule flags groups holding Owner permissions on folders, a critical check to prevent widespread security vulnerabilities and accidental operational disruptions by enforcing tighter access control.

cloudresourcemanager.googleapis.com/Organization

Identifies groups with organizationlevel owner permissions, crucial for preventing catastrophic security breaches and operational failures stemming from indirect, hardtoaudit privilege escalations through group membership changes.

cloudresourcemanager.googleapis.com/Project

This rule identifies Google Groups assigned the powerful owner role at the project level, which is crucial for mitigating security vulnerabilities from excessive permissions, preventing operational disruptions, and controlling unintended cloud expenditures.

cloudresourcemanager.googleapis.com/Folder

This rule critically enhances security by identifying service accounts with highly permissive Owner roles at the folder level, essential for mitigating risks from excessive privileges and enforcing the principle of least privilege for robust resource control.

cloudresourcemanager.googleapis.com/Organization

Safeguard your organization against critical security threats by detecting service accounts with excessive owner privileges at the organization level, preventing widespread unauthorized control and manipulation of all cloud resources.

cloudresourcemanager.googleapis.com/Project

This rule identifies service accounts with projectlevel owner roles, a critical security risk. This rule help enforce the principle of least privilege, which is crucial for enhancing security, ensuring operational reliability, and preventing uncontrolled cloud spend.

cloudresourcemanager.googleapis.com/Folder

This check identifies userassigned Owner roles at the folder level, enabling proactive mitigation of security risks from excessive permissions and prevention of unintended, potentially costly or disruptive, resource modifications.

cloudresourcemanager.googleapis.com/Organization

Detects users assigned the organizationlevel owner role, a critical check to prevent broad, unintended changes that could compromise security, disrupt service reliability, impair performance, and lead to uncontrolled costs.

cloudresourcemanager.googleapis.com/Project

Prevents unintended costs by identifying users assigned the owner role, thereby mitigating risks from excessive privileges.

cloudresourcemanager.googleapis.com/Folder

Strengthen security by preventing broad, groupbased impersonation of service accounts at the folder level, thus reducing the risk of privilege escalation and unauthorized resource access.

cloudresourcemanager.googleapis.com/Organization

This rule identifies groups that are assigned organizationlevel Service Account User or Token Creator roles, and helps you mitigate critical security risks such as privilege escalation and broad resource compromise by enforcing least privilege principles.

cloudresourcemanager.googleapis.com/Project

Enhances project security by identifying groups with Service Account User or Token Creator roles, enabling proactive risk mitigation from overly broad impersonation capabilities and simplifying access audit trails.

cloudresourcemanager.googleapis.com/Folder

Check to detect service account user and token creator on principals at folder level

cloudresourcemanager.googleapis.com/Organization

This rule identifies principals with organizationlevel service account user or token creator roles, enabling proactive enforcement of least privilege to prevent widespread system compromise and significantly reduce security risk.

cloudresourcemanager.googleapis.com/Project

This rule detects principals with projectlevel Service Account User or Token Creator roles, which grant sweeping and highrisk impersonation capabilities over any service account. This role detection helps you enforce the principle of least privilege and drastically reduce the security risks.

cloudresourcemanager.googleapis.com/Folder

Identifies principalSet assignments with Service Account User or Token Creator roles at the folder level, preventing excessive service account impersonation privileges to enhance security and enforce least privilege.

cloudresourcemanager.googleapis.com/Organization

Reduces organizational risk by identifying principalSets with overly broad service account impersonation or token creation privileges at the organization level, preventing potential widespread security breaches and unauthorized resource access.

cloudresourcemanager.googleapis.com/Project

Restricting service account user/token creator roles for broad principalSets (such as groups or domains) at the project level mitigates widespread privilege escalation risks and unauthorized impersonation, enhancing overall project security posture.

cloudresourcemanager.googleapis.com/Folder

Check to detect service account user and token creator on users at folder level

cloudresourcemanager.googleapis.com/Organization

Check to detect service account user and token creator on users at organization level

cloudresourcemanager.googleapis.com/Project

This rule identifies users with extensive projectlevel service account impersonation or token creation privileges, and helps preemptively neutralize major security vulnerabilities, such as privilege escalation via compromised accounts, thereby protecting vital assets and curtailing potential financial losses from breaches.

