Interpretation of the Columns in Benchmark Compliance Rules:
Rule ID: A unique identifier for the specific security rule or check
Title: A brief description of the security issue or misconfiguration
Severity — Low to High: Determines the risk of being exposed to attacks
Service Type: The AWS service affected or evaluated by the rule
Resource Type: The specific AWS resource being audited
| Rule ID | Title | Severity | Service Type | Resource Type |
|---|---|---|---|---|
| CSPM-GCP-2025-0001 | Enable Deletion Protection for VM Instances | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0003 | Datasets Publicly Accessible | Critical | BigQuery | Datasets |
| CSPM-GCP-2025-0006 | Cloud SQL Instances without Automated Backup Configuration | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0007 | Cloud SQL Instances accessible from Public Ranges | Critical | Cloud SQL | Instances |
| CSPM-GCP-2025-0010 | Cloud SQL Instances not enforcing TLS/SSL client connections | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0035 | Block Project-Wide SSH Keys is not enabled | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0036 | Serial Port Access is enabled | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0037 | Instances configured to use Default Service Account | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0056 | Cloud Functions not enforcing HTTPS-Only Access | Medium | Cloud Functions | Functions |
| CSPM-GCP-2025-0058 | Cloud Functions Accessible by “_ARG_0_” | Critical | Cloud Functions | Functions |
| CSPM-GCP-2025-0075 | GKE Clusters with Basic Authentication enabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0082 | GKE Clusters without Master Authorized Networks Protection | Critical | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0094 | GKE Clusters using Legacy Authorization Mode | Critical | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0103 | Redis Instance does not have AUTH enabled | Critical | Cloud Memorystore | RedisInstances |
| CSPM-GCP-2025-0122 | Confidential Computing Disabled | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0131 | Dataproc Cluster VM disk encryption with customer-managed keys (gcePdKmsKeyName) Not Configured | High | Dataproc | DataprocClusters |
| CSPM-GCP-2025-0154 | GKE Clusters without gVisor Sandbox Protection | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0307 | Redis Cluster has Deletion Protection disabled | High | Cloud Memorystore | RedisClusters |
| CSPM-GCP-2025-0002-01 | OS Login Disabled on Compute Instances | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0004 | Dataset Not Encrypted with Customer-Managed Keys (CMKs) | Medium | BigQuery | Datasets |
| CSPM-GCP-2025-0008 | Cloud SQL Instances Accessible from Public Internet | Critical | Cloud SQL | Instances |
| CSPM-GCP-2025-0009 | MySQL Instances with Binary Logging Disabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0014 | Log Checkpoints Database Flag for PostgreSQL Instance Is off | Medium | Cloud SQL | VMInstances |
| CSPM-GCP-2025-0015 | Log Connections Database Flag for PostgreSQL Instance Is off | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0016 | Log Disconnections Database Flag for PostgreSQL Instance Is off | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0017 | Log Lock Waits Database Flag for PostgreSQL Instance Is off | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0018 | Log Min Duration Statement Database Flag for PostgreSQL Instance Is Not Set to -1 | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0019 | Log Min Error Statement Database Flag for PostgreSQL Instance Is Not Set to ERROR | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0020 | SQL Server Instances with Remote Access enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0021 | SQL Server Contained Database Authentication enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0022 | Cross DB Ownership Chaining Enabled for SQL Server Instance | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0023 | Cloud Storage Bucket Accessible by “ARG_0“ | Critical | Cloud Storage Global | BucketPolicy |
| CSPM-GCP-2025-0024 | Cloud Storage Buckets with Access Logging Disabled | Medium | Cloud Storage | Buckets |
| CSPM-GCP-2025-0025 | Cloud Storage Private Access Prevention not enforced | High | Cloud Storage | Buckets |
| CSPM-GCP-2025-0026 | Cloud Storage Buckets without Object Versioning | Medium | Cloud Storage | Buckets |
| CSPM-GCP-2025-0027 | Cloud Storage Buckets Without Uniform Bucket-Level Access | Medium | Cloud Storage | Buckets |
| CSPM-GCP-2025-0024 | Cloud Storage Buckets with access logging disabled | Medium | Cloud Storage | Buckets |
| CSPM-GCP-2025-0025 | Cloud Storage Private Access Prevention not enforced | High | Cloud Storage | Buckets |
| CSPM-GCP-2025-0026 | Cloud Storage Buckets without Object Versioning | Medium | Cloud Storage | Buckets |
| CSPM-GCP-2025-0027 | Cloud Storage Buckets Without Uniform Bucket-Level Access | High | Cloud Storage | Buckets |
| CSPM-GCP-2025-0028 | VPC using Insecure Default Firewall Rules | High | Network Security | Firewalls |
