Google Cloud best practices

alloydb.googleapis.com/Cluster

Verifies that AlloyDB clusters have an automated backup policy enabled, ensuring critical data is protected against loss and can be rapidly recovered to maintain business continuity and service reliability.

alloydb.googleapis.com/Cluster

Verifies AlloyDB clusters have continuous backup enabled, providing crucial point-in-time recovery (PITR) to protect against data loss and ensure business continuity.

apikeys.googleapis.com/Key

Verifies that all API keys have restrictions applied, preventing misuse that could lead to security breaches, unauthorized data access, and unexpected costs.

apikeys.googleapis.com/Key

Ensures API keys are restricted to specific services, preventing potential misuse that could lead to unauthorized API activation, security vulnerabilities, and unexpected costs.

apikeys.googleapis.com/Key

Enforces a 90-day rotation policy for API keys to minimize the security risk from lost, leaked, or compromised credentials.

apikeys.googleapis.com/Key

Flags the existence of any API key to encourage the use of more secure authentication methods, such as service accounts, thereby reducing the risk associated with static, long-lived credentials.

bigquery.googleapis.com/Dataset

Checks if BigQuery datasets are encrypted using Customer-Managed Encryption Keys (CMEK) from Cloud KMS. While BigQuery encrypts data at rest by default with Google-managed keys, CMEK offers finer-grained control over key management, including rotation, access control, and audit logging. This rule inspects the `defaultEncryptionConfiguration` field within the dataset's configuration. A violation is triggered if this field is *missing* or if it exists but lacks a `kmsKeyName` property. The absence of `defaultEncryptionConfiguration` or `kmsKeyName` signifies that the dataset is *not* employing CMEK for encryption, potentially impacting compliance and security posture.

bigquery.googleapis.com/Dataset

Checks if a BigQuery dataset has labels applied. Labels are user-defined key-value pairs that help organize and manage resources within Google Cloud. They are used for filtering, grouping, and cost reporting. This rule checks for the presence of the `labels` field on the dataset. A violation is triggered if the `labels` field is missing or if it's empty.

bigquery.googleapis.com/Dataset

Checks if a BigQuery dataset has resource tags applied. Resource tags are key-value pairs managed through Resource Manager. They are used for broader organizational purposes, including integration with other Google Cloud services and external systems (e.g., for access control via tag bindings). This rule checks for the presence of the `resourceTags` field. A violation is generated if the tags field is missing, or it is empty.

bigquery.googleapis.com/Dataset

Checks if BigQuery datasets are not publicly exposed. Publicly exposed datasets can lead to unintentional data leakage and potential privacy violations. BigQuery offers granular access controls via IAM roles, and datasets should be restricted to authorized users and service accounts only. This rule checks for the presence of 'allUsers' or 'allAuthenticatedUsers' in the dataset's access control list, which grants public access. The absence of these entries indicates that the dataset is *not* publicly accessible.

bigquery.googleapis.com/Table

Checks if BigQuery tables are encrypted using Customer-Managed Encryption Keys (CMEK) in Cloud KMS. By default, BigQuery encrypts data at rest using Google-managed keys. CMEK provides more granular control over the encryption keys, allowing organizations to manage key rotation, access, and auditing. This rule examines the `encryptionConfiguration` field within the table's configuration. If this field is *missing*, or if it exists but does not contain a `kmsKeyName`, it indicates that the table is *not* using CMEK for encryption.

bigquery.googleapis.com/Table

Checks if a BigQuery table has an expiration time set. Setting an expiration time on tables is a best practice for managing data lifecycle and controlling storage costs, especially for temporary or staging tables. This rule examines the `expirationTime` field within the table's configuration. If `expirationTime` is *null* (or missing, which is treated the same way in Rego), it indicates that the table does *not* have an expiration time set, and a violation is generated. An explicit expiration time is a good practice for data governance.

bigquery.googleapis.com/Table

Checks if a BigQuery table has labels applied. Labels are user-defined key-value pairs that help organize and manage resources within Google Cloud. They are used for filtering, grouping, and cost reporting. This rule checks for the presence of the `labels` field on the table. A violation is triggered if the `labels` field is missing or if it's empty.

bigquery.googleapis.com/Table

Checks if a BigQuery table has resource tags applied. Resource tags are key-value pairs managed through Resource Manager. They are used for broader organizational purposes, including integration with other Google Cloud services and external systems (e.g., for access control via tag bindings). This rule checks for the presence of the `resourceTags` field. A violation is generated if the 'resourceTags' field is missing, or if it is empty.

bigquery.googleapis.com/Table

Checks if a time-partitioned BigQuery table has a partition expiration time set. Partition expiration automatically deletes partitions that are older than the specified duration. This is crucial for managing storage costs and data lifecycle, especially for large, time-series datasets. This rule examines the `timePartitioning` field and, specifically, the `expirationMs` field *within* `timePartitioning`. If `timePartitioning` is missing, or `expirationMs` is missing or if it's not a positive integer, it indicates that partition expiration is not configured correctly, and a violation is generated.

sqladmin.googleapis.com/Instance

Checks the expiration status of the Certificate Authority (CA) certificate for Cloud SQL instances. Regularly rotating CA certificates and ensuring they are not expired is a critical security best practice. An expired CA certificate can disrupt client connections to the database, leading to application downtime. This rule checks two key things

sqladmin.googleapis.com/Instance

Checks if Point-in-Time Recovery (PITR) is enabled for Cloud SQL instances. PITR allows restoring the database to a specific point in time, providing crucial data recovery capabilities. This rule directly checks the `pointInTimeRecoveryEnabled` setting within the `backupConfiguration`. If `pointInTimeRecoveryEnabled` is `false` or not present, it indicates that PITR is *not* enabled.

sqladmin.googleapis.com/Instance

Checks if Cloud SQL instances have automatic storage resizing enabled. Enabling `storageAutoResize` allows the instance's storage capacity to automatically increase as needed, preventing potential out-of-storage errors and downtime. Without automatic resizing, the instance can become unavailable if it runs out of storage space. This rule checks for the presence and value of the `storageAutoResize` setting within the instance's configuration. If `storageAutoResize` is `false` or not present, it indicates that automatic storage resizing is *disabled*, which can lead to operational issues. Enabling this feature is crucial for maintaining the reliability and availability of the database.

sqladmin.googleapis.com/Instance

Enabling local_infile on Cloud SQL for MySQL can expose the server to file read exploits; disable it unless absolutely necessary.

sqladmin.googleapis.com/Instance

Ensures the 'skip_show_database' flag is enabled (set to 'on') for Cloud SQL for MySQL instances. Enabling this flag prevents users from using the `SHOW DATABASES` command unless they have the `SHOW DATABASES` privilege. This enhances security by limiting the ability of users to discover database names, reducing the risk of unauthorized access attempts and information disclosure. It's a form of security through obscurity.

sqladmin.googleapis.com/Instance

Checks if the 'slow_query_log' database flag is enabled (set to 'on') for Cloud SQL for MySQL instances. Enabling this flag activates the slow query log, which records SQL statements that exceed a defined execution time threshold (controlled by 'long_query_time'). The slow query log is an essential tool for identifying performance bottlenecks, optimizing queries, and troubleshooting database performance issues. Disabling this flag hinders your ability to diagnose and resolve slow query problems.

sqladmin.googleapis.com/Instance

Detects Cloud SQL instances that have automated backups *disabled*. Automated backups are *critical* for data protection and disaster recovery. Without regular backups, data loss due to accidental deletion, corruption, or other failures is highly likely and may be irreversible. Enabling automated backups ensures that point-in-time recovery is possible, minimizing data loss and downtime.

sqladmin.googleapis.com/Instance

Checks if a password validation Policy is set for Cloud SQL instances. For security best practices, it is *strongly* recommended to set a Password Validation Policy. Relying on default or not setting the password validation, significantly increases the risk of unauthorized access and potential data breaches. This rule checks for the *absence* of password validation. If password validation is *not* enforced for Instance, it indicates a potential security vulnerability.

sqladmin.googleapis.com/Instance

Ensures that the 'log_checkpoints' database flag is enabled (set to 'on') for Cloud SQL for PostgreSQL instances. Checkpoints are critical points in the transaction log sequence where PostgreSQL writes all dirty data buffers to disk and updates the control file. Logging checkpoints provides valuable information for monitoring database recovery time, diagnosing performance issues related to I/O, and understanding write activity. Disabling this flag can hinder troubleshooting and recovery analysis.

sqladmin.googleapis.com/Instance

Checks if the 'log_connections' database flag is enabled (set to 'on') for Cloud SQL for PostgreSQL instances. When enabled, this flag logs each successful connection attempt to the database server, including the username and client IP address. This information is crucial for security auditing, tracking database access, and troubleshooting connection-related issues. It complements the 'log_disconnections' flag, which logs the end of sessions. This rule flags instances where connection logging is *disabled*.

