Best practice rules for GCP Cloud Tasks
- Check for Publicly Accessible Cloud Tasks Queues
Ensure that no Cloud Tasks queue in your GCP project has an IAM binding that grants a role to allUsers or allAuthenticatedUsers; such a binding lets anyone enqueue tasks against your handlers.
- Configure Exponential Backoff for Retries
Ensure that Cloud Tasks queues retry failed tasks with exponential backoff (a minBackoff, a larger maxBackoff and a non-zero maxDoublings in the queue's retryConfig), so that a failing handler is not hit again at a fixed interval.
- Configure Rate Limits for Task Dispatches
Ensure that Cloud Tasks queues have explicit dispatch rate limits (maxDispatchesPerSecond and maxConcurrentDispatches) sized for the target handler rather than the service defaults, so that a burst of enqueued tasks cannot overwhelm it.
- Configure Retry Policy for Cloud Tasks Queues
Ensure that a retry policy (maxAttempts and maxRetryDuration) is configured for Cloud Tasks queues, so that tasks that keep failing are not retried indefinitely.
- Enable Data Access Audit Logs for Cloud Tasks Resources
Ensure that Data Access audit logs are enabled for Google Cloud Tasks resources; they are off by default, and without them reads and writes of queues and tasks are not recorded for forensics.
- Implement Least Privilege Access for Cloud Tasks Queues
Ensure that basic roles (roles/owner, roles/editor) or roles/cloudtasks.admin are not used for routine Cloud Tasks queue management; grant narrowly scoped roles such as roles/cloudtasks.enqueuer or roles/cloudtasks.viewer instead.
- Implement Least Privilege for Cloud Tasks Queue Service Accounts
Ensure that the service account a queue's HTTP tasks authenticate as (the OIDC or OAuth token service account) holds only the permissions the target handler needs, such as invoker on that one service, and nothing project-wide.
- Use Cloud Logging for Cloud Tasks Queues
Ensure that Cloud Logging is enabled for Cloud Tasks queues by setting a non-zero log sampling ratio in the queue's logging configuration, so that task creation and dispatch attempts are recorded.
- Use Customer-Managed Encryption Keys for Cloud Tasks
Use Customer-Managed Encryption Keys (CMEK) from Cloud KMS, rather than Google-managed keys, to encrypt Cloud Tasks data at rest in your GCP project.
- Use IAM Policy Conditions
Ensure that IAM bindings on Google Cloud Tasks queues carry policy conditions (for example a time-bound or resource-attribute condition) so that grants are not open-ended.
- Use VPC Service Controls for Cloud Tasks
Ensure that VPC Service Controls perimeters are used to protect your Cloud Tasks resources from data exfiltration.
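The queue-configuration and IAM rules above can be checked offline against the JSON that `gcloud tasks queues describe QUEUE --format=json` and `gcloud tasks queues get-iam-policy QUEUE --format=json` print. The audit below is an added example, not code from the original page or from Google; the two queue documents and their IAM policies are constructed for the example, and the treatment of the documented service defaults (500 dispatches per second, 1000 concurrent dispatches) as "not configured" is this audit's own threshold choice.

```python
"""Offline audit of Cloud Tasks queue settings against the rules above.

Input documents mirror the v2 Queue and IAM Policy JSON that gcloud prints;
the sample documents at the bottom are constructed for this example.
"""

ADMIN_ROLES = {"roles/owner", "roles/editor", "roles/cloudtasks.admin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Documented service defaults applied to a queue created without explicit
# limits; treating them as "not configured" is this audit's own choice.
DEFAULT_DISPATCH_RATE = 500.0
DEFAULT_CONCURRENT = 1000


def _seconds(duration):
    """Parse a protobuf JSON duration such as "0.100s" or "3600s" into seconds."""
    return float(duration.rstrip("s"))


def audit_queue(queue, policy):
    """Return a list of human-readable findings for one queue and its IAM policy."""
    findings = []
    name = queue.get("name", "<unnamed>")

    # Rate limits: absent, or both values still at the service defaults.
    rl = queue.get("rateLimits") or {}
    if (rl.get("maxDispatchesPerSecond", DEFAULT_DISPATCH_RATE) >= DEFAULT_DISPATCH_RATE
            and rl.get("maxConcurrentDispatches", DEFAULT_CONCURRENT) >= DEFAULT_CONCURRENT):
        findings.append(f"{name}: dispatch rate limits not configured")

    # Retry policy: no retryConfig at all, or maxAttempts -1 (unlimited retries).
    rc = queue.get("retryConfig") or {}
    if not rc or rc.get("maxAttempts", 100) == -1:
        findings.append(f"{name}: retry policy not configured (unlimited attempts)")

    # Exponential backoff: maxDoublings must be > 0 and maxBackoff must leave
    # room above minBackoff, otherwise every retry waits the same fixed interval.
    if rc:
        doublings = rc.get("maxDoublings", 16)
        min_b = _seconds(rc.get("minBackoff", "0.100s"))
        max_b = _seconds(rc.get("maxBackoff", "3600s"))
        if doublings <= 0 or max_b <= min_b:
            findings.append(f"{name}: exponential backoff disabled (fixed {min_b}s retry interval)")

    # Queue-level IAM policy: public members, administrative roles, missing conditions.
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        public = PUBLIC_MEMBERS.intersection(members)
        if public:
            findings.append(f"{name}: {role} granted to {', '.join(sorted(public))} (publicly accessible)")
        if role in ADMIN_ROLES:
            findings.append(f"{name}: administrative role {role} bound on queue")
        if "condition" not in binding:
            findings.append(f"{name}: {role} binding has no IAM condition")
    return findings


# Constructed sample: a queue left at defaults, with an unlimited fixed-interval
# retry policy, an enqueuer grant to allUsers and an unconditional owner grant.
WEAK_QUEUE = {
    "name": "projects/example-project/locations/us-central1/queues/ingest-weak",
    "state": "RUNNING",
    "rateLimits": {"maxDispatchesPerSecond": 500.0, "maxBurstSize": 100, "maxConcurrentDispatches": 1000},
    "retryConfig": {"maxAttempts": -1, "maxRetryDuration": "0s", "minBackoff": "5s", "maxBackoff": "5s", "maxDoublings": 0},
}
WEAK_POLICY = {"version": 1, "etag": "BwConstructedEtag=", "bindings": [
    {"role": "roles/cloudtasks.enqueuer", "members": ["allUsers"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]}

# Constructed sample: explicit limits, bounded exponential retries, one conditional
# enqueuer grant to a single producer service account.
HARDENED_QUEUE = {
    "name": "projects/example-project/locations/us-central1/queues/ingest-hardened",
    "state": "RUNNING",
    "rateLimits": {"maxDispatchesPerSecond": 20.0, "maxBurstSize": 20, "maxConcurrentDispatches": 10},
    "retryConfig": {"maxAttempts": 5, "maxRetryDuration": "600s", "minBackoff": "1s", "maxBackoff": "60s", "maxDoublings": 4},
}
HARDENED_POLICY = {"version": 3, "etag": "BwConstructedEtag=", "bindings": [
    {"role": "roles/cloudtasks.enqueuer",
     "members": ["serviceAccount:producer@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires-2025", "expression": "request.time < timestamp('2025-12-31T00:00:00Z')"}},
]}


if __name__ == "__main__":
    for q, p in ((WEAK_QUEUE, WEAK_POLICY), (HARDENED_QUEUE, HARDENED_POLICY)):
        for finding in audit_queue(q, p) or [f"{q['name']}: no findings"]:
            print(finding)
```

The IAM part only sees bindings set on the queue itself; a roles/editor grant at project level still reaches every queue but does not appear in `get-iam-policy` output for the queue, so pair this with a project-level policy review. Cloud Logging, Data Access audit logs, CMEK and VPC Service Controls are not visible in the queue document and must be checked separately.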