Best practice rules for Google Cloud Platform

Ensure that API Gateway uses an authentication method to secure access to your API backend.

Ensure that Data Access audit logs are enabled for Google Cloud API Gateway APIs.

Ensure that associated backend services are configured to communicate with API Gateway using HTTPS.

Ensure that IAM roles with administrative permissions are not used for API access control.

Ensure that API Gateway leverages Cloud Armor as a network security service.

Ensure that API Gateway is configured to use rate limiting with quotas for your APIs.

Ensure that all Google Cloud API Gateway APIs are labeled for better resource management.

Ensure there are no publicly accessible Artifact Registry repositories available in your GCP account.

Ensure that vulnerability scanning for Artifact Registry repositories is enabled to enhance security and mitigate potential risks.

Use Customer-Managed Encryption Keys (CMEKs) to protect Artifact Registry repositories and related data at rest.

Ensure that Google Cloud BigQuery datasets are not publicly accessible.

Ensure that BigQuery datasets are encrypted using Customer-Managed Encryption Keys (CMEKs).

Ensure that BigQuery dataset tables are encrypted using Customer-Managed Keys (CMKs).

Ensure that SSL certificates are renewed within the appropriate validity period.

Ensure there are no API keys in use within your Google Cloud projects.

Ensure that API keys are restricted to only those APIs that your application needs access to.

Ensure there are no unrestricted API keys available within your Google Cloud Platform (GCP) project.

Ensure that Google Cloud Asset Inventory is enabled for your GCP projects.

Ensure that Google Cloud Security Command Center API is enabled.

Ensure that critical service APIs are enabled for your GCP projects.

Ensure that your Google Cloud virtual machine (VM) instances are using the latest operating system updates.

Ensure that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.

Ensure that your backend buckets are using active storage buckets to store content.

Ensure that Cloud CDN origins are authenticating access to the cached content.

Ensure that your Cloud CDN origin points to a backend bucket.

Ensure that Cloud CDN backend bucket origins are using SSL/TLS certificates.

Ensure that Cloud CDN backend service origins are using SSL/TLS certificates.

Ensure that RSASHA1 signature algorithm is not used for DNSSEC key signing.

Ensure that DNSSEC key signing is not using RSASHA1 as a signature algorithm.

Cloud DNS configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure that DNSSEC is enabled for your Domain Name System (DNS) managed zones.

Ensure that dangling DNS records are removed from your Cloud DNS zones to avoid domain/subdomain takeover.

Ensure no Google Cloud functions allow unrestricted outbound network access.

Ensure that Cloud Logging API has appropriate permissions to write function logs.

Ensure that Dead-Letter Topics (DLTs) are configured for Pub/Sub-triggered functions.

Configuring a maximum number of instances for your Google Cloud functions helps control costs by preventing uncontrolled scaling.

To improve performance, ensure that the minimum number of function instances is greater than 0 (zero).

Ensure that automatic runtime security updates are enabled for your Google Cloud functions.

Ensure that Serverless VPC Access is enabled for your Google Cloud functions.

Ensure that your Google Cloud functions are using active service accounts.

Ensure that your Google Cloud functions are using the latest execution runtime environment.

Ensure that your GCP functions are using the latest language runtime version available.

Ensure that your Google Cloud functions are not using the default service account.

Ensure that your Google Cloud functions are not using basic roles for permissions.

Ensure that your Google Cloud functions are not configured with admin privileges.

Ensure there are no publicly accessible Google Cloud functions available within your GCP account.

Use Customer-Managed Encryption Keys (CMEKs) to protect Google Cloud functions and related data at rest.

Ensure that all Google Cloud functions are labeled for better resource management.

Manage secrets using Secrets Manager service instead of Cloud Functions environment variables.

Ensure there are no IAM members with Service Account User and Service Account Token Creator roles at the project level.

Ensure that Essential Contacts are defined for your Google Cloud organization.

Ensure that the Audit Logs feature is configured to record all service and user activities.

Use corporate login credentials instead of personal accounts such as Gmail accounts.

Ensure there are no API keys associated with your Google Cloud Platform (GCP) projects.

Ensure there are no user-managed keys associated with your GCP service accounts.

IAM configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure that Access Approval is enabled for your Google Cloud account.

Ensure that Access Transparency is enabled within your Google Cloud organization.

Ensure that Multi-Factor Authentication (MFA) feature is enabled for all GCP user accounts.

Enforce the use of security keys to help prevent Google Cloud account hijacking.

Ensure that separation of duties is implemented for all Google Cloud KMS-related roles.

