---
title: Google Cloud
url: /docs/reference/pre-built-policy-packs/nist/google-cloud/
---
This page lists all 140 policies in the **NIST SP 800-53** pack for **Google Cloud**.

| Policy Name | Description | Framework Reference | Framework Specification |
| ----- | ----- | ----- | ----- |
| firewall-restrict-rdp-ingress | Ensures VPC firewall rules do not allow RDP (port 3389) from broad sources | AC-17 Remote Access | The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. |
| firewall-restrict-ssh-ingress | Ensures VPC firewall rules do not allow SSH (port 22) from broad sources | AC-17 Remote Access | The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. |
| compute-engine-instance-service-account-attached | Ensure Compute Engine instances have service accounts attached | AC-2 Account Management | The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. |
| iam-user-no-direct-policies-check | Prevent IAM users from having direct policy attachments for better access management. | AC-2 Account Management | The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. |
| service-account-restricted-names | Restrict default service account creation with prohibited names | AC-2 Account Management | The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. |
| ai-platform-notebook-no-direct-internet-access | Ensure AI Platform notebook has no direct internet access | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| bigquery-dataset-public-access-check | Ensure BigQuery datasets are not publicly accessible | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| bucket-dlp-access | Require Cloud Storage buckets to have appropriate access for data classification services like Cloud DLP | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| bucket-public-access-prevention | Ensures Cloud Storage buckets have public access prevention enforced | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| bucket-public-read-prohibited | Ensure Cloud Storage bucket public read is prohibited | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| bucket-uniform-bucket-level-access | Ensures Cloud Storage buckets enable uniform bucket-level access | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| cloudfunctions-iam-no-public | Require Cloud Functions IAM bindings to not grant public access | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| cloud-sql-instance-not-publicly-accessible | Restrict public access for Cloud SQL instances | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| cloud-storage-bucket-iam-policy-grantee-check | Ensure Cloud Storage bucket IAM policy grantee check | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| cloud-storage-bucket-public-write-prohibited | Ensure Cloud Storage bucket public write is prohibited | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| database-migration-service-not-publicly-accessible | Prevent public accessibility of Database Migration Service instances | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| dataproc-cluster-master-nodes-no-public-ip | Restrict public access for Dataproc clusters by ensuring master nodes use internal IP addresses only | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| persistent-disk-snapshot-not-publicly-restorable | Restrict public access to Persistent Disk snapshots | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| subnet-auto-assign-external-ip-disabled | Ensure subnet auto-assign external IP is disabled | AC-3 Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources. |
| compute-engine-instance-not-publicly-accessible | Ensure Compute Engine instances are not publicly accessible | AC-3 Access Enforcement; SC-7 Boundary Protection | The information system enforces approved authorizations for logical access to information and system resources.; The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| gke-nodes-private | Ensures GKE clusters enable private nodes | AC-3 Access Enforcement; SC-7 Boundary Protection | The information system enforces approved authorizations for logical access to information and system resources.; The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| managed-instance-group-launch-template-public-ip-disabled | Ensure Managed Instance Group launch templates have public IP addresses disabled | AC-3 Access Enforcement; SC-7 Boundary Protection | The information system enforces approved authorizations for logical access to information and system resources.; The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| vpc-external-ip-associated | Ensure VPC external IP addresses are associated | AC-3 Access Enforcement; SC-7 Boundary Protection | The information system enforces approved authorizations for logical access to information and system resources.; The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| bucket-iam-least-privilege | Enforce least privilege access for Cloud Storage bucket IAM policies | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| iam-no-broad-roles | Prohibit overly broad IAM roles on projects, organizations, folders, and service accounts | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| iam-no-custom-role-excessive-permissions | Prevent IAM custom roles with excessive permissions for enhanced data access control. | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| iam-policy-no-statements-with-admin-access | Prevent IAM policy bindings with administrative access permissions for secure configuration. | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| iam-policy-no-wildcard-permissions | Prevent IAM custom roles with wildcard permissions to enforce least privilege access control. | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| kms-key-iam | Require proper access controls for Cloud KMS key IAM policies | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| pubsub-subscription-iam-least-privilege | Enforce least privilege IAM policies for Pub/Sub subscriptions | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| pubsub-topic-iam-least-privilege | Enforce least privilege IAM policies for Pub/Sub topics | AC-6 Least Privilege | The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. |
| cloud-logging-retention-period-365 | Ensure Cloud Logging log retention is 365 days or more | AU-11 Audit Record Retention | The organization retains audit records for a defined time period consistent with records retention policy. |
| pubsub-message-retention | Require Pub/Sub subscriptions to have appropriate message retention policies | AU-11 Audit Record Retention | The organization retains audit records for a defined time period consistent with records retention policy. |
| audit-logs-sink-enabled | Enable Cloud Audit Logs Cloud Logging integration for monitoring | AU-12 Audit Generation | The information system provides audit record generation capability for the auditable events defined in AU-2 at organization-defined information system components. |
| cloud-audit-logs-multi-region-trail-enabled | Ensure Cloud Audit Logs multi-region trail is enabled | AU-12 Audit Generation | The information system provides audit record generation capability for the auditable events defined in AU-2 at organization-defined information system components. |
| api-gateway-logging-configuration | Ensure API Gateway has proper logging configuration with service accounts and audit logs | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| bigquery-audit-logging-enabled | Enable BigQuery audit logging for monitoring | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| bigtable-change-streams | Require Bigtable tables to have change streams enabled for change tracking | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| bucket-access-logging | Ensures Cloud Storage buckets have access logging enabled with logBucket and logObjectPrefix configured | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| cloud-armor-logging | Ensure Cloud Armor security policies are attached to backend services with logging enabled | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| cloud-audit-logs-data-access-events-enabled | Enable Cloud Audit Logs data access events for monitoring | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| cloud-build-logging | Require Cloud Build triggers to have secure logging configurations | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| cloud-cdn-logging-enabled | Ensure Cloud CDN has logging enabled for audit and monitoring | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| cloudfunctions-logging | Require Cloud Functions to have logging configuration enabled | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| cloud-sql-logging-enabled | Enable Cloud SQL logging for monitoring | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| elasticsearch-logs-to-cloud-logging | Ensure instances have proper Cloud Logging configuration | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| load-balancer-logging-enabled | Enable Load Balancer logging for monitoring | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| vpc-flow-logs-enabled | Ensure VPC subnets have Flow Logs enabled for audit and monitoring | AU-2 Audit Events | The organization determines that the information system is capable of auditing events and coordinates the security audit function with other organizational entities requiring audit-related information. |
| pubsub-dead-letter-queue | Require Pub/Sub subscriptions to have dead letter queue configuration | AU-5 Response to Audit Processing Failures | The information system alerts designated organizational officials in the event of an audit processing failure and takes additional actions. |
| artifactregistry-immutable-images | Require Artifact Registry repositories to disallow mutable images for security and compliance | AU-9 Protection of Audit Information | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| cloud-audit-logs-integrity-monitoring-enabled | Ensure Cloud Audit Logs integrity monitoring is enabled | AU-9 Protection of Audit Information | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| cloud-logging-encrypted | Ensure Cloud Logging is encrypted | AU-9 Protection of Audit Information | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| load-balancer-health-checks | Require Cloud Load Balancers to enable health checks for monitoring backend instance health | CA-7 Continuous Monitoring | The organization develops a continuous monitoring strategy and implements a continuous monitoring program. |
| managed-instance-group-load-balancer-healthcheck-required | Ensure Managed Instance Groups have Load Balancer health check required | CA-7 Continuous Monitoring | The organization develops a continuous monitoring strategy and implements a continuous monitoring program. |
| security-command-center-enabled | Ensure Security Command Center is enabled | CA-7 Continuous Monitoring | The organization develops a continuous monitoring strategy and implements a continuous monitoring program. |
| cloud-run-service-configuration-check | Ensure Cloud Run service configuration check | CM-2 Baseline Configuration | The organization develops, documents, and maintains a current baseline configuration of the information system. |
| single-environment-stack | Ensure all resources in a stack belong to the same environment | CM-2 Baseline Configuration | The organization develops, documents, and maintains a current baseline configuration of the information system. |
| bigquery-maintenance-settings-check | Ensure BigQuery maintenance settings are configured | CM-3 Configuration Change Control | The organization determines the types of changes to the information system that are configuration-controlled. |
| cloud-build-trigger-source-repo-url-check | Ensure Cloud Build trigger source repository URLs use secure protocols | CM-5 Access Restrictions for Change | The organization defines, documents, approves, and enforces logical access restrictions associated with changes to the information system. |
| cloudfunctions-documentation | Require Cloud Functions to have adequate documentation | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| compute-engine-instance-os-config-managed | Ensure Compute Engine instances are managed with OS Config | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| compute-engine-instance-proper-configuration | Ensure Compute Engine instances have proper configuration for lifecycle management | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| environment-label | Require all labelable resources to have an environment label | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| persistent-disk-unused | Ensure Persistent Disks are not unused | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| project-part-of-organization | Ensure project is part of GCP Organization | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| resource-labeling | Require all GCP resources to have proper labeling for change tracking | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| vpc-firewall-rule-associated-to-network | Ensure VPC firewall rules are associated to networks | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| vpc-firewall-rule-unused | Ensure VPC firewall rules are not unused | CM-8 Information System Component Inventory | The organization develops and documents an inventory of information system components that accurately reflects the current information system. |
| cloud-sql-high-availability | Ensure Cloud SQL instances have regional high availability enabled | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| cloud-sql-instance-deletion-protection-enabled | Ensure Cloud SQL instance deletion protection is enabled | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| compute-engine-optimized-instance | Ensure Compute Engine instances are optimized for backup and maintain isolated recovery data | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| load-balancer-multi-zone | Require Cloud Load Balancers to be configured across multiple zones for high availability | CP-2 Contingency Plan | The organization develops a contingency plan for the information system that identifies essential missions and business functions. |
| bucket-soft-delete-retention | Ensures Cloud Storage buckets have soft delete retention configured for at least 7 days | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| cloud-firestore-in-backup-plan | Perform automated backups for Cloud Firestore databases and maintain isolated recovery data | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| cloudsql-backup | Perform automated backups for Cloud SQL instances | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| cloud-storage-bucket-versioning-enabled | Ensure Cloud Storage bucket versioning is enabled | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| firestore-pitr | Firestore databases must have Point-In-Time Recovery (PITR) enabled for business continuity | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| bucket-multi-region | Require Cloud Storage buckets to have multi-region replication for business continuity | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| persistent-disk-in-backup-plan | Perform automated backups for Persistent Disks and maintain isolated recovery data | CP-9 Information System Backup | The organization conducts backups of user-level information contained in the information system, system-level information, and information system documentation. |
| compute-engine-instance-uses-os-login | Ensure Compute Engine instances enforce OS Login | IA-2 Identification and Authentication (Organizational Users) | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
| dataproc-kerberos-enabled | Ensure Dataproc Kerberos is enabled | IA-2 Identification and Authentication (Organizational Users) | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
| cloud-build-trigger-envvar-gcpcred-check | Ensure Cloud Build trigger environment variables do not contain GCP credentials | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| cloudsql-secure-credentials | Require Cloud SQL instances to use secure master credentials management | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| hardcoded-secrets | Prohibit hardcoded secrets in code and configuration | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| service-account-key | Ensure proper service account key usage and prohibit insecure authentication methods | IA-5 Authenticator Management | The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. |
| bucket-lifecycle | Require Cloud Storage buckets to have lifecycle management policies configured | MP-6 Media Sanitization | The organization sanitizes information system media, both paper and digital, prior to disposal, release out of organizational control, or release for reuse. |
| cloud-security-scanner-enabled | Ensure Cloud Security Scanner is enabled for vulnerability management | RA-5 Vulnerability Monitoring and Scanning | The organization monitors and scans for vulnerabilities in the information system and hosted applications and remediates legitimate vulnerabilities. |
| compute-osconfig-vulnerability | Require OS Config agent for vulnerability management on compute instances | RA-5 Vulnerability Monitoring and Scanning | The organization monitors and scans for vulnerabilities in the information system and hosted applications and remediates legitimate vulnerabilities. |
| certificate-manager-certificate-lifecycle-management | Ensure proper certificate lifecycle management to prevent expiration | SC-12 Cryptographic Key Establishment and Management | The organization establishes and manages cryptographic keys for required cryptography employed within the information system. |
| kms-key-configuration | Require proper Cloud KMS key creation and configuration | SC-12 Cryptographic Key Establishment and Management | The organization establishes and manages cryptographic keys for required cryptography employed within the information system. |
| kms-key-lifecycle | Require proper Cloud KMS key deletion and lifecycle management | SC-12 Cryptographic Key Establishment and Management | The organization establishes and manages cryptographic keys for required cryptography employed within the information system. |
| kms-key-rotation | Ensure Cloud KMS key rotation is enabled | SC-12 Cryptographic Key Establishment and Management | The organization establishes and manages cryptographic keys for required cryptography employed within the information system. |
| ai-platform-endpoint-configuration-kms-key-configured | Ensure AI Platform endpoint configuration uses Cloud KMS | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| ai-platform-notebook-instance-kms-key-configured | Ensure AI Platform notebook instance uses Cloud KMS | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| artifactregistry-customer-kms | Require Artifact Registry repositories to use customer-managed Cloud KMS keys for encryption | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| bigquery-dataset-cmek | Ensures BigQuery datasets are encrypted with customer-managed keys (CMEK) | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| bigquery-table-cmek | Ensures BigQuery tables are encrypted with customer-managed keys (CMEK) | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| bucket-cmek | Ensures Cloud Storage buckets use customer-managed KMS keys for encryption | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| cloudfunctions-kms-env-vars | Require Cloud Functions environment variables to be encrypted with Cloud KMS | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| cloud-sql-storage-encrypted | Ensure Cloud SQL storage is encrypted | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| dataflow-kms | Require Dataflow jobs and pipelines to use customer-managed Cloud KMS keys | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| elasticsearch-encrypted-at-rest | Ensure Elasticsearch is encrypted at rest | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| filestore-cmek | Ensure Cloud Filestore is encrypted | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| compute-instance-encrypted-attached-disk | Require Compute Engine instances to have encrypted attached disks | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| compute-instance-encrypted-boot-disk | Require Compute Engine instances to have encrypted boot disks | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| gke-secrets-encryption | Require GKE clusters to have Application-layer Secrets Encryption enabled | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| instance-template-disk-cmek | Require instance template disks to have customer-managed (CMEK) or customer-supplied (CSEK) encryption keys | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| persistent-disk-cmek | Ensures persistent disks have customer-managed (CMEK) or customer-supplied (CSEK) encryption keys | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| pubsub-encrypted-kms | Ensure Pub/Sub is encrypted with Cloud KMS | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| secretmanager-secret-cmek | Require Secret Manager secrets to use customer-managed Cloud KMS keys | SC-28 Protection of Information at Rest | The information system protects the confidentiality and integrity of information at rest. |
| cloud-firestore-autoscaling-enabled | Ensure Cloud Firestore autoscaling is enabled | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| cloud-functions-concurrency-check | Configure Cloud Functions concurrency for monitoring | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| cloudfunctions-execution-time | Limit Cloud Functions execution time to prevent extended access | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| cloud-tasks-retry-configuration | Require Cloud Tasks queues to have proper retry configuration for business continuity | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| lb-connection-draining | Ensures backend services have connection draining configured for graceful shutdown | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| load-balancer-cross-region-load-balancing-enabled | Ensure Load Balancer cross-region load balancing is enabled | SC-5 Denial of Service Protection | The information system protects against or limits the effects of denial of service attacks. |
| cloud-cdn-armor | Require Cloud CDN to have Cloud Armor configuration for DDoS protection | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| cloud-functions-inside-vpc | Ensure Cloud Functions are inside VPC | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| cloudsql-authorized-networks-restricted | Ensures Cloud SQL instances do not allow overly broad authorized networks | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| compute-engine-instance-in-vpc | Ensure Compute Engine instances are deployed in VPC networks | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| elasticsearch-in-vpc-only | Ensure Elasticsearch is in VPC only | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| firewall-no-http-ingress | Require firewall rules to disallow inbound HTTP traffic from unauthorized sources | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| firewall-no-public-ingress | Require firewall rules to disallow public internet ingress unless specifically authorized | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| firewall-strict | Enforce strict firewall rules with explicit allow/deny configuration | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| gke-private-endpoint | Restrict public access for GKE clusters by enabling private endpoint or configuring master authorized networks | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| lb-cloud-armor-attached | Ensures external backend services have Cloud Armor security policy attached | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| no-unrestricted-route-to-internet-gateway | Ensure no unrestricted route to Internet Gateway for monitoring | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| private-service-connect | Require Private Service Connect endpoints to have restrictive security policies | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| securitypolicy-has-custom-rules | Ensures Cloud Armor security policies have custom protection rules | SC-7 Boundary Protection | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| cloud-cdn-origin-tls | Require Cloud CDN to use secure TLS to origin | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| cloudsql-ssl | Require Cloud SQL connections to use SSL/TLS encryption | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| lb-managed-ssl-certificate | Ensure Application Load Balancer uses managed SSL certificates with proper configuration | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| load-balancer-http-to-https-redirection | Ensure Load Balancer HTTP to HTTPS redirection is configured | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| load-balancer-tls-https-listeners-only | Ensure Load Balancer uses TLS/HTTPS listeners only | SC-8 Transmission Confidentiality and Integrity | The information system protects the confidentiality and integrity of transmitted information. |
| app-engine-managed-updates-enabled | Ensure App Engine managed updates are enabled | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| cloudfunctions-runtime-versions | Restrict Cloud Functions to approved runtime versions only | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| compute-engine-os-config-compliance-association-compliant | Ensure OS Config managed instances have compliance association | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| compute-engine-os-config-compliance-patch-compliant | Ensure OS Config managed instances have patch compliance | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| cloudsql-patching | Require Cloud SQL instances to use managed service patching | SI-2 Flaw Remediation | The organization identifies, reports, and corrects information system flaws. |
| compute-engine-instance-detailed-monitoring-enabled | Enable Compute Engine instance detailed monitoring | SI-4 Information System Monitoring | The organization monitors the information system to detect attacks and indicators of potential attacks. |