cloudresourcemanager.googleapis.com/Folder

Strengthen data protection and helps you enforce the principle of least privilege by identifying and rectifying overly broad folderlevel permissions that grant widespread access to secrets, minimizing the risk of unauthorized exposure.

cloudresourcemanager.googleapis.com/Organization

This rule identifies organizationlevel IAM roles granting broad secret access (such as Owner, Secret Manager Admin/Accessor), crucial for enforcing the principle of least privilege and minimizing the risk of widespread sensitive data exposure.

cloudresourcemanager.googleapis.com/Project

This rule identifies projectlevel IAM bindings granting overly permissive roles (such as roles/owner, roles/secretmanager.admin, or roles/secretmanager.secretAccessor) with broad access to all secrets. This rule helps you enforce the principle of least privilege, thereby safeguarding sensitive data and reducing the risk of costly security incidents.

iam.googleapis.com/ServiceAccountKey

Enforcing a 90day rotation for usermanaged service account keys significantly reduces the risk of prolonged unauthorized access from compromised credentials, safeguarding your critical services and preventing costly security incidents.

iam.googleapis.com/ServiceAccountKey

Identifying active usermanaged service account keys older than 90 days enables proactive rotation, significantly reducing the attack surface and minimizing risks of unauthorized access or credential compromise.

iam.googleapis.com/ServiceAccountKey

Usermanaged service account keys lack automatic rotation, increasing security vulnerabilities and operational burden; migrating to Googlemanaged keys enhances security and simplifies key management.

iam.googleapis.com/ServiceAccountKey

Define expiration dates for usermanaged service account keys to limit their active lifespan, which is crucial for minimizing security risks and protecting your resources from unauthorized access if a key is compromised.

cloudresourcemanager.googleapis.com/Folder

This rule enhances security by detecting principals on a folder who can both use and fully manage service accounts, a critical overpermissioning that, if compromised, dramatically increases the risk of widespread unauthorized access and resource manipulation.

cloudresourcemanager.googleapis.com/Organization

This rule identifies principals possessing both Service Account User and Admin roles at the organization level, a critical check to prevent significant privilege escalation and enforce least privilege, thereby safeguarding your resources and maintaining operational reliability.

cloudresourcemanager.googleapis.com/Project

Identifies principals with redundant Service Account User and Admin roles on a project to help you enforce the principle of least privilege, simplifying IAM and bolstering security.

iam.googleapis.com/ServiceAccount

This rule identifies principals holding both Service Account User and Admin roles at the organization level, a critical check for enforcing least privilege to reduce the attack surface and minimize risks from excessive permissions.

iam_ServiceAccount_RESOURCE_1

This rule identifies service accounts employing usermanaged keys, which necessitate manual rotation and pose a heightened security risk. This rule helps you strengthen the security posture by transitioning to Googlemanaged keys or implementing rigorous key lifecycle controls.

cloudresourcemanager.googleapis.com/Folder

This rule identifies users with direct project creation privileges at the folder level, critical for preventing uncontrolled resource sprawl to safeguard budgets, enforce security policies, and maintain operational stability.

cloudresourcemanager.googleapis.com/Organization

Validating that project creation rights are not granted to users directly at the organization level helps enforce least privilege, preventing uncontrolled resource sprawl to improve cost management, security, and overall governance.

cloudresourcemanager_Project_RESOURCE_2

Enable automated container scanning to proactively detect vulnerabilities, thereby bolstering application security, enhancing operational reliability, maintaining performance integrity, and mitigating costly breach risks.

cloudresourcemanager_Project_RESOURCE_2

Enable container ondemand scanning to proactively detect vulnerabilities in your container images, thereby safeguarding your applications, ensuring operational reliability, and preventing costly security incidents.

cloudkms.googleapis.com/CryptoKey

Checks if a Cloud KMS CryptoKeys protection level is set to HSM. The protectionLevel determines where cryptographic operations are performed. HSM means they occur within a Hardware Security Module. HSM provides a higher level of security. This rule checks the versionTemplate.protectionLevel field. A violation is generated if the protectionLevel is HSM. While SOFTWARE protection level is acceptable for some use cases, HSM is generally recommended for higher security requirements.

