| 1.1 Ensure that Corporate Login Credentials are Used | ACCESS CONTROL |
| 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | IDENTIFICATION AND AUTHENTICATION |
| 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account | IDENTIFICATION AND AUTHENTICATION |
| 1.5 Ensure That Service Account Has No Admin Privileges | ACCESS CONTROL |
| 1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | ACCESS CONTROL, MEDIA PROTECTION |
| 1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | IDENTIFICATION AND AUTHENTICATION |
| 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | ACCESS CONTROL, MEDIA PROTECTION |
| 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.16 Ensure Essential Contacts is Configured for Organization | INCIDENT RESPONSE |
| 1.17 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Ensure That Cloud Audit Logging Is Configured Properly | AUDIT AND ACCOUNTABILITY |
| 2.2 Ensure That Sinks Are Configured for All Log Entries | AUDIT AND ACCOUNTABILITY |
| 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes | AUDIT AND ACCOUNTABILITY |
| 2.5 Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes | AUDIT AND ACCOUNTABILITY |
| 2.6 Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes | AUDIT AND ACCOUNTABILITY |
| 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | AUDIT AND ACCOUNTABILITY |
| 2.13 Ensure Cloud Asset Inventory Is Enabled | CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT |
| 3.2 Ensure Legacy Networks Do Not Exist for Older Projects | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.3 Ensure That DNSSEC Is Enabled for Cloud DNS | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1 Ensure That Instances Are Not Configured To Use the Default Service Account | IDENTIFICATION AND AUTHENTICATION |
| 4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4 Ensure Oslogin Is Enabled for a Project | ACCESS CONTROL |
| 4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance | CONFIGURATION MANAGEMENT |
| 4.6 Ensure That IP Forwarding Is Not Enabled on Instances | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges | IDENTIFICATION AND AUTHENTICATION |
| 6.1.2 Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.3 Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' | CONFIGURATION MANAGEMENT |
| 6.2.2 Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | AUDIT AND ACCOUNTABILITY |
| 6.2.3 Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | AUDIT AND ACCOUNTABILITY |
| 6.2.5 Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' | AUDIT AND ACCOUNTABILITY |
| 6.2.6 Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter | AUDIT AND ACCOUNTABILITY |
| 6.2.7 Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) | AUDIT AND ACCOUNTABILITY |
| 6.2.8 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging | AUDIT AND ACCOUNTABILITY |
| 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' | ACCESS CONTROL, MEDIA PROTECTION |
| 6.3.3 Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' | CONFIGURATION MANAGEMENT |
| 6.3.6 Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is not set to 'on' | ACCESS CONTROL, MEDIA PROTECTION |
| 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses | ACCESS CONTROL, MEDIA PROTECTION |
| 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | CONTINGENCY PLANNING |
| 7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible | ACCESS CONTROL, MEDIA PROTECTION |