Ensure that separation of duties is implemented for all Google Cloud service account roles.

Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles is limited within your Google Cloud projects.

Ensure that user-managed service accounts are not using administrator-based roles.

Ensure that your user-managed service account keys are rotated periodically.

Ensure there are no publicly accessible KMS cryptographic keys available within your Google Cloud account.

Cloud KMS configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure that all KMS cryptographic keys available within your Google Cloud account are regularly rotated.

Ensure that only approved external load balancers are used for load-balanced websites and applications.

Ensure there are no HTTPS/SSL Proxy load balancers configured with insecure SSL policies.

Ensure that load balancer backend services are protected with edge security policies.

Load Balancing configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure that Google Cloud load balancers enforce HTTPS to handle encrypted web traffic.

Ensure that logging is enabled for your Google Cloud HTTP(S) load balancers.

Ensure that external Application Load Balancers are using Google-managed SSL certificates.

Ensure that the retention period configured for your logging buckets is 365 days or greater.

Ensure that the log bucket retention policies are using the Bucket Lock feature.

Ensure that the location of your Cloud Logging buckets is global.

Ensure that Google Cloud Logs Router data is encrypted using Customer-Managed Keys (CMKs).

Ensure that GCP project audit configuration changes are being monitored using alerting policies.

Ensure that Cloud Storage bucket permission changes are being monitored using alerting policies.

Ensure that custom IAM role changes are being monitored using alerting policies.

Ensure that VPC network firewall rule changes are being monitored using alerting policies.

Ensure that SQL instance configuration changes are being monitored using alerting policies.

Ensure that GCP project ownership changes are being monitored using alerting policies.

Ensure that Google Cloud VPC network changes are being monitored using log metrics and alerting policies.

Ensure that VPC network route changes are being monitored using alerting policies.

Ensure that data access audit logs are enabled for all critical service APIs within your GCP project.

Ensure that all the log entries generated for your Google Cloud projects are exported using sinks.

Ensure that Cloud NAT is enabled for VPC private subnets.

Ensure that logging is enabled for Cloud NAT gateways.

Ensure that IAM roles with administrative permissions are not used for Cloud NAT management.

Avoid misconfiguration by limiting Cloud NAT gateways to specific subnets only.

Ensure that Private Google Access is enabled for the VPC subnets associated with your Cloud NAT gateways.

sEnsure that your Cloud NAT gateways are using reserved external IPs.

Ensure there are no publicly accessible Pub/Sub topics available within your cloud account.

Pub/Sub configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure there is a dead-letter topic configured for each Pub/Sub subscription.

Ensure that Pub/Sub topics are encrypted using Customer-Managed Encryption Keys (CMEKs).

Ensure that Pub/Sub subscriptions are not configured to allow unknown cross-project access.

Ensure that Pub/Sub topics don't allow unknown cross-project access.

Ensure there are no publicly accessible Google Cloud services available within your GCP account.

Ensure no Google Cloud Run service allows unrestricted outbound network access.

Configuring a maximum number of instances for your Cloud Run services helps control costs by preventing uncontrolled scaling.

To improve performance, ensure that the minimum number of container instances is greater than 0 (zero).

Configure maximum concurrent requests per instance for Google Cloud Run services.

Ensure that Cloud Run services are using the latest language runtime version available.

Ensure that your Cloud Run services are using active service accounts.

Ensure that Dead-Letter Topics (DLTs) are configured for Pub/Sub-triggered services.

Ensure that automatic runtime security updates are enabled for your Cloud Run services.

Ensure that Binary Authorization is enabled for Google Cloud Run services.

Ensure that end-to-end HTTP/2 support is enabled for Cloud Run services.

Use Customer-Managed Encryption Keys (CMEKs) to protect Cloud Run services and related data at rest.

Ensure that all Cloud Run services are labeled for better resource management.

Ensure that Cloud SQL database instances require SSL/TLS for incoming connections.

Ensure that Cloud SQL database instances don't have public IP addresses assigned.

Identify idle Cloud SQL database instances and stop them in order to optimize your cloud costs.

Ensure that MySQL database servers are using the latest major version of MySQL database.

Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database.

Ensure that your Google Cloud SQL database instances are configured to accept connections from trusted networks and IP addresses only.

Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_error_verbosity" flag.

Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_min_error_statement" flag.

Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_min_messages" flag.

Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_statement" flag.

Ensure that PostgreSQL database instances have the appropriate configuration set for the "max_connections" flag.

Ensure that SQL Server database instances have the appropriate configuration set for the "user connections" flag.

Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances.

