GCP: Control Permissions
This page describes the permissions required for the Google Cloud Platform (GCP) controls. Grant these permissions so that the controls are visible in the policy tab.
Mandatory Permissions
Below are the mandatory permissions required for each control.
| Description | Permissions |
|---|---|
| Mandatory permissions to list folders | resourcemanager.folders.get, resourcemanager.folders.list |
| Mandatory permissions to list projects | resourcemanager.projects.get, resourcemanager.projects.list |
| Mandatory permission to list the organization | resourcemanager.organizations.get |
Control Permissions
| CID | Control Name | Permissions |
|---|---|---|
| 52000 | Ensure that corporate login credentials are used instead of Gmail accounts | iam.serviceAccounts.list, resourcemanager.projects.get |
| 52001 | Ensure that there are only GCP-managed service account keys for each service account | iam.serviceAccounts.list |
| 52002 | Ensure Project has no Service Account with Admin Privileges | iam.serviceAccounts.list, resourcemanager.projects.get |
| 52003 | Ensure that IAM users are not assigned Service Account User role at project level | iam.serviceAccounts.list, resourcemanager.projects.get |
| 52004 | Ensure user-managed/external keys for service accounts are rotated every 90 days or less | iam.serviceAccounts.list |
| 52005 | Ensure KMS encryption keys are rotated within a period of 90 days | cloudkms.keyRings.list, cloudkms.cryptoKeys.list |
| 52006 | Ensure that Separation of duties is enforced while assigning KMS related roles | iam.serviceAccounts.list, resourcemanager.projects.get |
| 52007 | Ensure that IAM users are not assigned Service Account Token Creator role at project level | iam.serviceAccounts.list, resourcemanager.projects.get |
| 52008 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | iam.serviceAccounts.list, resourcemanager.projects.get |
| 52009 | Ensure that sinks are configured for all log entries | logging.sinks.list |
| 52010 | Ensure that object versioning is enabled on buckets | storage.buckets.get |
| 52011 | Ensure log metric filter and alerts exist for Project Ownership assignments/changes | logging.logMetrics.list, monitoring.alertPolicies.list |
| 52012 | Ensure log metric filter and alerts exist for Audit Configuration Changes | logging.logMetrics.list, monitoring.alertPolicies.list |
| 52013 | Ensure log metric filter and alerts exist for Custom Role changes | logging.logMetrics.list, monitoring.alertPolicies.list |
| 52014 | Ensure log metric filter and alerts exist for VPC Network Firewall rule changes | logging.logMetrics.list, monitoring.alertPolicies.list |
| 52015 | Ensure log metric filter and alerts exist for VPC network route changes | logging.logMetrics.list, monitoring.alertPolicies.list |
| 52016 | Ensure log metric filter and alerts exist for VPC network changes | logging.logMetrics.list, monitoring.alertPolicies.list |
| 52017 | Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes | logging.logMetrics.list, monitoring.alertPolicies.list |
| 52018 | Ensure log metric filter and alerts exist for SQL instance configuration changes | cloudsql.instances.list, logging.logMetrics.list, monitoring.alertPolicies.list |
| 52019 | Ensure the default network does not exist in a project | compute.networks.list |
| 52020 | Ensure that IP forwarding is not enabled on Instances | compute.zones.list, compute.instances.get |
| 52021 | Ensure that SSH access is restricted from the internet | compute.firewalls.list |
| 52022 | Ensure that RDP access is restricted from the internet | compute.firewalls.list |
| 52023 | Ensure Private Google Access is enabled for all subnetworks in VPC Network | compute.subnetworks.list |
| 52024 | Ensure VPC Flow Logs are enabled for every subnet in VPC Network | compute.subnetworks.list |
| 52025 | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | compute.zones.list, compute.instances.list |
| 52026 | Ensure Block Project-wide SSH keys is enabled for VM instances | compute.zones.list, compute.instances.list |
| 52027 | Ensure OS Login is enabled for a Project | compute.projects.get |
| 52028 | Ensure connecting to serial ports is not enabled for VM Instance | compute.zones.list, compute.instances.list |
| 52029 | Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) | compute.zones.list, compute.disks.list |
| 52030 | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | storage.buckets.list, storage.buckets.getIamPolicy |
