Best practice rules for GCP Resource Manager
Trend Micro Cloud One™ – Conformity monitors GCP Resource Manager with the following rules:
- Disable Automatic IAM Role Grants for Default Service Accounts
Ensure that the "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced.
- Disable Serial Port Access Support at Organization Level
Ensure that the "Disable VM serial port access" policy is enforced at the GCP organization level.
- Disable User-Managed Key Creation for Service Accounts
Ensure that the user-managed key creation for Cloud IAM service accounts is disabled.
- Enforce Uniform Bucket-Level Access at Organization Level
Ensure that the "Enforce uniform bucket-level access" policy is enabled at the Google Cloud Platform (GCP) organization level.
- Prevent Service Account Creation for Google Cloud Organizations
Ensure that Cloud IAM service account creation is disabled at the organization level.
- Restrict Allowed Google Cloud APIs and Services
Ensure that the "Restrict allowed Google Cloud APIs and services" organization policy is enforced for your GCP organizations.
- Restrict Authorized Networks on Cloud SQL instances
Ensure that the "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at the GCP organization level.
- Restrict Public IP Access for Cloud SQL Instances at Organization Level
Ensure that the "Restrict Public IP access on Cloud SQL instances" policy is enabled at the GCP organization level.
- Restrict the Creation of Cloud Resources to Specific Locations
Ensure that the "Google Cloud Platform - Resource Location Restriction" constraint policy is enforced for your GCP organizations.