Ensure that MySQL databases can't be accessed with administrative privileges only (i.e. without using passwords).

Cloud SQL configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure that SQL Server database instances have "contained database authentication" flag set to Off.

Ensure that SQL Server database instances have "cross db ownership chaining" flag set to Off.

Ensure that MySQL database instances have the "local_infile" flag set to Off (disabled).

Ensure that PostgreSQL database instances have "log_min_duration_statement" flag set to -1 (Off).

Ensure that the "log_planner_stats" PostgreSQL database flag is set to "off".

Ensure that the "3625" trace flag for SQL database servers is set to "off".

Ensure that the "external scripts enabled" SQL Server flag is set to "off".

Ensure that the "log_executor_stats" PostgreSQL database flag is set to "off".

Ensure that the "log_parser_stats" PostgreSQL database flag is set to "off".

Ensure that the "log_statement_stats" PostgreSQL database flag is set to "off".

Ensure that the "remote access" SQL Server flag is set to "off".

Ensure that the "user options" SQL Server flag is not configured.

Ensure that PostgreSQL database instances have "log_checkpoints" flag set to On.

Ensure that "log_checkpoints" flag is enabled within your PostgreSQL database servers configuration.

Ensure that PostgreSQL database instances have the "log_connections" configuration flag set to On.

Ensure that PostgreSQL database instances have the "log_disconnections" flag set to On (enabled).

Ensure that PostgreSQL database instances have the "log_lock_waits" flag set to On.

Ensure that PostgreSQL database instances have the "log_temp_files" flag set to 0 (On).

Ensure that the "skip_show_database" MySQL database flag is set to "on".

Ensure that MySQL database instances have the "slow_query_log" flag set to On (enabled).

Ensure that the "cloudsql.enable_pgaudit" PostgreSQL database flag is set to "on" and that "pgaudit.log" is configured appropriately.

Ensure that the "log_hostname" PostgreSQL database flag is set to "on".

Ensure that Cloud SQL database instances are configured with automated backups.

Ensure that automatic storage increase is enabled for your Cloud SQL database instances.

Ensure that Cloud SQL instances are encrypted with Customer-Managed Keys (CMKs).

Ensure that production SQL database instances are configured to automatically fail over to another zone within the selected cloud region.

Ensure that your MySQL database instances have Point-in-Time Recovery feature enabled.

Ensure that Cloud SQL database instances require all incoming connections to use SSL/TLS.

Ensure that Cloud SQL server certificates are rotated (renewed) before their expiration.

Ensure that your Google Cloud Storage buckets are not configured with admin permissions.

Ensure there are no publicly accessible Cloud Storage buckets available within your Google Cloud Platform (GCP) account.

Ensure there is a sufficient retention period configured for Google Cloud Storage objects.

Ensure that the log bucket retention policies are using the Bucket Lock feature.

Ensure that bucket website configuration includes main page suffix and error page.

Cloud Storage configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure that Data Access audit logs are enabled for your Google Cloud Storage buckets.

Ensure that Google Cloud Storage objects are using a lifecycle configuration for cost management.

Ensure that your Cloud Storage objects are encrypted using Customer-Managed Keys (CMKs).

Ensure that object versioning is enabled for your Google Cloud Storage buckets.

Ensure that Google Cloud Storage buckets have uniform bucket-level access enabled.

Ensure that usage and storage logs are enabled for your Google Cloud Storage buckets.

Ensure that Public Access Prevention is enabled for your Google Cloud Storage buckets.

Ensure that CORS configuration for your Google Cloud Storage buckets is compliant.

Ensure that VPC Service Controls are used to protect your Google Cloud Storage buckets from data exfiltration.

Ensure that legacy networks are not being used anymore within your GCP projects.

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP and UDP port 53 (DNS).

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol – FTP).

Ensure that no VPC firewall rules allow unrestricted inbound access using Internet Control Message Protocol (ICMP).

Ensure that no VPC firewall rules allow unrestricted ingress access to uncommon TCP/UDP ports.

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database).

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database).

Ensure that VPC network firewall rules do not allow unrestricted outbound/egress access.

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP).

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP).

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH).

Ensure there are no VPC network firewall rules with range of ports opened to allow incoming traffic.

Ensure that the default VPC network is not being used within your GCP projects.

Ensure that Cloud DNS logging is enabled for all VPC networks.

Ensure that logging is enabled for your Virtual Private Cloud (VPC) firewall rules.

Ensure that VPC Flow Logs feature is enabled for all VPC network subnets.

Ensure that logging metadata is not included within your VPC firewall log files.

Ensure that all your virtual machine instances are launched from approved images only.

Ensure that your virtual machine (VM) instances are of a given type (e.g. c2-standard-4).

Ensure that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.

Ensure that your VM instances are not associated with the default GCP service account.

Ensure that your virtual machine disk images are not accessible to all GCP accounts.

Ensure that Google Cloud VM instances are not using public IP addresses.

Ensure that virtual machine (VM) instances are not using multiple network interfaces.

Ensure that "On Host Maintenance" configuration setting is set to "Migrate" for all VM instances.

Ensure that Managed Instance Groups (MIGs) are associated with load balancers.

Ensure that Managed Instance Groups are configured to run instances across multiple zones.

Compute Engine configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances.

Ensure that IP Forwarding is not enabled for your Google Cloud virtual machine (VM) instances.

Ensure that interactive serial console support is not enabled for your Google Cloud instances.

Ensure that your production Google Cloud virtual machine instances are not preemptible.

Ensure that project-wide SSH keys are not used to access your Google Cloud VM instances.

Ensure that Shielded VM feature is enabled for your virtual machine (VM) instances.

Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances.

Ensure that Confidential Computing is enabled for virtual machine (VM) instances.

Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances.

Ensure that your Google Cloud instance groups are using autohealing to proactively replace failing instances.

Ensure that the OS Login feature is enabled for your Google Cloud projects.

Ensure that your virtual machine (VM) instance disks are encrypted with CSEKs.

Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs).

Ensure that Google App Engine applications enforce HTTPS connections.

Ensure that instance templates don't assign a public IP address to VM instances.

Identify persistent disks attached to suspended VM instances (i.e. unused persistent disks).

Remove old virtual machine disk snapshots in order to optimize Google Cloud monthly costs.

Ensure that OS Login is configured with Two-Factor Authentication (2FA) for production VM instances.

Ensure that your Dataproc clusters on Compute Engine are encrypted using Customer-Managed Keys (CMKs).

Ensure that your Dataproc cluster instances are not accessible from the Internet.

Ensure that Deletion Protection feature is enabled for Google Cloud Filestore instances.

Restrict Filestore client access to trusted IP addresses or IP address ranges only.

Use Customer-Managed Encryption Keys (CMEKs) to encrypt data at rest within your Filestore instances.

Ensure that on-demand backup and restore functionality is in use for Google Cloud Filestore instances.

Ensure that VPC Service Controls perimeters are used to protect your Filestore instances from data exfiltration.

Ensure that Google Kubernetes Engine (GKE) clusters can access Secret Manager secrets.

Automate version management for your Google Kubernetes Engine (GKE) clusters using Release Channels.

Ensure that Alpha GKE clusters are not used for production workloads.

GKE configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure that authentication using client certificates is disabled.

Ensure that Kubernetes Dashboard is disabled for GKE clusters.

Disable legacy authorization for Google Kubernetes Engine (GKE) clusters.

Ensure that your Google Kubernetes Engine (GKE) clusters are using auto-repairing nodes.

Ensure that your Google Kubernetes Engine (GKE) cluster nodes are using automatic upgrades.

Ensure that Binary Authorization is enabled for Google Kubernetes Engine (GKE) clusters.

Enable and configure backups for Google Kubernetes Engine (GKE) clusters.

Enable cost allocation for Google Kubernetes Engine (GKE) clusters.

Enable critical notifications for Google Kubernetes Engine (GKE) clusters.

Ensure that encryption of Kubernetes secrets using Customer-Managed Keys is enabled for GKE clusters.

Ensure that boot disk encryption with Customer-Managed Encryption Keys is enabled for GKE cluster nodes.

Enable the GKE Metadata Server feature for Google Kubernetes Engine (GKE) clusters.

Ensure that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes.

Ensure that inter-node transparent encryption is enabled for Google Kubernetes Engine (GKE) clusters.

Enable the Intranode Visibility feature for Google Kubernetes Engine (GKE) clusters.

Enable private nodes for Google Kubernetes Engine (GKE) clusters.

Ensure that Secure Boot is enabled for your Google Kubernetes Engine (GKE) cluster nodes.

Enable VPC-native traffic routing for Google Kubernetes Engine (GKE) clusters.

Enable Workload Identity Federation for Google Kubernetes Engine (GKE) clusters.

Enable workload vulnerability scanning for Google Kubernetes Engine (GKE) clusters.

Enable and configure logging for Google Kubernetes Engine (GKE) clusters.

Enable and configure Cloud Monitoring for Google Kubernetes Engine (GKE) clusters.