cloudkms.googleapis.com/CryptoKey

Checks if a Cloud KMS CryptoKeys protection level is set to SOFTWARE. The protectionLevel determines where cryptographic operations are performed. SOFTWARE means operations occur in software, while HSM means they occur within a Hardware Security Module. HSM provides a higher level of security. This rule checks the versionTemplate.protectionLevel field. A violation is generated if the protectionLevel is SOFTWARE. While SOFTWARE protection level is acceptable for some use cases, HSM is generally recommended for higher security requirements.

cloudkms.googleapis.com/CryptoKey

Checks if a Cloud KMS CryptoKey with the GOOGLE_SYMMETRIC_ENCRYPTION algorithm and an ENABLED state has key rotation configured. Regular key rotation is a critical security best practice. This rule verifies the following 1. state The keys state is ENABLED. 2. purpose The keys purpose is ENCRYPT_DECRYPT. 3. versionTemplate.algorithm The algorithm is GOOGLE_SYMMETRIC_ENCRYPTION. 4. rotationPeriod or nextRotationTime If either of these fields is missing, it indicates that rotation is not configured, and a violation is generated. The absence of rotation significantly increases the risk if a key is compromised.

cloudresourcemanager.googleapis.com/Folder

Detects publicly exposed KMS keys within a folder for preventing unauthorized access and decryption of sensitive data, thereby safeguarding your critical information assets and mitigating breach risks.

cloudresourcemanager.googleapis.com/Organization

Ensure your organizations KMS encryption keys are not publicly exposed through IAM policies, safeguarding sensitive data from unauthorized access and preventing costly data breaches.

cloudresourcemanager.googleapis.com/Project

Safeguard critical data and maintain compliance by preventing public KMS key exposure, which restricts cryptographic operations to authorized identities only and mitigates risks of unauthorized access and data breaches.

cloudkms.googleapis.com/CryptoKey

This rule identifies publicly exposed KMS keys, preventing unauthorized data decryption to safeguard sensitive information, ensure data integrity, and avert costly breaches.

cloudkms.googleapis.com/KeyRing

Prevent unauthorized access to sensitive encrypted data by ensuring KMS key ring IAM policies do not grant public permissions, thereby safeguarding data confidentiality and integrity.

cloudkms.googleapis.com/CryptoKey

Checks if Google Cloud Key Management Service (KMS) keys have automatic key rotation enabled. Regular key rotation is a critical security best practice to limit the potential impact of a compromised key. If a key is compromised, rotation limits the time an attacker can use it. This rule flags KMS keys that either do not have rotation enabled. Shorter rotation periods are generally preferred for enhanced security.

cloudkms.googleapis.com/CryptoKey

Checks if Google Cloud Key Management Service (KMS) keys have automatic key rotation enabled and if the rotation period is within an acceptable limit (not greater than 365 days). Regular key rotation is a critical security best practice to limit the potential impact of a compromised key. If a key is compromised, rotation limits the time an attacker can use it. This rule flags KMS keys that either do not have rotation enabled or have a rotation period exceeding 365 days. Shorter rotation periods are generally preferred for enhanced security.