sqladmin.googleapis.com/Instance

Checks if the 'log_disconnections' database flag is enabled (set to 'on') for Cloud SQL for PostgreSQL instances. When enabled, this flag logs the end of each client session, including the session duration. This information is valuable for auditing, security analysis (e.g., detecting unusual connection patterns), and troubleshooting connection-related issues. It complements the 'log_connections' flag, which logs the start of connections. This rule flags instances where disconnection logging is *disabled*.

sqladmin.googleapis.com/Instance

Ensures that the 'log_error_verbosity' database flag for Cloud SQL for PostgreSQL instances is set to either 'default' or 'verbose'. This flag controls the amount of detail included in error messages written to the server log. Setting it to 'default' or 'verbose' provides more information for troubleshooting and debugging compared to the 'terse' setting, which minimizes detail. More verbose error logs can significantly aid in diagnosing the root cause of database problems.

sqladmin.googleapis.com/Instance

Ensures that the 'log_hostname' database flag is enabled (set to 'on') for Cloud SQL for PostgreSQL instances. When enabled, this flag logs the hostnames of connecting clients in addition to their IP addresses. Logging hostnames can be valuable for troubleshooting, security auditing, and identifying the source of connections. This can be particularly helpful in environments where IP addresses change frequently (e.g., due to DHCP) or where multiple clients connect from the same IP address (e.g., through a proxy or NAT). However, enabling this can introduce a slight performance overhead due to the hostname.

sqladmin.googleapis.com/Instance

Ensures that the 'log_lock_waits' database flag is enabled (set to 'on') for Cloud SQL for PostgreSQL instances. Enabling this flag logs long lock waits, which are often indicative of performance bottlenecks or concurrency issues within the database. By monitoring these logs, administrators can identify and address the root causes of slow queries or application performance problems. This proactive approach helps maintain database health and responsiveness.

sqladmin.googleapis.com/Instance

Checks if the 'log_min_duration_statement' database flag is set to '-1' (disabled) on Cloud SQL for PostgreSQL instances. This flag controls the minimum execution time (in milliseconds) a statement must take before it's logged. Setting it to '-1' disables logging of statement durations, hindering performance monitoring and troubleshooting. It's generally recommended to set a specific threshold (e.g., 2000 for 2 seconds) to capture slow queries without overwhelming the logs. This rule flags instances where duration-based statement logging is *disabled*.

sqladmin.googleapis.com/Instance

Checks if the 'log_min_error_statement' database flag is set to 'error', 'log', 'fatal', or 'panic' for Cloud SQL for PostgreSQL instances. This flag controls the severity level of SQL statements that are logged as errors. Setting it to 'error' or a stricter level (log, fatal, panic) ensures that all error-causing statements are logged, which is crucial for troubleshooting, auditing, and security analysis. Settings less strict than 'error' (e.g., 'warning', 'notice') may not capture all error conditions, hindering your ability to diagnose and resolve problems. This rule flags instances with a setting *less strict* than 'error'.

sqladmin.googleapis.com/Instance

Checks if the 'log_min_messages' database flag is set to its default value ('warning') for Cloud SQL for PostgreSQL instances. This flag controls the severity level of messages that are written to the server log. While the default ('warning') is generally appropriate, it's often recommended to adjust this setting based on your specific operational needs and the desired level of logging detail. Setting it to a more verbose level (e.g., 'notice', 'info', 'debug') can provide more information for troubleshooting, while setting it to a less verbose level (e.g., 'error', 'log', 'fatal', 'panic') can reduce log volume. This rule flags instances where the setting is *not* the default ('warning'). It's a policy decision whether to enforce the default or allow deviations.

sqladmin.googleapis.com/Instance

Verifies that the 'log_statement' database flag is configured to a value *other than* 'none' for Cloud SQL for PostgreSQL instances. The 'log_statement' flag controls which SQL statements are logged. Appropriate logging of SQL statements is crucial for auditing, security analysis, performance troubleshooting, and debugging. Setting it to values like 'ddl', 'mod', or 'all' (depending on your needs) provides valuable insights into database activity. A setting of 'none' disables statement logging entirely, hindering these important capabilities.

sqladmin.googleapis.com/Instance

Ensures that the 'log_temp_files' database flag is enabled (set to a non-zero value) for Cloud SQL for PostgreSQL instances. This flag controls the logging of temporary file usage. Setting it to a value other than '0' (which disables logging) allows you to monitor the size and number of temporary files created by queries. Excessive temporary file creation can indicate inefficient queries, poorly tuned `work_mem` settings, or potential performance bottlenecks. Analyzing these logs can help optimize query performance and resource utilization. A value of 0 disables logging, while positive values indicate a threshold in KB.

sqladmin.googleapis.com/Instance

Ensures that the 'max_connections' database flag is explicitly configured for Cloud SQL for PostgreSQL instances. Setting an appropriate value for 'max_connections' is crucial for resource management and preventing connection exhaustion. Without a defined limit, a surge in connection requests could overwhelm the database, leading to performance degradation or denial of service. The optimal value depends on the instance size and workload.

sqladmin.googleapis.com/Instance

Checks if the 'cloudsql.enable_pgaudit' flag is enabled (set to 'on') for Cloud SQL for PostgreSQL instances. This flag enables the pgaudit extension, which provides detailed session and object audit logging capabilities. pgaudit allows you to track specific database activities, such as SELECT, INSERT, UPDATE, and DELETE operations, and to configure granular auditing rules based on users, roles, and objects. This is crucial for security auditing, compliance, and forensic analysis.

sqladmin.googleapis.com/Instance

Detects Cloud SQL instances that are configured to allow connections from any IP address (0.0.0.0/0) in their authorized networks. Exposing a database instance to the public internet is a **critical security risk** and should be avoided unless absolutely necessary and with extreme caution. Public accessibility dramatically increases the attack surface, making the instance vulnerable to unauthorized access, brute-force attacks, and data breaches. Access should be restricted to specific, known IP addresses or ranges.

sqladmin.googleapis.com/Instance

Enforces the use of SSL/TLS connections for all clients connecting to this Cloud SQL instance. Requiring SSL/TLS encrypts data in transit, protecting against eavesdropping and man-in-the-middle attacks. This is a critical security best practice for any database handling sensitive information. Without SSL/TLS, data is transmitted in plain text.

sqladmin.googleapis.com/Instance

Checks if a root password is set for Cloud SQL instances. For security best practices, a strong, unique root password should be set for all Cloud SQL instances. This rule directly checks the `rootPassword` field within the instance configuration. An empty or missing `rootPassword` field indicates a significant security vulnerability, as it means the instance can be accessed without a password or with a default password.

sqladmin.googleapis.com/Instance

Checks if 'contained database authentication' is enabled on Cloud SQL for SQL Server instances. Contained databases allow authentication at the database level, rather than solely at the instance (server) level. While this can simplify database portability, it also introduces potential security risks if not carefully managed. Users authenticated to a contained database may bypass instance-level security controls. It's generally recommended to *disable* contained database authentication unless specifically required and with a thorough understanding of the security implications.

sqladmin.googleapis.com/Instance

Ensures that 'cross db ownership chaining' is disabled (set to 'off') on Cloud SQL for SQL Server instances. Disabling this setting is a crucial security best practice. When enabled, it can allow users in one database to potentially gain unintended access to objects in other databases if ownership chains are not carefully managed. This can lead to privilege escalation vulnerabilities.

sqladmin.googleapis.com/Instance

Checks if the 'external scripts enabled' flag is enabled on Cloud SQL for SQL Server instances. This flag controls the ability to execute external scripts (e.g., R, Python) within the SQL Server environment. While this feature can be useful for advanced analytics and machine learning, enabling it introduces potential security risks if not carefully managed. External scripts can potentially access system resources or execute malicious code. It's generally recommended to *disable* this feature unless specifically required and with appropriate security precautions in place.

sqladmin.googleapis.com/Instance

Ensures that the 'remote access' database flag is disabled (set to 'off') on Cloud SQL for SQL Server instances. Disabling this flag prevents SQL Server clients on remote machines from connecting to this instance using the Dedicated Administrator Connection (DAC). While the DAC is a powerful troubleshooting tool, restricting its use to local connections only significantly reduces the attack surface. Misconfigured or compromised remote access can lead to unauthorized database control.

sqladmin.googleapis.com/Instance

Checks if trace flag 3625 is enabled on Cloud SQL for SQL Server instances. Trace flag 3625 limits the amount of information returned to non-sysadmin users in error messages, potentially masking sensitive details about the database structure or configuration. While useful in some security contexts, this trace flag is often *disabled* in development and testing environments to provide more detailed error information for troubleshooting. This rule flags instances where trace flag 3625 is *enabled*. It's important to understand the implications of this flag and whether it aligns with your security and operational needs.

sqladmin.googleapis.com/Instance

Checks if the 'user connections' database flag is set to '0' (unlimited) on Cloud SQL for SQL Server instances. Setting 'user connections' to '0' allows an unlimited number of simultaneous user connections, which can lead to resource exhaustion, performance degradation, and potential denial-of-service. It's a best practice to configure a specific, reasonable limit for user connections based on the instance size and expected workload to prevent resource contention and maintain database stability. This rule flags instances where the connections are *unlimited*.

sqladmin.googleapis.com/Instance

Checks if the 'user options' database flag is configured on Cloud SQL for SQL Server instances. The 'user options' flag specifies server-wide default settings for query processing behavior for all users. It's generally recommended to *avoid* setting global user options and instead allow individual users or applications to configure their own session-level settings as needed. Relying on global user options can lead to unexpected behavior or compatibility issues if different applications require different settings. This rule flags instances where 'user options' is set (i.e., not its default, unconfigured state, typically represented by 0 or an empty string).

sqladmin.googleapis.com/Instance

Checks if a Cloud SQL instance is configured for high availability (HA). This rule focuses on zonal instances (non-regional) and verifies whether a failover replica is available. For zonal instances, having a failover replica is *critical* for resilience. If `failoverReplicaAvailable` is `false` for a zonal instance, it means that the instance is a single point of failure and is vulnerable to outages within that zone. A zonal instance *without* a failover replica does not meet the requirements for high availability. This is considered a *high* severity issue because it directly impacts the reliability and uptime of the database.

compute.googleapis.com/Network

compute.googleapis.com/Network

Checks if a Compute Engine VPC network has the 'autoCreateSubnetworks' feature enabled. Auto-mode VPC networks automatically create a subnet in each Google Cloud region, which might not align with desired network segmentation or IP address management strategies. While convenient for setup, custom-mode VPCs offer more granular control. This rule identifies networks where `autoCreateSubnetworks` is explicitly set to `true`. It is often recommended to use custom-mode VPC networks for better control and security posture.

compute.googleapis.com/BackendService

Checks if logging is enabled for a Compute Engine Backend Service. Backend service logging records requests processed by the load balancer, providing essential visibility for monitoring traffic, troubleshooting errors, security analysis, and auditing. This rule examines the `logConfig` field within the backend service's configuration. A violation is generated if `logConfig` is missing, or if `logConfig.enable` is missing or if it's set to `false`.

compute.googleapis.com/BackendBucket

Checks if Cloud CDN is enabled for a Compute Engine backend bucket. Cloud CDN caches content closer to users, improving performance and reducing origin server load. This rule examines the `enableCDN` field within the backend bucket's configuration. If `enableCDN` is `false` or missing, it indicates that Cloud CDN is *not* enabled, and a violation is generated.

compute.googleapis.com/BackendBucket

Checks if an Edge Security Policy is associated with a Compute Engine backend bucket. Edge Security Policies (part of Cloud Armor) provide advanced security features, such as DDoS protection and WAF, for globally distributed applications. For backend buckets serving content through an external load balancer, associating an Edge Security Policy is a security best practice. This rule checks for the presence of the `edgeSecurityPolicy` field within the backend bucket's configuration. If `edgeSecurityPolicy` is missing or null, it indicates that no Edge Security Policy is associated, and a violation is generated.

compute.googleapis.com/BackendService

Checks if Cloud CDN is enabled for a Compute Engine backend service. Cloud CDN caches content closer to users, improving performance and reducing origin server load. This rule examines the `enableCDN` field within the backend service's configuration. If `enableCDN` is `false` or missing, it indicates that Cloud CDN is *not* enabled, and a violation is generated.

compute.googleapis.com/BackendService

Checks if an *external* Compute Engine backend service has a security policy configured. For external load balancers, it's crucial to have a Security Policy to protect against threats. This rule checks the following

compute.googleapis.com/BackendService

Checks if a Compute Engine Backend Service has Identity-Aware Proxy (IAP) enabled while using the unencrypted HTTP protocol. Enabling IAP adds authentication and authorization, but if the connection between the load balancer and the backend service uses plain HTTP, the traffic (including potentially sensitive application data or session information) is unencrypted on the internal network. This poses a security risk. This rule checks if `iap.enabled` is true AND `protocol` is 'HTTP'. It is strongly recommended to use HTTPS for backend services when IAP is enabled to ensure end-to-end encryption.

compute.googleapis.com/BackendService

Checks if a Compute Engine Backend Service is configured to use the unencrypted HTTP or TCP protocols. Using plain HTTP or TCP for backend connections can expose application traffic, including potentially sensitive data, on the internal network. It is strongly recommended to use secure protocols like HTTPS, SSL, or HTTP/2, or appropriate proxy protocols (such as TCP_PROXY) to ensure data confidentiality and integrity. This rule flags backend services where the `protocol` field is set to 'HTTP' or 'TCP'.

compute.googleapis.com/BackendService

Checks if an *external* Compute Engine backend service has a security policy configured. For external load balancers, it's crucial to have either an Edge Security Policy (for global external HTTP(S) load balancers) or a Security Policy (for classic external HTTP(S) load balancers, regional external HTTP(S) load balancers, external TCP proxy load balancers, and external SSL proxy load balancers) to protect against threats. This rule checks the following

compute.googleapis.com/Instance

Detects Compute Engine instances that are using the default Compute Engine service account. The default service account is automatically created and has broad permissions (Editor role) by default, which violates the principle of least privilege. It's a security best practice to create and use *custom* service accounts with the minimum necessary permissions for each instance. Using the default service account increases the risk of unauthorized access and privilege escalation if an instance is compromised.

compute.googleapis.com/Disk

Checks if a Compute Engine disk is encrypted using Customer-Supplied Encryption Keys (CSEK). With CSEK, you provide your own encryption key, and Google Cloud uses that key, represented by its SHA256 hash, to protect your data. This rule examines the `diskEncryptionKey` field and, specifically, the `sha256` field *within* it. If `diskEncryptionKey` is missing, or if `sha256` is missing, empty, or null, it signifies that CSEK is *not* in use, triggering a violation.

compute.googleapis.com/Firewall

A firewall rule permitting internet traffic on all protocols significantly broadens the network attack surface, increasing the risk of unauthorized access, potential service disruptions, and costly security incidents.

compute.googleapis.com/Firewall

Checks if logging is enabled for a VPC Firewall rule. Firewall Rules Logging records connections that match the rule, providing valuable insights for security auditing, troubleshooting network connectivity, and understanding traffic patterns. This rule examines the `logConfig` field within the firewall rule's configuration. A violation is generated if `logConfig` is missing, or if `logConfig.enable` is missing or if it's set to `false`.

compute.googleapis.com/FirewallPolicy

This rule identifies overly permissive firewall configurations that allow unrestricted internet ingress on all protocols, helping you reduce your network's attack surface and safeguard against unauthorized access.

compute.googleapis.com/FirewallPolicy

Checks if a Compute Engine Firewall Policy contains any *enabled* rules that do *not* have logging enabled. Firewall logging records connections matching rules, essential for auditing and troubleshooting. This policy iterates through the 'rules' array embedded within the FirewallPolicy resource. A violation is generated if the Firewall Policy contains at least one rule where `disabled` is not true (i.e., the rule is enabled) AND `enableLogging` is not true (i.e., logging is disabled), considering that missing boolean fields often default to false. Rules with the highest priority (typically default rules) are excluded.

compute.googleapis.com/FirewallPolicy

Checks if a Compute Engine Firewall Policy contains any enabled ingress rules allowing traffic from any source IP address (0.0.0.0/0 for IPv4 or

compute.googleapis.com/FirewallPolicy

Identifies firewall rules exposing unusual internet-facing protocols, enabling proactive attack surface reduction to enhance security and prevent costly system compromises.

compute.googleapis.com/FirewallPolicy

Enhances security by identifying firewall rules granting unrestricted public internet access to commonly targeted TCP ports (e.g., 20, 21, 22, 25, 53, 80, 110, 143, 443), enabling proactive attack surface reduction and defense against unauthorized exploitation.

compute.googleapis.com/FirewallPolicy

Identifies firewall policies that expose typically TCP-associated or other sensitive UDP ports to the internet, enabling you to reduce your attack surface and enhance service reliability by preventing potential misconfigurations or exploits.

compute.googleapis.com/Firewall

Detects Compute Engine firewall rules that are publicly exposed. A firewall rule is considered publicly exposed if it allows traffic from any IP address (0.0.0.0/0 for IPv4 or

compute.googleapis.com/Firewall

Reduces your attack surface by identifying active ingress firewall rules that expose uncommon network protocols (not TCP, UDP, or ICMP) to the internet, preventing potential breaches through unmonitored services.

compute.googleapis.com/Firewall

Reduce your system's internet attack surface by identifying and reviewing firewall rules that expose a curated list of potentially vulnerable TCP ports [20,21,22,25,53,80,110,143,443,587,989,990,995,1194] to public access.

compute.googleapis.com/Firewall

This rule enhances your network security by identifying publicly exposed firewall rules allowing unusual UDP ports [20,21,22,25,53,80,110,143,443,587,989,990,995,1194], thereby minimizing your attack surface and preventing potential service exploitation that could impact reliability, performance, or lead to unexpected costs.

