Skip to main content
  1. Docs
  2. Reference
  3. Pre-built Policy Packs
  4. NIST
  5. Google Cloud

NIST SP 800-53 - Google Cloud

    This page lists all 140 policies in the NIST SP 800-53 pack for Google Cloud.

    Policy NameDescriptionFramework ReferenceFramework Specification
    firewall-restrict-rdp-ingressEnsures VPC firewall rules do not allow RDP (port 3389) from broad sourcesAC-17 Remote AccessThe organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.
    firewall-restrict-ssh-ingressEnsures VPC firewall rules do not allow SSH (port 22) from broad sourcesAC-17 Remote AccessThe organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.
    compute-engine-instance-service-account-attachedEnsure Compute Engine instances have service accounts attachedAC-2 Account ManagementThe organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.
    iam-user-no-direct-policies-checkPrevent IAM users from having direct policy attachments for better access management.AC-2 Account ManagementThe organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.
    service-account-restricted-namesRestrict default service account creation with prohibited namesAC-2 Account ManagementThe organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.
    ai-platform-notebook-no-direct-internet-accessEnsure AI Platform notebook has no direct internet accessAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    bigquery-dataset-public-access-checkEnsure BigQuery datasets are not publicly accessibleAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    bucket-dlp-accessRequire Cloud Storage buckets to have appropriate access for data classification services like Cloud DLPAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    bucket-public-access-preventionEnsures Cloud Storage buckets have public access prevention enforcedAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    bucket-public-read-prohibitedEnsure Cloud Storage bucket public read is prohibitedAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    bucket-uniform-bucket-level-accessEnsures Cloud Storage buckets enable uniform bucket-level accessAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    cloudfunctions-iam-no-publicRequire Cloud Functions IAM bindings to not grant public accessAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    cloud-sql-instance-not-publicly-accessibleRestrict public access for Cloud SQL instancesAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    cloud-storage-bucket-iam-policy-grantee-checkEnsure Cloud Storage bucket IAM policy grantee checkAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    cloud-storage-bucket-public-write-prohibitedEnsure Cloud Storage bucket public write is prohibitedAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    database-migration-service-not-publicly-accessiblePrevent public accessibility of Database Migration Service instancesAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    dataproc-cluster-master-nodes-no-public-ipRestrict public access for Dataproc clusters by ensuring master nodes use internal IP addresses onlyAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    persistent-disk-snapshot-not-publicly-restorableRestrict public access to Persistent Disk snapshotsAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    subnet-auto-assign-external-ip-disabledEnsure subnet auto-assign external IP is disabledAC-3 Access EnforcementThe information system enforces approved authorizations for logical access to information and system resources.
    compute-engine-instance-not-publicly-accessibleEnsure Compute Engine instances are not publicly accessibleAC-3 Access Enforcement; SC-7 Boundary ProtectionThe information system enforces approved authorizations for logical access to information and system resources.; The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    gke-nodes-privateEnsures GKE clusters enable private nodesAC-3 Access Enforcement; SC-7 Boundary ProtectionThe information system enforces approved authorizations for logical access to information and system resources.; The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    managed-instance-group-launch-template-public-ip-disabledEnsure Managed Instance Group launch templates have public IP addresses disabledAC-3 Access Enforcement; SC-7 Boundary ProtectionThe information system enforces approved authorizations for logical access to information and system resources.; The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    vpc-external-ip-associatedEnsure VPC external IP addresses are associatedAC-3 Access Enforcement; SC-7 Boundary ProtectionThe information system enforces approved authorizations for logical access to information and system resources.; The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    bucket-iam-least-privilegeEnforce least privilege access for Cloud Storage bucket IAM policiesAC-6 Least PrivilegeThe organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks.
    iam-no-broad-rolesProhibit overly broad IAM roles on projects, organizations, folders, and service accountsAC-6 Least PrivilegeThe organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks.
    iam-no-custom-role-excessive-permissionsPrevent IAM custom roles with excessive permissions for enhanced data access control.AC-6 Least PrivilegeThe organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks.
    iam-policy-no-statements-with-admin-accessPrevent IAM policy bindings with administrative access permissions for secure configuration.AC-6 Least PrivilegeThe organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks.
    iam-policy-no-wildcard-permissionsPrevent IAM custom roles with wildcard permissions to enforce least privilege access control.AC-6 Least PrivilegeThe organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks.