cloudkms_CryptoKey_RESOURCE_IAM_POLICY_1

Restricting the highly permissive Owner role on KMS projects safeguards cryptographic keys from accidental or malicious actions, enhancing data security and operational stability.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the appengine.disableCodeDownload organization policy is configured on the project or its parents to prevent unauthorized code downloads and protect against potential security risks.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.disableGuestAttributesAccess organization policy is enforced on the project or any parent, preventing potential unauthorized access to guest attributes.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.disableInternetNetworkEndpointGroup organization policy is enforced on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.disableNestedVirtualization is configured on the project or any parent, preventing unauthorized use of nested virtualization.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.disableSerialPortLogging organization policy is enforced on the project or any parent, preventing potential security risks from unauthorized serial port access.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.disableSerialPortAccess organization policy is enforced on the project or its parents, preventing unauthorized access to serial ports.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.requireOsLogin organization policy is enforced to ensure OS Login is enabled on the project or its parents, preventing unauthorized access to virtual machines.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.requireShieldedVm is enforced on the project or its parents, ensuring that only shielded VMs are created, thus enhancing security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.restrictDedicatedInterconnectUsage organization policy is enforced on the project or any parent, preventing potential risks associated with unrestricted dedicated interconnect usage.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.restrictLoadBalancerCreationForTypes organization policy is enforced to prevent the creation of insecure load balancers on the project or its parents.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictProtocolForwardingCreationForTypes is configured on the project or any parent, to prevent potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictSharedVpcHostProjects is configured on the project or any parent, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.restrictSharedVpcSubnetworks organization policy is enforced on the project or its parents, ensuring only approved subnets are used, thereby enhancing network security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictVpcPeering is enforced on the project or its parents, preventing potential unauthorized VPC peering.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictVpnPeerIPs is configured on the project or any parent, preventing unauthorized VPN peer IP access.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.restrictXpnProjectLienRemoval organization policy is enforced on the project or its parents, preventing unauthorized removal of project liens.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.skipDefaultNetworkCreation organization policy is enforced on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.storageResourceUseRestrictions is enforced to ensure that storage resource use restrictions are configured on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.trustedImageProjects is configured on the project or any parent, preventing the use of untrusted images.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.vmCanIpForward organization policy is configured on the project or its parents to allow VMs to forward IP traffic, ensuring proper network functionality.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.vmExternalIpAccess organization policy is enforced on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the cloudfunctions.allowedVpcConnectorEgressSettings organization policy is enforced on the project or its parents, preventing unauthorized egress settings for Cloud Functions, thereby enhancing security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the cloudfunctions.requireVPCConnector organization policy is enforced to ensure Cloud Functions use VPC connectors, enhancing network security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.disablePrivateServiceConnectCreationForConsumers is configured to prevent unauthorized Private Service Connect creation.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy gcp.detailedAuditLoggingMode is configured on the project or any parent to enable detailed audit logging, aiding in comprehensive security monitoring and compliance.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy gcp.disableCloudLogging is configured on the project or any parent to ensure that Cloud Logging is properly enforced.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the gcp.resourceLocations organization policy is enforced on the project or any parent, ensuring resources are created in the designated geographic locations, thereby meeting compliance requirements.

cloudresourcemanager_Project_RESOURCE_3

Reduces your attack surface by identifying active ingress firewall rules that expose uncommon network protocols (not TCP, UDP, or ICMP) to the internet, preventing potential breaches through unmonitored services.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy iam.allowServiceAccountCredentialLifetimeExtension is configured on the project or any parent, ensuring that service account credential lifetime extensions are managed to maintain security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the iam.allowedPolicyMemberDomains organization policy is enforced on the project or its parents, ensuring only approved domains can be added as policy members, enhancing security by preventing unauthorized access.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the iam.automaticIamGrantsForDefaultServiceAccounts organization policy is enforced on the project or any parent to ensure that the default service accounts are not automatically granted IAM roles, improving security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the iam.disableServiceAccountCreation organization policy is enforced to prevent the creation of service accounts, reducing the risk of unauthorized access and potential security breaches.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the iam.disableServiceAccountKeyUpload organization policy is enforced on the project or any parent, preventing potential security risks associated with unauthorized service account key uploads.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the iam.disableWorkloadIdentityClusterCreation organization policy is enforced on the project or any parent, preventing the creation of workload identity clusters if the policy is not configured.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the iam.workloadIdentityPoolProviders organization policy is enforced on the project or any parent, ensuring that workload identity pool providers are correctly configured to prevent unauthorized access.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictNonConfidentialComputing is configured on the project or its parents, preventing the use of nonconfidential computing resources that could lead to data exposure.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.restrictPartnerInterconnectUsage organization policy is enforced on the project or any parent, preventing potential unauthorized usage of Partner Interconnect.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy serviceuser.services is configured on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the sql.restrictAuthorizedNetworks organization policy is enforced on the project or its parents, preventing unauthorized access to Cloud SQL instances from unapproved networks.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the sql.restrictPublicIp organization policy is enforced on the project or its parents, preventing potential security vulnerabilities by restricting public IP access to Cloud SQL instances.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the storage.retentionPolicySeconds organization policy is enforced on the project or its parents to ensure data is protected from accidental or malicious deletion.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the storage.uniformBucketLevelAccess organization policy is enforced on the project or any parent, ensuring consistent access control for all objects within a bucket and preventing potential data breaches.

