The 88 Google Cloud security checks Black Cat runs
Black Cat SSPM evaluates 88 security policies against your Google Cloud configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Replace overly permissive GCP IAM bindings with least-privilege predefined or custom roles
Remove or scope down GCP IAM bindings that grant service account impersonation roles
Reduce the number of GCP project Owners by removing users who do not require that role
Replace GCP group-based Owner role bindings with less permissive roles or individual assignments
Replace privileged GCP IAM role bindings for service accounts with least-privilege roles
Rotate GCP service account keys older than 90 days and delete the old keys
Migrate GCP workloads from user-managed service account keys to Workload Identity Federation
Enable uniform bucket-level access on GCP Storage buckets and migrate ACLs to IAM policies
Enable the GCP organization policy to disable service account key creation
Enable the GCP organization policy to disable service account key uploads
Enable the GCP org policy to prevent automatic IAM grants for default service accounts
Add API and application restrictions to GCP API keys to limit their scope
Delete stale GCP API keys that have not been used recently
Remove conflicting GCP KMS roles to enforce separation of duties between admins and encrypters
Remove conflicting GCP service account roles to enforce separation of duties
Remove org-level Owner role bindings in GCP and grant Owner only at the project level
Remove org-level Editor role bindings in GCP and replace with project-level specific roles
Remove external members from GCP organization-level IAM bindings
Replace the default Compute Engine service account with a custom least-privilege service account (CIS GCP 4.1)
Remove public IAM members (allUsers, allAuthenticatedUsers) from Cloud KMS crypto keys
Remove public IAM members (allUsers, allAuthenticatedUsers) from Secret Manager secrets
Disable legacy Attribute-Based Access Control and use RBAC for GKE cluster authorization (CIS GKE 6.2.1)
Enable Workload Identity to bind Kubernetes service accounts to GCP IAM service accounts without key files (CIS GKE 6.2.2)
Enable master authorized networks to restrict GKE control plane access to specific CIDR ranges (CIS GKE 6.6.3)
audit
Enable Admin Read, Data Read, and Data Write audit logs for GCP services
Enable all data access log types (DATA_READ, DATA_WRITE) for GCP services with incomplete logging
Enable VPC flow logs on all subnetworks to capture network traffic metadata for security monitoring (CIS GCP 3.8)
Set the log_connections database flag to on to log all connection attempts (CIS GCP 6.2.2)
Set the log_disconnections database flag to on to log all session disconnections (CIS GCP 6.2.3)
Set log_min_messages to WARNING or a more severe level (CIS GCP 6.2.5)
Set log_min_error_statement to ERROR or a more severe level (CIS GCP 6.2.6)
Set log_min_duration_statement to -1 to disable duration-based statement logging and avoid logging sensitive data (CIS GCP 6.2.7)
Enable the pgaudit extension for detailed audit logging (CIS GCP 6.2.8)
configuration
Restrict GCP firewall rules to specific IP ranges instead of allowing 0.0.0.0/0 ingress
Restrict source ranges for firewall rules exposing SSH, RDP, or database ports to 0.0.0.0/0
Restrict egress firewall destinations to prevent data exfiltration
Enable object versioning on GCP Storage buckets to protect against accidental deletion
Add a security notification contact to GCP Essential Contacts for the project
Add essential contacts for TECHNICAL_INCIDENTS, LEGAL, and BILLING notifications
Disable serial port access on Compute Engine instances to prevent unauthorized interactive access (CIS GCP 4.5)
Enable Shielded VM (vTPM and integrity monitoring) on Compute Engine instances to protect against boot-level threats
Replace the default VPC network with a custom VPC to enforce explicit network segmentation (CIS GCP 3.1)
Configure Cloud SQL instances to use private IP only to avoid direct internet exposure (CIS GCP 6.6)
Require SSL/TLS for all connections to Cloud SQL instances to protect data in transit (CIS GCP 6.4)
Set the skip_show_database database flag to on to restrict SHOW DATABASES to privileged users (CIS GCP 6.1.2)
Set the local_infile database flag to off to prevent loading local files (CIS GCP 6.1.3)
Enable automated backups on Cloud SQL instances to ensure data recovery capability (CIS GCP 6.7)
Configure Cloud KMS key rotation to occur at least every 90 days — CIS GCP 1.10
Enable automatic key rotation on Cloud KMS ENCRYPT_DECRYPT keys — CIS GCP 1.10
Ensure Cloud KMS crypto keys have an active primary key version to prevent encryption failures
Migrate Cloud KMS keys to HSM protection level for hardware-backed key security
Enable automatic rotation for Secret Manager secrets to reduce the risk of long-lived credentials
Ensure Secret Manager secrets have at least 2 versions to confirm rotation is occurring
Enable network policy enforcement on GKE clusters to control pod-to-pod traffic (CIS GKE 6.6.7)
Create a new private GKE cluster with private nodes to prevent direct internet exposure (CIS GKE 6.6.2)
Enable Shielded Nodes on the GKE cluster to protect node integrity against boot-level attacks (CIS GKE 6.5.5)
Enroll the GKE cluster in the REGULAR or STABLE release channel to receive automatic Kubernetes security updates (CIS GKE 6.5.3)
Enable Binary Authorization on the GKE cluster to enforce image provenance policies (CIS GKE 6.10.2)
Enable application-layer secrets encryption on the GKE cluster using a Cloud KMS key (CIS GKE 6.3.1)
Enable intranode visibility on the GKE cluster to expose pod-to-pod traffic to VPC flow logs
Enable Cloud Logging on the GKE cluster to capture audit and system logs (CIS GKE 6.7.1)
Enable automatic node upgrades on GKE node pools to ensure nodes receive security patches (CIS GKE 6.5.1)
Create an enabled Cloud Logging sink with an empty filter to export all log entries (CIS 2.2)
Create a log-based metric to track project ownership assignment changes (CIS 2.4)
Create a log-based metric to track audit configuration changes (CIS 2.5)
Create a log-based metric to track custom IAM role changes (CIS 2.6)
Enable the disabled alert policy to ensure monitoring coverage
Add notification channels to the alert policy so incidents are delivered to responders
Create an alert policy for the project-ownership-assignments log metric with notification channels (CIS 2.4)
Create an alert policy for the audit-config-changes log metric with notification channels (CIS 2.5)
Create an alert policy for the custom-role-changes log metric with notification channels (CIS 2.6)
Enable DNSSEC on the public DNS managed zone to protect against DNS spoofing (CIS 3.3)
Replace the RSASHA1 key-signing algorithm with a stronger algorithm such as RSASHA256 or ECDSAP256SHA256 (CIS 3.4)
Replace the RSASHA1 zone-signing algorithm with a stronger algorithm such as RSASHA256 or ECDSAP256SHA256 (CIS 3.5)
Enable DNS query logging on the managed zone for audit and security monitoring (CIS 2.12)
data protection
Remove allUsers and allAuthenticatedUsers access entries from the BigQuery dataset (CIS 7.1)
encryption
Update the SSL policy to require TLS 1.2 minimum and use MODERN or RESTRICTED profile (CIS 3.9)
identity
Use a custom service account with only the OAuth scopes the workload requires (CIS GCP 4.2)
Enable block-project-ssh-keys metadata on the instance to prevent project-level SSH key access (CIS GCP 4.3)
Enable OS Login for centralized SSH key management via IAM (CIS GCP 4.4)
Assign a dedicated service account with least-privilege permissions instead of the default compute SA
network
Disable IP forwarding unless the instance is explicitly acting as a router or network appliance (CIS GCP 4.6)
Migrate workloads to a custom-mode VPC network and delete the legacy network (CIS GCP 3.2)
Remove 0.0.0.0/0 from authorized networks and restrict to specific IP ranges or use Cloud SQL Auth Proxy (CIS GCP 6.5)
Restrict Cloud Function ingress to internal-only or internal-and-GCLB traffic
Restrict Cloud Run service ingress to internal or internal-and-cloud-load-balancing traffic
secret management
Move secrets from plaintext environment variables to Secret Manager references (CIS 1.17)
sharing
Remove public access from GCP Storage buckets and use signed URLs for controlled access