
CIS Google Cloud Platform Benchmark v2.0

Center for Internet Security benchmark for Google Cloud Platform. 130+ controls covering IAM, networking, logging, storage, databases, and compute security.

Severity summary: 6 critical, 9 high, 9 medium

1.1 GCP-IAM-001 (high)

Ensure corporate login credentials are used

Verify that all users use corporate Google Workspace or Cloud Identity accounts, not personal Gmail accounts.

1.2 GCP-IAM-002 (critical)

Ensure MFA is enabled for all users

Multi-factor authentication must be enforced for all Google Cloud users.

1.3 GCP-IAM-003 (high)

Ensure service account keys are rotated within 90 days

Service account keys must be rotated regularly to limit the window of exposure from compromised credentials.

1.4 GCP-IAM-004 (critical)

Ensure no service accounts have admin privileges

Service accounts should not be granted Owner, Editor, or broad admin roles.

1.5 GCP-IAM-005 (medium)

Ensure user-managed service account keys are eliminated

Prefer Workload Identity Federation or attached service accounts over user-managed keys.

1.6 GCP-IAM-006 (high)

Ensure IAM roles do not include cross-project permissions

Service accounts should not have IAM bindings in other projects unless explicitly required.

3.1 GCP-NET-001 (medium)

Ensure default VPC network is deleted

The default VPC network has overly permissive firewall rules and should be deleted.

3.2 GCP-NET-002 (medium)

Ensure VPC Flow Logs are enabled

VPC Flow Logs capture network flow data for monitoring and forensics.

3.6 GCP-FW-001 (critical)

Ensure SSH access is restricted from the internet

Firewall rules should not allow SSH (port 22) access from 0.0.0.0/0.

3.7 GCP-FW-002 (critical)

Ensure RDP access is restricted from the internet

Firewall rules should not allow RDP (port 3389) access from 0.0.0.0/0.

5.1 GCP-STG-001 (critical)

Ensure Cloud Storage buckets are not publicly accessible

Cloud Storage buckets should not grant access to allUsers or allAuthenticatedUsers.

5.2 GCP-STG-002 (medium)

Ensure Cloud Storage buckets have versioning enabled

Object versioning protects against accidental deletion and overwrites.

6.1 GCP-SQL-001 (critical)

Ensure Cloud SQL instances are not publicly accessible

Cloud SQL instances should not have public IP addresses enabled.

6.2 GCP-SQL-002 (high)

Ensure Cloud SQL backups are configured

Automated backups must be enabled for all Cloud SQL instances.

6.3 GCP-SQL-003 (high)

Ensure Cloud SQL requires SSL/TLS connections

All Cloud SQL connections must use SSL/TLS encryption.

4.1 GCP-CMP-001 (high)

Ensure instances do not use default service accounts

Compute Engine instances should use custom service accounts, not the default compute service account.

4.2 GCP-CMP-002 (medium)

Ensure instances do not have public IP addresses

Compute instances should use private IP addresses and access the internet through Cloud NAT.

2.1 GCP-LOG-001 (high)

Ensure Cloud Audit Logging is enabled for all services

Admin Activity and Data Access audit logs must be enabled across all services.

2.2 GCP-LOG-002 (medium)

Ensure log metric filters and alerts exist for critical changes

Create log-based metrics and alerts for project ownership changes, audit config changes, and custom role modifications.

7.1 GCP-KMS-001 (medium)

Ensure KMS encryption keys are rotated within 90 days

Customer-managed encryption keys (CMEK) should be rotated at least every 90 days.

8.1 GCP-RUN-001 (high)

Ensure Cloud Run services restrict ingress

Cloud Run services should not allow all traffic from the internet unless required.

8.2 GCP-RUN-002 (medium)

Ensure Cloud Run services use custom service accounts

Cloud Run services should not use the default compute service account.

9.1 GCP-GKE-001 (medium)

Ensure GKE clusters have Shielded Nodes enabled

Shielded GKE nodes provide verifiable integrity through Secure Boot, vTPM, and Integrity Monitoring.

9.2 GCP-GKE-002 (high)

Ensure GKE clusters have Network Policy enabled

Kubernetes Network Policies control pod-to-pod communication and should be enforced.