    kms-key-iamRequire proper access controls for Cloud KMS key IAM policiesAC-6 Least PrivilegeThe organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks.
    pubsub-subscription-iam-least-privilegeEnforce least privilege IAM policies for Pub/Sub subscriptionsAC-6 Least PrivilegeThe organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks.
    pubsub-topic-iam-least-privilegeEnforce least privilege IAM policies for Pub/Sub topicsAC-6 Least PrivilegeThe organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks.
    cloud-logging-retention-period-365Ensure Cloud Logging log retention is 365 days or moreAU-11 Audit Record RetentionThe organization retains audit records for a defined time period consistent with records retention policy.
    pubsub-message-retentionRequire Pub/Sub subscriptions to have appropriate message retention policiesAU-11 Audit Record RetentionThe organization retains audit records for a defined time period consistent with records retention policy.
    audit-logs-sink-enabledEnable Cloud Audit Logs Cloud Logging integration for monitoringAU-12 Audit GenerationThe information system provides audit record generation capability for the auditable events defined in AU-2 at organization-defined information system components.
    cloud-audit-logs-multi-region-trail-enabledEnsure Cloud Audit Logs multi-region trail is enabledAU-12 Audit GenerationThe information system provides audit record generation capability for the auditable events defined in AU-2 at organization-defined information system components.
    api-gateway-logging-configurationEnsure API Gateway has proper logging configuration with service accounts and audit logsAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    bigquery-audit-logging-enabledEnable BigQuery audit logging for monitoringAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    bigtable-change-streamsRequire Bigtable tables to have change streams enabled for change trackingAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    bucket-access-loggingEnsures Cloud Storage buckets have access logging enabled with logBucket and logObjectPrefix configuredAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    cloud-armor-loggingEnsure Cloud Armor security policies are attached to backend services with logging enabledAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    cloud-audit-logs-data-access-events-enabledEnable Cloud Audit Logs data access events for monitoringAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    cloud-build-loggingRequire Cloud Build triggers to have secure logging configurationsAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    cloud-cdn-logging-enabledEnsure Cloud CDN has logging enabled for audit and monitoringAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    cloudfunctions-loggingRequire Cloud Functions to have logging configuration enabledAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    cloud-sql-logging-enabledEnable Cloud SQL logging for monitoringAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    elasticsearch-logs-to-cloud-loggingEnsure instances have proper Cloud Logging configurationAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    load-balancer-logging-enabledEnable Load Balancer logging for monitoringAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    vpc-flow-logs-enabledEnsure VPC subnets have Flow Logs enabled for audit and monitoringAU-2 Audit EventsThe organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information.
    pubsub-dead-letter-queueRequire Pub/Sub subscriptions to have dead letter queue configurationAU-5 Response to Audit Processing FailuresThe information system alerts designated organizational officials in the event of an audit processing failure and takes additional actions.
    artifactregistry-immutable-imagesRequire Artifact Registry repositories to disallow mutable images for security and complianceAU-9 Protection of Audit InformationThe information system protects audit information and audit tools from unauthorized access, modification, and deletion.
    cloud-audit-logs-integrity-monitoring-enabledEnsure Cloud Audit Logs integrity monitoring is enabledAU-9 Protection of Audit InformationThe information system protects audit information and audit tools from unauthorized access, modification, and deletion.
    cloud-logging-encryptedEnsure Cloud Logging is encryptedAU-9 Protection of Audit InformationThe information system protects audit information and audit tools from unauthorized access, modification, and deletion.
    load-balancer-health-checksRequire Cloud Load Balancers to enable health checks for monitoring backend instance healthCA-7 Continuous MonitoringThe organization develops a continuous monitoring strategy and implements a continuous monitoring program.
    managed-instance-group-load-balancer-healthcheck-requiredEnsure Managed Instance Groups have Load Balancer health check requiredCA-7 Continuous MonitoringThe organization develops a continuous monitoring strategy and implements a continuous monitoring program.
    security-command-center-enabledEnsure Security Command Center is enabledCA-7 Continuous MonitoringThe organization develops a continuous monitoring strategy and implements a continuous monitoring program.
    cloud-run-service-configuration-checkEnsure Cloud Run service configuration checkCM-2 Baseline ConfigurationThe organization develops, documents, and maintains a current baseline configuration of the information system.
    single-environment-stackEnsure all resources in a stack belong to the same environmentCM-2 Baseline ConfigurationThe organization develops, documents, and maintains a current baseline configuration of the information system.