osconfig.googleapis.com/VulnerabilityReport

Detects OS Config vulnerability reports that contain vulnerabilities with a 'CRITICAL' severity level. Vulnerability reports provide information about vulnerabilities found on Compute Engine VM instances. Critical vulnerabilities represent the highest level of risk and should be addressed immediately to prevent potential exploitation. This rule flags any vulnerability report containing at least one critical vulnerability.

cloudresourcemanager.googleapis.com/Project

Identifies projects created directly under an organization, which bypasses folderlevel policy inheritance essential for consistent governance, security posture, and cost management.

pubsub.googleapis.com/Subscription

Checks if a Pub/Sub subscription has a deadletter topic configured. A deadletter topic (DLT) is essential for handling message delivery failures. When a message cannot be delivered to a subscriber after multiple attempts, it can be sent to a DLT, preventing message loss and allowing for analysis of delivery issues. This rule examines the deadLetterPolicy field within the subscriptions configuration. If deadLetterPolicy is missing or if it exists but does not have a deadLetterTopic field, the rule generates a violation. Using a DLT is a best practice for reliable message processing.

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances have Redis AUTH enabled. Redis AUTH requires clients to authenticate with a password before accessing the database. This is a fundamental security measure to prevent unauthorized access. This rule flags instances where authEnabled is false.

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances have an authorized network configured. Restricting access to a specific VPC network limits the potential attack surface. While this rule doesnt validate the specific network, it checks that some network restriction is in place. A more robust check would compare against a list of allowed networks (using parameters).

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances have a maintenance window configured. A defined maintenance window allows you to control when potentially disruptive maintenance operations occur. Without a defined window, updates can happen at any time, which could impact application availability. This rule flags instances that do not have a maintenancePolicy defined.

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances are using the BASIC tier. The BASIC tier provides a single Redis node and does not offer replication or automatic failover. This makes it unsuitable for production workloads that require high availability. This rule flags any instance using the BASIC tier. Upgrading to STANDARD_HA is strongly recommended for production environments.

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances is using the STANDARD_HA tier and has at least one replica. While STANDARD_HA provides high availability features, a replica count of zero eliminates the redundancy benefits. This rule flags instances not on STANDARD_HA and with zero replicas configured. Increasing the replica count to at least 1 (and ideally 2 or more, up to 5) is recommended for true high availability.

compute.googleapis.com/Project

Checks if a Google Cloud project is configured as a Shared VPC Host Project. Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, hosted in a designated Host Project. This allows for centralized network administration. This rule identifies host projects by checking the xpnProjectStatus field within the projects Compute Engine metadata. A status of HOST indicates its a Shared VPC Host Project. This policy is informational, identifying projects with this specific configuration.

cloudresourcemanager.googleapis.com/Organization

Activating Security Command Center (SCC) at the organization level provides essential, centralized visibility into security findings and compliance status, enabling proactive risk mitigation to safeguard your Google Cloud resources.

secretmanager.googleapis.com/SecretVersion

Checks if a Secret Manager secret is both enabled and older than 90 days since its creation time. Regularly rotating secrets is a security best practice to minimize the impact of potential compromise. This rule examines two fields 1. state Checks if the secret is in the ENABLED state. 2. createTime Checks if the secrets creation time is more than 90 days in the past. A violation is generated if both conditions are true the secret is enabled and its createTime indicates its older than 90 days. The rule uses time.now_ns() and time.parse_rfc3339_ns() for accurate time comparisons.

spanner.googleapis.com/Database

Enforces drop protection on Cloud Spanner databases to safeguard against accidental deletion, which can lead to irreversible data loss and significant service disruption. This rule checks if the `enableDropProtection` flag is missing or explicitly set to 'false', which leaves the database vulnerable to unintended removal.

compute.googleapis.com/SslPolicy

Checks if a Compute Engine SSL Policy meets recommended security standards by having its profile set to MODERN and its minimum TLS version set to TLS_1_2. The MODERN profile includes strong cipher suites and disables older, less secure TLS versions. Setting the minimum TLS version to TLS_1_2 further enhances security by disallowing TLS 1.0 and 1.1. This rule examines the profile and minTlsVersion fields. A violation is generated if the profile is not MODERN OR the minTlsVersion is not TLS_1_2.