| 52031 | Ensure that logging is enabled for Cloud Storage buckets | storage.buckets.get, storage.buckets.list |
| 52032 | Ensure that Cloud SQL - MySQL database instance requires all incoming connections to use SSL | cloudsql.instances.list |
| 52033 | Ensure that Cloud SQL - MySQL database Instances are not open to the world | cloudsql.instances.list |
| 52034 | Ensure legacy networks do not exist for a project | dns.policies.list, compute.networks.list |
| 52035 | Ensure that MySQL Database Instance does not allow root login from any Host | cloudsql.instances.list, cloudsql.users.list |
| 52036 | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | storage.buckets.list, storage.buckets.get |
| 52037 | Ensure that GCP Kubernetes cluster intra-node visibility is enabled | cloud.locations.list, container.clusters.get |
| 52038 | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | cloud.locations.list, container.clusters.get |
| 52039 | Ensure Kubernetes web UI / Dashboard is disabled | cloud.locations.list, container.clusters.get |
| 52040 | Ensure Automatic node repair is enabled for Kubernetes Clusters | cloud.locations.list, container.clusters.get |
| 52041 | Ensure Automatic node upgrades are enabled on Kubernetes Engine Clusters nodes | cloud.locations.list, container.clusters.get |
| 52042 | Ensure that GCP Kubernetes Engine Clusters have HTTP load balancing enabled | cloud.locations.list, container.clusters.get |
| 52043 | Ensure Network policy is enabled on Kubernetes Engine Clusters | cloud.locations.list, container.clusters.get |
| 52044 | Ensure that GCP Kubernetes Engine Clusters have Alpha cluster feature disabled | cloud.locations.list, container.clusters.get |
| 52045 | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | container.clusters.get |
| 52047 | Ensure Kubernetes Cluster is created with Private cluster enabled | container.clusters.get |
| 52048 | Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets | container.clusters.get |
| 52049 | Ensure default Service account is not used for Project access in Kubernetes Clusters | container.clusters.get |
| 52050 | Ensure Kubernetes Clusters are created with limited service account access scopes for Project access | container.clusters.get |
| 52051 | Ensure Stackdriver Kubernetes Engine Monitoring is set to Enabled on Kubernetes Engine Clusters | container.clusters.get |
| 52052 | Ensure that Application-Layer secret encryption is enabled for Kubernetes cluster | container.clusters.get |
| 52053 | Ensure that Master authorized network is enabled for Kubernetes cluster | container.clusters.get |
| 52054 | Ensure that Default service account is not used for the cloud function | cloudfunctions.functions.get |
| 52055 | Ensure that Runtime used in cloud function is not deprecated or decommissioned | cloudfunctions.functions.get |
| 52056 | Ensure that Cloud function is not anonymously or publicly accessible | cloudfunctions.functions.get |
| 52057 | Ensure that no harmful object lifecycle rules are created on Storage Buckets | storage.buckets.list |
| 52058 | Ensure that object retention policy is set on storage buckets | storage.buckets.list |
| 52059 | Ensure log_connections database flag for Cloud SQL - PostgreSQL instance is set to on | cloudsql.instances.list |
| 52060 | Ensure log_disconnections database flag for Cloud SQL - PostgreSQL instance is set to on | cloudsql.instances.list |
| 52061 | Ensure log_duration database flag for Cloud SQL - PostgreSQL instance is set to on | cloudsql.instances.list |
| 52062 | Ensure log_error_verbosity database flag for Cloud SQL - PostgreSQL instance is set to DEFAULT or stricter | cloudsql.instances.list |
| 52063 | Ensure log_statement database flag for Cloud SQL - PostgreSQL instance is set to ddl or stricter | cloudsql.instances.list |
| 52064 | Ensure log_hostname database flag for Cloud SQL - PostgreSQL instance is set to off | cloudsql.instances.list |
| 52065 | Ensure that Cloud SQL - PostgreSQL database instance requires all incoming connections to use SSL | cloudsql.instances.list |
| 52066 | Ensure that Cloud SQL - PostgreSQL database Instances are not open to the world | cloudsql.instances.list |
| 52067 | Ensure that Cloud SQL - SQL Server database instance requires all incoming connections to use SSL | cloudsql.instances.list |
