Interpretation of the Columns in Benchmark Compliance Rules:
Rule ID: A unique identifier for the specific security rule or check
Title: A brief description of the security issue or misconfiguration
Severity — Low to High: Determines the risk of being exposed to attacks
Service Type: The AWS service affected or evaluated by the rule
Resource Type: The specific AWS resource being audited
| Rule ID | Title | Severity | Service Type | Resource Type |
|---|---|---|---|---|
| CSPM-GCP-2025-0001 | Enable Deletion Protection for VM Instances | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0002-01 | OS Login Disabled on Compute Instances | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0002-02 | OS Login Disabled on Project Metadata | Medium | ComputeEngineGlobal | VMInstances |
| CSPM-GCP-2025-0003 | Datasets Publicly Accessible | Critical | BigQuery | Datasets |
| CSPM-GCP-2025-0004 | Dataset Not Encrypted with CMKs | Medium | BigQuery | Datasets |
| CSPM-GCP-2025-0005 | Instance Allows Root Login from Any Host | Critical | Cloud SQL Global | CloudSQL Users |
| CSPM-GCP-2025-0006 | Cloud SQL Missing Automated Backup | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0007 | Cloud SQL Accessible from Public Ranges | Critical | Cloud SQL | Instances |
| CSPM-GCP-2025-0008 | Cloud SQL Public Internet Access | Critical | Cloud SQL | Instances |
| CSPM-GCP-2025-0010 | Cloud SQL Not Enforcing TLS/SSL | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0011 | Missing Backup Protection | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0012 | Cloud SQL Public Internet Access | Critical | Cloud SQL | Instances |
| CSPM-GCP-2025-0013 | MySQL Local Infile Enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0015 | PostgreSQL Log Connections Off | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0018 | Log Min Duration Statement Not Set | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0020 | SQL Server Remote Access Enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0021 | Contained DB Authentication Enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0022 | Cross DB Ownership Chaining Enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0023 | Storage Bucket Public Access | Critical | Cloud Storage Global | BucketPolicy |
| CSPM-GCP-2025-0027 | Uniform Bucket Access Disabled | High | Cloud Storage | Buckets |
| CSPM-GCP-2025-0028 | Insecure Default Firewall Rules | High | Network Security | Firewalls |
| CSPM-GCP-2025-0029 | Firewall Allows All Ports | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0030 | Unrestricted DNS Firewall Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0031 | Unrestricted FTP Firewall Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0035 | Project-wide SSH Keys Enabled | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0036 | Serial Port Access Enabled | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0037 | Default Service Account Used | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0041 | Ensure That IP Forwarding Is Not Enabled on Instances | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0044 | Shielded VM Disabled | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0056 | Cloud Functions HTTP Access | Medium | Cloud Functions | Functions |
| CSPM-GCP-2025-0058 | Cloud Function Public Access | Critical | Cloud Functions | Functions |
| CSPM-GCP-2025-0062 | Non-Workspace Account in Use | Medium | IAM | Policies |
| CSPM-GCP-2025-0063 | Service Account Keys Not Rotated | High | IAM | Keys |
| CSPM-GCP-2025-0069 | Service Account Admin Privileges | Critical | IAM | IAM |
| CSPM-GCP-2025-0071 | User-Managed SA Keys | Critical | IAM | Keys |
| CSPM-GCP-2025-0073 | KMS Keys Publicly Accessible | Critical | Cloud KMS Global | Policies |
| CSPM-GCP-2025-0074 | KMS Rotation Missing | Medium | Cloud KMS | Keys |
| CSPM-GCP-2025-0075 | GKE Basic Auth Enabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0082 | Missing Master Authorized Networks | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0094 | GKE Legacy Authorization Enabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0103 | Redis AUTH Disabled | High | Cloud Memorystore | RedisInstances |
| CSPM-GCP-2025-0105 | Missing Log Metric (Audit Changes) | High | Logging | Metrics |
| CSPM-GCP-2025-0128 | Privileged SA Roles Assigned | Critical | IAM | IAM |
| CSPM-GCP-2025-0130 | Cloud Storage Public Bucket | Critical | Cloud Storage Global | BucketPolicy |
| CSPM-GCP-2025-0189 | Unrestricted SSH Port 22 | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0262 | Unrestricted RDP | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0275 | Unrestricted Egress All Ports | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0282 | Kubernetes API Server Exposed | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0113 | Ensure that sinks are configured for all Log Entries | Medium | Logging | Sinks |
