| 1.1 Ensure that Corporate Login Credentials are Used | ACCESS CONTROL |
| 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | IDENTIFICATION AND AUTHENTICATION |
| 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account | IDENTIFICATION AND AUTHENTICATION |
| 1.5 Ensure That Service Account Has No Admin Privileges | ACCESS CONTROL |
| 1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | ACCESS CONTROL, MEDIA PROTECTION |
| 1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | IDENTIFICATION AND AUTHENTICATION |
| 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | ACCESS CONTROL, MEDIA PROTECTION |
| 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | ACCESS CONTROL |
| 1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs Access | ACCESS CONTROL |
| 1.15 Ensure API Keys Are Rotated Every 90 Days | ACCESS CONTROL |
| 1.16 Ensure Essential Contacts is Configured for Organization | INCIDENT RESPONSE |
| 1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project - allServices | AUDIT AND ACCOUNTABILITY |
| 2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project - exemptedMembers | AUDIT AND ACCOUNTABILITY |
| 2.2 Ensure That Sinks Are Configured for All Log Entries | AUDIT AND ACCOUNTABILITY |
| 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - alert | AUDIT AND ACCOUNTABILITY |
| 2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - metric | AUDIT AND ACCOUNTABILITY |
| 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - dns policies | AUDIT AND ACCOUNTABILITY |
| 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - vpc networks | AUDIT AND ACCOUNTABILITY |
| 2.13 Ensure Cloud Asset Inventory Is Enabled | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 2.14 Ensure 'Access Transparency' is 'Enabled' | AUDIT AND ACCOUNTABILITY |
| 3.2 Ensure Legacy Networks Do Not Exist for Older Projects | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.3 Ensure That DNSSEC Is Enabled for Cloud DNS | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1 Ensure That Instances Are Not Configured To Use the Default Service Account | IDENTIFICATION AND AUTHENTICATION |
| 4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4 Ensure Oslogin Is Enabled for a Project - instances | ACCESS CONTROL |
| 4.4 Ensure Oslogin Is Enabled for a Project - project | ACCESS CONTROL |
| 4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance | CONFIGURATION MANAGEMENT |
| 4.6 Ensure That IP Forwarding Is Not Enabled on Instances | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | ACCESS CONTROL, MEDIA PROTECTION |
