24 Google Cloud Platform (GCP) security best practices
- Check your IAM policies for personal email accounts 🟨
- Ensure that MFA is enabled for all user accounts 🟥
- Ensure Security Key enforcement for admin accounts 🟥
- Prevent the use of user-managed service account keys 🟨
- Check for anonymously or publicly accessible Cloud KMS keys 🟥
- Ensure that KMS encryption keys are rotated within a period of 90 days or less 🟩
- Ensure that Cloud Storage buckets are not anonymously or publicly accessible 🟥
- Ensure that Cloud Storage buckets have uniform bucket-level access enabled 🟨
- Enable VPC Flow Logs for VPC subnets 🟨
- Ensure "Block Project-wide SSH keys" is enabled for VM instances 🟨
- Ensure "Enable connecting to serial ports" is not enabled for VM instances 🟨
- Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) 🟥
- Enable application-layer secrets encryption for GKE clusters 🟥
- Enable GKE cluster node encryption with customer-managed keys 🟥
- Restrict network access to GKE clusters 🟥
- Ensure that Cloud Audit Logging is configured properly across all services and all users in a project 🟥
- Ensure that sinks are configured for all log entries 🟨
- Ensure that retention policies on log buckets are configured using Bucket Lock 🟨
- Enable Log Router encryption with customer-managed keys 🟥
- Ensure that the Cloud SQL database instance requires all incoming connections to use SSL 🟨
- Ensure that Cloud SQL database instances are not open to the world 🟥
- Ensure that Cloud SQL database instances do not have public IPs 🟨
- Ensure that Cloud SQL database instances are configured with automated backups 🟨
- Ensure that BigQuery datasets are not anonymously or publicly accessible 🟥
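The IAM checks in the list (personal email accounts, and anonymous or public access to KMS keys and Cloud Storage buckets) all come down to reading an IAM policy and looking at its `members`. The script below is an added example, not code from the original post or from Sysdig; it audits the JSON that `gcloud projects get-iam-policy`, `gcloud storage buckets get-iam-policy` and `gcloud kms keys get-iam-policy` print with `--format=json`, which all share the same `bindings` shape. The list of "personal" mail domains and the sample policy are assumptions constructed for the example.

```python
"""Flag personal accounts and public principals in a GCP IAM policy.

Input is the JSON printed by, for example:
  gcloud projects get-iam-policy PROJECT_ID --format=json
  gcloud storage buckets get-iam-policy gs://BUCKET --format=json
  gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json
All three return the same {"bindings": [{"role": ..., "members": [...]}]} shape.
"""
import json
import sys

# Consumer-mail domains treated as personal accounts. Assumption: adjust this
# to whatever your organisation does not manage through Cloud Identity/Workspace.
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com",
                    "hotmail.com", "yahoo.com"}

# allUsers = anyone on the internet; allAuthenticatedUsers = anyone with a
# Google account. Both count as public access.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def _normalise_member(member):
    """Strip the 'deleted:' prefix and '?uid=...' suffix that IAM attaches to
    principals whose account was deleted, so they are still classified."""
    if member.startswith("deleted:"):
        member = member[len("deleted:"):].split("?uid=", 1)[0]
    return member


def _member_domain(member):
    """Domain of a user:/group: principal, or None for other principal kinds."""
    kind, _, identity = member.partition(":")
    if kind in ("user", "group") and "@" in identity:
        return identity.rsplit("@", 1)[1].lower()
    return None


def audit_iam_policy(policy):
    """Return (finding, role, member) tuples in binding order."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for raw in binding.get("members", []):
            member = _normalise_member(raw)
            if member in PUBLIC_PRINCIPALS:
                findings.append(("public-principal", role, raw))
            elif _member_domain(member) in PERSONAL_DOMAINS:
                findings.append(("personal-account", role, raw))
    return findings


# Constructed sample policy; no real project, account or key behind it.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwXyz",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob.personal@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "group:devs@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@my-proj.iam.gserviceaccount.com",
                 "deleted:user:old@gmail.com?uid=1234"]}
  ]
}
""")

if __name__ == "__main__":
    # Pass a saved policy file as argv[1]; otherwise the constructed sample is used.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for finding, role, member in audit_iam_policy(policy):
        print(f"{finding:17} {role:32} {member}")
```

BigQuery datasets are not covered by this script: `bq show --format=prettyjson` reports dataset ACLs as `access` entries with `specialGroup` or `iamMember` fields rather than IAM `bindings`, so they need a separate parser.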
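The three VM items ("Block Project-wide SSH keys", "Enable connecting to serial ports", and CSEK on disks) are metadata and disk properties of each instance, with the complication that both metadata keys can be set project-wide and overridden per instance. The following is an added example, not code from the original post or from Sysdig; it works on the JSON from `gcloud compute project-info describe --format=json` (its `commonMetadata` object) and `gcloud compute instances list --format=json`. The sample data is constructed, and the assumption that a CSEK-protected attached disk reports `diskEncryptionKey.sha256` is marked in the code.

```python
"""Check Compute Engine instances for project-wide SSH key blocking,
serial-port access, and CSEK on attached disks.

Inputs:
  gcloud compute project-info describe --format=json   -> pass its "commonMetadata"
  gcloud compute instances list --format=json          -> pass the list
For block-project-ssh-keys and serial-port-enable the instance value wins if
present, otherwise the project value applies; both default to off.
"""


def _metadata_map(metadata):
    """{"items": [{"key": k, "value": v}, ...]} -> {k: v}."""
    return {item["key"]: item.get("value", "")
            for item in (metadata or {}).get("items", [])}


def _is_true(value):
    # Compute Engine accepts TRUE/true/1 for these boolean metadata keys.
    return str(value).strip().lower() in ("true", "1")


def effective_value(project_md, instance_md, key):
    """Instance-level metadata overrides project-level metadata."""
    return instance_md[key] if key in instance_md else project_md.get(key, "")


def audit_instances(project_common_metadata, instances):
    """Return {instance name: [findings]}; an empty list means all checks pass."""
    project_md = _metadata_map(project_common_metadata)
    report = {}
    for inst in instances:
        inst_md = _metadata_map(inst.get("metadata"))
        findings = []
        if not _is_true(effective_value(project_md, inst_md, "block-project-ssh-keys")):
            findings.append("project-wide-ssh-keys-allowed")
        if _is_true(effective_value(project_md, inst_md, "serial-port-enable")):
            findings.append("serial-port-enabled")
        for disk in inst.get("disks", []):
            # Assumption: a CSEK-protected attached disk carries
            # diskEncryptionKey.sha256; its absence means no customer-supplied key.
            if "sha256" not in (disk.get("diskEncryptionKey") or {}):
                findings.append("no-csek:" + disk.get("deviceName", "?"))
        report[inst["name"]] = findings
    return report


# Constructed sample data: the project enables serial ports globally,
# web-1 overrides that and blocks project SSH keys, batch-2 inherits everything.
SAMPLE_PROJECT_METADATA = {"items": [{"key": "serial-port-enable", "value": "true"}]}
SAMPLE_VM_INSTANCES = [
    {"name": "web-1",
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"},
                            {"key": "serial-port-enable", "value": "false"}]},
     "disks": [{"deviceName": "persistent-disk-0", "boot": True,
                "diskEncryptionKey": {"sha256": "constructed-digest"}}]},
    {"name": "batch-2",
     "metadata": {"items": []},
     "disks": [{"deviceName": "persistent-disk-0", "boot": True}]},
]

if __name__ == "__main__":
    for name, findings in audit_instances(SAMPLE_PROJECT_METADATA, SAMPLE_VM_INSTANCES).items():
        print(name, findings or "OK")
```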
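The four Cloud SQL items (SSL required, not open to the world, no public IP, automated backups) are all fields under `settings` in the output of `gcloud sql instances list --format=json`. The script below is an added example, not code from the original post or from Sysdig. It treats the legacy `requireSsl` flag and the newer `sslMode` values as equivalent ways of requiring encryption, detects "open to the world" as any authorized network with a zero-length prefix (so `::/0` is caught as well as `0.0.0.0/0`), and reads public-IP status from both `ipv4Enabled` and the `ipAddresses` list. The sample instances are constructed.

```python
"""Audit Cloud SQL instances (JSON from `gcloud sql instances list --format=json`)
for required SSL, world-open authorized networks, public IPs and backups."""
import ipaddress

# sslMode values that refuse plaintext connections; requireSsl=true is the
# older flag with the same effect.
ENCRYPTED_ONLY_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def _is_whole_internet(cidr):
    """True for 0.0.0.0/0, ::/0 or any other /0; False for bad input."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_sql_instance(inst):
    """Return the list of findings for one instance (empty means compliant)."""
    settings = inst.get("settings", {})
    ipcfg = settings.get("ipConfiguration", {})
    findings = []

    if not (ipcfg.get("requireSsl") or ipcfg.get("sslMode") in ENCRYPTED_ONLY_MODES):
        findings.append("unencrypted-connections-allowed")

    if any(_is_whole_internet(n.get("value", ""))
           for n in ipcfg.get("authorizedNetworks", [])):
        findings.append("open-to-world")

    has_public_ip = ipcfg.get("ipv4Enabled") or any(
        addr.get("type") == "PRIMARY" for addr in inst.get("ipAddresses", []))
    if has_public_ip:
        findings.append("public-ip")

    if not settings.get("backupConfiguration", {}).get("enabled"):
        findings.append("no-automated-backups")
    return findings


def audit_sql_instances(instances):
    return {inst["name"]: audit_sql_instance(inst) for inst in instances}


# Constructed sample: one badly exposed instance, one private instance
# that only lacks backups.
SAMPLE_SQL_INSTANCES = [
    {"name": "prod-db",
     "ipAddresses": [{"ipAddress": "203.0.113.10", "type": "PRIMARY"}],
     "settings": {
         "ipConfiguration": {"ipv4Enabled": True, "requireSsl": False,
                             "authorizedNetworks": [{"name": "anywhere",
                                                     "value": "0.0.0.0/0"}]},
         "backupConfiguration": {"enabled": True, "startTime": "02:00"}}},
    {"name": "private-db",
     "ipAddresses": [{"ipAddress": "10.8.0.3", "type": "PRIVATE"}],
     "settings": {
         "ipConfiguration": {"ipv4Enabled": False, "sslMode": "ENCRYPTED_ONLY",
                             "privateNetwork": "projects/my-proj/global/networks/vpc",
                             "authorizedNetworks": []},
         "backupConfiguration": {"enabled": False}}},
]

if __name__ == "__main__":
    for name, findings in audit_sql_instances(SAMPLE_SQL_INSTANCES).items():
        print(name, findings or "OK")
```

A `/0` authorized network on an instance with a public IP is the combination to fix first: it is reachable from anywhere and, if SSL is not required, credentials travel in clear text.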
Source
This post is licensed under CC BY 4.0 by the author.