| CSPM-GCP-2025-0114 | Alerts doesn’t exist for audit configuration changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0115 | Alerts doesn’t exist for cloud storage IAM permission changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0116 | Alerts doesn’t exist for Custom Role Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0117 | Alerts doesn’t exist for project ownership assignments/changes | High | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0118 | Alerts doesn’t exist for SQL Instance Configuration Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0119 | Alerts don’t exist for VPC Network Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0120 | Alerts don’t exist for VPC Network Firewall Rule Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0121 | Alerts don’t exist for VPC Network Route Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0071 | User-Managed Service Account Keys | Critical | IAM | Keys |
| CSPM-GCP-2025-0114 | Alerts doesn’t exist for Audit Configuration changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0113 | Ensure that sinks are Configured for All Log Entries | Medium | Logging | Sinks |
| CSPM-GCP-2025-0115 | Alerts doesn’t exist for Cloud Storage IAM Permission Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0116 | Alerts doesn’t exist for Custom Role changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0117 | Alerts don’t exist for Project Ownership Assignments/Changes | High | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0118 | Alerts don’t exist for SQL Instance Configuration Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0119 | Alerts Don’t exist for VPC Network Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0120 | Alerts don’t exist for VPC Network Firewall Rule Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0121 | Alerts don’t exist for VPC Network Route Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0009 | MySQL Instances with Binary Logging Disabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0014 | Log Checkpoints Database Flag for PostgreSQL Instance Is off | Medium | Cloud SQL | VMInstances |
| CSPM-GCP-2025-0016 | Log Disconnections Database Flag for PostgreSQL Instance Is off | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0017 | Log Lock Waits Database Flag for PostgreSQL Instance Is off | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0018 | Log Min Duration Statement Database Flag for PostgreSQL Instance Is Not Set to -1 | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0019 | Log Min Error Statement Database Flag for PostgreSQL Instance Is Not Set to ERROR | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0020 | SQL Server Instances with Remote Access Enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0024 | Cloud Storage Buckets with Access Logging Disabled | Medium | Cloud Storage | Buckets |
| CSPM-GCP-2025-0025 | Cloud Storage Private Access Prevention not enforced | High | Cloud Storage | Buckets |
| CSPM-GCP-2025-0024 | Cloud Storage Buckets with access logging disabled | Medium | Cloud Storage | Buckets |
| CSPM-GCP-2025-0025 | Cloud Storage Private Access Prevention not enforced | High | Cloud Storage | Buckets |
| CSPM-GCP-2025-0026 | Cloud Storage Buckets without Object Versioning | Medium | Cloud Storage | Buckets |
| CSPM-GCP-2025-0027 | Cloud Storage Buckets Without Uniform Bucket-Level Access | High | Cloud Storage | Buckets |
| CSPM-GCP-2025-0028 | VPC using Insecure Default Firewall Rules | High | Network Security | Firewalls |
| CSPM-GCP-2025-0029 | VPC Firewall Rules allowing All Ports Exposed | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0030 | Firewall Rule allows unrestricted DNS Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0031 | Firewall Rule allows Unrestricted FTP Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0032 | Firewall Rule allows Unrestricted ICMP Access | Medium | Network Security | Firewalls |
| CSPM-GCP-2025-0033 | Firewall Rule allows Unrestricted Access to Custom Ports | High | Network Security | Firewalls |
| CSPM-GCP-2025-0044 | Shielded VM Disabled | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0045 | Instance without deletion protection | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0051 | Old Instance Disk Snapshot | Medium | ComputeEngineGlobal | Snapshots |
| CSPM-GCP-2025-0056 | Cloud Functions not enforcing HTTPS-Only Access | Medium | Cloud Functions | Functions |
| CSPM-GCP-2025-0057 | Potential Secrets in Function Environment Variables (Gen 1) | High | Cloud Functions | Functions |
| CSPM-GCP-2025-0059 | GEN_1 Cloud Functions Exposed with Public Access | Critical | Cloud Functions | Functions |
| CSPM-GCP-2025-0060 | Secret Manager API is “Disabled” for your Project | Medium | Service Usage | EnabledServices |
| CSPM-GCP-2025-0062 | Gmail/Non-Workspace Account in use | Medium | IAM | Policies |
| CSPM-GCP-2025-0063 | Lack of User-Managed Service Account Key Rotation | High | IAM | Keys |
| CSPM-GCP-2025-0069 | Service Account with Admin Privileges | Critical | IAM | IAM |
| CSPM-GCP-2025-0071 | User-Managed Service Account Keys | Critical | IAM | Keys |
| CSPM-GCP-2025-0072 | User with Privileged Service Account Roles at the Project Level | Critical | IAM | IAM |
| CSPM-GCP-2025-0073 | Cloud KMS Cryptographic Keys Exposed to Public Access | Critical | Cloud KMS Global | Policies |
| CSPM-GCP-2025-0074 | KMS Encryption Not Rotated within 90 Days | Medium | Cloud KMS | CryptoKeys |
| CSPM-GCP-2025-0074-01 | KMS Encryption Not Rotated within 90 Days | Medium | Cloud KMS | Keys |
| CSPM-GCP-2025-0074-02 | KMS Encryption Not Rotated within 90 Days | Medium | Cloud KMS Global | Keys |