compute.googleapis.com/Subnetwork

Checks if Private Google Access (PGA) is disabled for a Compute Engine Subnetwork. PGA allows VM instances in the subnet without external IP addresses to reach Google APIs and services using Google's internal network, enhancing security and potentially reducing egress costs. If PGA is disabled, VMs without external IPs cannot access these services directly. This rule examines the `privateIpGoogleAccess` field within the Subnetwork configuration. A violation is generated if `privateIpGoogleAccess` is missing or set to `false`.

compute.googleapis.com/TargetHttpProxy

This rule identifies HTTP load balancers, which transmit unencrypted data, critically exposing sensitive information, eroding customer trust, and often violating compliance mandates, thereby underscoring the necessity of HTTPS for secure, private, and trustworthy communications.

compute.googleapis.com/Image

Detects Compute Engine images that are older than 90 days and are *not* in a deprecated state. Old, unused images can accumulate, increasing storage costs and potentially posing security risks if they contain outdated software or vulnerabilities. It's a best practice to regularly review and deprecate or delete old images that are no longer needed. This rule flags images older than 90 days that haven't been deprecated, prompting a review of their status and potential removal.

compute.googleapis.com/InterconnectAttachment

Checks if a Cloud Interconnect Attachment (VLAN attachment) is configured to use IPsec encryption. IPsec provides end-to-end encryption for traffic traversing the attachment, adding a layer of security often used with Partner Interconnect or as an alternative/addition to MACsec. This rule examines the `encryption` field within the Interconnect Attachment configuration. A violation is generated if the `encryption` field is missing, or if its `type` is not set to 'IPSEC'.

compute.googleapis.com/Interconnect

Checks if MACsec (Media Access Control Security) is enabled for a Cloud Interconnect (Dedicated Interconnect). MACsec provides Layer 2 encryption and integrity protection for traffic traversing the physical connection, enhancing security. This rule examines the `macsecEnabled` field within the Interconnect configuration. A violation is generated if the `macsecEnabled` field is missing or set to `false`. Enabling MACsec is a best practice for securing sensitive traffic over Dedicated Cloud Interconnect. Note

compute.googleapis.com/Instance

Ensures Compute Engine instances have labels applied for better resource organization, cost allocation, and filtering capabilities.

compute.googleapis.com/Instance

Ensures Compute Engine instances have Resource Manager tags applied via the 'params.resourceManagerTags' field for consistent governance, policy enforcement, and cost analysis.

compute.googleapis.com/Instance

Ensures Compute Engine instances have network tags applied for effective firewall rule targeting and network segmentation.

compute.googleapis.com/Router

Enabling Cloud NAT logging provides critical telemetry for rapid troubleshooting and security analysis, enhancing network reliability and operational visibility.

compute.googleapis.com/Router

Enable comprehensive Cloud NAT logging for both translations and errors to significantly improve troubleshooting capabilities and operational visibility, as error-only logging limits crucial diagnostic insights for network reliability and security analysis.

compute.googleapis.com/Router

Checks if logging is disabled for Cloud NAT configurations on a Compute Engine Router. Cloud NAT logging provides visibility into NAT translations and errors, crucial for monitoring, troubleshooting, and security analysis. This rule iterates through all NAT configurations (`nats` array) associated with a router. If *any* NAT configuration is found where the `logConfig.enable` field is missing or set to `false`, a violation is generated for the router.

compute.googleapis.com/Network

compute.googleapis.com/Network

Checks for the existence of the default Compute Engine network. The 'default' network is automatically created in new projects (unless disabled) and comes with permissive firewall rules (e.g., allow-internal, allow-rdp, allow-ssh from anywhere). While convenient for initial setup, using the default network for production workloads is discouraged due to its flat structure and overly broad default permissions. It's recommended to create custom VPC networks with more restrictive, purpose-built firewall rules. This rule identifies networks named 'default'.

compute.googleapis.com/ResourcePolicy

Detects Compute Engine snapshot schedules (within resource policies) that have both a retention period exceeding 365 days *and* are configured to keep automatic snapshots even after the source disk is deleted ('onSourceDiskDelete' set to 'KEEP_AUTO_SNAPSHOTS'). While long retention periods and keeping snapshots after source disk deletion might be valid in specific scenarios, this combination can lead to significant storage costs and potentially retain data longer than necessary. This rule flags such configurations for review to ensure that they align with data retention policies and cost optimization goals.

compute.googleapis.com/ResourcePolicy

Detects Compute Engine snapshot schedules (within resource policies) that do *not* have application-consistent snapshots enabled (i.e., 'guestFlush' is not set to 'true'). Application-consistent snapshots ensure that the data on the disk is in a consistent state at the time of the snapshot, which is crucial for reliable backups and recovery, especially for applications like databases. Without 'guestFlush', the snapshot might capture data in an inconsistent state, potentially leading to data corruption or unrecoverable backups. This rule flags snapshot schedules lacking application consistency.

compute.googleapis.com/Snapshot

Detects Compute Engine snapshots that are older than 365 days. Old snapshots can consume significant storage space and increase costs. While some snapshots may need to be retained for long periods, it's a best practice to regularly review and delete snapshots that are no longer needed. This rule flags snapshots older than 365 days for review, allowing you to determine if they can be safely deleted or archived.

compute.googleapis.com/TargetSslProxy

Ensures that application traffic is served by modern HTTPS Load Balancers instead of legacy SSL Proxy Load Balancers. When an HTTPS Load Balancer is used, it provides layer 7 traffic management, including features like URL maps, integration with Google-managed certificates, and advanced security controls. This is valuable for enhancing security with features like SSL Policies and Cloud Armor integration, improving traffic management with content-based routing, and simplifying certificate lifecycle management. This is particularly helpful for standard web applications that can benefit from application-aware security and routing rules. However, the SSL Proxy Load Balancer may still be required for specific non-HTTP workloads that use SSL for transport layer encryption.

compute.googleapis.com/Subnetwork

Checks if VPC Flow Logs are enabled for a Compute Engine Subnetwork. VPC Flow Logs record a sample of network flows sent from and received by VM instances in the subnet. This provides crucial visibility for network monitoring, forensics, security analysis, and real-time troubleshooting. This rule examines the `enableFlowLogs` field within the Subnetwork configuration. A violation is generated if `enableFlowLogs` is missing or set to `false`.

compute.googleapis.com/TargetHttpsProxy

Checks if a Compute Engine TargetHttpsProxy resource has an SSL Policy defined. SSL Policies control the set of TLS features (such as TLS versions and cipher suites) that the proxy negotiates with clients. Associating a specific SSL Policy allows for enforcing stricter security standards than the default. This rule examines the `sslPolicy` field within the TargetHttpsProxy configuration. If `sslPolicy` is missing or null/empty, it indicates that no specific SSL Policy is assigned, and a violation is generated. Relying on default SSL settings might not meet specific security or compliance requirements.

compute.googleapis.com/TargetSslProxy

Validates SSL Proxy Load Balancer usage, guiding towards HTTPS Load Balancers for web traffic to enhance security, performance, and operational efficiency.

compute.googleapis.com/Address

Checks for Compute Engine external IP addresses that are reserved but not currently in use by any resource. Reserved but unused public IP addresses incur costs and may indicate orphaned resources or configuration oversights. This rule identifies addresses where the `addressType` is 'EXTERNAL' and the `status` is 'RESERVED'. It is recommended to either assign unused addresses to a resource or release them to avoid unnecessary charges.

compute.googleapis.com/Instance

Checks if Confidential Computing is enabled for Compute Engine VM instances. Confidential Computing uses hardware-based encryption to protect data in use, even from the cloud provider. This provides a higher level of security and privacy for sensitive workloads. This rule flags instances where Confidential Computing is *not* enabled. Enabling Confidential Computing may be a requirement for compliance or to meet specific security needs.

compute.googleapis.com/Instance

Checks if deletion protection is enabled for Compute Engine VM instances. Deletion protection prevents accidental deletion of critical VMs. When enabled, any attempt to delete the instance through the API, CLI, or console will fail unless deletion protection is first explicitly disabled. This provides an important safeguard against human error or malicious actions. This rule flags instances *without* deletion protection enabled.

compute.googleapis.com/Instance

Checks if all disks attached to a Compute Engine VM instance are encrypted using a Customer-Managed Encryption Key (CMEK). Encrypting disks protects data at rest, preventing unauthorized access to the data if the physical storage is compromised. Using CMEKs gives you control over the encryption keys, including key rotation and access management. This rule flags instances where *any* attached disk is *not* encrypted with a CMEK.

compute.googleapis.com/Instance

Checks if IP forwarding is enabled for Compute Engine VM instances. Enabling IP forwarding allows a VM to route traffic between different networks, effectively acting as a router. While this capability is necessary for some use cases (e.g., NAT gateways, VPN servers), it should only be enabled when explicitly required. Enabling IP forwarding on instances that don't need it increases the attack surface and can potentially be exploited to bypass network security controls. This rule flags instances *with* IP forwarding enabled.