    bigquery-maintenance-settings-checkEnsure BigQuery maintenance settings are configuredCM-3 Configuration Change ControlThe organization determines the types of changes to the information system that are configuration-controlled.
    cloud-build-trigger-source-repo-url-checkEnsure Cloud Build trigger source repository URLs use secure protocolsCM-5 Access Restrictions for ChangeThe organization defines, documents, approves, and enforces logical access restrictions associated with changes to the information system.
    cloudfunctions-documentationRequire Cloud Functions to have adequate documentationCM-8 Information System Component InventoryThe organization develops and documents an inventory of information system components that accurately reflects the current information system.
    compute-engine-instance-os-config-managedEnsure Compute Engine instances are managed with OS ConfigCM-8 Information System Component InventoryThe organization develops and documents an inventory of information system components that accurately reflects the current information system.
    compute-engine-instance-proper-configurationEnsure Compute Engine instances have proper configuration for lifecycle managementCM-8 Information System Component InventoryThe organization develops and documents an inventory of information system components that accurately reflects the current information system.
    environment-labelRequire all labelable resources to have an environment labelCM-8 Information System Component InventoryThe organization develops and documents an inventory of information system components that accurately reflects the current information system.
    persistent-disk-unusedEnsure Persistent Disks are not unusedCM-8 Information System Component InventoryThe organization develops and documents an inventory of information system components that accurately reflects the current information system.
    project-part-of-organizationEnsure project is part of GCP OrganizationCM-8 Information System Component InventoryThe organization develops and documents an inventory of information system components that accurately reflects the current information system.
    resource-labelingRequire all GCP resources to have proper labeling for change trackingCM-8 Information System Component InventoryThe organization develops and documents an inventory of information system components that accurately reflects the current information system.
    vpc-firewall-rule-associated-to-networkEnsure VPC firewall rules are associated to networksCM-8 Information System Component InventoryThe organization develops and documents an inventory of information system components that accurately reflects the current information system.
    vpc-firewall-rule-unusedEnsure VPC firewall rules are not unusedCM-8 Information System Component InventoryThe organization develops and documents an inventory of information system components that accurately reflects the current information system.
    cloud-sql-high-availabilityEnsure Cloud SQL instances have regional high availability enabledCP-2 Contingency PlanThe organization develops a contingency plan for the information system that identifies essential missions and business functions.
    cloud-sql-instance-deletion-protection-enabledEnsure Cloud SQL instance deletion protection is enabledCP-2 Contingency PlanThe organization develops a contingency plan for the information system that identifies essential missions and business functions.
    compute-engine-optimized-instanceEnsure Compute Engine instances are optimized for backup and maintain isolated recovery dataCP-2 Contingency PlanThe organization develops a contingency plan for the information system that identifies essential missions and business functions.
    load-balancer-multi-zoneRequire Cloud Load Balancers to be configured across multiple zones for high availabilityCP-2 Contingency PlanThe organization develops a contingency plan for the information system that identifies essential missions and business functions.
    bucket-soft-delete-retentionEnsures Cloud Storage buckets have soft delete retention configured for at least 7 daysCP-9 Information System BackupThe organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation.
    cloud-firestore-in-backup-planPerform automated backups for Cloud Firestore databases and maintain isolated recovery dataCP-9 Information System BackupThe organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation.
    cloudsql-backupPerform automated backups for Cloud SQL instancesCP-9 Information System BackupThe organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation.
    cloud-storage-bucket-versioning-enabledEnsure Cloud Storage bucket versioning is enabledCP-9 Information System BackupThe organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation.
    firestore-pitrFirestore databases must have Point-In-Time Recovery (PITR) enabled for business continuityCP-9 Information System BackupThe organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation.
    bucket-multi-regionRequire Cloud Storage buckets to have multi-region replication for business continuityCP-9 Information System BackupThe organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation.
    persistent-disk-in-backup-planPerform automated backups for Persistent Disks and maintain isolated recovery dataCP-9 Information System BackupThe organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation.
    compute-engine-instance-uses-os-loginEnsure Compute Engine instances enforce OS LoginIA-2 Identification and Authentication (Organizational Users)The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
    dataproc-kerberos-enabledEnsure Dataproc Kerberos is enabledIA-2 Identification and Authentication (Organizational Users)The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
    cloud-build-trigger-envvar-gcpcred-checkEnsure Cloud Build trigger environment variables do not contain GCP credentialsIA-5 Authenticator ManagementThe organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.
