| 1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts | IDENTIFICATION AND AUTHENTICATION |
| 1.8 Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | ACCESS CONTROL, MEDIA PROTECTION |
| 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | ACCESS CONTROL, MEDIA PROTECTION |
| 1.12 Ensure API Keys Are Not Created for a Project | ACCESS CONTROL |
| 1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | ACCESS CONTROL, MEDIA PROTECTION |
| 2.13 Ensure Cloud Asset Inventory Is Enabled | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 2.15 Ensure 'Access Approval' is 'Enabled' | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1 Ensure That the Default Network Does Not Exist in a Project | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.6 Ensure That SSH Access Is Restricted From the Internet | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.7 Ensure That RDP Access Is Restricted From the Internet | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' | ACCESS CONTROL |
| 4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled | CONFIGURATION MANAGEMENT |
| 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses | ACCESS CONTROL, MEDIA PROTECTION |
| 4.10 Ensure That App Engine Applications Enforce HTTPS Connections | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11 Ensure That Compute Instances Have Confidential Computing Enabled | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | SYSTEM AND SERVICES ACQUISITION |
| 5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | AUDIT AND ACCOUNTABILITY |
| 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs | ACCESS CONTROL, MEDIA PROTECTION |
| 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