| 52068 | Ensure that Cloud SQL - SQL Server database Instances are not open to the world | cloudsql.instances.list |
| 52069 | Ensure log_lock_waits database flag for Cloud SQL - PostgreSQL instance is set to on | cloudsql.instances.list |
| 52070 | Ensure log_temp_files database flag for Cloud SQL - PostgreSQL instance is set to 0 (on) | cloudsql.instances.list |
| 52071 | Ensure log_min_error_statement database flag for Cloud SQL - PostgreSQL instance is set to Error or stricter | cloudsql.instances.list |
| 52072 | Ensure log_min_messages database flag for Cloud SQL - PostgreSQL instance is set to Error or stricter | cloudsql.instances.list |
| 52073 | Ensure log_min_duration_statement database flag for Cloud SQL - PostgreSQL instance is set to -1 (disabled) | cloudsql.instances.list |
| 52074 | Ensure log_checkpoints database flag for Cloud SQL - PostgreSQL instance is set to on | cloudsql.instances.list |
| 52075 | Ensure skip_show_database database flag for Cloud SQL - MySQL instance is set to on | cloudsql.instances.list |
| 52076 | Ensure local_infile database flag for Cloud SQL - MySQL instance is set to off | cloudsql.instances.list |
| 52077 | Ensure external scripts enabled database flag for Cloud SQL - SQL Server instance is set to off | cloudsql.instances.list |
| 52078 | Ensure cross db ownership chaining database flag for Cloud SQL - SQL Server instance is set to off | cloudsql.instances.list |
| 52079 | Ensure that Google Kubernetes Engine (GKE) clusters have workload identity enabled | container.clusters.get, container.clusters.list |
| 52080 | Ensure user options database flag for Cloud SQL - SQL Server instance is not configured | cloudsql.instances.list |
| 52081 | Ensure access database flag for Cloud SQL - SQL Server instance is set to off | cloudsql.instances.list |
| 52082 | Ensure 3625 (trace flag) database flag for Cloud SQL - SQL Server instance is set to off | cloudsql.instances.list |
| 52083 | Ensure contained database authentication database flag for Cloud SQL - SQL Server instance is set to off | cloudsql.instances.list |
| 52084 | Ensure Cloud SQL - MySQL instances do not have public IP addresses | cloudsql.instances.list |
| 52085 | Ensure Cloud SQL - SQL Server instances do not have public IP addresses | cloudsql.instances.list |
| 52086 | Ensure Cloud SQL - PostgreSQL instances do not have public IP addresses | cloudsql.instances.list |
| 52087 | Ensure Cloud SQL - MySQL instance is configured with automated backups | cloudsql.instances.list |
| 52088 | Ensure Cloud SQL - SQL Server instance is configured with automated backups | cloudsql.instances.list |
| 52089 | Ensure Cloud SQL - PostgreSQL instance is configured with automated backups | cloudsql.instances.list |
| 52090 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | cloudasset.assets.searchAllResources, cloudkms.cryptoKeys.getIamPolicy, cloudkms.cryptoKeys.list, cloudkms.keyRings.list |
| 52091 | Ensure Compute instances are launched with Shielded VM enabled | compute.zones.list, compute.instances.list |
| 52092 | Ensure OS Login is enabled for VM instance | compute.zones.list, compute.instances.list |
| 52093 | Ensure that instances are not configured to use default service account | compute.zones.list, compute.instances.list |
| 52094 | Ensure that Compute instances do not have public IP addresses | compute.zones.list, compute.instances.list |
| 52095 | Ensure that BigQuery Dataset is encrypted with Customer-managed key | bigquery.datasets.get |
| 52096 | Ensure that BigQuery Table is encrypted with Customer-managed key | bigquery.datasets.get, bigquery.tables.list |
| 52097 | Ensure default trace enabled database flag for Cloud SQL - SQL Server instance is set to on | cloudsql.instances.list |
| 52098 | Ensure that BigQuery datasets are not anonymously or publicly accessible | bigquery.datasets.get |
| 52099 | Ensure that retention policies on Log Buckets are configured using bucket lock | storage.buckets.list, logging.sinks.get |
| 52100 | Ensure that DNSSEC is enabled for Cloud DNS | dns.managedZones.list |
| 52101 | Ensure Binary Authorization is set to Enabled on Kubernetes Engine Clusters | container.clusters.get |
| 52102 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | container.clusters.get |
| 52103 | Ensure GCP Kubernetes Engine Clusters are not using the default network | container.clusters.get |
| 52104 | Ensure that network traffic egress metering is enabled on Kubernetes Engine Clusters | container.clusters.get |