| CSPM-GCP-2025-0075 | GKE Clusters with Basic Authentication Enabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0076 | GKE Clusters with Certificate-Based Authentication Enabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0077 | GKE Clusters Without Alias IP (IP Aliasing) Enabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0078 | GKE Clusters Without Application-Layer Secrets Encryption | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0079 | GKE Clusters Without Binary Authorization Protection | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0080 | GKE Clusters Missing Resource Labels | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0081 | GKE Clusters with Logging Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0082 | GKE Clusters Without Master Authorized Networks Protection | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0083 | Workload Metadata Configuration Disabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0084 | GKE Clusters with Monitoring Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0085 | GKE Clusters Without Network Policy Enforcement | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0086 | Pod Security Policy Disabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0087 | GKE Clusters with Public Master Endpoints Exposed | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0088 | Private Google Access Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0089 | GKE Clusters Not Enrolled in Release Channel | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0090 | Shielded GKE Nodes Disabled on Clusters | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0091 | Workload identity disabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0092 | Kubernetes Dashboard Enabled | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0093 | Default Service Account in Use for GKE Nodes | High | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0094 | GKE Clusters Using Legacy Authorization Mode | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0095 | GKE Clusters Using Legacy Metadata API Endpoints | High | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0096 | Nodes with Auto-Repair Disabled | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0097 | Nodes with Auto-Upgrade Disabled | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0098 | Lack of Container-Optimized OS Node Images | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0099 | Nodes with Integrity Monitoring Disabled | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0100 | Nodes with Secure Boot Disabled | High | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0101 | Private Cluster Nodes Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0102 | Excessive OAuth Scopes on Default Service Account | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0105 | Log Metric Filter Doesn’t Exist for Audit Configuration Changes | High | Logging | Metrics |
| CSPM-GCP-2025-0106 | Log Metric Filter Doesn’t Exist for Storage Bucket IAM Permission Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0107 | Log Metric Filter Doesn’t Exist for Custom Role Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0108 | Log Metric Filter Doesn’t Exist for Project Ownership Assignments/Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0109 | Log Metric Filter Doesn’t Exist for SQL Instance Configuration Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0110 | Log Metric Filter Doesn’t Exist for VPC Network Firewall Rule Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0111 | Log Metric Filter Doesn’t Exist for VPC Network Route Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0112 | Log Metric Filter Doesn’t Exist for VPC Network Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0113 | Ensure That Sinks Are Configured for All Log Entries | Medium | Logging | Sinks |
| CSPM-GCP-2025-0114 | Alerts Doesn’t Exist for Audit Configuration Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0115 | Alerts Doesn’t Exist for Cloud Storage IAM Permission Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0116 | Alerts Doesn’t Exist for Custom Role Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0117 | Alerts Doesn’t Exist for Project Ownership Assignments/Changes | High | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0118 | Alerts Doesn’t Exist for SQL Instance Configuration Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0119 | Alerts Doesn’t Exist for VPC Network Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0120 | Alerts Doesn’t Exist for VPC Network Firewall Rule Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0121 | Alerts Doesn’t Exist for VPC Network Route Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0123 | Compute Secure Boot Disabled | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0124 | Compute Instance Automatic Restart Disabled | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0125 | Compute Instance On Host Maintenance Not Set to Migrate | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0126 | Compute Instance Persistent Disk Auto-Delete Enabled | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0127 | Preemptible VM Instance Detected | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0128 | User with Privileged Service Account Roles at the Project Level | Critical | IAM | IAM |
