| 1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts | IDENTIFICATION AND AUTHENTICATION |
| 1.8 Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | ACCESS CONTROL, MEDIA PROTECTION |
| 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | ACCESS CONTROL, MEDIA PROTECTION |
| 1.12 Ensure API Keys Only Exist for Active Services | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs Access | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 1.15 Ensure API Keys Are Rotated Every 90 Days | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | ACCESS CONTROL, MEDIA PROTECTION |
| 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | AUDIT AND ACCOUNTABILITY |
| 2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes | AUDIT AND ACCOUNTABILITY |
| 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | AUDIT AND ACCOUNTABILITY |
| 2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes | AUDIT AND ACCOUNTABILITY |
| 2.14 Ensure 'Access Transparency' is 'Enabled' | AUDIT AND ACCOUNTABILITY |
| 2.15 Ensure 'Access Approval' is 'Enabled' | ACCESS CONTROL, MEDIA PROTECTION |
| 2.16 Ensure Logging is enabled for HTTP(S) Load Balancer | AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure That the Default Network Does Not Exist in a Project | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.6 Ensure That SSH Access Is Restricted From the Internet | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.7 Ensure That RDP Access Is Restricted From the Internet | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' | ACCESS CONTROL |
| 4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled | CONFIGURATION MANAGEMENT |
| 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses | ACCESS CONTROL, MEDIA PROTECTION |
| 4.10 Ensure That App Engine Applications Enforce HTTPS Connections | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11 Ensure That Compute Instances Have Confidential Computing Enabled | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | SYSTEM AND SERVICES ACQUISITION |
| 5.2 Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | AUDIT AND ACCOUNTABILITY |
| 6.2.4 Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | AUDIT AND ACCOUNTABILITY |
| 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs | ACCESS CONTROL, MEDIA PROTECTION |
| 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure all data in BigQuery has been classified | AUDIT AND ACCOUNTABILITY, RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 8.1 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
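Rows 3.6 and 3.7 above are the ones most often audited by script rather than by console inspection. The following is an added example (not text or code from the CIS Benchmark or from Google) that applies the CIS audit criterion for those two rows to firewall-rule records shaped like the output of `gcloud compute firewall-rules list --format=json`: an enabled INGRESS allow rule whose source range is `0.0.0.0/0` (or `::/0`) and which permits `tcp:22` (3.6) or `tcp:3389` (3.7). The sample rules are constructed for illustration; the `35.235.240.0/20` range in one of them is assumed here to be the IAP TCP-forwarding source range referenced by row 3.10.

```python
"""Audit GCP VPC firewall rules for internet-exposed SSH (CIS 3.6) and RDP (CIS 3.7).

Added example; not part of the CIS Benchmark text. Operates on dicts shaped like the
records `gcloud compute firewall-rules list --format=json` returns. SAMPLE_RULES
below are constructed, not captured from a real project.
"""
import ipaddress
from typing import Dict, Iterable, List

# Source ranges CIS treats as "the Internet".
INTERNET_RANGES = {"0.0.0.0/0", "::/0"}
# CIS recommendation -> (protocol, port) that must not be reachable from the Internet.
CHECKS = {"3.6": ("tcp", 22), "3.7": ("tcp", 3389)}


def _port_matches(spec: str, port: int) -> bool:
    """A gcloud port spec is a single port "22" or an inclusive range "20-25"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_allows(rule: dict, proto: str, port: int) -> bool:
    """True if an enabled INGRESS allow rule permits proto:port.

    An 'allowed' entry with IPProtocol 'all', or with no 'ports' list, matches every port.
    """
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for entry in rule.get("allowed", []):
        ip_proto = entry.get("IPProtocol", "").lower()
        if ip_proto not in ("all", proto):
            continue
        ports = entry.get("ports")
        if not ports or any(_port_matches(p, port) for p in ports):
            return True
    return False


def is_internet_source(rule: dict) -> bool:
    """CIS flags a rule only when a source range is the whole address space (/0).

    Rules keyed on sourceTags or sourceServiceAccounts have no sourceRanges and are skipped.
    """
    ranges = rule.get("sourceRanges", [])
    return any(ipaddress.ip_network(r).prefixlen == 0 for r in ranges)


def find_exposed(rules: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each CIS recommendation to the names of rules that violate it."""
    findings: Dict[str, List[str]] = {cis: [] for cis in CHECKS}
    for rule in rules:
        if not is_internet_source(rule):
            continue
        for cis, (proto, port) in CHECKS.items():
            if rule_allows(rule, proto, port):
                findings[cis].append(rule["name"])
    return findings


# Constructed sample input in gcloud's JSON shape (assumption: field names as in the
# Compute Engine firewall resource; values are made up for this example).
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},              # violates 3.6
    {"name": "bastion-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},              # IAP range, compliant
    {"name": "mgmt-range", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3380-3390"]}]},       # range covers 3389
    {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},  # disabled, skipped
    {"name": "egress-any", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},                               # egress, out of scope
]

if __name__ == "__main__":
    for cis, names in find_exposed(SAMPLE_RULES).items():
        print(f"CIS {cis}: {', '.join(names) or 'no findings'}")
```

Two caveats a practitioner will want: the `/0` test is exactly what the CIS audit step checks, so a rule open to a large but non-`/0` public block passes this script and still deserves review; and port ranges (`3380-3390`) are expanded rather than string-matched, which is where naive `grep 3389` audits miss findings.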