| 52105 | Ensure that legacy compute engine metadata endpoint for GCP Kubernetes Engine Cluster Node is disabled | container.clusters.get, container.clusters.list |
| 52106 | Ensure that Cloud SQL - MySQL database instance Binary logs configuration is enabled | cloudsql.instances.list |
| 52107 | Ensure that Cloud SQL - PostgreSQL database instance Point-in-time recovery is enabled | cloudsql.instances.list |
| 52108 | Ensure that GCP Storage bucket is encrypted using customer-managed key | storage.buckets.list |
| 52109 | Ensure that GCP Cloud DNS zones are not using RSASHA1 algorithm for DNSSEC key-signing | dns.managedZones.list, dns.managedZones.get |
| 52110 | Ensure that GCP Cloud DNS zones are not using RSASHA1 algorithm for DNSSEC zone-signing | dns.managedZones.list, dns.managedZones.get |
| 52111 | Ensure that Compute instances have Confidential Computing enabled | compute.zones.list, compute.instances.list |
| 52112 | Ensure log_parser_stats database flag for Cloud SQL - PostgreSQL instance is set to off | cloudsql.instances.list |
| 52113 | Ensure log_planner_stats database flag for Cloud SQL - PostgreSQL instance is set to off | cloudsql.instances.list |
| 52114 | Ensure log_executor_stats database flag for Cloud SQL - PostgreSQL instance is set to off | cloudsql.instances.list |
| 52115 | Ensure log_statement_stats database flag for Cloud SQL - PostgreSQL instance is set to off | cloudsql.instances.list |
| 52116 | Ensure that Cloud DNS logging is enabled for all VPC networks | compute.networks.list, compute.networks.get |
| 52117 | Ensure that data at rest available on your GKE clusters is encrypted with Customer-Managed Keys | container.clusters.get |
| 52118 | Ensure that Pub/Sub topics are encrypted using Customer-Managed Keys (CMKs) | pubsub.topics.get |
| 52119 | Ensure that MySQL database instances have the slow_query_log flag set to On | cloudsql.instances.list |
| 52120 | Ensure that On Host Maintenance configuration setting is set to Migrate for all VM instances | compute.zones.list, compute.instances.list |
| 52121 | Ensure that production MySQL database instances are configured to automatically fail over to another zone within the selected cloud region | cloudsql.instances.list |
| 52122 | Ensure that MySQL database servers are using the latest major version of MySQL database | cloudsql.instances.list |
| 52127 | Ensure Kubernetes Clusters are configured with Labels | container.clusters.get |
| 52128 | Ensure that PostgreSQL database instances have the appropriate configuration set for the max_connections flag | cloudsql.instances.list |
| 52129 | Ensure that your GKE cluster nodes are shielded to protect against impersonation attacks | container.clusters.get |
| 52130 | Ensure that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes | container.clusters.get |
| 52131 | Ensure that Google Kubernetes Engine (GKE) clusters have sandbox enabled | container.clusters.get |
| 52132 | Ensure there are no API keys associated with your Google Cloud Platform (GCP) project | apikeys.keys.list |
| 52135 | Ensure Default Service account is not used at a project level | iam.serviceAccounts.list |
| 52138 | Ensure no roles that allow impersonating and managing all service accounts are used at a project level | iam.serviceAccounts.list |
| 52139 | Ensure Dataproc Clusters are not using Default VPC | dataproc.clusters.list |
| 52140 | Ensure that a bucket does not log to itself | storage.buckets.list |
| 52142 | Ensure that the Secure Boot feature is enabled for your Google Kubernetes Engine (GKE) cluster nodes | container.clusters.get |
| 52143 | Ensure the GKE Metadata Server is Enabled | container.clusters.get, container.clusters.list |
| 52144 | Ensure the GKE Release Channel is set | container.clusters.get, container.clusters.list |
| 52146 | Ensure that MySQL instances are encrypted with Customer-Managed Keys (CMKs) | cloudsql.databases.get, cloudsql.databases.list, cloudsql.instances.get, cloudsql.instances.list |
| 52147 | Ensure Image Vulnerability Scanning is enabled using GCR Container Analysis or a third-party provider | serviceusage.services.list |
| 52148 | Ensure user connections database flag for Cloud SQL - SQL Server instance is set to appropriate value | cloudsql.databases.get, cloudsql.databases.list, cloudsql.instances.get, cloudsql.instances.list |