| CSPM-GCP-2025-0129 | Essential Contacts Not Configured | Medium | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0132 | Dataproc Cluster Full Encryption with Customer-Managed Keys (kmsKey) Not Configured | Medium | Dataproc | DataprocClusters |
| CSPM-GCP-2025-0133 | Table Not Encrypted with Customer-Managed Keys (CMKs) | Medium | BigQuery | Tables |
| CSPM-GCP-2025-0134 | Dataproc Clusters Are Publicly Accessible | Critical | Dataproc | DataprocClusters |
| CSPM-GCP-2025-0135 | Ensure that your Google Cloud Filestore instances have Deletion Protection feature enabled | Medium | Filestore | FilestoreInstances |
| CSPM-GCP-2025-0136 | Essential Contacts Not Configured | Medium | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0137 | Essential Contacts Not Configured with Required Notification Categories | Medium | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0139 | Project-Level Essential Contacts Missing Critical Notification Categories | Medium | IAM | Contacts |
| CSPM-GCP-2025-0140 | Essential Contacts Not Configured at Folder Level | Medium | IAM | Contacts |
| CSPM-GCP-2025-0141 | Folder-Level Essential Contacts Missing Critical Notification Categories | Medium | IAM | Contacts |
| CSPM-GCP-2025-0142 | Ensure That Cloud Audit Logging Is Configured Properly | Medium | IAM | Audit |
| CSPM-GCP-2025-0143 | Ensure That Cloud Audit Logging Is Configured Properly at Project Level | Medium | IAM | Audit |
| CSPM-GCP-2025-0144 | Ensure That Cloud Audit Logging Is Configured Properly at Folder Level | Medium | IAM | Audit |
| CSPM-GCP-2025-0146 | Firewall Rule Allows Unrestricted MySQL Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0147 | Firewall Rule Allows Unrestricted Oracle Database Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0148 | Firewall Rule Allows Unrestricted TCP/UDP Access on All Ports | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0149 | Firewall Rule Allows Unrestricted PostgreSQL Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0150 | GKE Clusters Without Intranode Visibility Enabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0151 | Alpha GKE Cluster in Use | High | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0152 | GKE Cluster Cost Allocation Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0153 | GKE Cluster Backup for GKE Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0154 | GKE Clusters Without gVisor Sandbox Protection | High | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0155 | GKE Confidential Nodes Not Enabled Due to Incompatible Machine Type | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0156 | GKE N2D Nodes Without Confidential Computing Enabled | Medium | Kubernetes Engine | NodePools |
| CSPM-GCP-2025-0157 | GKE Dataplane V2 Not Enabled for Inter-Node Encryption | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0158 | GKE Workload Vulnerability Scanning Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0159 | GKE Security Posture Dashboard Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0160 | GKE Inter-Node Transparent Encryption Disabled | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0161 | GKE Cluster Security Notifications Not Configured | Medium | Kubernetes Engine | Clusters |
| CSPM-GCP-2025-0162 | MySQL Instances Running Outdated Database Version | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0164 | MySQL Skip Show Database Flag Not Enabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0165 | MySQL Slow Query Logging Disabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0166 | PostgreSQL Instances Running Outdated Database Version | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0167 | PostgreSQL Log Error Verbosity Misconfigured | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0168 | Log Min Messages Flag Not Properly Configured for PostgreSQL Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0169 | Log Statement Flag Not Properly Configured for PostgreSQL Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0170 | Max Connections Flag Not Properly Configured for PostgreSQL Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0171 | PostgreSQL Log Planner Stats Flag Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0172 | PostgreSQL Log Executor Stats Flag Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0173 | PostgreSQL Log Parser Stats Flag Enabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0174 | PostgreSQL Log Statement Stats Flag Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0175 | PostgreSQL Temporary File Logging Disabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0176 | PostgreSQL PGAudit Extension Not Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0177 | PostgreSQL Hostname Logging Disabled | Low | Cloud SQL | Instances |
| CSPM-GCP-2025-0178 | PostgreSQL Hostname Logging Disabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0179 | User Connections Flag Configured for SQL Server Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0180 | SQL Server External Scripts Execution Enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0181 | SQL Server Trace Flag 3625 Not Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0185 | Firewall Rule Allows Unrestricted RPC TCP Port 135 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0186 | Firewall Rule Allows Unrestricted Redis TCP Port 6379 Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0187 | Firewall Rule Allows Unrestricted SMTP TCP Port 25 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0188 | Firewall Rule Allows Unrestricted Microsoft SQL Server TCP Port 1433 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0189 | Firewall Rule Allows Unrestricted SSH TCP Port 22 Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0190 | Firewall Rule Allows Unrestricted Access on Range of Ports | High | Network Security | Firewalls |
