Skip to content

The 88 Google Cloud security checks Black Cat runs

Black Cat SSPM evaluates 88 security policies against your Google Cloud configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

criticalOverly Permissive IAM Binding

Replace overly permissive GCP IAM bindings with least-privilege predefined or custom roles

highSA Impersonation Role Binding

Remove or scope down GCP IAM bindings that grant service account impersonation roles

mediumExcessive Project Owners

Reduce the number of GCP project Owners by removing users who do not require that role

mediumOwner Role Group Assignment

Replace GCP group-based Owner role bindings with less permissive roles or individual assignments

mediumPrivileged Service Account Binding

Replace privileged GCP IAM role bindings for service accounts with least-privilege roles

highOld Service Account Keys

Rotate GCP service account keys older than 90 days and delete the old keys

mediumUser Managed Service Account Keys

Migrate GCP workloads from user-managed service account keys to Workload Identity Federation

mediumBucket Uniform Access Disabled

Enable uniform bucket-level access on GCP Storage buckets and migrate ACLs to IAM policies

highSA Key Creation Not Disabled

Enable the GCP organization policy to disable service account key creation

mediumSA Key Upload Not Disabled

Enable the GCP organization policy to disable service account key uploads

highDefault SA Grant Not Disabled

Enable the GCP org policy to prevent automatic IAM grants for default service accounts

highUnrestricted API Key

Add API and application restrictions to GCP API keys to limit their scope

mediumStale API Key

Delete stale GCP API keys that have not been used recently

highKMS Separation of Duties Violation

Remove conflicting GCP KMS roles to enforce separation of duties between admins and encrypters

highSA Separation of Duties Violation

Remove conflicting GCP service account roles to enforce separation of duties

criticalOrg-Level Owner Binding

Remove org-level Owner role bindings in GCP and grant Owner only at the project level

highOrg-Level Editor Binding

Remove org-level Editor role bindings in GCP and replace with project-level specific roles

highExternal Members at Org Level

Remove external members from GCP organization-level IAM bindings

highInstance Uses Default Service Account

Replace the default Compute Engine service account with a custom least-privilege service account (CIS GCP 4.1)

criticalCloud KMS Key Publicly Accessible

Remove public IAM members (allUsers, allAuthenticatedUsers) from Cloud KMS crypto keys

criticalSecret Manager Secret Publicly Accessible

Remove public IAM members (allUsers, allAuthenticatedUsers) from Secret Manager secrets

criticalGKE Legacy ABAC Enabled

Disable legacy Attribute-Based Access Control and use RBAC for GKE cluster authorization (CIS GKE 6.2.1)

highGKE Workload Identity Disabled

Enable Workload Identity to bind Kubernetes service accounts to GCP IAM service accounts without key files (CIS GKE 6.2.2)

highGKE Master Authorized Networks Disabled

Enable master authorized networks to restrict GKE control plane access to specific CIDR ranges (CIS GKE 6.6.3)

audit

highAudit Logging Not Enabled

Enable Admin Read, Data Read, and Data Write audit logs for GCP services

mediumData Access Logs Incomplete

Enable all data access log types (DATA_READ, DATA_WRITE) for GCP services with incomplete logging

highSubnet Flow Logs Disabled

Enable VPC flow logs on all subnetworks to capture network traffic metadata for security monitoring (CIS GCP 3.8)

mediumPostgreSQL log_connections Not Enabled

Set the log_connections database flag to on to log all connection attempts (CIS GCP 6.2.2)

mediumPostgreSQL log_disconnections Not Enabled

Set the log_disconnections database flag to on to log all session disconnections (CIS GCP 6.2.3)

lowPostgreSQL log_min_messages Below WARNING

Set log_min_messages to WARNING or a more severe level (CIS GCP 6.2.5)

lowPostgreSQL log_min_error_statement Above ERROR

Set log_min_error_statement to ERROR or a more severe level (CIS GCP 6.2.6)

lowPostgreSQL log_min_duration_statement Not Disabled

Set log_min_duration_statement to -1 to disable duration-based statement logging and avoid logging sensitive data (CIS GCP 6.2.7)