Enable the Security Posture dashboard for Google Kubernetes Engine (GKE) clusters.

Ensure that GKE clusters are not configured to use the default service account.

Ensure that Google Kubernetes Engine (GKE) cluster control plane is not exposed to the Internet.

Enable confidential GKE nodes for Google Kubernetes Engine (GKE) clusters.

Enable Container-Optimized OS for Google Kubernetes Engine (GKE) cluster nodes.

Ensure that Google Kubernetes Engine (GKE) clusters are using private endpoints only for control plane access.

Ensure that all Google Kubernetes Engine (GKE) clusters are labeled for better resource management.

Enable GKE Sandbox with gVisor to protect from untrusted workloads.

Ensure that your GKE clusters nodes are shielded to protect against impersonation attacks.

Ensure that only approved identity providers (IdPs) are used for secure access to Google Cloud services.

Ensure that data decryption using all KMS keys is not allowed within your Google Cloud account.

Ensure that Multi-Factor Authentication (MFA) feature is enabled for all GCP user accounts.

Ensure that Organization Administrator role is not assigned to users within your organization.

Ensure that IAM members are not using roles with administrative permissions.

Ensure that "Define Allowed External IPs for VM Instances" policy is enforced at the GCP organization level.

Resource Manager configuration changes have been detected within your Google Cloud Platform (GCP) account.

Ensure that "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced.

Ensure that "Disable Guest Attributes of Compute Engine Metadata" policy is enabled at the GCP organization level.

Ensure that "Disable VM serial port access" policy is enforced at the GCP organization level.

Ensure that the key upload feature for Cloud IAM service accounts is disabled.

Ensure that the user-managed key creation for Cloud IAM service accounts is disabled.

Ensure that "Disable Workload Identity Cluster Creation" policy is enabled for your GCP organizations.

Ensure that "Google Cloud Platform - Detailed Audit Logging Mode" policy is enabled for your GCP organizations.

Ensure that "Enforce uniform bucket-level access" organization policy is enabled at the Google Cloud Platform (GCP) organization level, and that the project inherits the parent's policy.

Ensure that Cloud IAM service account creation is disabled at the organization level.

Ensure that "Require OS Login" policy is enabled for your GCP organizations.

Ensure that "Restrict allowed Google Cloud APIs and services" organization policy is enforced for your GCP organizations.

Ensure that "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at GCP organization level.

Ensure that "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy is enforced at the GCP organization level.

Ensure that "Restrict Load Balancer Creation Based on Load Balancer Types" policy is enforced at the GCP organization level.

Ensure that "Restrict Public IP access on Cloud SQL instances" policy is enabled at the GCP organization level.

Ensure that "Restrict Shared VPC Subnetworks" policy is enforced for your GCP organizations.

Ensure that "Restrict VPC Peering Usage" policy is enforced for your GCP organizations.

Ensure that "Restrict VPN Peer IPs" constraint policy is enabled for your GCP organizations.

Ensure that "Restrict VM IP Forwarding" policy is enforced at the GCP organization level.

Ensure that "Google Cloud Platform - Resource Location Restriction" constraint policy is enforced for your GCP organizations.

Ensure that "Define Trusted Image Projects" policy is enforced for your GCP organizations.

Ensure that the creation of the default VPC network is disabled at the GCP organization level.

Release unattached static external IP addresses to optimize cloud costs.

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP/UDP port 11211 (Memcached).

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 6379 (Redis).

Ensure that Private Service Connect endpoints are configured for your VPC networks.

Ensure there are no VPC network firewall rules with high-risk ports opened to allow incoming traffic.

Ensure that unused network firewall rules are disabled or removed from your Google Cloud account.

Ensure that the default VPC network is not being used for your Vertex AI notebook instances.

Ensure root access is disabled for your Vertex AI notebook instances.

Ensure that automatic upgrades are enabled for your Vertex AI notebook instances.

Ensure that Cloud Monitoring feature is enabled for your Vertex AI notebook instances.

Ensure that the Idle Shutdown feature is enabled for your Vertex AI notebook instances.

Ensure that the Integrity Monitoring feature is enabled for your Vertex AI notebook instances.

Ensure that Secure Boot is enabled for your Vertex AI notebook instances.

Ensure that vTPM feature is enabled for your Vertex AI notebook instances.

Ensure that external IP addresses are not assigned to Vertex AI notebook instances.

Ensure that Vertex AI datasets are encrypted using Customer-Managed Encryption Keys (CMEKs) (Not Scored).

Ensure that Vertex AI notebook instances are encrypted using Customer-Managed Encryption Keys (CMEKs).