compute.googleapis.com/Instance

Checks if OS Login is enabled for Compute Engine VM instances *without* enabling two-factor authentication (2FA). While OS Login itself enhances security by using IAM for access control, requiring 2FA adds a crucial extra layer of protection against compromised credentials. Without 2FA, an attacker who obtains a user's password could gain access to the VM. This rule flags instances where OS Login is enabled, but 2FA is *not* enabled.

compute.googleapis.com/Instance

Checks if OS Login is enabled for Compute Engine VM instances. OS Login provides centralized and granular access control to VMs using IAM roles, rather than relying on individual SSH keys managed at the instance or project level. OS Login improves security, simplifies key management, and enhances auditability. This rule flags instances where OS Login is *not* enabled.

compute.googleapis.com/Instance

Checks if a Compute Engine VM instance allows the use of project-wide SSH keys. Project-wide SSH keys can be added to a project's metadata and automatically grant access to all instances within that project *unless* explicitly blocked or OS Login is enabled. Relying solely on project-wide SSH keys violates the principle of least privilege and increases the risk of unauthorized access if a key is compromised. It's generally recommended to either use OS Login (which provides more granular control) or explicitly block project-wide SSH keys and use instance-specific keys instead. This rule flags instances that *do not* block project-wide SSH keys *and* do *not* have OS Login enabled.

compute.googleapis.com/Instance

Checks if serial port access is enabled for Compute Engine VM instances. The serial port provides a text-based console for interacting with the VM, primarily for debugging and troubleshooting. While useful in specific situations, enabling the serial port increases the attack surface, as it can potentially be used to gain unauthorized access if not properly secured. It is generally recommended to *disable* serial port access unless explicitly needed and with appropriate security measures (e.g., strong authentication, firewall rules). This rule flags instances *with* serial port access enabled.

compute.googleapis.com/Instance

Checks if all Shielded VM features (Integrity Monitoring, vTPM, and Secure Boot) are enabled for Compute Engine VM instances. Shielded VM provides verifiable integrity of your VM instances, helping to protect against advanced threats like rootkits and bootkits. Integrity Monitoring allows you to monitor the boot integrity of your instances. vTPM provides a virtualized Trusted Platform Module. Secure Boot helps ensure that the system only runs authentic software. This rule flags instances where *any* of these features are *not* enabled.

compute.googleapis.com/VpnTunnel

Checks if a Compute Engine VPN Tunnel is configured to use the IKEv1 protocol. IKEv1 (Internet Key Exchange version 1) is an older VPN protocol with known security weaknesses compared to the more modern IKEv2. Using IKEv1 increases the risk of security vulnerabilities. This rule examines the `ikeVersion` field within the VPN Tunnel configuration. A violation is generated if `ikeVersion` is set to 1. It is strongly recommended to use IKEv2 (version 2) for enhanced security and reliability.

dns.googleapis.com/Policy

Checks if logging is enabled for a Cloud DNS Policy. DNS policies define rules for DNS resolution behavior, often used for outbound forwarding or private DNS lookups. Enabling logging records the queries processed by the policy, which is essential for security auditing and troubleshooting DNS resolution issues within your VPC networks. This rule examines the `enableLogging` field within the DNS Policy configuration. A violation is generated if `enableLogging` is missing or if it's `false`.

dns.googleapis.com/ManagedZone

Checks if DNSSEC (Domain Name System Security Extensions) is enabled for a *public* managed zone in Cloud DNS. DNSSEC adds a layer of security by digitally signing DNS records, preventing DNS spoofing and cache poisoning attacks. This rule examines the `dnssecConfig` field within the managed zone's configuration. If `dnssecConfig` is missing, or if its `state` is 'off' or missing, it indicates that DNSSEC is *not* enabled. A violation is generated if DNSSEC is not enabled for public zones. This rule filters to affect *only* managed zones where `visibility` is set to 'public'.

dns.googleapis.com/ManagedZone

Checks if logging is enabled for a *public* Cloud DNS managed zone. Enabling DNS logging records the queries received by the zone's name servers, which is essential for security auditing, troubleshooting, and compliance. This rule examines the `loggingConfig` field within the managed zone's configuration. A violation is generated if the zone's `visibility` is 'public' *and* either `loggingConfig` is missing, or `loggingConfig.enableLogging` is missing or `false`.

file.googleapis.com/Instance

Ensures Filestore instances have labels applied for resource organization, filtering, and potentially aiding in cost allocation analysis.

file.googleapis.com/Instance

Ensures Filestore instances have Resource Manager tags applied for consistent governance, policy enforcement, and cost analysis across cloud resources.

cloudresourcemanager.googleapis.com/Project

Prevents unauthorized access and potential data exfiltration by detecting if a project's IAM policy grants public access (`allUsers` or `allAuthenticatedUsers`), which would expose all contained Compute Engine images.

compute_Instance_RESOURCE_4

Enhances operational stability by verifying that critical, standalone Compute Engine instances have the `deletionProtection` flag enabled to prevent accidental deletion and ensure service continuity.

container.googleapis.com/Cluster

Improves cluster resilience and reduces operational overhead by verifying GKE Standard node pools have auto-repair enabled, ensuring automatic recovery from node failures to maintain application availability.

container.googleapis.com/Cluster

Strengthens cluster security and reduces maintenance overhead by verifying GKE Standard node pools have auto-upgrade enabled, ensuring they receive timely security patches and stability fixes.

container_Cluster_RESOURCE_2

Enhances security by verifying Private Google Access is enabled on the cluster's subnetwork, allowing private GKE nodes to pull images and access Google APIs without requiring public IP addresses.

container.googleapis.com/Cluster

Enhances cluster security and stability by verifying all GKE node pools use Google's Container-Optimized OS (COS), a purpose-built, hardened operating system.

container_Cluster_RESOURCE_IAM_POLICY_1

Mitigates a critical container-to-project privilege escalation risk by ensuring GKE node pools do not use the default service account when it has project-level Admin permissions, preventing a compromised pod from gaining control over all project resources.

container_Cluster_RESOURCE_IAM_POLICY_1

Enforce least privilege on GKE nodes by disallowing default service accounts with editor roles, critically reducing security vulnerabilities to protect workloads and enhance cluster reliability.

container_Cluster_RESOURCE_IAM_POLICY_1

Ensures GKE nodes do not use the default Compute Engine service account with the highly privileged Owner role, enforcing least privilege to significantly reduce security risks and the potential impact of a node compromise.

container_Cluster_RESOURCE_IAM_POLICY_1

Enhance GKE security by ensuring default service accounts do not possess broad 'writer' permissions, significantly reducing the risk of unauthorized cluster modifications and upholding the principle of least privilege.

container_Cluster_RESOURCE_IAM_POLICY_1

Verify GKE node pools use dedicated, minimally-permissioned service accounts instead of the default Compute Engine service account to enhance cluster security posture by strictly adhering to the principle of least privilege.

cloudresourcemanager_Project_RESOURCE_1

cloudresourcemanager.googleapis.com/Folder

This rule identifies groups assigned overly broad basic roles (e.g., Owner, Editor) at the folder level, enabling customers to enforce the principle of least privilege, which significantly reduces security risks from excessive permissions and simplifies access governance.

cloudresourcemanager.googleapis.com/Organization

This rule identifies groups that are assigned the highly permissive basic roles (such as Owner or Editor) at the organization level. It's a critical check to prevent widespread security vulnerabilities and ensures adherence to the principle of least privilege across all your cloud resources.

cloudresourcemanager.googleapis.com/Project

Reduce security risks and prevent unintended project alterations by identifying groups with overly broad basic roles (such as Owner or Editor), thereby enforcing least privilege for enhanced operational stability.

cloudresourcemanager.googleapis.com/Folder

Identifies service accounts granted overly permissive basic roles (such as Owner or Editor) at the folder level, crucial for enforcing the principle of least privilege to bolster security, maintain operational reliability, and control costs.

cloudresourcemanager.googleapis.com/Organization

Ensure service accounts at the organization level do not possess broad basic roles, a critical step to uphold the principle of least privilege, prevent widespread security breaches, and maintain operational reliability.

cloudresourcemanager.googleapis.com/Project

This rule identifies service accounts that are granted overly permissive basic roles (such as Owner or Editor) at the project level. This rule enables proactive enforcement of the principle of least privilege to significantly reduce security risks and limit the potential impact of compromised credentials.

cloudresourcemanager.googleapis.com/Folder

Identifying users with overly permissive basic roles (e.g., Owner, Editor) at the folder level is crucial for enforcing least privilege, which directly enhances your security posture, improves operational stability by preventing unintended changes.

cloudresourcemanager.googleapis.com/Organization

Identifying individual users with broad basic roles at the organization level is critical to mitigate risks of widespread unauthorized access or accidental changes, safeguarding your cloud environment's security, reliability, and cost-efficiency.

cloudresourcemanager.googleapis.com/Project

Flagging direct assignment of broad basic roles to individual users at the project level enhances security and simplifies access management by encouraging adherence to the principle of least privilege via group-based permissions.

cloudbilling.googleapis.com/BillingAccount

This rule enhances financial security by identifying principals with broad billing administrator privileges at the billing account level, and helps you prevent unauthorized spending and ensure robust cost governance.

