Google Cloud Policy Index

How to Use this Page

This page lists the Google Cloud policies that Bridgecrew helps you enforce, grouped by category. You can browse the page, search for a specific policy ID, or jump to one of the categories from the list below or from the right-hand menu. For each policy, click the link for details about the policy and its remediation options.

Click a category to jump to that section on this page.

General

Encrypt VM Disks for Critical VMs with CSEKs
Violation ID: BC_GCP_GENERAL_1

Encrypt Boot Disks for Instances with CSEKs
Violation ID: BC_GCP_GENERAL_2

Enable Shielded VM when Compute Instances are Launched
Violation ID: BC_GCP_GENERAL_3

Ensure KMS Encryption Keys are Rotated Within a Period of 90 Days
Violation ID: BC_GCP_GENERAL_4

Ensure Cloud SQL Database Instances Require Incoming Connections to use SSL
Violation ID: BC_GCP_GENERAL_5

Enable Cloud SQL Database Instance Backup Configuration
Violation ID: BC_GCP_GENERAL_6

Ensure BigQuery Datasets are Not Anonymously or Publicly Accessible
Violation ID: BC_GCP_GENERAL_7

IAM

Do Not Configure Instances to use Default Service Account
Violation ID: BC_GCP_IAM_1

Ensure Instances are Not Configured to use Default Service Account with Full Access to Cloud APIs
Violation ID: BC_GCP_IAM_2

Do Not Assign IAM Users Service Account User or Service Account Token Creator Roles at Project Level
Violation ID: BC_GCP_IAM_3

Ensure Service Account has No Admin Privileges
Violation ID: BC_GCP_IAM_4
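The IAM policies above are attribute checks on Compute Engine instance and IAM binding resources. The following is an added illustration written for this page, not Bridgecrew's own check code: it evaluates BC_GCP_IAM_1 and BC_GCP_IAM_2 (instance running as the default Compute Engine service account, and doing so with the full cloud-platform scope) and BC_GCP_IAM_4 (a service account bound to an admin-level role) over constructed resource dicts that mirror Terraform google_compute_instance and google_project_iam_member attributes. The default-service-account suffix and the cloud-platform scope spellings are as Google documents them; the "admin" role heuristic is an assumption of this example.

```python
"""Added example for BC_GCP_IAM_1, BC_GCP_IAM_2 and BC_GCP_IAM_4.
Not Bridgecrew's implementation; resource dicts are constructed to mirror
Terraform google_compute_instance / google_project_iam_member attributes."""

# The project default Compute Engine SA is <project-number>-compute@developer.gserviceaccount.com
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"
# Terraform accepts either the short alias or the full scope URL.
FULL_ACCESS_SCOPES = {"cloud-platform", "https://www.googleapis.com/auth/cloud-platform"}
# Assumption for BC_GCP_IAM_4: primitive owner/editor, or any role whose name contains "admin".
PRIMITIVE_ADMIN_ROLES = {"roles/owner", "roles/editor"}


def uses_default_service_account(instance):
    """BC_GCP_IAM_1: an instance runs as the default SA when the service_account
    block is absent, when its email is omitted, or when the email is the default one."""
    sa = instance.get("service_account")
    if sa is None:
        return True
    email = sa.get("email")
    if not email:
        return True
    return email.endswith(DEFAULT_SA_SUFFIX)


def check_instance(instance):
    """Return the violation IDs a single compute instance triggers."""
    findings = []
    default_sa = uses_default_service_account(instance)
    if default_sa:
        findings.append("BC_GCP_IAM_1")
    scopes = (instance.get("service_account") or {}).get("scopes") or []
    # BC_GCP_IAM_2 needs both conditions: default SA *and* full API access.
    if default_sa and any(s in FULL_ACCESS_SCOPES for s in scopes):
        findings.append("BC_GCP_IAM_2")
    return findings


def check_iam_member(binding):
    """BC_GCP_IAM_4: flag a service-account member bound to an admin-level role."""
    member = binding.get("member", "")
    role = binding.get("role", "")
    if not member.startswith("serviceAccount:"):
        return []          # users and groups are out of scope for this policy
    if role in PRIMITIVE_ADMIN_ROLES or "admin" in role.lower():
        return ["BC_GCP_IAM_4"]
    return []


def audit(instances, bindings):
    """Map each offending resource to its findings; clean resources are omitted."""
    result = {}
    for inst in instances:
        ids = check_instance(inst)
        if ids:
            result[inst["name"]] = ids
    for b in bindings:
        ids = check_iam_member(b)
        if ids:
            result[f"{b['member']} -> {b['role']}"] = ids
    return result


# Constructed sample resources (no real project).
SAMPLE_INSTANCES = [
    {"name": "web-1", "service_account": {
        "email": "123456789012-compute@developer.gserviceaccount.com",
        "scopes": ["cloud-platform"]}},
    {"name": "web-2"},  # no service_account block at all
    {"name": "web-3", "service_account": {
        "email": "app-runner@example-project.iam.gserviceaccount.com",
        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}},
]
SAMPLE_BINDINGS = [
    {"role": "roles/editor",
     "member": "serviceAccount:app-runner@example-project.iam.gserviceaccount.com"},
    {"role": "roles/compute.admin",
     "member": "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"},
    {"role": "roles/owner", "member": "user:alice@example.com"},
    {"role": "roles/storage.objectViewer",
     "member": "serviceAccount:app-runner@example-project.iam.gserviceaccount.com"},
]

if __name__ == "__main__":
    for resource, ids in audit(SAMPLE_INSTANCES, SAMPLE_BINDINGS).items():
        print(f"{resource}: {', '.join(ids)}")
```

Note that web-3 carries the cloud-platform scope but is not flagged under BC_GCP_IAM_2, because that policy targets the default service account specifically; a dedicated service account with a broad scope is governed by what IAM roles it actually holds, which is what BC_GCP_IAM_4 looks at.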

Kubernetes

Enable Stackdriver Logging on Kubernetes Engine Clusters
Violation ID: BC_GCP_KUBERNETES_1

Disable Legacy Authorization on Kubernetes Engine Clusters
Violation ID: BC_GCP_KUBERNETES_2

Enable Stackdriver Monitoring on Kubernetes Engine Clusters
Violation ID: BC_GCP_KUBERNETES_3

Enable Automatic Node Repair for Kubernetes Clusters
Violation ID: BC_GCP_KUBERNETES_4

Enable Automatic Node Upgrade for Kubernetes Clusters
Violation ID: BC_GCP_KUBERNETES_5

Create Kubernetes Cluster with Private Cluster Enabled
Violation ID: BC_GCP_KUBERNETES_6

Enable Network Policy on Kubernetes Engine Clusters
Violation ID: BC_GCP_KUBERNETES_7

Ensure Client Certificate Authenticates Kubernetes Engine Clusters
Violation ID: BC_GCP_KUBERNETES_8

Enable PodSecurityPolicy Controller on Kubernetes Engine Clusters
Violation ID: BC_GCP_KUBERNETES_9

Ensure GKE Control Plane is Not Public
Violation ID: BC_GCP_KUBERNETES_10

Ensure GKE Basic Auth is Disabled
Violation ID: BC_GCP_KUBERNETES_11

Enable Master Authorized Networks in GKE Clusters
Violation ID: BC_GCP_KUBERNETES_12

Configure Kubernetes Clusters with Labels
Violation ID: BC_GCP_KUBERNETES_13

Use Container-Optimized OS (COS) for Kubernetes Engine Cluster Node Images
Violation ID: BC_GCP_KUBERNETES_14

Create Kubernetes Cluster with Alias IP Ranges Enabled
Violation ID: BC_GCP_KUBERNETES_15

Logging

Enable VPC Flow Logs for VPC Network Subnets
Violation ID: BC_GCP_LOGGING_1

Networking

Ensure Google Compute Firewall Ingress does Not Allow Unrestricted SSH Access
Violation ID: BC_GCP_NETWORKING_1

Ensure Google Compute Firewall Ingress does Not Allow Unrestricted RDP Access
Violation ID: BC_GCP_NETWORKING_2

Ensure HTTPS and SSL Proxy Load Balancers do Not Permit SSL Policies with Weak Cipher Suites
Violation ID: BC_GCP_NETWORKING_3

Ensure Cloud SQL Database Instances are Not Publicly Accessible
Violation ID: BC_GCP_NETWORKING_4

Enable DNSSEC for Cloud DNS
Violation ID: BC_GCP_NETWORKING_5

Do not use RSASHA1 for Zone-Signing and Key-Signing Keys in Cloud DNS DNSSEC
Violation ID: BC_GCP_NETWORKING_6

Ensure Default Network Does Not Exist in a Project
Violation ID: BC_GCP_NETWORKING_7

Enable Block Project-wide SSH Keys for VM Instances
Violation ID: BC_GCP_NETWORKING_8

Enable OS Login for a Project
Violation ID: BC_GCP_NETWORKING_9

Ensure No Project Instance Overrides the Project Setting Enabling OS Login
Violation ID: BC_GCP_NETWORKING_10

Do Not Enable Connecting to Serial Ports for VM Instance
Violation ID: BC_GCP_NETWORKING_11

Do Not Enable IP Forwarding on Instances
Violation ID: BC_GCP_NETWORKING_12
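The first two networking policies above (BC_GCP_NETWORKING_1 and BC_GCP_NETWORKING_2) are firewall-rule checks, and the interesting part is what counts as "unrestricted": not only a literal 0.0.0.0/0 or ::/0 in source_ranges but also, per Google's documented default, an ingress rule that names no source at all; and not only ports "22" or "3389" but any port range that contains them, or an allow block with no ports list. The following is an added example written for this page, not Bridgecrew's own check, evaluating constructed rule dicts that mirror Terraform google_compute_firewall attributes.

```python
"""Added example for BC_GCP_NETWORKING_1 (unrestricted SSH) and
BC_GCP_NETWORKING_2 (unrestricted RDP). Not Bridgecrew's implementation;
rule dicts are constructed to mirror Terraform google_compute_firewall."""

WATCHED_PORTS = {22: "BC_GCP_NETWORKING_1", 3389: "BC_GCP_NETWORKING_2"}
UNRESTRICTED = {"0.0.0.0/0", "::/0"}


def port_spec_covers(spec, port):
    """True if a Terraform port entry ("22" or "20-25") includes `port`."""
    spec = str(spec).strip()
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def rule_opens_port(rule, port):
    """True if any allow block permits TCP to `port`. Only allow blocks are read;
    deny blocks never open anything. No ports list means every port of the protocol."""
    for allow in rule.get("allow", []):
        proto = str(allow.get("protocol", "")).lower()
        if proto not in ("tcp", "all"):
            continue
        ports = allow.get("ports") or []
        if not ports or any(port_spec_covers(p, port) for p in ports):
            return True
    return False


def source_is_unrestricted(rule):
    """World-reachable if source_ranges contains 0.0.0.0/0 or ::/0, or if the rule
    names no source at all (no source_ranges, source_tags or source_service_accounts):
    GCP then applies the rule to all sources."""
    ranges = rule.get("source_ranges") or []
    if any(r in UNRESTRICTED for r in ranges):
        return True
    has_any_source = ranges or rule.get("source_tags") or rule.get("source_service_accounts")
    return not has_any_source


def check_firewall(rule):
    """Return the violation IDs a single firewall resource triggers."""
    if str(rule.get("direction", "INGRESS")).upper() != "INGRESS":
        return []          # egress rules are out of scope for these two policies
    if not source_is_unrestricted(rule):
        return []
    return [vid for port, vid in WATCHED_PORTS.items() if rule_opens_port(rule, port)]


def audit(rules):
    """Map each offending rule name to its findings; clean rules are omitted."""
    result = {}
    for rule in rules:
        ids = check_firewall(rule)
        if ids:
            result[rule["name"]] = ids
    return result


# Constructed sample resources (no real project).
SAMPLE_RULES = [
    {"name": "ssh-from-anywhere", "direction": "INGRESS",
     "source_ranges": ["0.0.0.0/0"],
     "allow": [{"protocol": "tcp", "ports": ["22"]}]},
    {"name": "rdp-via-range", "direction": "INGRESS",
     "source_ranges": ["10.0.0.0/8", "::/0"],
     "allow": [{"protocol": "tcp", "ports": ["3000-4000"]}]},   # range contains 3389
    {"name": "all-traffic-no-source",                           # no source => all sources
     "allow": [{"protocol": "all"}]},
    {"name": "ssh-from-corp", "direction": "INGRESS",
     "source_ranges": ["203.0.113.0/24"],
     "allow": [{"protocol": "tcp", "ports": ["22"]}]},
    {"name": "egress-only", "direction": "EGRESS",
     "destination_ranges": ["0.0.0.0/0"],
     "allow": [{"protocol": "tcp", "ports": ["22", "3389"]}]},
    {"name": "udp-only", "direction": "INGRESS",
     "source_ranges": ["0.0.0.0/0"],
     "allow": [{"protocol": "udp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    for name, ids in audit(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(ids)}")
```

The check is deliberately per-resource: it reports a rule that would open the port if it were attached to an instance, and does not try to resolve target tags, priorities or higher-priority deny rules, which is also how a static policy scan over Terraform sees the configuration.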

Public

Ensure Cloud Storage Bucket is Not Anonymously or Publicly Accessible
Violation ID: BC_GCP_PUBLIC_1

Ensure Compute Instances Do Not Have Public IP Addresses
Violation ID: BC_GCP_PUBLIC_2

Google Cloud Storage

Encrypt Google Storage Buckets
Violation ID: BC_GCP_GCS_1

Enable Uniform Bucket-Level Access on Cloud Storage Buckets
Violation ID: BC_GCP_GCS_2

Updated 3 months ago