| CSPM-GCP-2025-0029 | VPC Firewall Rules allowing All Ports Exposed | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0030 | Firewall Rule allows unrestricted DNS Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0031 | Firewall Rule Allows Unrestricted FTP Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0032 | Firewall Rule allows Unrestricted ICMP Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0033 | Firewall Rule allows Unrestricted Access to Custom Ports | High | Network Security | Firewalls |
| CSPM-GCP-2025-0041 | Ensure that IP Forwarding is not enabled on instances | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0044 | Shielded VM Disabled | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0045 | Instance without deletion protection | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0056 | Cloud Functions not enforcing HTTPS-Only Access | Medium | Cloud Functions | Functions |
| CSPM-GCP-2025-0057 | Potential Secrets in Function Environment Variables (Gen 1) | Medium | Cloud Functions | Functions |
| CSPM-GCP-2025-0059 | GEN_1 Cloud Functions Exposed with Public Access | Medium | Cloud Functions | Functions |
| CSPM-GCP-2025-0071 | User-Managed Service Account Keys | High | IAM | Keys |
| CSPM-GCP-2025-0074-01 | KMS Encryption Not Rotated within 90 Days | Medium | Cloud KMS | Keys |
| CSPM-GCP-2025-0075 | GKE Clusters with Basic Authentication Enabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0076 | GKE Clusters with Certificate-Based Authentication Enabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0077 | GKE Clusters Without Alias IP (IP Aliasing) Enabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0078 | GKE Clusters Without Application-Layer Secrets Encryption | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0079 | GKE Clusters Without Binary Authorization Protection | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0080 | GKE Clusters Missing Resource Labels | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0081 | GKE Clusters with Logging Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0082 | GKE Clusters Without Master Authorized Networks Protection | Critical | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0083 | Workload Metadata Configuration Disabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0084 | GKE Clusters with Monitoring Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0085 | GKE Clusters Without Network Policy Enforcement | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0086 | Pod Security Policy Disabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0087 | GKE Clusters with Public Master Endpoints Exposed | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0088 | Private Google Access Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0089 | GKE Clusters Not Enrolled in Release Channel | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0090 | Shielded GKE Nodes Disabled on Clusters | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0091 | Workload identity disabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0092 | Kubernetes Dashboard Enabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0093 | Default Service Account in Use for GKE Nodes | High | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0094 | GKE Clusters Using Legacy Authorization Mode | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0095 | GKE Clusters Using Legacy Metadata API Endpoints | High | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0096 | Nodes with Auto-Repair Disabled | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0097 | Nodes with Auto-Upgrade Disabled | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0098 | Lack of Container-Optimized OS Node Images | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0099 | Nodes with Integrity Monitoring Disabled | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0100 | Nodes with Secure Boot Disabled | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0101 | Private Cluster Nodes Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0102 | Excessive OAuth Scopes on Default Service Account | High | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0113 | Ensure That Sinks Are Configured for All Log Entries | Medium | Logging | Sinks |
| CSPM-GCP-2025-0114 | Alerts Doesn’t Exist for Audit Configuration Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0115 | Alerts Doesn’t Exist for Cloud Storage IAM Permission Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0116 | Alerts Doesn’t Exist for Custom Role Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0117 | Alerts Doesn’t Exist for Project Ownership Assignments/Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0118 | Alerts Doesn’t Exist for SQL Instance Configuration Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0119 | Alerts Doesn’t Exist for VPC Network Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0120 | Alerts Doesn’t Exist for VPC Network Firewall Rule Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0121 | Alerts Doesn’t Exist for VPC Network Route Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0123 | Compute Secure Boot Disabled | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0124 | Compute Instance Automatic Restart Disabled | Low | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0125 | Compute Instance On Host Maintenance Not Set to Migrate | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0126 | Compute Instance Persistent Disk Auto-Delete Enabled | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0127 | Preemptible VM Instance Detected | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0128 | User with Privileged Service Account Roles at the Project Level | High | IAM | IAM |
