| Control | Sub-controls | | | |
|---|---|---|---|---|
| 💼 1 Identity and Access Management | 15 | | | |
| 💼 1.1 Ensure that corporate login credentials are used | | 1 | 1 | |
| 💼 1.2 Ensure that multi-factor authentication is enabled for all non-service accounts | | | | |
| 💼 1.3 Ensure that Security Key Enforcement is enabled for all admin accounts | | | | |
| 💼 1.4 Ensure that there are only GCP-managed service account keys for each service account | | | | |
| 💼 1.5 Ensure that Service Account has no Admin privileges | | | | |
| 💼 1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | | | | |
| 💼 1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less | | | | |
| 💼 1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users | | | | |
| 💼 1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | | | | |
| 💼 1.10 Ensure KMS encryption keys are rotated within a period of 90 days | | | | |
| 💼 1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users | | | | |
| 💼 1.12 Ensure API keys are not created for a project | | | | |
| 💼 1.13 Ensure API keys are restricted to use by only specified Hosts and Apps | | | | |
| 💼 1.14 Ensure API keys are restricted to only APIs that application needs access | | | | |
| 💼 1.15 Ensure API keys are rotated every 90 days | | | | |
| 💼 2 Logging and Monitoring | 11 | | | |
| 💼 2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | | | | |
| 💼 2.2 Ensure that sinks are configured for all log entries | | | | |
| 💼 2.3 Ensure that retention policies on log buckets are configured using Bucket Lock | | | | |
| 💼 2.4 Ensure log metric filter and alerts exist for project ownership assignments/changes | | | | |
| 💼 2.5 Ensure that the log metric filter and alerts exist for Audit Configuration changes | | | | |
| 💼 2.6 Ensure that the log metric filter and alerts exist for Custom Role changes | | | | |
| 💼 2.7 Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes | | | | |
| 💼 2.8 Ensure that the log metric filter and alerts exist for VPC network route changes | | | | |
| 💼 2.9 Ensure that the log metric filter and alerts exist for VPC network changes | | | | |
| 💼 2.10 Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes | | | | |
| 💼 2.11 Ensure that the log metric filter and alerts exist for SQL instance configuration changes | | | | |
| 💼 3 Networking | 9 | | | |
| 💼 3.1 Ensure that the default network does not exist in a project | | | | |
| 💼 3.2 Ensure legacy networks do not exist for a project | | | | |
| 💼 3.3 Ensure that DNSSEC is enabled for Cloud DNS | | | | |
| 💼 3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC | | | | |
| 💼 3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC | | | | |
| 💼 3.6 Ensure that SSH access is restricted from the internet | | | | |
| 💼 3.7 Ensure that RDP access is restricted from the Internet | | | | |
| 💼 3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | | | | |
| 💼 3.9 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | | | | |
| 💼 4 Virtual Machines | 10 | | | |
| 💼 4.1 Ensure that instances are not configured to use the default service account | | | | |
| 💼 4.2 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | | | | |
| 💼 4.3 Ensure 'Block Project-wide SSH keys' is enabled for VM instances | | | | |
| 💼 4.4 Ensure oslogin is enabled for a Project | | | | |
| 💼 4.5 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | | | | |
| 💼 4.6 Ensure that IP forwarding is not enabled on Instances | | | | |
| 💼 4.7 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) | | | | |
| 💼 4.8 Ensure Compute instances are launched with Shielded VM enabled | | | | |
| 💼 4.9 Ensure that Compute instances do not have public IP addresses | | | | |
| 💼 4.10 Ensure that App Engine applications enforce HTTPS connections | | | | |
| 💼 5 Storage | 2 | | | |
| 💼 5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible | | | | |
| 💼 5.2 Ensure that Cloud Storage buckets have uniform bucket-level access enabled | | | | |
| 💼 6 Cloud SQL Database Services | 7 | | | |
| 💼 6.1 MySQL Database | 2 | | | |
| 💼 6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | | | | |
| 💼 6.1.2 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off' | | | | |
| 💼 6.2 PostgreSQL Database | 7 | | | |
| 💼 6.2.1 Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on' | | | | |
| 💼 6.2.2 Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on' | | | | |
| 💼 6.2.3 Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on' | | | | |
| 💼 6.2.4 Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on' | | | | |
| 💼 6.2.5 Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately | | | | |
| 💼 6.2.6 Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on) | | | | |
| 💼 6.2.7 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled) | | | | |
| 💼 6.3 SQL Server | 2 | | | |
| 💼 6.3.1 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' | | | | |
| 💼 6.3.2 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' | | | | |
| 💼 6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL | | | | |
| 💼 6.5 Ensure that Cloud SQL database instances are not open to the world | | | | |
| 💼 6.6 Ensure that Cloud SQL database instances do not have public IPs | | | | |
| 💼 6.7 Ensure that Cloud SQL database instances are configured with automated backups | | | | |
| 💼 7 BigQuery | 1 | | | |
| 💼 7.1 Ensure that BigQuery datasets are not anonymously or publicly accessible | | | | |