Build GCP Expertise

Run our secure GCP scan to receive a report with custom recommendations from our cloud security experts.

Unlock Free GCP Resources

Sign up to download the 20 policies you need for GCP compliance and start your cloud security journey today.

Configuration Management

Learn about configuration standards from industry leaders such as the Center for Internet Security, NIST, SANS, AWS, and Microsoft.

Authenticate and Authorize Users with Client Certificates
Avoid Using Default Service Account When Configuring Instances
Best Practices for Secret Management
Create a Minimal Audit Policy for Logging
Do Not Enable Serial Ports for VM Instance
Do Not Use Project-Wide SSH Keys When Authenticating Instances
Enable DNSSEC to Protect DNS Protocols
Enable HTTPS Connections on App Engine Applications
Enable Shielded VM to Ensure Operating System is Trustworthy
Encrypt BigQuery Datasets with Customer Managed Encryption Key (CMEK)
Ensure BigQuery Datasets Are Not Publicly Accessible
Ensure Cloud Storage Buckets Are Not Publicly Accessible
Ensure Container Network Interfaces Support Network Policies
Ensure GKE Nodes are Configured Properly
Ensure Kubernetes Idle Timeout Parameter is Appropriately Set
Ensure No Weak SSL Cipher Suites Are Permitted
Ensure to Restrict SSH Access from the Internet
GKE Cluster Configuration Security Benchmarks
General Policies for Cluster Management
Harden Cloud SQL Database with Logging
How To Configure Your Cluster Networks
How to Configure Kubelet Within Your Environment
IP Forwarding Should Not Be Enabled for Instances
Image Registry and Scanning Best Practices
Leverage CIS Benchmarks for Cloud Security
Leverage Confidential Computing to Protect Data
Manage Access Securely Using Uniform Bucket-Level Access
Migrate Away from RSASHA1 for DNSSEC Zone-Signing Keys
Migrate Legacy Networks to VPC Networks
Minimize Public IP Address on Compute Instances
Minimize Root and SA Account Access in Cloud SQL
Networking Configurations in Kubernetes Environment
Node MetaData Recommendations in GKE
Pods Security Policies Benchmarks
Protect Against Threats With Extensible Admission Control
Protect Kernel Defaults Through Configuration Settings
Remove Default Networks from All Projects
Restrict API Permissions If Using Default Service Accounts
Restrict RDP Authorized Access from the Internet
Restrict Unnecessary External Access in Cloud SQL
Specify Customer-Managed Encryption Key (CMEK) as Default in BigQuery Datasets
The Importance of Patch Management in Virtual Machines
Use Customer Supplied Encryption Keys (CSEK) for Critical VM Disks
Use Identity Aware Proxy (IAP) to Restrict Access to Network
Use TLS to Encrypt All Connections in Cloud SQL
What is the Google Kubernetes Shared Responsibility Model

Data Security

Learn about practices to safeguard data using encryption, transport layer security, and effective key management during transmission, processing, and storage.

Cloud Security Posture Management
Do Not Use RSASHA1 for DNSSEC Key-Signing Keys
Don't Face Cloud Security Alone
Encrypt Kubernetes Secrets Using Keys
Enforce Separation of Duties When Assigning KMS Related Roles
Ensure KMS Cryptokeys Are Not Publicly Accessible
Rotate KMS Encryption Keys Regularly
Use CMEK To Secure GKE Storage

Logical Access

Learn about identity and access management to protect assets against unauthorized use.

5 Benchmarks of Role-Based Access Control Service Accounts
Assign Appropriate Contacts to Essential Roles
Consistently Manage User Accounts with OS Login
Do Not Use API Keys at the Project Level
Enable Multi-Factor Authentication for Non-Service Accounts
Encrypt Dataproc Cluster Using Customer Managed Encryption Key
Enforce Separation of Duties When Assigning Service Account Roles
Ensure Corporate Login Credentials are Used
Ensure Service Accounts Can't Access Admin Privileges
Exclusively Use GCP-Managed Service Account Keys
GKE Authentication and Authorization Best Practices
Identity and Access Management Benchmarks in GKE
Practice Regular Key Rotation for Service Accounts
Protect Admin Accounts with Security Key Enforcement
Regularly Rotate API Keys
Restrict API Key Use to Specified Hosts and Apps
Restrict API Keys to Applications That Need Access
Securely Store and Access Secrets in Secrets Manager
Use Least Privilege For Users at Project Level Roles

Network Monitoring

Learn about the tools and techniques to monitor the performance and security of your environment.

Enable Access Transparency to Monitor Google Cloud Engineer Access
Enable Alerting for Cloud Storage IAM Permission Changes
Enable Bucket Lock to Protect Sink Destinations from Modification
Enable Cloud Audit Logging Across Your Project
Enable Cloud DNS Logging for VPC Networks
Enable VPC Flow Logs for Every Subnet
Ensure Alerts Exist for Project Ownership Changes
Ensure Alerts are Received for VPC Network Changes
Establish a Log Metric Alert for Configuration Changes in SQL Instances
Generate Log Metric Alerts for Custom Role Changes
Historically View Project Resources in Asset Inventory
Leverage Google Cloud Engineers by Granting Access Approval
Receive Alerts for Audit Configuration Changes
Receive Alerts for VPC Network Firewall Rule Changes
Use Cloud Logging Sinks to Retain Logs
VPC Network Route Changes Should Trigger Alerts