storage.googleapis.com/Bucket

Identifies Cloud Storage buckets that have lifecycle rules defined, but where those rules are missing a specified action. A lifecycle rule without an action is ineffective and serves no purpose. Lifecycle rules are designed to manage object lifecycle through actions like deletion or storage class transitions. An empty action indicates a configuration error that should be corrected. This could be a sign of an incomplete setup or a typo in the configuration.

storage.googleapis.com/Bucket

Checks if a Google Cloud Storage bucket is located outside of the European Union (EU) geographical boundaries. For organizations subject to GDPR or similar data residency regulations, storing data in compliant locations is critical. This rule identifies buckets where the location field does not correspond to an EU multiregion (EU) or a specific EU region (typically starting with EUROPE). Buckets found outside the EU region might require review for compliance.

storage.googleapis.com/Bucket

Checks if a Cloud Storage bucket is encrypted using a CustomerManaged Encryption Key (CMEK). Using CMEKs provides greater control over your data encryption keys compared to Googlemanaged encryption. With CMEKs, you manage the key lifecycle, including rotation, access control, and auditing, within Cloud KMS. This is often a requirement for regulatory compliance or enhanced security postures where you need direct control over your encryption keys. If a bucket is not using a CMEK, its using Googlemanaged encryption by default.

storage.googleapis.com/Bucket

Checks if object versioning is enabled for the Cloud Storage bucket. Object versioning preserves previous versions of an object when its overwritten or deleted, providing a crucial safeguard against accidental data loss or corruption. With versioning enabled, you can restore earlier versions of objects if needed. Disabling versioning means that overwrites and deletions are permanent.

storage.googleapis.com/Bucket

Checks if a Google Cloud Storage bucket has a retention policy configured and if that policy is locked. A retention policy specifies a minimum duration that objects in the bucket must be retained. Locking the retention policy makes it permanent and immutable, preventing accidental or malicious deletion or modification of the policy. This rule checks for two conditions 1. If a retention policy (retentionPolicy) is not configured on the bucket. 2. If a retention policy is configured, but it is not locked (retentionPolicy.isLocked is false or missing). If either of these conditions is true, the rule generates a violation. Having an unlocked retention policy, or no policy at all, can increase the risk of data loss or tampering. A locked retention policy is crucial for compliance and data governance.

storage.googleapis.com/Bucket

Checks if a Google Cloud Storage bucket has a retention policy configured and if that policy is locked. A retention policy specifies a minimum duration that objects in the bucket must be retained. Locking the retention policy makes it permanent and immutable, preventing accidental or malicious deletion or modification of the policy. This rule checks for two conditions 1. If a retention policy (retentionPolicy) is not configured on the bucket. 2. If a retention policy is configured, but it is not locked (retentionPolicy.isLocked is false or missing). If either of these conditions is true, the rule generates a violation. Having an unlocked retention policy, or no policy at all, can increase the risk of data loss or tampering. A locked retention policy is crucial for compliance and data governance.

storage.googleapis.com/Bucket

Checks if Uniform BucketLevel Access (UBLA) is enabled for the Cloud Storage bucket. Enabling UBLA provides a simplified and consistent way to manage permissions using IAM roles at the bucket level, rather than managing individual object ACLs. This is generally recommended for improved security and manageability. With UBLA, you only use IAM to control access, making permissions easier to audit and understand. Disabling UBLA means you are relying on a combination of IAM and object ACLs, which can become complex and difficult to manage.

aiplatform.googleapis.com/CustomJob

Ensures Vertex AI custom training jobs are protected with customer-managed encryption keys (CMEK), providing granular control over data encryption for enhanced security and compliance. This rule checks that the `encryptionSpec.kmsKeyName` field is properly configured in the job's specification.

aiplatform.googleapis.com/Dataset

Ensures Vertex AI datasets are protected with customer-managed encryption keys (CMEK), providing granular control over data encryption for enhanced security and compliance. This rule checks that the `encryptionSpec.kmsKeyName` field is properly configured for the dataset.