| 52149 | Ensure that Cloud SQL PostgreSQL instance certificates are rotated (renewed) before their expiration | cloudsql.databases.get, cloudsql.databases.list, cloudsql.instances.get, cloudsql.instances.list |
| 52150 | Ensure that Cloud SQL MySQL instance certificates are rotated (renewed) before their expiration | cloudsql.databases.get, cloudsql.databases.list, cloudsql.instances.get, cloudsql.instances.list |
| 52151 | Ensure that Cloud SQL SQL Server instance certificates are rotated (renewed) before their expiration | cloudsql.instances.list |
| 52152 | Ensure that production PostgreSQL database instances are configured to automatically fail over to another zone within the selected cloud region | cloudsql.instances.list |
| 52153 | Ensure that production SQL Server database instances are configured to automatically fail over to another zone within the selected cloud region | cloudsql.instances.list |
| 52154 | Ensure that PostgreSQL instances are encrypted with Customer-Managed Keys (CMKs) | cloudsql.instances.list |
| 52155 | Ensure that SQL Server instances are encrypted with Customer-Managed Keys (CMKs) | cloudsql.instances.list |
| 52156 | Ensure that Google Cloud Storage objects are using a lifecycle configuration for cost management | storage.buckets.list |
| 52157 | Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances | compute.zones.list, compute.instances.list |
| 52158 | Ensure that your production Google Cloud virtual machine instances are not preemptible | compute.zones.list, compute.instances.list |
| 52159 | Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances | compute.zones.list, compute.instances.list |
| 52160 | Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs) | compute.disks.list, compute.zones.list |
| 52161 | Ensure that your Dataproc clusters are encrypted using Customer-Managed Keys (CMKs) | dataproc.clusters.list |
| 52162 | Ensure that automatic restart is enabled for VM instances | compute.zones.list, compute.instances.list |
| 52168 | Ensure that Cloud Armor prevents message lookup in Log4j2 | compute.securityPolicies.list |
| 52169 | Ensure that automatic storage increase is enabled for your Cloud SQL database instances | cloudsql.databases.list, cloudsql.instances.list |
| 52170 | Ensure there is a dead-letter topic configured for each Pub/Sub subscription | pubsub.subscriptions.list |
| 52171 | Ensure that your Google Cloud instance groups are using autohealing to proactively replace failing instances | compute.instanceGroupManagers.list, compute.zones.list |
| 52172 | Ensure that API keys are restricted to only those APIs that the application needs access to | apikeys.keys.list |
| 52173 | Ensure there are no unrestricted API keys available within your Google Cloud Platform (GCP) project | apikeys.keys.list |
| 52174 | Ensure that logging is enabled for Google Cloud global load balancing backend services | compute.urlMaps.list |
| 52175 | Ensure Cloud Asset Inventory is enabled | serviceusage.services.list |
| 52176 | Ensure that cloudsql.enable_pgaudit database flag for each Cloud SQL PostgreSQL instance is set to on for Centralized Logging | cloudsql.databases.list, cloudsql.instances.list |
| 52177 | Ensure API Keys are rotated every 90 days | apikeys.keys.list |
| 52178 | Ensure Cloud SQL - PostgreSQL Instance IP assignment is set to private | cloudsql.databases.list, cloudsql.instances.list |
| 52179 | Ensure that Separation of duties is enforced while assigning Service Account Related Roles | resourcemanager.projects.get |
| 52180 | Ensure Bigtable Instance Clusters are encrypted with Customer Managed Encryption Keys | bigtable.instances.list |
| 52181 | Ensure Spanner Instance Databases are encrypted with Customer Managed Encryption Keys | spanner.databases.list, spanner.instances.list |
| 52182 | Ensure that IP forwarding is not enabled on Instance Templates | compute.instanceTemplates.get |
| 52183 | Ensure Persistent Disk Snapshots older than 90 Days are removed to reduce charges | compute.snapshots.get |
| 52184 | Ensure No Custom Disk Images are Publicly Accessible | compute.images.list |
| 52185 | Ensure GCP Artifact Registry Repositories are not Publicly Accessible | artifactregistry.repositories.get, artifactregistry.repositories.getIamPolicy |
| 52186 | Ensure No Cloud Run Service is Publicly Accessible | run.services.get |
| 52187 | Ensure KMS encryption keys are rotated within a period of 90 days | cloudkms.keyRings.list, cloudkms.cryptoKeys.list |