cloudresourcemanager.googleapis.com/Organization

Strengthen financial governance and security by identifying principals with direct organization-level billing administrator privileges, crucial for preventing unauthorized widespread billing modifications and enforcing the principle of least privilege.

cloudbilling.googleapis.com/BillingAccount

Detecting individual users with direct Billing Account Administrator privileges is crucial for mitigating financial risks and preventing service disruptions by enforcing the principle of least privilege.

cloudresourcemanager.googleapis.com/Organization

Enhance security, reliability, and cost control by restricting broad billing administrator permissions for individual user accounts at the organization level, thereby minimizing risks of unauthorized changes, service disruptions, and financial impact.

cloudbilling.googleapis.com/BillingAccount

Ensures only authorized individuals can view and export billing account cost data, safeguarding sensitive financial information and supporting stringent cost governance.

cloudresourcemanager.googleapis.com/Organization

Identifies principals with organization-level billing cost manager roles, helping you enforce the principle of least privilege to safeguard sensitive, comprehensive billing data and maintain appropriate cost visibility controls.

cloudbilling.googleapis.com/BillingAccount

Ensure robust cost governance by restricting the 'Billing Costs Manager' role for individual users at the billing account level, preventing potential budget misconfigurations and maintaining clear accountability for financial operations.

cloudresourcemanager.googleapis.com/Organization

Enhances financial security and cost control by identifying individual user accounts with organization-wide billing cost management permissions, thereby promoting least privilege and reducing risk.

cloudresourcemanager.googleapis.com/Organization

Detects domains assigned the 'Billing Account Creator' role at the organization level, a crucial check to prevent unauthorized billing account proliferation and maintain robust financial oversight.

cloudresourcemanager.googleapis.com/Organization

This rule identifies principals with organization-level billing creator privileges, crucial for preventing uncontrolled cloud spending and ensuring stringent financial governance over new billing account creation.

cloudresourcemanager.googleapis.com/Organization

This rule identifies users with organization-level billing creation rights to prevent uncontrolled cloud spending and enforce critical financial governance.

cloudbilling.googleapis.com/BillingAccount

Preventing the assignment of the 'Billing Account User' role to the overly broad `principal

cloudresourcemanager.googleapis.com/Organization

Ensures least privilege by identifying principals with the 'Billing Account User' role at the organization level, crucial for safeguarding sensitive financial data and strengthening cost governance.

cloudbilling.googleapis.com/BillingAccount

Identifies individual user accounts directly assigned billing user roles, promoting group-based permissions for enhanced security, simplified administration, and robust cost control.

cloudresourcemanager.googleapis.com/Organization

This rule enhances security by identifying `roles/billing.user` assignments at the organization level, which prevents overly broad access to sensitive financial data and enforces the principle of least privilege.

cloudbilling.googleapis.com/BillingAccount

This rule enhances security by identifying principals with direct billing account viewer roles, ensuring adherence to least privilege to prevent unintended broad access to sensitive billing information.

cloudresourcemanager.googleapis.com/Organization

Secure sensitive financial data and enforce least privilege by identifying principals with organization-level billing viewer access, thereby minimizing risks of unauthorized information exposure.

cloudbilling.googleapis.com/BillingAccount

Pinpoints users directly assigned billing viewer roles at the billing account level, enabling enforcement of least privilege to safeguard sensitive financial data and prevent unauthorized cost exposure.

cloudresourcemanager.googleapis.com/Organization

This rule enhances financial data security by identifying individual users with organization-wide Billing Viewer access, crucial for enforcing least privilege and minimizing sensitive cost exposure.

cloudresourcemanager.googleapis.com/Folder

Detects if groups possess project creator roles at the folder level, enabling proactive governance to prevent resource sprawl, enforce security baselines, and control costs.

cloudresourcemanager.googleapis.com/Organization

This rule identifies groups with organization-wide project creation capabilities, helping you prevent uncontrolled project sprawl and associated costs while strengthening security and governance over resource provisioning.

cloudresourcemanager.googleapis.com/Organization

Identifying highly privileged Organization Administrator assignments enables you to secure your entire cloud environment by strictly controlling ultimate access, thereby preventing widespread security vulnerabilities and operational disruptions.

cloudresourcemanager.googleapis.com/Folder

This rule flags groups holding Owner permissions on folders, a critical check to prevent widespread security vulnerabilities and accidental operational disruptions by enforcing tighter access control.

cloudresourcemanager.googleapis.com/Organization

Identifies groups with organization-level 'owner' permissions, crucial for preventing catastrophic security breaches and operational failures stemming from indirect, hard-to-audit privilege escalations through group membership changes.

cloudresourcemanager.googleapis.com/Project

This rule identifies Google Groups assigned the powerful 'owner' role at the project level, which is crucial for mitigating security vulnerabilities from excessive permissions, preventing operational disruptions, and controlling unintended cloud expenditures.

cloudresourcemanager.googleapis.com/Folder

This rule critically enhances security by identifying service accounts with highly permissive 'Owner' roles at the folder level, essential for mitigating risks from excessive privileges and enforcing the principle of least privilege for robust resource control.

cloudresourcemanager.googleapis.com/Organization

Safeguard your organization against critical security threats by detecting service accounts with excessive owner privileges at the organization level, preventing widespread unauthorized control and manipulation of all cloud resources.

cloudresourcemanager.googleapis.com/Project

This rule identifies service accounts with project-level owner roles, a critical security risk. This rule help enforce the principle of least privilege, which is crucial for enhancing security, ensuring operational reliability, and preventing uncontrolled cloud spend.

cloudresourcemanager.googleapis.com/Folder

This check identifies user-assigned Owner roles at the folder level, enabling proactive mitigation of security risks from excessive permissions and prevention of unintended, potentially costly or disruptive, resource modifications.

cloudresourcemanager.googleapis.com/Organization

Detects users assigned the organization-level 'owner' role, a critical check to prevent broad, unintended changes that could compromise security, disrupt service reliability, impair performance, and lead to uncontrolled costs.

cloudresourcemanager.googleapis.com/Project

Prevents unintended costs by identifying users assigned the 'owner' role, thereby mitigating risks from excessive privileges.

cloudresourcemanager.googleapis.com/Folder

Strengthen security by preventing broad, group-based impersonation of service accounts at the folder level, thus reducing the risk of privilege escalation and unauthorized resource access.

cloudresourcemanager.googleapis.com/Organization

This rule identifies groups that are assigned organization-level Service Account User or Token Creator roles, and helps you mitigate critical security risks such as privilege escalation and broad resource compromise by enforcing least privilege principles.

cloudresourcemanager.googleapis.com/Project

Enhances project security by identifying groups with Service Account User or Token Creator roles, enabling proactive risk mitigation from overly broad impersonation capabilities and simplifying access audit trails.

cloudresourcemanager.googleapis.com/Folder

Check to detect service account user and token creator on principals at folder level

cloudresourcemanager.googleapis.com/Organization

This rule identifies principals with organization-level service account user or token creator roles, enabling proactive enforcement of least privilege to prevent widespread system compromise and significantly reduce security risk.

cloudresourcemanager.googleapis.com/Project

This rule detects principals with project-level Service Account User or Token Creator roles, which grant sweeping and high-risk impersonation capabilities over *any* service account. This role detection helps you enforce the principle of least privilege and drastically reduce the security risks.

cloudresourcemanager.googleapis.com/Folder

Identifies `principalSet` assignments with Service Account User or Token Creator roles at the folder level, preventing excessive service account impersonation privileges to enhance security and enforce least privilege.

cloudresourcemanager.googleapis.com/Organization

Reduces organizational risk by identifying `principalSet`s with overly broad service account impersonation or token creation privileges at the organization level, preventing potential widespread security breaches and unauthorized resource access.

cloudresourcemanager.googleapis.com/Project

Restricting service account user/token creator roles for broad principalSets (such as groups or domains) at the project level mitigates widespread privilege escalation risks and unauthorized impersonation, enhancing overall project security posture.

cloudresourcemanager.googleapis.com/Folder

Check to detect service account user and token creator on users at folder level

cloudresourcemanager.googleapis.com/Organization

Check to detect service account user and token creator on users at organization level

cloudresourcemanager.googleapis.com/Project

This rule identifies users with extensive project-level service account impersonation or token creation privileges, and helps preemptively neutralize major security vulnerabilities, such as privilege escalation via compromised accounts, thereby protecting vital assets and curtailing potential financial losses from breaches.

cloudresourcemanager.googleapis.com/Folder

Strengthen data protection and helps you enforce the principle of least privilege by identifying and rectifying overly broad folder-level permissions that grant widespread access to secrets, minimizing the risk of unauthorized exposure.

cloudresourcemanager.googleapis.com/Organization

This rule identifies organization-level IAM roles granting broad secret access (such as Owner, Secret Manager Admin/Accessor), crucial for enforcing the principle of least privilege and minimizing the risk of widespread sensitive data exposure.

