IAM Audit

​

Checks performed

• Users Should Use Work Email For Access
• KMS Admin Roles Should Not Have CryptoKey Role
• User Managed Service Account Should Not Have Admin Priviledges
• Service Account Keys Should Be Rotated
• Keys Should Be Managed By Google
• Service Accounts Admin And User Permissions Should Not Be Assigned At The Same Time
• Service Account User Should Not Have Service Account Token Creator Role
• KMS Cryptokeys Should Not Be Public
• KMS Encryption Keys Should Be Rotated
• Cryptographic Keys Should Be Rotated
• Ensure API Keys Are Not Created For A Project
• Ensure API Keys Are Restricted To Specific Hosts And Apps
• Ensure API Keys Are Restricted To Necessary APIs
• Ensure API Keys Are Rotated Periodically
• Ensure Essential Contacts Configured For Organization
• Ensure Dataproc Clusters Encrypted Using CMEK
• Define Allowed External IPs for VM Instances
• Disable Automatic IAM Role Grants for Default Service Accounts
• Disable Guest Attributes of Compute Engine Metadata
• Disable Serial Port Access Support at Organization Level
• Disable Service Account Key Upload
• Disable User-Managed Key Creation for Service Accounts
• Disable Workload Identity at Cluster Creation
• Enforce Detailed Audit Logging Mode
• Enforce Uniform Bucket-Level Access at Organization Level
• Prevent Service Account Creation for Google Cloud Organizations
• Require OS Login
• Restrict Allowed Google Cloud APIs and Services
• Restrict Authorized Networks on Cloud SQL instances
• Restrict Default Google-Managed Encryption for Cloud SQL Instances
• Restrict Load Balancer Creation Based on Load Balancer Types
• Restrict Public IP Access for Cloud SQL Instances at Organization Level
• Restrict Shared VPC Subnetworks
• Restrict VPC Peering Usage
• Restrict VPN Peer IPs
• Restrict Virtual Machine IP Forwarding
• Restrict the Creation of Cloud Resources to Specific Locations
• Restricting the Use of Images
• Skip Default VPC Network Creation