aiplatform.googleapis.com/Endpoint

Ensures that Vertex AI Endpoints are encrypted with a customer-managed encryption key (CMEK), providing granular control over data encryption for deployed models and enhancing security. This setting is critical for compliance and protecting sensitive data at rest. This rule checks that the `encryptionSpec.kmsKeyName` field is properly configured on the endpoint.

aiplatform.googleapis.com/Featurestore

Ensures Vertex AI Featurestores are protected with customer-managed encryption keys (CMEK), providing granular control over data encryption for enhanced security and compliance. This rule checks that the `encryptionSpec.kmsKeyName` field is properly configured.

aiplatform.googleapis.com/HyperparameterTuningJob

Ensures Vertex AI hyperparameter tuning jobs are protected with customer-managed encryption keys (CMEK), providing granular control over data encryption for enhanced security and compliance. This rule checks that the `encryptionSpec.kmsKeyName` field is properly configured in the job's specification.

aiplatform.googleapis.com/MetadataStore

Ensures Vertex AI Metadata Stores are protected with customer-managed encryption keys (CMEK) for greater control over data encryption. This rule verifies that the `encryptionSpec.kmsKeyName` field is present and configured, which is essential for compliance and enhancing data security by ensuring metadata is not just encrypted by default, but with a key that you control.

aiplatform.googleapis.com/Model

Ensures Vertex AI models are protected with customer-managed encryption keys (CMEK) for enhanced control over data encryption and to meet compliance requirements. This rule verifies that the `encryptionSpec.kmsKeyName` field is properly configured in the model's resource data.

aiplatform.googleapis.com/NotebookRuntime

Ensures Vertex AI Notebook Runtimes are protected with customer-managed encryption keys (CMEK), providing granular control over data encryption for enhanced security and compliance. A Notebook Runtime without CMEK uses Google-managed encryption keys by default.

aiplatform.googleapis.com/NotebookRuntime

Enforces automatic idle shutdown on Vertex AI Notebook Runtimes to optimize costs by terminating inactive resources. A misconfiguration occurs if the `idleShutdownConfig` is not defined or if the `idleShutdownDisabled` flag within it is set to `true`, leading to continuous resource billing even when not in use.

aiplatform.googleapis.com/NotebookRuntime

Ensures Vertex AI Notebook Runtimes do not have direct internet access to mitigate risks such as data exfiltration and unauthorized access to external resources. Disabling internet access enhances the security posture by isolating the runtime environment. Internet access is controlled by the `networkSpec.enableInternetAccess` setting.

aiplatform.googleapis.com/NotebookRuntime

Ensures Secure Boot is enabled on Vertex AI Notebook Runtimes to protect against boot-level threats. Secure Boot is a core Shielded VM feature that verifies the digital signature of all boot components, preventing the execution of unauthorized or malicious code during the boot process. This rule checks that the `enableSecureBoot` flag is explicitly set to `true`.

aiplatform.googleapis.com/NotebookRuntimeTemplate

Ensures Vertex AI Notebook Runtimes are protected with customer-managed encryption keys (CMEK), providing granular control over data encryption for enhanced security and compliance. A Notebook Runtime without CMEK uses Google-managed encryption keys by default.

aiplatform.googleapis.com/NotebookRuntimeTemplate

Enforces automatic idle shutdown on Vertex AI Notebook Runtime Templates to optimize costs by terminating inactive resources. A misconfiguration occurs if the `idleShutdownConfig` is not defined or if the `idleShutdownDisabled` flag within it is set to `true`, leading to continuous resource billing even when not in use.

aiplatform.googleapis.com/NotebookRuntimeTemplate

Ensures Vertex AI runtime templates are not exposed to the public internet, which reduces the external attack surface and helps prevent potential data exfiltration. This is violated when the 'enableInternetAccess' setting is true.

aiplatform.googleapis.com/NotebookRuntimeTemplate

Verifies that Vertex AI Notebook Runtime Templates have Secure Boot enabled to ensure operating system integrity and protect against unauthorized boot-level code. Secure Boot is a critical security feature that helps prevent the execution of malicious code during the boot process. This setting is controlled by the 'enableSecureBoot' flag within the 'shieldedVmConfig' object.

