Best practice rules for GCP Document AI Service
- Check for Data Residency and Regional Controls
Ensure that Document AI processors are created only in locations that satisfy your data residency and compliance requirements; a processor's location is part of its resource name, is fixed at creation time and cannot be changed afterwards.
- Enable Access Approval for Document AI Resources
Ensure that Access Approval is enabled for all your Document AI resources.
- Enable Data Access Audit Logs for Document AI
Ensure that Data Access audit logs (ADMIN_READ, DATA_READ and DATA_WRITE) are enabled for the Document AI service, since only Admin Activity logs are recorded by default and reads and writes of document data would otherwise leave no trace in Cloud Audit Logs.
- Implement Least Privilege Access for Document AI using Cloud IAM
Ensure that broad administrative roles (the basic Owner and Editor roles, or roles/documentai.admin) are not used for day-to-day Document AI access control; grant the narrowest predefined role that fits the task, such as roles/documentai.apiUser for principals that only submit documents for processing.
- Use Customer-Managed Encryption Keys for Document AI Processors
Use Customer-Managed Encryption Keys (CMEKs) from Cloud KMS to encrypt data at rest for Document AI processors, so that key rotation, access and revocation stay under your control instead of relying on Google-managed encryption.
- Use VPC Service Controls for Document AI
Ensure that VPC Service Controls perimeters are used to protect your Document AI resources from data exfiltration.
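The audit logging, least privilege, data residency and CMEK rules above can be checked offline against exported configuration. The following script is an added example, not part of the original rule list or any vendor tooling. It assumes two inputs: the project IAM policy as printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the processor list returned by the Document AI `projects.locations.processors.list` API method. The allowed-location set and the sample policy and processors embedded below are constructed for illustration.

```python
"""Offline checks for the Document AI rules on audit logging, least
privilege, data residency and CMEK.  Added example, not part of the
original rule list.  Inputs have the shape of `gcloud projects
get-iam-policy PROJECT_ID --format=json` and of the Document AI
`projects.locations.processors.list` response; the sample data below
is constructed for illustration."""
import json

DOCAI_SERVICE = "documentai.googleapis.com"
# Admin Activity logs are always on; these Data Access log types must be
# enabled explicitly in the project's audit configuration.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}
# Basic roles and the Document AI admin role carry administrative rights.
ADMIN_ROLES = {"roles/owner", "roles/editor", "roles/documentai.admin"}
# Assumed residency policy for this example: only EU processing is allowed.
ALLOWED_LOCATIONS = {"eu"}

# Constructed sample IAM policy: DATA_READ logging is missing, one service
# account is exempted from DATA_WRITE logging, and admin roles are in use.
SAMPLE_IAM_POLICY = json.loads("""{
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    {"service": "documentai.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_WRITE",
       "exemptedMembers": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]}]}
  ],
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/documentai.admin",
     "members": ["group:docai-admins@example.com",
                 "serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/documentai.apiUser",
     "members": ["serviceAccount:ingest@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXsampleEtag=",
  "version": 1
}""")

# Constructed sample processors: one compliant, one in "us" without a CMEK.
SAMPLE_PROCESSORS = json.loads("""[
  {"name": "projects/123456789012/locations/eu/processors/aaaa1111bbbb2222",
   "type": "OCR_PROCESSOR", "state": "ENABLED",
   "kmsKeyName": "projects/example-project/locations/europe/keyRings/docai/cryptoKeys/processor-key"},
  {"name": "projects/123456789012/locations/us/processors/cccc3333dddd4444",
   "type": "FORM_PARSER_PROCESSOR", "state": "ENABLED"}
]""")


def audit_log_gaps(policy):
    """Return (missing_log_types, exempted_members) for Document AI.

    An 'allServices' audit config also covers Document AI, so both are
    merged.  Exempted members are reported because Data Access logging is
    silently skipped for them."""
    enabled, exempted = set(), set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in (DOCAI_SERVICE, "allServices"):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            enabled.add(log_cfg["logType"])
            exempted.update(log_cfg.get("exemptedMembers", []))
    return sorted(REQUIRED_LOG_TYPES - enabled), sorted(exempted)


def admin_bindings(policy):
    """Return (role, member) pairs that grant an administrative role."""
    return [(binding["role"], member)
            for binding in policy.get("bindings", [])
            if binding["role"] in ADMIN_ROLES
            for member in binding.get("members", [])]


def processor_findings(processors, allowed_locations=ALLOWED_LOCATIONS):
    """Flag processors outside the allowed locations or without a CMEK.

    The location is embedded in the resource name
    (projects/P/locations/L/processors/ID); a processor with no
    kmsKeyName is encrypted with Google-managed keys."""
    findings = []
    for proc in processors:
        name = proc["name"]
        location = name.split("/locations/", 1)[1].split("/", 1)[0]
        if location not in allowed_locations:
            findings.append((name, "location %s is not an allowed region" % location))
        if not proc.get("kmsKeyName"):
            findings.append((name, "no customer-managed encryption key"))
    return findings


def report(policy, processors):
    """Combine all checks into one JSON-serialisable finding set."""
    missing, exempted = audit_log_gaps(policy)
    return {
        "missing_audit_log_types": missing,
        "audit_log_exempted_members": exempted,
        "admin_bindings": admin_bindings(policy),
        "processor_findings": processor_findings(processors),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_IAM_POLICY, SAMPLE_PROCESSORS), indent=2))
```

On the sample data the report lists DATA_READ as missing, the exempted ETL service account, three administrative bindings (the roles/documentai.apiUser binding is not flagged), and two findings for the "us" processor. Replace the embedded samples with the real exports to run it against a project; the checks are read-only and need no credentials of their own.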