| CSPM-GCP-2025-0132 | Dataproc Cluster Full Encryption with Customer-Managed Keys (kmsKey) Not Configured | High | Dataproc | DataprocClusters |
| CSPM-GCP-2025-0133 | Table Not Encrypted with Customer-Managed Keys (CMKs) | Medium | BigQuery | Tables |
| CSPM-GCP-2025-0134 | Dataproc Clusters Are Publicly Accessible | High | Dataproc | DataprocClusters |
| CSPM-GCP-2025-0135 | Ensure that your Google Cloud Filestore instances have Deletion Protection feature enabled | Medium | Filestore | FilestoreInstances |
| CSPM-GCP-2025-0150 | GKE Clusters Without Intranode Visibility Enabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0151 | Alpha GKE Cluster in Use | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0152 | GKE Cluster Cost Allocation Disabled | Low | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0153 | GKE Cluster Backup for GKE Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0154 | GKE Clusters Without gVisor Sandbox Protection | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0155 | GKE Confidential Nodes Not Enabled Due to Incompatible Machine Type | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0156 | GKE N2D Nodes Without Confidential Computing Enabled | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0157 | GKE Dataplane V2 Not Enabled for Inter-Node Encryption | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0158 | GKE Workload Vulnerability Scanning Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0159 | GKE Security Posture Dashboard Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0160 | GKE Inter-Node Transparent Encryption Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0161 | GKE Cluster Security Notifications Not Configured | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0162 | MySQL Instances Running Outdated Database Version | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0164 | MySQL Skip Show Database Flag Not Enabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0165 | MySQL Slow Query Logging Disabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0166 | PostgreSQL Instances Running Outdated Database Version | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0167 | PostgreSQL Log Error Verbosity Misconfigured | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0168 | Log Min Messages Flag Not Properly Configured for PostgreSQL Instance | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0169 | Log Statement Flag Not Properly Configured for PostgreSQL Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0170 | Max Connections Flag Not Properly Configured for PostgreSQL Instance | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0171 | PostgreSQL Log Planner Stats Flag Enabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0172 | PostgreSQL Log Executor Stats Flag Enabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0173 | PostgreSQL Log Parser Stats Flag Enabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0174 | PostgreSQL Log Statement Stats Flag Enabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0175 | PostgreSQL Temporary File Logging Disabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0176 | PostgreSQL PGAudit Extension Not Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0177 | PostgreSQL Hostname Logging Disabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0178 | PostgreSQL Hostname Logging Disabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0179 | User Connections Flag Configured for SQL Server Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0180 | SQL Server External Scripts Execution Enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0181 | SQL Server Trace Flag 3625 Not Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0272 | Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0301 | Use Customer-Managed Encryption Keys (CMEKs) to encrypt data at rest within your Filestore instances | Medium | Filestore | FilestoreInstances |
| CSPM-GCP-2025-0302 | Configure maintenance windows for Redis instances to ensure controlled patching and updates | Medium | Cloud Memorystore | RedisInstances |
| CSPM-GCP-2025-0303 | Configure maintenance windows for Memcache instances to ensure controlled patching and updates | Medium | Cloud Memorystore | MemcacheInstances |
| CSPM-GCP-2025-0304 | Configure maintenance windows for Redis clusters to ensure controlled patching and updates | Medium | Cloud Memorystore | RedisClusters |
| CSPM-GCP-2025-0305 | Configure maintenance windows for Valkey instances to ensure controlled patching and updates | Medium | Cloud Memorystore | ValkeyInstances |
| CSPM-GCP-2025-0306 | Redis Instance Has Read Replicas Disabled | Medium | Cloud Memorystore | RedisInstances |
