// Level 3 · Controls
GCP
CIS Google Cloud Platform Foundations Benchmark
1.1 · High
Ensure that corporate login credentials are used
Block personal accounts for corporate access.
1.2 · Critical
Ensure MFA is enforced for all non-service accounts
MFA across the org.
1.4 · Critical
Ensure that there are only GCP-managed service account keys for each service account
No user-managed keys.
1.5 · Critical
Ensure that Service Account has no Admin privileges
Least privilege for SAs.
1.7 · High
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Rotate SA keys.
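Added example (not part of the benchmark or this page): an offline audit for the service-account controls above. It checks a project IAM policy for service accounts bound to Owner, Editor or any role whose name contains "admin" (1.5), and a key listing for user-managed keys (1.4) and keys older than 90 days (1.7). The dictionaries are shaped like the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts keys list --iam-account=EMAIL --format=json` return; the sample policy, key IDs, emails and the fixed clock are constructed for illustration.

```python
"""Offline audit of service-account IAM and key hygiene (CIS GCP 1.4, 1.5, 1.7).

Inputs mirror the JSON that `gcloud projects get-iam-policy PROJECT --format=json`
and `gcloud iam service-accounts keys list --iam-account=EMAIL --format=json` return.
All sample data below is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

BASIC_ADMIN_ROLES = {"roles/owner", "roles/editor"}


def is_admin_role(role: str) -> bool:
    """CIS 1.5 scope: Owner, Editor, or any predefined/custom role whose name contains 'admin'."""
    return role in BASIC_ADMIN_ROLES or "admin" in role.rsplit("/", 1)[-1].lower()


def service_accounts_with_admin(policy: dict, allowlist: frozenset = frozenset()) -> dict:
    """Return {service_account_email: [admin-class roles]} for every offending service account.

    `allowlist` excludes service accounts you have reviewed and accepted (e.g. Google-managed agents).
    """
    findings: dict = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not is_admin_role(role):
            continue
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue
            email = member.split(":", 1)[1]
            if email in allowlist:
                continue
            findings.setdefault(email, []).append(role)
    return findings


def key_findings(keys: list, now: datetime, max_age_days: int = 90) -> dict:
    """Flag user-managed keys (CIS 1.4) and those older than max_age_days (CIS 1.7).

    SYSTEM_MANAGED keys are created and rotated by Google and are out of scope for both controls.
    """
    out = {"user_managed": [], "stale": []}
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        key_id = key["name"].rsplit("/", 1)[-1]
        out["user_managed"].append(key_id)
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if now - created > timedelta(days=max_age_days):
            out["stale"].append(key_id)
    return out


# Constructed sample policy: one deployer SA over-privileged, one runtime SA scoped correctly.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["group:data-eng@example.com",
                     "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:app-runtime@example-project.iam.gserviceaccount.com"]},
    ]
}

# Constructed sample keys for ci-deployer; names follow the API's resource-name layout.
SA = "projects/example-project/serviceAccounts/ci-deployer@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/0a1b2c", "keyType": "USER_MANAGED", "validAfterTime": "2024-01-15T10:00:00Z"},
    {"name": f"{SA}/keys/3d4e5f", "keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T00:00:00Z"},
    {"name": f"{SA}/keys/6g7h8i", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"},
]
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

if __name__ == "__main__":
    print("1.5 admin-class roles on service accounts:", service_accounts_with_admin(SAMPLE_POLICY))
    print("1.4/1.7 key findings for ci-deployer:", key_findings(SAMPLE_KEYS, AS_OF))
```

The "admin" substring test is deliberately broad, matching the benchmark's wording; review hits on roles such as roles/iam.serviceAccountAdmin case by case rather than whitelisting the pattern away. For 1.7 the age is taken from validAfterTime, which is when the key became usable; a key that was created long ago but never used is still stale.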
2.1 · High
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
Capture admin/data-access logs.
2.2 · Medium
Ensure that sinks are configured for all log entries
Ship logs out of the project.
2.4 · High
Ensure log metric filter and alerts exist for project ownership assignments/changes
Detect privilege changes.
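Added example (not from the benchmark or this page): the detection logic behind 2.4, run over exported audit log entries. The metric filter string is the one the benchmark's 2.4 recommendation gives for `gcloud logging metrics create` (confirm it against the benchmark version you are assessed against); the Python function applies the same condition to already-exported entries shaped like Cloud Audit Log JSON for cloudresourcemanager SetIamPolicy calls. Entry contents, principals and project ID are constructed samples.

```python
"""Detection logic for CIS GCP 2.4: project Owner role granted or revoked.

Entries mirror Cloud Audit Log JSON for SetIamPolicy, as returned by
`gcloud logging read FILTER --format=json`. Sample entries are constructed.
"""

# Metric filter the benchmark specifies for 2.4. Create the metric and alert on it:
#   gcloud logging metrics create project-ownership-changes --log-filter="$FILTER"
# The free-text terms cover Owner invitations, which carry no bindingDelta yet.
CIS_2_4_FILTER = (
    '(protoPayload.serviceName="cloudresourcemanager.googleapis.com") '
    'AND (ProjectOwnership OR projectOwnerInvitee) '
    'OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" '
    'AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") '
    'OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" '
    'AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")'
)


def owner_changes(entries: list) -> list:
    """Return one finding per ADD/REMOVE of roles/owner, with actor, target and project."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        project = entry.get("resource", {}).get("labels", {}).get("project_id", "<unknown>")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("role") == "roles/owner" and delta.get("action") in ("ADD", "REMOVE"):
                findings.append({"time": entry.get("timestamp"), "project": project,
                                 "actor": actor, "action": delta["action"],
                                 "member": delta.get("member")})
    return findings


def set_iam_policy_entry(ts, actor, project, deltas, service="cloudresourcemanager.googleapis.com"):
    """Build a minimal constructed audit entry (real entries carry many more fields)."""
    return {"timestamp": ts,
            "resource": {"type": "project", "labels": {"project_id": project}},
            "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                             "serviceName": service, "methodName": "SetIamPolicy",
                             "authenticationInfo": {"principalEmail": actor},
                             "serviceData": {"policyDelta": {"bindingDeltas": deltas}}}}


SAMPLE_ENTRIES = [
    set_iam_policy_entry("2024-06-01T08:00:00Z", "alice@example.com", "example-project",
                         [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"}]),
    set_iam_policy_entry("2024-06-01T08:05:00Z", "alice@example.com", "example-project",
                         [{"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]),
    set_iam_policy_entry("2024-06-01T08:10:00Z", "alice@example.com", "example-project",
                         [{"action": "REMOVE", "role": "roles/owner", "member": "user:bob@example.com"},
                          {"action": "ADD", "role": "roles/editor", "member": "user:bob@example.com"}]),
    # IAM change on a Compute resource with a non-Owner role: must not match.
    set_iam_policy_entry("2024-06-01T08:15:00Z", "deploy@example.com", "example-project",
                         [{"action": "ADD", "role": "roles/compute.instanceAdmin.v1",
                           "member": "user:carol@example.com"}],
                         service="compute.googleapis.com"),
]

if __name__ == "__main__":
    for finding in owner_changes(SAMPLE_ENTRIES):
        print(finding)
```

Both directions matter: a REMOVE of roles/owner is how an attacker locks out the legitimate admins, and an ADD is how they persist. Alert on the metric with a threshold of one occurrence; ownership changes should be rare enough that every one is reviewed.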
3.1 · Medium
Ensure that the default network does not exist in a project
Custom-mode VPCs only.
3.6 · High
Ensure that SSH access is restricted from the internet
Use IAP tunneling instead.
3.7 · High
Ensure that RDP access is restricted from the internet
Block global 3389.
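Added example (not from the benchmark or this page) covering 3.6 and 3.7 together: a firewall-rule analyzer that flags enabled INGRESS rules whose source ranges include 0.0.0.0/0 or ::/0 and whose allowed TCP ports cover 22 or 3389, including port ranges such as 20-30 and protocol "all". Rule dictionaries are shaped like `gcloud compute firewall-rules list --format=json`; the rule names and contents are constructed. The IAP TCP forwarding range 35.235.240.0/20 is Google's documented range and is the source the benchmark's remediation allows instead of the internet.

```python
"""Offline check for CIS GCP 3.6 (SSH) and 3.7 (RDP): ingress open to the whole internet.

Rules mirror `gcloud compute firewall-rules list --format=json`. Samples are constructed.
"""
OPEN_WORLD = {"0.0.0.0/0", "::/0"}
WATCHED_PORTS = {22: "SSH (CIS 3.6)", 3389: "RDP (CIS 3.7)"}
# Google's documented source range for IAP TCP forwarding: the benchmark's replacement for 0.0.0.0/0.
IAP_TCP_FORWARDING_RANGE = "35.235.240.0/20"


def port_spec_covers(ports, port: int) -> bool:
    """True if the ports list ("22", "20-30", ...) includes port; an absent list means all ports."""
    if not ports:
        return True
    for spec in ports:
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def exposed_ports(rule: dict) -> list:
    """Watched TCP ports this single rule opens to every IPv4 or IPv6 address."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return []
    if not OPEN_WORLD.intersection(rule.get("sourceRanges", [])):
        return []
    hits = set()
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        for port in WATCHED_PORTS:
            if proto == "all" or port_spec_covers(allowed.get("ports"), port):
                hits.add(port)
    return sorted(hits)


def audit_firewall(rules: list) -> dict:
    """Map offending rule name -> exposed watched ports; compliant rules are omitted."""
    findings = {}
    for rule in rules:
        hits = exposed_ports(rule)
        if hits:
            findings[rule["name"]] = hits
    return findings


SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "rdp-from-anywhere", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "mgmt-ranges-v6", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-30", "3000-4000"]}]},
    {"name": "iap-ssh", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": [IAP_TCP_FORWARDING_RANGE],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
    {"name": "open-but-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "dns-udp", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "egress-any", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, ports in audit_firewall(SAMPLE_RULES).items():
        print(name, [WATCHED_PORTS[p] for p in ports])
```

Like the benchmark's own audit, this evaluates each rule in isolation: it does not model a higher-priority deny rule or a hierarchical firewall policy that might shadow the offending rule, so treat a hit as a finding to clean up rather than a proof of reachability. The inverse also holds: only the literal 0.0.0.0/0 and ::/0 are matched, so a rule split into 0.0.0.0/1 plus 128.0.0.0/1 is just as open but would pass; broaden OPEN_WORLD or add a prefix-length threshold if that pattern appears in your environment.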
4.1 · High
Ensure that instances are not configured to use the default service account
Per-workload SAs.
4.4 · Medium
Ensure oslogin is enabled for a project
Centralised SSH access via IAM.
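Added example (not from the benchmark or this page) covering 4.1 and 4.4: an instance audit that flags VMs attached to the default Compute Engine service account (the `<project-number>-compute@developer.gserviceaccount.com` identity) and computes the effective OS Login state, where instance metadata overrides project metadata, so a per-VM `enable-oslogin=FALSE` defeats a project-level TRUE. Instance and project dictionaries are shaped like `gcloud compute instances list --format=json` and `gcloud compute project-info describe --format=json`; instance names, emails and metadata are constructed.

```python
"""Offline check for CIS GCP 4.1 (default Compute SA in use) and 4.4 (effective OS Login state).

Instances mirror `gcloud compute instances list --format=json`; project metadata mirrors
`gcloud compute project-info describe --format=json`. Samples are constructed.
"""
import re

# Default Compute Engine service account: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def metadata_value(metadata: dict, key: str):
    """Look up one key in a Compute metadata block: {"items": [{"key": ..., "value": ...}]}."""
    for item in (metadata or {}).get("items", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def uses_default_service_account(instance: dict) -> bool:
    """CIS 4.1: any attached service account matching the default Compute SA pattern."""
    return any(DEFAULT_COMPUTE_SA.match(sa.get("email", "")) for sa in instance.get("serviceAccounts", []))


def oslogin_enabled(instance: dict, project_info: dict) -> bool:
    """CIS 4.4: instance metadata wins over project metadata, so check the instance first."""
    value = metadata_value(instance.get("metadata"), "enable-oslogin")
    if value is None:
        value = metadata_value(project_info.get("commonInstanceMetadata"), "enable-oslogin")
    return (value or "").strip().upper() == "TRUE"


def audit_instances(instances: list, project_info: dict) -> dict:
    """Names of instances failing 4.1 and 4.4 respectively."""
    return {
        "default_sa": [i["name"] for i in instances if uses_default_service_account(i)],
        "oslogin_disabled": [i["name"] for i in instances if not oslogin_enabled(i, project_info)],
    }


# Constructed samples: OS Login is on at project level, but one VM overrides it.
SAMPLE_PROJECT = {"commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}
SAMPLE_INSTANCES = [
    {"name": "web-1",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com"}],
     "metadata": {"items": []}},
    {"name": "bastion",
     "serviceAccounts": [{"email": "bastion@example-project.iam.gserviceaccount.com"}],
     "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"},
                            {"key": "ssh-keys", "value": "ops:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 ops"}]}},
    {"name": "legacy-db",
     "serviceAccounts": [{"email": "db@example-project.iam.gserviceaccount.com"}],
     "metadata": {"items": [{"key": "startup-script", "value": "#!/bin/sh\nexit 0"}]}},
]

if __name__ == "__main__":
    print(audit_instances(SAMPLE_INSTANCES, SAMPLE_PROJECT))
```

The bastion case is the one a project-level check misses: `ssh-keys` metadata plus `enable-oslogin=FALSE` re-creates exactly the per-VM key sprawl that 4.4 is meant to eliminate, so audit instance metadata rather than stopping at the project setting.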
5.1 · Critical
Ensure that Cloud Storage buckets are not anonymously or publicly accessible
Prevent public buckets.
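Added example (not from the benchmark or this page): a bucket audit for 5.1 that reports every grant to allUsers or allAuthenticatedUsers, from bucket IAM bindings and from legacy object ACLs, and classifies each as public-read or public-write. IAM policies are shaped like `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, ACL entries like `gsutil acl get gs://BUCKET`, and the `ubla` flag stands for the bucket's uniform bucket-level access setting (when it is on, ACLs no longer apply). Bucket names, members and ACL entities are constructed.

```python
"""Offline check for CIS GCP 5.1: public grants on Cloud Storage buckets.

IAM policies mirror `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`;
ACLs mirror `gsutil acl get gs://BUCKET`. Sample buckets are constructed.
"""
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles that let the public create, overwrite or delete objects: worse than read exposure.
WRITE_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin", "roles/storage.objectCreator",
               "roles/storage.legacyBucketOwner", "roles/storage.legacyBucketWriter",
               "roles/storage.legacyObjectOwner"}
ACL_WRITE_ROLES = {"WRITER", "OWNER"}


def public_grants(iam_policy: dict, acl: list = ()) -> list:
    """Return [(principal, role, 'public-write' | 'public-read')] for every public grant."""
    grants = []
    for binding in iam_policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                role = binding["role"]
                grants.append((member, role, "public-write" if role in WRITE_ROLES else "public-read"))
    for entry in acl:
        if entry.get("entity") in PUBLIC_PRINCIPALS:
            role = entry.get("role", "")
            grants.append((entry["entity"], role,
                           "public-write" if role in ACL_WRITE_ROLES else "public-read"))
    return grants


def audit_buckets(buckets: dict) -> dict:
    """buckets: {name: {"iam": policy, "acl": [...], "ubla": bool}}; only exposed buckets are returned.

    With uniform bucket-level access (ubla) enabled, ACLs are inert and are skipped.
    """
    findings = {}
    for name, data in buckets.items():
        acl = [] if data.get("ubla") else data.get("acl", [])
        grants = public_grants(data.get("iam", {}), acl)
        if grants:
            findings[name] = grants
    return findings


SAMPLE_BUCKETS = {
    "public-site-assets": {"ubla": True, "iam": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["group:web@example.com"]}]}},
    "upload-dropbox": {"ubla": True, "iam": {"bindings": [
        {"role": "roles/storage.objectCreator", "members": ["allAuthenticatedUsers"]}]}},
    "legacy-backups": {"ubla": False,
                       "iam": {"bindings": [{"role": "roles/storage.legacyBucketReader",
                                             "members": ["projectViewer:example-project"]}]},
                       "acl": [{"entity": "project-owners-123456789012", "role": "OWNER"},
                               {"entity": "allUsers", "role": "READER"}]},
    "private-data": {"ubla": True, "iam": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]}]}},
}

if __name__ == "__main__":
    for bucket, grants in audit_buckets(SAMPLE_BUCKETS).items():
        print(bucket, grants)
```

allAuthenticatedUsers means anyone with any Google account, not anyone in your organisation, so the benchmark treats it the same as allUsers. The legacy-backups case shows why the ACL path is still needed: a bucket without uniform bucket-level access can be fully private in IAM and still world-readable through an ACL entry.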
6.1.1 · High
Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges
Restrict root.