1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts | IDENTIFICATION AND AUTHENTICATION |
1.8 Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | ACCESS CONTROL, MEDIA PROTECTION |
1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - Decrypter | ACCESS CONTROL, MEDIA PROTECTION |
1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - Encrypter | ACCESS CONTROL, MEDIA PROTECTION |
1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users - Encrypter/Decrypter | ACCESS CONTROL, MEDIA PROTECTION |
1.12 Ensure API Keys Only Exist for Active Services | PLANNING, SYSTEM AND SERVICES ACQUISITION |
1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | PLANNING, SYSTEM AND SERVICES ACQUISITION |
1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs Access | PLANNING, SYSTEM AND SERVICES ACQUISITION |
1.15 Ensure API Keys Are Rotated Every 90 Days | PLANNING, SYSTEM AND SERVICES ACQUISITION |
1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | ACCESS CONTROL, MEDIA PROTECTION |
2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - alert | AUDIT AND ACCOUNTABILITY |
2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - metric | AUDIT AND ACCOUNTABILITY |
2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - alert | AUDIT AND ACCOUNTABILITY |
2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes - metric | AUDIT AND ACCOUNTABILITY |
2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - alert | AUDIT AND ACCOUNTABILITY |
2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes - metric | AUDIT AND ACCOUNTABILITY |
2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - alert | AUDIT AND ACCOUNTABILITY |
2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes - metric | AUDIT AND ACCOUNTABILITY |
2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - alert | AUDIT AND ACCOUNTABILITY |
2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes - metric | AUDIT AND ACCOUNTABILITY |
2.14 Ensure 'Access Transparency' is 'Enabled' | AUDIT AND ACCOUNTABILITY |
2.15 Ensure 'Access Approval' is 'Enabled' | ACCESS CONTROL, MEDIA PROTECTION |
2.16 Ensure Logging is enabled for HTTP(S) Load Balancer | AUDIT AND ACCOUNTABILITY |
3.1 Ensure That the Default Network Does Not Exist in a Project | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
3.6 Ensure That SSH Access Is Restricted From the Internet | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.7 Ensure That RDP Access Is Restricted From the Internet | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' | ACCESS CONTROL |
4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled | CONFIGURATION MANAGEMENT |
4.9 Ensure That Compute Instances Do Not Have Public IP Addresses | ACCESS CONTROL, MEDIA PROTECTION |
4.10 Ensure That App Engine Applications Enforce HTTPS Connections | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.11 Ensure That Compute Instances Have Confidential Computing Enabled | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | SYSTEM AND SERVICES ACQUISITION |
5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled | ACCESS CONTROL, MEDIA PROTECTION |
6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | AUDIT AND ACCOUNTABILITY |
6.2.4 Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | AUDIT AND ACCOUNTABILITY |
6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs | ACCESS CONTROL, MEDIA PROTECTION |
7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.3 Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |