GCP Misconfigurations
IAM Audit
Checks performed
- Users Should Use Work Email For Access
- KMS Admin Roles Should Not Have CryptoKey Role
- User Managed Service Account Should Not Have Admin Privileges
- Service Account Keys Should Be Rotated
- Keys Should Be Managed By Google
- Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time
- Service Account User Should Not Have Service Account Token Creator Role
- KMS Cryptokeys Should Not Be Public
- KMS Encryption Keys Should Be Rotated
- Cryptographic Keys Should Be Rotated
- Ensure API Keys Are Not Created For A Project
- Ensure API Keys Are Restricted To Specific Hosts And Apps
- Ensure API Keys Are Restricted To Necessary APIs
- Ensure API Keys Are Rotated Periodically
- Ensure Essential Contacts Configured For Organization
- Ensure Dataproc Clusters Encrypted Using CMEK
- Define Allowed External IPs for VM Instances
- Disable Automatic IAM Role Grants for Default Service Accounts
- Disable Guest Attributes of Compute Engine Metadata
- Disable Serial Port Access Support at Organization Level
- Disable Service Account Key Upload
- Disable User-Managed Key Creation for Service Accounts
- Disable Workload Identity at Cluster Creation
- Enforce Detailed Audit Logging Mode
- Enforce Uniform Bucket-Level Access at Organization Level
- Prevent Service Account Creation for Google Cloud Organizations
- Require OS Login
- Restrict Allowed Google Cloud APIs and Services
- Restrict Authorized Networks on Cloud SQL instances
- Restrict Default Google-Managed Encryption for Cloud SQL Instances
- Restrict Load Balancer Creation Based on Load Balancer Types
- Restrict Public IP Access for Cloud SQL Instances at Organization Level
- Restrict Shared VPC Subnetworks
- Restrict VPC Peering Usage
- Restrict VPN Peer IPs
- Restrict Virtual Machine IP Forwarding
- Restrict the Creation of Cloud Resources to Specific Locations
- Restricting the Use of Images
- Skip Default VPC Network Creation