    cloudsql-secure-credentialsRequire Cloud SQL instances to use secure master credentials managementIA-5 Authenticator ManagementThe organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.
    hardcoded-secretsProhibit hardcoded secrets in code and configurationIA-5 Authenticator ManagementThe organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.
    service-account-keyEnsure proper service account key usage and prohibit insecure authentication methodsIA-5 Authenticator ManagementThe organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.
    bucket-lifecycleRequire Cloud Storage buckets to have lifecycle management policies configuredMP-6 Media SanitizationThe organization sanitizes information system media, both paper and digital, prior to disposal, release out of organizational control, or release for reuse.
    cloud-security-scanner-enabledEnsure Cloud Security Scanner is enabled for vulnerability managementRA-5 Vulnerability Monitoring and ScanningThe organization monitors and scans for vulnerabilities in the information system and hosted applications and remediates legitimate vulnerabilities.
    compute-osconfig-vulnerabilityRequire OS Config agent for vulnerability management on compute instancesRA-5 Vulnerability Monitoring and ScanningThe organization monitors and scans for vulnerabilities in the information system and hosted applications and remediates legitimate vulnerabilities.
    certificate-manager-certificate-lifecycle-managementEnsure proper certificate lifecycle management to prevent expirationSC-12 Cryptographic Key Establishment and ManagementThe organization establishes and manages cryptographic keys for required cryptography employed within the information system.
    kms-key-configurationRequire proper Cloud KMS key creation and configurationSC-12 Cryptographic Key Establishment and ManagementThe organization establishes and manages cryptographic keys for required cryptography employed within the information system.
    kms-key-lifecycleRequire proper Cloud KMS key deletion and lifecycle managementSC-12 Cryptographic Key Establishment and ManagementThe organization establishes and manages cryptographic keys for required cryptography employed within the information system.
    kms-key-rotationEnsure Cloud KMS key rotation is enabledSC-12 Cryptographic Key Establishment and ManagementThe organization establishes and manages cryptographic keys for required cryptography employed within the information system.
    ai-platform-endpoint-configuration-kms-key-configuredEnsure AI Platform endpoint configuration uses Cloud KMSSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    ai-platform-notebook-instance-kms-key-configuredEnsure AI Platform notebook instance uses Cloud KMSSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    artifactregistry-customer-kmsRequire Artifact Registry repositories to use customer-managed Cloud KMS keys for encryptionSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    bigquery-dataset-cmekEnsures BigQuery datasets are encrypted with customer-managed keys (CMEK)SC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    bigquery-table-cmekEnsures BigQuery tables are encrypted with customer-managed keys (CMEK)SC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    bucket-cmekEnsures Cloud Storage buckets use customer-managed KMS keys for encryptionSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    cloudfunctions-kms-env-varsRequire Cloud Functions environment variables to be encrypted with Cloud KMSSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    cloud-sql-storage-encryptedEnsure Cloud SQL storage is encryptedSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    dataflow-kmsRequire Dataflow jobs and pipelines to use customer-managed Cloud KMS keysSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    elasticsearch-encrypted-at-restEnsure Elasticsearch is encrypted at restSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    filestore-cmekEnsure Cloud Filestore is encryptedSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    compute-instance-encrypted-attached-diskRequire Compute Engine instances to have encrypted attached disksSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    compute-instance-encrypted-boot-diskRequire Compute Engine instances to have encrypted boot disksSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    gke-secrets-encryptionRequire GKE clusters to have Application-layer Secrets Encryption enabledSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    instance-template-disk-cmekRequire instance template disks to have customer-managed (CMEK) or customer-supplied (CSEK) encryption keysSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    persistent-disk-cmekEnsures persistent disks have customer-managed (CMEK) or customer-supplied (CSEK) encryption keysSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    pubsub-encrypted-kmsEnsure Pub/Sub is encrypted with Cloud KMSSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    secretmanager-secret-cmekRequire Secret Manager secrets to use customer-managed Cloud KMS keysSC-28 Protection of Information at RestThe information system protects the confidentiality and integrity of information at rest.
    cloud-firestore-autoscaling-enabledEnsure Cloud Firestore autoscaling is enabledSC-5 Denial of Service ProtectionThe information system protects against or limits the effects of denial of service attacks.