cloudresourcemanager.googleapis.com/Project

This rule identifies project-level IAM bindings granting overly permissive roles (such as 'roles/owner', 'roles/secretmanager.admin', or 'roles/secretmanager.secretAccessor') with broad access to all secrets. This rule helps you enforce the principle of least privilege, thereby safeguarding sensitive data and reducing the risk of costly security incidents.

iam.googleapis.com/ServiceAccountKey

Enforcing a 90-day rotation for user-managed service account keys significantly reduces the risk of prolonged unauthorized access from compromised credentials, safeguarding your critical services and preventing costly security incidents.

iam.googleapis.com/ServiceAccountKey

Identifying active user-managed service account keys older than 90 days enables proactive rotation, significantly reducing the attack surface and minimizing risks of unauthorized access or credential compromise.

iam.googleapis.com/ServiceAccountKey

User-managed service account keys lack automatic rotation, increasing security vulnerabilities and operational burden; migrating to Google-managed keys enhances security and simplifies key management.

iam.googleapis.com/ServiceAccountKey

Define expiration dates for user-managed service account keys to limit their active lifespan, which is crucial for minimizing security risks and protecting your resources from unauthorized access if a key is compromised.

cloudresourcemanager.googleapis.com/Folder

This rule enhances security by detecting principals on a folder who can both use and fully manage service accounts, a critical over-permissioning that, if compromised, dramatically increases the risk of widespread unauthorized access and resource manipulation.

cloudresourcemanager.googleapis.com/Organization

This rule identifies principals possessing both Service Account User and Admin roles at the organization level, a critical check to prevent significant privilege escalation and enforce least privilege, thereby safeguarding your resources and maintaining operational reliability.

cloudresourcemanager.googleapis.com/Project

Identifies principals with redundant Service Account User and Admin roles on a project to help you enforce the principle of least privilege, simplifying IAM and bolstering security.

iam.googleapis.com/ServiceAccount

This rule identifies principals holding both Service Account User and Admin roles at the organization level, a critical check for enforcing least privilege to reduce the attack surface and minimize risks from excessive permissions.

iam_ServiceAccount_RESOURCE_1

This rule identifies service accounts employing user-managed keys, which necessitate manual rotation and pose a heightened security risk. This rule helps you strengthen the security posture by transitioning to Google-managed keys or implementing rigorous key lifecycle controls.

cloudresourcemanager.googleapis.com/Folder

This rule identifies users with direct project creation privileges at the folder level, critical for preventing uncontrolled resource sprawl to safeguard budgets, enforce security policies, and maintain operational stability.

cloudresourcemanager.googleapis.com/Organization

Validating that project creation rights are not granted to users directly at the organization level helps enforce least privilege, preventing uncontrolled resource sprawl to improve cost management, security, and overall governance.

cloudresourcemanager_Project_RESOURCE_2

Enable automated container scanning to proactively detect vulnerabilities, thereby bolstering application security, enhancing operational reliability, maintaining performance integrity, and mitigating costly breach risks.

cloudresourcemanager_Project_RESOURCE_2

Enable container on-demand scanning to proactively detect vulnerabilities in your container images, thereby safeguarding your applications, ensuring operational reliability, and preventing costly security incidents.

cloudkms.googleapis.com/CryptoKey

Checks if a Cloud KMS CryptoKey's protection level is set to HSM. The `protectionLevel` determines where cryptographic operations are performed. `HSM` means they occur within a Hardware Security Module. HSM provides a higher level of security. This rule checks the `versionTemplate.protectionLevel` field. A violation is generated if the `protectionLevel` is `HSM`. While `SOFTWARE` protection level is acceptable for some use cases, `HSM` is generally recommended for higher security requirements.

cloudkms.googleapis.com/CryptoKey

Checks if a Cloud KMS CryptoKey's protection level is set to SOFTWARE. The `protectionLevel` determines where cryptographic operations are performed. `SOFTWARE` means operations occur in software, while `HSM` means they occur within a Hardware Security Module. HSM provides a higher level of security. This rule checks the `versionTemplate.protectionLevel` field. A violation is generated if the `protectionLevel` is `SOFTWARE`. While `SOFTWARE` protection level is acceptable for some use cases, `HSM` is generally recommended for higher security requirements.

cloudkms.googleapis.com/CryptoKey

Checks if a Cloud KMS CryptoKey with the `GOOGLE_SYMMETRIC_ENCRYPTION` algorithm and an 'ENABLED' state has key rotation configured. Regular key rotation is a critical security best practice. This rule verifies the following

cloudresourcemanager.googleapis.com/Folder

Detects publicly exposed KMS keys within a folder for preventing unauthorized access and decryption of sensitive data, thereby safeguarding your critical information assets and mitigating breach risks.

cloudresourcemanager.googleapis.com/Organization

Ensure your organization's KMS encryption keys are not publicly exposed through IAM policies, safeguarding sensitive data from unauthorized access and preventing costly data breaches.

cloudresourcemanager.googleapis.com/Project

Safeguard critical data and maintain compliance by preventing public KMS key exposure, which restricts cryptographic operations to authorized identities only and mitigates risks of unauthorized access and data breaches.

cloudkms.googleapis.com/CryptoKey

This rule identifies publicly exposed KMS keys, preventing unauthorized data decryption to safeguard sensitive information, ensure data integrity, and avert costly breaches.

cloudkms.googleapis.com/KeyRing

Prevent unauthorized access to sensitive encrypted data by ensuring KMS key ring IAM policies do not grant public permissions, thereby safeguarding data confidentiality and integrity.

cloudkms.googleapis.com/CryptoKey

Checks if Google Cloud Key Management Service (KMS) keys have automatic key rotation enabled and if the rotation period is within an acceptable limit (not greater than 365 days). Regular key rotation is a critical security best practice to limit the potential impact of a compromised key. If a key is compromised, rotation limits the time an attacker can use it. This rule flags KMS keys that either *do not have rotation enabled* or have a *rotation period exceeding 365 days*. Shorter rotation periods are generally preferred for enhanced security.

cloudkms_CryptoKey_RESOURCE_IAM_POLICY_1

Restricting the highly permissive 'Owner' role on KMS projects safeguards cryptographic keys from accidental or malicious actions, enhancing data security and operational stability.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'appengine.disableCodeDownload' organization policy is configured on the project or its parents to prevent unauthorized code downloads and protect against potential security risks.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.disableGuestAttributesAccess' organization policy is enforced on the project or any parent, preventing potential unauthorized access to guest attributes.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.disableInternetNetworkEndpointGroup organization policy is enforced on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.disableNestedVirtualization is configured on the project or any parent, preventing unauthorized use of nested virtualization.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.disableSerialPortLogging' organization policy is enforced on the project or any parent, preventing potential security risks from unauthorized serial port access.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.disableSerialPortAccess' organization policy is enforced on the project or its parents, preventing unauthorized access to serial ports.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.requireOsLogin' organization policy is enforced to ensure OS Login is enabled on the project or its parents, preventing unauthorized access to virtual machines.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.requireShieldedVm is enforced on the project or its parents, ensuring that only shielded VMs are created, thus enhancing security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.restrictDedicatedInterconnectUsage' organization policy is enforced on the project or any parent, preventing potential risks associated with unrestricted dedicated interconnect usage.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.restrictLoadBalancerCreationForTypes organization policy is enforced to prevent the creation of insecure load balancers on the project or its parents.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictProtocolForwardingCreationForTypes is configured on the project or any parent, to prevent potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictSharedVpcHostProjects is configured on the project or any parent, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the compute.restrictSharedVpcSubnetworks organization policy is enforced on the project or its parents, ensuring only approved subnets are used, thereby enhancing network security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictVpcPeering is enforced on the project or its parents, preventing potential unauthorized VPC peering.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictVpnPeerIPs is configured on the project or any parent, preventing unauthorized VPN peer IP access.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.restrictXpnProjectLienRemoval' organization policy is enforced on the project or its parents, preventing unauthorized removal of project liens.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.skipDefaultNetworkCreation' organization policy is enforced on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy `compute.storageResourceUseRestrictions` is enforced to ensure that storage resource use restrictions are configured on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.trustedImageProjects is configured on the project or any parent, preventing the use of untrusted images.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.vmCanIpForward' organization policy is configured on the project or its parents to allow VMs to forward IP traffic, ensuring proper network functionality.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.vmExternalIpAccess' organization policy is enforced on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the cloudfunctions.allowedVpcConnectorEgressSettings organization policy is enforced on the project or its parents, preventing unauthorized egress settings for Cloud Functions, thereby enhancing security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the cloudfunctions.requireVPCConnector organization policy is enforced to ensure Cloud Functions use VPC connectors, enhancing network security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.disablePrivateServiceConnectCreationForConsumers is configured to prevent unauthorized Private Service Connect creation.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy gcp.detailedAuditLoggingMode is configured on the project or any parent to enable detailed audit logging, aiding in comprehensive security monitoring and compliance.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy gcp.disableCloudLogging is configured on the project or any parent to ensure that Cloud Logging is properly enforced.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'gcp.resourceLocations' organization policy is enforced on the project or any parent, ensuring resources are created in the designated geographic locations, thereby meeting compliance requirements.