mediumPostgreSQL pgaudit Extension Not Enabled

Enable the pgaudit extension for detailed audit logging (CIS GCP 6.2.8)

configuration

criticalPublic Firewall Rule

Restrict GCP firewall rules to specific IP ranges instead of allowing 0.0.0.0/0 ingress

criticalFirewall Rule Exposes Dangerous Port

Restrict source ranges for firewall rules exposing SSH, RDP, or database ports to 0.0.0.0/0

mediumFirewall Rule Egress Open to World

Restrict egress firewall destinations to prevent data exfiltration

lowBucket Versioning Disabled

Enable object versioning on GCP Storage buckets to protect against accidental deletion

highSecurity Contact Missing

Add a security notification contact to GCP Essential Contacts for the project

mediumEssential Contacts Coverage Incomplete

Add essential contacts for TECHNICAL_INCIDENTS, LEGAL, and BILLING notifications

mediumInstance Serial Port Enabled

Disable serial port access on Compute Engine instances to prevent unauthorized interactive access (CIS GCP 4.5)

mediumShielded VM Disabled

Enable Shielded VM (vTPM and integrity monitoring) on Compute Engine instances to protect against boot-level threats

mediumDefault VPC In Use

Replace the default VPC network with a custom VPC to enforce explicit network segmentation (CIS GCP 3.1)

highCloud SQL Instance Has Public IP

Configure Cloud SQL instances to use private IP only to avoid direct internet exposure (CIS GCP 6.6)

highCloud SQL SSL Not Required

Require SSL/TLS for all connections to Cloud SQL instances to protect data in transit (CIS GCP 6.4)

mediumMySQL skip_show_database Not Enabled

Set the skip_show_database database flag to on to restrict SHOW DATABASES to privileged users (CIS GCP 6.1.2)

mediumMySQL local_infile Enabled

Set the local_infile database flag to off to prevent loading local files (CIS GCP 6.1.3)

mediumCloud SQL Backup Not Enabled

Enable automated backups on Cloud SQL instances to ensure data recovery capability (CIS GCP 6.7)

highCloud KMS Key Rotation Period Exceeds 90 Days

Configure Cloud KMS key rotation to occur at least every 90 days — CIS GCP 1.10

mediumCloud KMS Encryption Key Has No Rotation Schedule

Enable automatic key rotation on Cloud KMS ENCRYPT_DECRYPT keys — CIS GCP 1.10

highCloud KMS Key Primary Version Not Active

Ensure Cloud KMS crypto keys have an active primary key version to prevent encryption failures

lowCloud KMS Key Uses Software Protection Level

Migrate Cloud KMS keys to HSM protection level for hardware-backed key security

mediumSecret Manager Secret Has No Rotation

Enable automatic rotation for Secret Manager secrets to reduce the risk of long-lived credentials

lowSecret Manager Secret Has No Versioning

Ensure Secret Manager secrets have at least 2 versions to confirm rotation is occurring

highGKE Network Policy Disabled

Enable network policy enforcement on GKE clusters to control pod-to-pod traffic (CIS GKE 6.6.7)

highGKE Private Cluster Disabled

Create a new private GKE cluster with private nodes to prevent direct internet exposure (CIS GKE 6.6.2)

mediumGKE Shielded Nodes Disabled

Enable Shielded Nodes on the GKE cluster to protect node integrity against boot-level attacks (CIS GKE 6.5.5)

mediumGKE Release Channel Not Set

Enroll the GKE cluster in the REGULAR or STABLE release channel to receive automatic Kubernetes security updates (CIS GKE 6.5.3)

mediumGKE Binary Authorization Disabled

Enable Binary Authorization on the GKE cluster to enforce image provenance policies (CIS GKE 6.10.2)

mediumGKE Database Encryption Disabled

Enable application-layer secrets encryption on the GKE cluster using a Cloud KMS key (CIS GKE 6.3.1)

lowGKE Intranode Visibility Disabled

Enable intranode visibility on the GKE cluster to expose pod-to-pod traffic to VPC flow logs

highGKE Logging Disabled

Enable Cloud Logging on the GKE cluster to capture audit and system logs (CIS GKE 6.7.1)

highGKE Node Pool Auto-Upgrade Disabled

Enable automatic node upgrades on GKE node pools to ensure nodes receive security patches (CIS GKE 6.5.1)

highCloud Logging Sink Missing

Create an enabled Cloud Logging sink with an empty filter to export all log entries (CIS 2.2)

mediumLog Metric for Project Ownership Missing

Create a log-based metric to track project ownership assignment changes (CIS 2.4)

mediumLog Metric for Audit Config Changes Missing

Create a log-based metric to track audit configuration changes (CIS 2.5)

mediumLog Metric for Custom Role Changes Missing

Create a log-based metric to track custom IAM role changes (CIS 2.6)

mediumAlert Policy Disabled

Enable the disabled alert policy to ensure monitoring coverage

highAlert Policy Has No Notification Channels

Add notification channels to the alert policy so incidents are delivered to responders

mediumLog Metric Project Ownership Alert Missing

Create an alert policy for the project-ownership-assignments log metric with notification channels (CIS 2.4)

mediumLog Metric Audit Config Alert Missing

Create an alert policy for the audit-config-changes log metric with notification channels (CIS 2.5)

mediumLog Metric Custom Role Alert Missing

Create an alert policy for the custom-role-changes log metric with notification channels (CIS 2.6)

highDNS DNSSEC Disabled

Enable DNSSEC on the public DNS managed zone to protect against DNS spoofing (CIS 3.3)

mediumDNS DNSSEC RSASHA1 Key-Signing Key

Replace the RSASHA1 key-signing algorithm with a stronger algorithm such as RSASHA256 or ECDSAP256SHA256 (CIS 3.4)

mediumDNS DNSSEC RSASHA1 Zone-Signing Key

Replace the RSASHA1 zone-signing algorithm with a stronger algorithm such as RSASHA256 or ECDSAP256SHA256 (CIS 3.5)

mediumDNS Logging Disabled

Enable DNS query logging on the managed zone for audit and security monitoring (CIS 2.12)

data protection

criticalBigQuery Dataset Public Access

Remove allUsers and allAuthenticatedUsers access entries from the BigQuery dataset (CIS 7.1)

encryption

highSSL Policy Weak TLS Version

Update the SSL policy to require TLS 1.2 minimum and use MODERN or RESTRICTED profile (CIS 3.9)

identity

highInstance Uses Full Cloud-Platform API Scope

Use a custom service account with only the OAuth scopes the workload requires (CIS GCP 4.2)

mediumInstance Does Not Block Project-Wide SSH Keys

Enable block-project-ssh-keys metadata on the instance to prevent project-level SSH key access (CIS GCP 4.3)

mediumOS Login Disabled on Instance

Enable OS Login for centralized SSH key management via IAM (CIS GCP 4.4)

mediumCloud Function Default Service Account

Assign a dedicated service account with least-privilege permissions instead of the default compute SA

network

mediumIP Forwarding Enabled on Instance

Disable IP forwarding unless the instance is explicitly acting as a router or network appliance (CIS GCP 4.6)

highLegacy VPC Network In Use

Migrate workloads to a custom-mode VPC network and delete the legacy network (CIS GCP 3.2)

criticalCloud SQL Authorized Networks Open to World

Remove 0.0.0.0/0 from authorized networks and restrict to specific IP ranges or use Cloud SQL Auth Proxy (CIS GCP 6.5)

highCloud Function Public Ingress

Restrict Cloud Function ingress to internal-only or internal-and-GCLB traffic

highCloud Run Service Public Ingress

Restrict Cloud Run service ingress to internal or internal-and-cloud-load-balancing traffic

secret management

highCloud Function Plaintext Secrets in Environment

Move secrets from plaintext environment variables to Secret Manager references (CIS 1.17)

sharing

criticalPublic Storage Bucket

Remove public access from GCP Storage buckets and use signed URLs for controlled access

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial