Best practice rules for GCP Resource Manager
- Define Allowed External IPs for VM Instances
Ensure that "Define Allowed External IPs for VM Instances" policy is enforced at the GCP organization level.
- Detect GCP Resource Manager Configuration Changes
Resource Manager configuration changes have been detected within your Google Cloud Platform (GCP) account.
- Disable Automatic IAM Role Grants for Default Service Accounts
Ensure that "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced.
- Disable Guest Attributes of Compute Engine Metadata
Ensure that "Disable Guest Attributes of Compute Engine Metadata" policy is enabled at the GCP organization level.
- Disable Serial Port Access Support at Organization Level
Ensure that "Disable VM serial port access" policy is enforced at the GCP organization level.
- Disable Service Account Key Upload
Ensure that the key upload feature for Cloud IAM service accounts is disabled.
- Disable User-Managed Key Creation for Service Accounts
Ensure that the user-managed key creation for Cloud IAM service accounts is disabled.
- Disable Workload Identity at Cluster Creation
Ensure that "Disable Workload Identity Cluster Creation" policy is enabled for your GCP organizations.
- Enforce Detailed Audit Logging Mode
Ensure that "Google Cloud Platform - Detailed Audit Logging Mode" policy is enabled for your GCP organizations.
- Enforce Uniform Bucket-Level Access
Ensure that "Enforce uniform bucket-level access" organization policy is enabled at the Google Cloud Platform (GCP) organization level, and that the project inherits the parent's policy.
- Prevent Service Account Creation for Google Cloud Organizations
Ensure that Cloud IAM service account creation is disabled at the organization level.
- Require OS Login
Ensure that "Require OS Login" policy is enabled for your GCP organizations.
- Restrict Allowed Google Cloud APIs and Services
Ensure that "Restrict allowed Google Cloud APIs and services" organization policy is enforced for your GCP organizations.
- Restrict Authorized Networks on Cloud SQL instances
Ensure that "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at the GCP organization level.
- Restrict Default Google-Managed Encryption for Cloud SQL Instances (Deprecated)
Ensure that "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy is enforced at the GCP organization level.
- Restrict Load Balancer Creation Based on Load Balancer Types
Ensure that "Restrict Load Balancer Creation Based on Load Balancer Types" policy is enforced at the GCP organization level.
- Restrict Public IP Access for Cloud SQL Instances at Organization Level
Ensure that "Restrict Public IP access on Cloud SQL instances" policy is enabled at the GCP organization level.
- Restrict Shared VPC Subnetworks
Ensure that "Restrict Shared VPC Subnetworks" policy is enforced for your GCP organizations.
- Restrict VPC Peering Usage
Ensure that "Restrict VPC Peering Usage" policy is enforced for your GCP organizations.
- Restrict VPN Peer IPs
Ensure that "Restrict VPN Peer IPs" constraint policy is enabled for your GCP organizations.
- Restrict Virtual Machine IP Forwarding
Ensure that "Restrict VM IP Forwarding" policy is enforced at the GCP organization level.
- Restrict the Creation of Cloud Resources to Specific Locations
Ensure that "Google Cloud Platform - Resource Location Restriction" constraint policy is enforced for your GCP organizations.
- Restricting the Use of Images
Ensure that "Define Trusted Image Projects" policy is enforced for your GCP organizations.
- Skip Default VPC Network Creation
Ensure that the creation of the default VPC network is disabled at the GCP organization level.