| CSPM-GCP-2025-0191 | Ensure GCP Firewall Ingress Rules Specify Port Restrictions | High | Network Security | Firewalls |
| CSPM-GCP-2025-0192 | Enable VPC Firewall Rule Logging | Medium | Network Security | Firewalls |
| CSPM-GCP-2025-0193 | Ensure that VPC Network Firewall logging does not use INCLUDE_ALL_METADATA | Medium | Network Security | Firewalls |
| CSPM-GCP-2025-0194 | Ensure VPC Network Firewall Rules Do Not Allow Inbound Traffic on High-Risk Ports from Unrestricted Sources | High | Network Security | Firewalls |
| CSPM-GCP-2025-0195 | Firewall Rule Allows Unrestricted Access through “NFS” Well-Known Port | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0196 | Firewall rule Allows Unrestricted Access through “DNS” Well-Known Port (53) | High | Network Security | Firewalls |
| CSPM-GCP-2025-0197 | Firewall rule Allows Unrestricted Access through “MongoDB” Well-Known Port (27017) | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0198 | Firewall rule Allows Unrestricted Access through “PostgreSQL” Well-Known Port (5432) | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0199 | Allows Access through Port Telnet (23) from Unrestricted Sources | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0262 | Ensure That RDP Access Is Restricted From the Internet | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0263 | Firewall Rule Allows Unrestricted LDAP/LDAPS Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0264 | Firewall Rule Allows Unrestricted RDP Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0265 | Firewall Rule Allows Unrestricted VNC Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0266 | API Keys Should Only Exist for Active Services | High | API Keys | API Keys |
| CSPM-GCP-2025-0267 | API Key API Restrictions Not Set | High | API Keys | API Keys |
| CSPM-GCP-2025-0268 | API Key Application Restrictions Not Set | High | API Keys | API Keys |
| CSPM-GCP-2025-0269 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | High | API Keys | API Keys |
| CSPM-GCP-2025-0270 | Ensure API Keys Are Rotated Every 90 Days | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0272 | Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0274 | Ensure Cloud Audit Logging Includes DATA_READ, DATA_WRITE, and ADMIN_READ Log Types at Project Level | Medium | IAM | Policies |
| CSPM-GCP-2025-0275 | Firewall Rule Allows Unrestricted Egress to All Ports | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0276 | Firewall Rule Allows Unrestricted Memcached Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0277 | Firewall Rule Allows Unrestricted Docker API Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0278 | Ensure Access Approval for Project-Level Resources Uses Corporate Email Addresses Instead of Consumer Accounts | Medium | Cloud Resource Manager | ApprovalRequests |
| CSPM-GCP-2025-0279 | Ensure Access Approval API Is Used for Project-Level Resources | Medium | Cloud Resource Manager | ApprovalRequests |
| CSPM-GCP-2025-0280 | Ensure Cloud Asset Inventory Is Enabled | Medium | Service Usage | EnabledServices |
| CSPM-GCP-2025-0281 | Ensure Access Approval and Access Transparency APIs are enabled for Project-Level Resources | Medium | Cloud Resource Manager | ApprovalRequests |
| CSPM-GCP-2025-0282 | Firewall Rule Allows Unrestricted Kubernetes API Server Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0301 | Use Customer-Managed Encryption Keys (CMEKs) to encrypt data at rest within your Filestore instances | Medium | Filestore | FilestoreInstances |
| CSPM-GCP-2025-0302 | Configure maintenance windows for Redis instances to ensure controlled patching and updates | Medium | Cloud Memorystore | RedisInstances |
| CSPM-GCP-2025-0303 | Configure maintenance windows for Memcache instances to ensure controlled patching and updates | Medium | Cloud Memorystore | MemcacheInstances |
| CSPM-GCP-2025-0304 | Configure maintenance windows for Redis clusters to ensure controlled patching and updates | Medium | Cloud Memorystore | RedisClusters |
| CSPM-GCP-2025-0305 | Configure maintenance windows for Valkey instances to ensure controlled patching and updates | Medium | Cloud Memorystore | ValkeyInstances |
| CSPM-GCP-2025-0306 | Redis Instance Has Read Replicas Disabled | Medium | Cloud Memorystore | RedisInstances |
| CIEM-GCP-2025-0001 | Inactive groups | Critical | IAM | Groups |
| CIEM-GCP-2025-0002 | Inactive users | Critical | IAM | Users |
| CIEM-GCP-2025-0003 | Empty groups | Critical | IAM | Groups |
| CIEM-GCP-2025-0004 | Delete folders that do not have ownership | Critical | IAM | Folders |
| CIEM-GCP-2025-0005 | Delete projects that do not have ownership | Critical | IAM | Policies |
| CIEM-GCP-2025-0006 | Service account keys must be rotated after 30 days | Critical | IAM | Keys |
| CIEM-GCP-2025-0007 | Delete inactive service account | Critical | IAM | ServiceAccounts |