    cloud-functions-concurrency-checkConfigure Cloud Functions concurrency for monitoringSC-5 Denial of Service ProtectionThe information system protects against or limits the effects of denial of service attacks.
    cloudfunctions-execution-timeLimit Cloud Functions execution time to prevent extended accessSC-5 Denial of Service ProtectionThe information system protects against or limits the effects of denial of service attacks.
    cloud-tasks-retry-configurationRequire Cloud Tasks queues to have proper retry configuration for business continuitySC-5 Denial of Service ProtectionThe information system protects against or limits the effects of denial of service attacks.
    lb-connection-drainingEnsures backend services have connection draining configured for graceful shutdownSC-5 Denial of Service ProtectionThe information system protects against or limits the effects of denial of service attacks.
    load-balancer-cross-region-load-balancing-enabledEnsure Load Balancer cross-region load balancing is enabledSC-5 Denial of Service ProtectionThe information system protects against or limits the effects of denial of service attacks.
    cloud-cdn-armorRequire Cloud CDN to have Cloud Armor configuration for DDoS protectionSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    cloud-functions-inside-vpcEnsure Cloud Functions are inside VPCSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    cloudsql-authorized-networks-restrictedEnsures Cloud SQL instances do not allow overly broad authorized networksSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    compute-engine-instance-in-vpcEnsure Compute Engine instances are deployed in VPC networksSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    elasticsearch-in-vpc-onlyEnsure Elasticsearch is in VPC onlySC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    firewall-no-http-ingressRequire firewall rules to disallow inbound HTTP traffic from unauthorized sourcesSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    firewall-no-public-ingressRequire firewall rules to disallow public internet ingress unless specifically authorizedSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    firewall-strictEnforce strict firewall rules with explicit allow/deny configurationSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    gke-private-endpointRestrict public access for GKE clusters by enabling private endpoint or configuring master authorized networksSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    lb-cloud-armor-attachedEnsures external backend services have Cloud Armor security policy attachedSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    no-unrestricted-route-to-internet-gatewayEnsure no unrestricted route to Internet Gateway for monitoringSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    private-service-connectRequire Private Service Connect endpoints to have restrictive security policiesSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    securitypolicy-has-custom-rulesEnsures Cloud Armor security policies have custom protection rulesSC-7 Boundary ProtectionThe information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
    cloud-cdn-origin-tlsRequire Cloud CDN to use secure TLS to originSC-8 Transmission Confidentiality and IntegrityThe information system protects the confidentiality and integrity of transmitted information.
    cloudsql-sslRequire Cloud SQL connections to use SSL/TLS encryptionSC-8 Transmission Confidentiality and IntegrityThe information system protects the confidentiality and integrity of transmitted information.
    lb-managed-ssl-certificateEnsure Application Load Balancer uses managed SSL certificates with proper configurationSC-8 Transmission Confidentiality and IntegrityThe information system protects the confidentiality and integrity of transmitted information.
    load-balancer-http-to-https-redirectionEnsure Load Balancer HTTP to HTTPS redirection is configuredSC-8 Transmission Confidentiality and IntegrityThe information system protects the confidentiality and integrity of transmitted information.
    load-balancer-tls-https-listeners-onlyEnsure Load Balancer uses TLS/HTTPS listeners onlySC-8 Transmission Confidentiality and IntegrityThe information system protects the confidentiality and integrity of transmitted information.
    app-engine-managed-updates-enabledEnsure App Engine managed updates are enabledSI-2 Flaw RemediationThe organization identifies, reports, and corrects information system flaws.
    cloudfunctions-runtime-versionsRestrict Cloud Functions to approved runtime versions onlySI-2 Flaw RemediationThe organization identifies, reports, and corrects information system flaws.
    compute-engine-os-config-compliance-association-compliantEnsure OS Config managed instances have compliance associationSI-2 Flaw RemediationThe organization identifies, reports, and corrects information system flaws.
    compute-engine-os-config-compliance-patch-compliantEnsure OS Config managed instances have patch complianceSI-2 Flaw RemediationThe organization identifies, reports, and corrects information system flaws.
    cloudsql-patchingRequire Cloud SQL instances to use managed service patchingSI-2 Flaw RemediationThe organization identifies, reports, and corrects information system flaws.
    compute-engine-instance-detailed-monitoring-enabledEnable Compute Engine instance detailed monitoringSI-4 Information System MonitoringThe organization monitors the information system to detect attacks and indicators of potential attacks.