cloudresourcemanager_Project_RESOURCE_3

Reduces your attack surface by identifying active ingress firewall rules that expose uncommon network protocols (not TCP, UDP, or ICMP) to the internet, preventing potential breaches through unmonitored services.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy iam.allowServiceAccountCredentialLifetimeExtension is configured on the project or any parent, ensuring that service account credential lifetime extensions are managed to maintain security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'iam.allowedPolicyMemberDomains' organization policy is enforced on the project or its parents, ensuring only approved domains can be added as policy members, enhancing security by preventing unauthorized access.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'iam.automaticIamGrantsForDefaultServiceAccounts' organization policy is enforced on the project or any parent to ensure that the default service accounts are not automatically granted IAM roles, improving security.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'iam.disableServiceAccountCreation' organization policy is enforced to prevent the creation of service accounts, reducing the risk of unauthorized access and potential security breaches.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'iam.disableServiceAccountKeyUpload' organization policy is enforced on the project or any parent, preventing potential security risks associated with unauthorized service account key uploads.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'iam.disableWorkloadIdentityClusterCreation' organization policy is enforced on the project or any parent, preventing the creation of workload identity clusters if the policy is not configured.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'iam.workloadIdentityPoolProviders' organization policy is enforced on the project or any parent, ensuring that workload identity pool providers are correctly configured to prevent unauthorized access.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy compute.restrictNonConfidentialComputing is configured on the project or its parents, preventing the use of non-confidential computing resources that could lead to data exposure.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'compute.restrictPartnerInterconnectUsage' organization policy is enforced on the project or any parent, preventing potential unauthorized usage of Partner Interconnect.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the organization policy serviceuser.services is configured on the project or its parents, preventing potential security vulnerabilities.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'sql.restrictAuthorizedNetworks' organization policy is enforced on the project or its parents, preventing unauthorized access to Cloud SQL instances from unapproved networks.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'sql.restrictPublicIp' organization policy is enforced on the project or its parents, preventing potential security vulnerabilities by restricting public IP access to Cloud SQL instances.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'storage.retentionPolicySeconds' organization policy is enforced on the project or its parents to ensure data is protected from accidental or malicious deletion.

cloudresourcemanager_Project_RESOURCE_3

Verifies that the 'storage.uniformBucketLevelAccess' organization policy is enforced on the project or any parent, ensuring consistent access control for all objects within a bucket and preventing potential data breaches.

osconfig.googleapis.com/VulnerabilityReport

Detects OS Config vulnerability reports that contain vulnerabilities with a 'CRITICAL' severity level. Vulnerability reports provide information about vulnerabilities found on Compute Engine VM instances. Critical vulnerabilities represent the highest level of risk and should be addressed immediately to prevent potential exploitation. This rule flags any vulnerability report containing at least one critical vulnerability.

cloudresourcemanager.googleapis.com/Project

Identifies projects created directly under an organization, which bypasses folder-level policy inheritance essential for consistent governance, security posture, and cost management.

pubsub.googleapis.com/Subscription

Checks if a Pub/Sub subscription has a dead-letter topic configured. A dead-letter topic (DLT) is essential for handling message delivery failures. When a message cannot be delivered to a subscriber after multiple attempts, it can be sent to a DLT, preventing message loss and allowing for analysis of delivery issues. This rule examines the `deadLetterPolicy` field within the subscription's configuration. If `deadLetterPolicy` is *missing* or if it exists but does not have a `deadLetterTopic` field, the rule generates a violation. Using a DLT is a best practice for reliable message processing.

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances have Redis AUTH enabled. Redis AUTH requires clients to authenticate with a password before accessing the database. This is a fundamental security measure to prevent unauthorized access. This rule flags instances where 'authEnabled' is 'false'.

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances have an authorized network configured. Restricting access to a specific VPC network limits the potential attack surface. While this rule doesn't validate the *specific* network, it checks that *some* network restriction is in place. A more robust check would compare against a list of allowed networks (using parameters).

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances have a maintenance window configured. A defined maintenance window allows you to control when potentially disruptive maintenance operations occur. Without a defined window, updates can happen at any time, which could impact application availability. This rule flags instances that *do not* have a 'maintenancePolicy' defined.

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances are using the 'BASIC' tier. The 'BASIC' tier provides a single Redis node and does not offer replication or automatic failover. This makes it unsuitable for production workloads that require high availability. This rule flags any instance using the 'BASIC' tier. Upgrading to 'STANDARD_HA' is strongly recommended for production environments.

redis.googleapis.com/Instance

Checks if Memorystore for Redis instances using the 'STANDARD_HA' tier have at least one replica. While 'STANDARD_HA' provides high availability features, a replica count of zero eliminates the redundancy benefits. This rule flags 'STANDARD_HA' instances with zero replicas. Increasing the replica count to at least 1 (and ideally 2 or more, up to 5) is recommended for true high availability.

compute.googleapis.com/Project

Checks if a Google Cloud project is configured as a Shared VPC Host Project. Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, hosted in a designated 'Host Project'. This allows for centralized network administration. This rule identifies host projects by checking the `xpnProjectStatus` field within the project's Compute Engine metadata. A status of 'HOST' indicates it's a Shared VPC Host Project. This policy is informational, identifying projects with this specific configuration.

cloudresourcemanager.googleapis.com/Organization

Activating Security Command Center (SCC) at the organization level provides essential, centralized visibility into security findings and compliance status, enabling proactive risk mitigation to safeguard your Google Cloud resources.

secretmanager.googleapis.com/SecretVersion

Checks if a Secret Manager secret is both enabled and older than 90 days since its creation time. Regularly rotating secrets is a security best practice to minimize the impact of potential compromise. This rule examines two fields - 1. `state`- Checks if the secret is in the 'ENABLED' state. 2. `createTime`- Checks if the secret's creation time is more than 90 days in the past. A violation is generated if *both* conditions are true

compute.googleapis.com/SslPolicy

Checks if a Compute Engine SSL Policy meets recommended security standards by having its profile set to 'MODERN' and its minimum TLS version set to 'TLS_1_2'. The 'MODERN' profile includes strong cipher suites and disables older, less secure TLS versions. Setting the minimum TLS version to 'TLS_1_2' further enhances security by disallowing TLS 1.0 and 1.1. This rule examines the `profile` and `minTlsVersion` fields. A violation is generated if the `profile` is not 'MODERN' OR the `minTlsVersion` is not 'TLS_1_2'.

storage.googleapis.com/Bucket

Identifies Cloud Storage buckets that have lifecycle rules defined, but where those rules are missing a specified 'action'. A lifecycle rule without an action is ineffective and serves no purpose. Lifecycle rules are designed to manage object lifecycle through actions like deletion or storage class transitions. An empty action indicates a configuration error that should be corrected. This could be a sign of an incomplete setup or a typo in the configuration.

storage.googleapis.com/Bucket

Checks if a Google Cloud Storage bucket is located outside of the European Union (EU) geographical boundaries. For organizations subject to GDPR or similar data residency regulations, storing data in compliant locations is critical. This rule identifies buckets where the `location` field does not correspond to an EU multi-region ('EU') or a specific EU region (typically starting with 'EUROPE-'). Buckets found outside the EU region might require review for compliance.

storage.googleapis.com/Bucket

Checks if a Cloud Storage bucket is encrypted using a Customer-Managed Encryption Key (CMEK). Using CMEKs provides *greater control* over your data encryption keys compared to Google-managed encryption. With CMEKs, you manage the key lifecycle, including rotation, access control, and auditing, within Cloud KMS. This is often a requirement for regulatory compliance or enhanced security postures where you need direct control over your encryption keys. If a bucket is *not* using a CMEK, it's using Google-managed encryption by default.

storage.googleapis.com/Bucket

Checks if object versioning is enabled for the Cloud Storage bucket. Object versioning preserves previous versions of an object when it's overwritten or deleted, providing a crucial safeguard against accidental data loss or corruption. With versioning enabled, you can restore earlier versions of objects if needed. Disabling versioning means that overwrites and deletions are permanent.

storage.googleapis.com/Bucket

Checks if a Google Cloud Storage bucket has a retention policy configured and if that policy is locked. A retention policy specifies a minimum duration that objects in the bucket must be retained. Locking the retention policy makes it *permanent* and *immutable*, preventing accidental or malicious deletion or modification of the policy. This rule checks for two conditions

storage.googleapis.com/Bucket

Checks if Uniform Bucket-Level Access (UBLA) is enabled for the Cloud Storage bucket. Enabling UBLA provides a simplified and consistent way to manage permissions using IAM roles at the bucket level, rather than managing individual object ACLs. This is generally recommended for improved security and manageability. With UBLA, you *only* use IAM to control access, making permissions easier to audit and understand. Disabling UBLA means you are relying on a combination of IAM and object ACLs, which can become complex and difficult to manage.