aiplatform.googleapis.com/Tensorboard

Ensures Vertex AI TensorBoard instances are protected with customer-managed encryption keys (CMEK), providing granular control over the encryption of experiment data and model visualizations for enhanced security and compliance. This rule checks that the `encryptionSpec.kmsKeyName` field is properly configured.

aiplatform.googleapis.com/TrainingPipeline

Ensures Vertex AI training pipelines are protected with customer-managed encryption keys (CMEK), providing granular control over data encryption for enhanced security and compliance. This rule checks that the `encryptionSpec.kmsKeyName` field is properly configured in the pipeline's specification.

notebooks.googleapis.com/Instance

Ensures that Vertex AI Workbench instances have automatic environment upgrades enabled. Enabling automatic upgrades is crucial for keeping instances up-to-date with the latest features, framework updates, and security patches, which enhances both security and reliability. This setting is controlled by the 'notebook-upgrade-schedule' metadata key, which should be present and have a value defined.

notebooks.googleapis.com/Instance

Ensures that Vertex AI Workbench instances are encrypted using a Customer-Managed Encryption Key (CMEK), which is critical for maintaining control over data encryption and meeting specific compliance requirements. This policy verifies that the `kmsKey` property is configured for both the boot and data disks within the instance's `gceSetup`.

notebooks.googleapis.com/Instance

Disabling the use of the default VPC network for Vertex AI Workbench instances is a key security measure to prevent exposure to overly permissive firewall rules. This misconfiguration is caused when a Workbench instance is attached to the network resource named 'default', bypassing a more secure, intentionally designed network architecture.

notebooks.googleapis.com/Instance

Ensures Vertex AI Workbench instances have deletion protection enabled, preventing accidental deletion of critical development environments and associated data. This protection is vital for maintaining operational reliability, as a misconfiguration can lead to irreversible loss of work. The 'deletionProtection' flag must be explicitly set to 'true'.

notebooks.googleapis.com/Instance

To prevent data exfiltration, this policy ensures that file downloads from the JupyterLab interface in Vertex AI Workbench instances are disabled. A misconfiguration occurs if the `notebook-disable-downloads` metadata key is missing or not set to 'true', creating a potential vector for unauthorized data removal.

notebooks.googleapis.com/Instance

Disabling root access on Vertex AI Workbench instances is a crucial security measure to prevent privilege escalation and unauthorized system modifications. This setting is controlled by the `notebook-disable-root` metadata key within the GCE setup, which should be set to 'true'.

notebooks.googleapis.com/Instance

Ensures Vertex AI Workbench instances have Shielded VM integrity monitoring enabled, providing a foundational layer of defense against boot-level and kernel-level malware. A violation occurs if the `enableIntegrityMonitoring` flag within the instance's Shielded VM configuration is missing, empty, or set to false.

notebooks.googleapis.com/Instance

Ensures Vertex AI Workbench instances do not have public IP addresses assigned by verifying the `disablePublicIp` setting is explicitly set to `true`. Disabling public IPs is a crucial security measure that reduces the instance's exposure to the public internet, minimizing the risk of unauthorized access. A violation occurs if the `disablePublicIp` setting is missing, empty, or set to false.

notebooks.googleapis.com/Instance

Ensures that Vertex AI Workbench instances do not use the default Compute Engine service account. Assigning dedicated, least-privilege service accounts to Workbench instances is a critical security measure that minimizes the potential impact of a compromise by limiting the instance's access to only necessary Google Cloud services. This check flags instances configured with a service account ending in '-compute@developer.gserviceaccount.com', which indicates the use of the overly permissive default service account.

notebooks.googleapis.com/Instance

Ensures Vertex AI Workbench instances have Secure Boot enabled, a critical security feature that verifies the digital signature of all boot components to protect against bootkits and rootkits. This setting, `enableSecureBoot`, is part of the instance's Shielded VM configuration and must be set to true.

notebooks.googleapis.com/Instance

Verifies that Vertex AI Workbench instances have the virtual trusted platform module (vTPM) enabled to ensure a secure and measured boot process. Activating vTPM is a critical component of Google Cloud's Shielded VM capabilities, which protects instances from boot-level malware and rootkits by providing verifiable integrity of the instance's bootloader, kernel, and boot drivers. This setting is managed within the `shieldedInstanceConfig` of the instance.