Best practice rules for GCP Cloud Run
- Check for Publicly Accessible Cloud Run Services
Ensure there are no publicly accessible Cloud Run services within your GCP account.
- Check for Unrestricted Outbound Network Access
Ensure no Google Cloud Run service allows unrestricted outbound network access.
- Check for the Maximum Number of Container Instances
Configuring a maximum number of instances for your Cloud Run services helps control costs by preventing uncontrolled scaling.
- Check for the Minimum Number of Container Instances
To improve performance, ensure that the minimum number of container instances is greater than 0 (zero).
- Cloud Run Request Concurrency
Configure maximum concurrent requests per instance for Google Cloud Run services.
- Cloud Run Service Runtime Version
Ensure that Cloud Run services are using the latest language runtime version available.
- Cloud Run Services with Inactive Service Accounts
Ensure that your Cloud Run services are using active service accounts.
- Configure Dead Lettering for Pub/Sub-Triggered Services
Ensure that Dead-Letter Topics (DLTs) are configured for Pub/Sub-triggered services.
- Enable Automatic Runtime Security Updates
Ensure that automatic runtime security updates are enabled for your Cloud Run services.
- Enable Binary Authorization
Ensure that Binary Authorization is enabled for Google Cloud Run services.
- Enable End-to-End HTTP/2 for Cloud Run Services
Ensure that end-to-end HTTP/2 support is enabled for Cloud Run services.
- Use Customer-Managed Encryption Keys for Service Encryption
Use Customer-Managed Encryption Keys (CMEKs) to protect Cloud Run services and related data at rest.
- Use Labels for Resource Management
Ensure that all Cloud Run services are labeled for better resource management.