Interpretation of the Columns in Benchmark Compliance Rules:
Rule ID: A unique identifier for the specific security rule or check
Title: A brief description of the security issue or misconfiguration
Severity — Low to High: Determines the risk of being exposed to attacks
Service Type: The AWS service affected or evaluated by the rule
Resource Type: The specific AWS resource being audited
| Rule ID | Title | Severity | Service Type | Resource Type |
|---|---|---|---|---|
| CSPM-GCP-2025-0002-02 | OS Login Disabled (Project Metadata) | Medium | ComputeEngineGlobal | VMInstances |
| CSPM-GCP-2025-0005 | Instance Allows Root Login from Any Host | Critical | Cloud SQL Global | CloudSQL Users |
| CSPM-GCP-2025-0023 | Cloud Storage Bucket Accessible by “_ARG_0_” | Critical | Cloud Storage Global | BucketPolicy |
| CSPM-GCP-2025-0028 | VPC Using Insecure Default Firewall Rules | High | Network Security | Firewalls |
| CSPM-GCP-2025-0029 | VPC Firewall Rules Allowing All Ports Exposed | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0060 | Secret Manager API is “Disabled” for your Project | High | Service Usage | EnabledServices |
| CSPM-GCP-2025-0062 | Gmail/Non-Workspace Account in Use | Medium | IAM | Policies |
| CSPM-GCP-2025-0069 | Service Account with Admin Privileges | Critical | IAM | IAM |
| CSPM-GCP-2025-0073 | Cloud KMS Cryptographic Keys Exposed to Public Access | Critical | Cloud KMS Global | Policies |
| CSPM-GCP-2025-0105 | Log Metric Filter Doesn’t Exist for Audit Configuration Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0129 | Essential Contacts Not Configured | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0136 | Essential Contacts Not Configured | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0142 | Ensure that Cloud Audit Logging Is Configured Properly | Medium | IAM | Audit |
| CSPM-GCP-2025-0189 | Firewall Rule Allows Unrestricted SSH TCP Port 22 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0262 | Ensure that RDP Access is Restricted from the Internet | High | Network Security | Firewalls |
| CSPM-GCP-2025-0277 | Firewall Rule allows unrestricted docker API Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0071 | User-Managed Service Account Keys | Critical | IAM | Keys |
| CSPM-GCP-2025-0113 | Ensure that sinks are configured for all Log Entries | Medium | Logging | Sinks |
| CSPM-GCP-2025-0114 | Alerts doesn’t exist for audit configuration changes. | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0115 | Alerts doesn’t exist for cloud storage IAM permission changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0116 | Alerts doesn’t exist for Custom Role Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0118 | Alerts doesn’t exist for SQL Instance Configuration Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0119 | Alerts don’t exist for VPC Network Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0120 | Alerts don’t exist for VPC Network Firewall Rule Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0121 | Alerts Doesn’t Exist for VPC Network Route Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0071 | User-Managed Service Account Keys | High | IAM | Keys |
| CSPM-GCP-2025-0114 | Alerts doesn’t exist for Audit Configuration changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0113 | Ensure that sinks are Configured for All Log Entries | Medium | Logging | Sinks |
| CSPM-GCP-2025-0115 | Alerts doesn’t exist for Cloud Storage IAM Permission Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0116 | Alerts doesn’t exist for Custom Role changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0117 | Alerts don’t exist for Project Ownership Assignments/Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0118 | Alerts don’t exist for SQL Instance Configuration Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0120 | Alerts don’t exist for VPC Network Firewall Rule Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0121 | Alerts don’t exist for VPC Network Route Changes | Medium | Monitoring | AlertPolicies |
| CSPM-GCP-2025-0051 | Old Instance Disk Snapshot | Medium | ComputeEngineGlobal | Snapshots |
| CSPM-GCP-2025-0060 | Secret Manager API is “Disabled” for your Project | High | Service Usage | EnabledServices |
| CSPM-GCP-2025-0062 | Gmail/Non-Workspace Account in use | Medium | IAM | Policies |
| CSPM-GCP-2025-0063 | Lack of User-Managed Service Account Key Rotation | Medium | IAM | Keys |
| CSPM-GCP-2025-0069 | Service Account with Admin Privileges | Critical | IAM | IAM |
| CSPM-GCP-2025-0072 | User with Privileged Service Account Roles at the Project Level | High | IAM | IAM |
| CSPM-GCP-2025-0073 | Cloud KMS Cryptographic Keys Exposed to Public Access | Critical | Cloud KMS Global | Policies |
| CSPM-GCP-2025-0074 | KMS Encryption Not Rotated within 90 Days | Medium | Cloud KMS | CryptoKeys |
| CSPM-GCP-2025-0074-02 | KMS Encryption Not Rotated within 90 Days | Medium | Cloud KMS Global | Keys |
| CSPM-GCP-2025-0105 | Log Metric Filter Doesn’t Exist for Audit Configuration Changes | Critical | Logging | Metrics |
| CSPM-GCP-2025-0106 | Log Metric Filter Doesn’t Exist for Storage Bucket IAM Permission Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0107 | Log Metric Filter Doesn’t Exist for Custom Role Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0108 | Log Metric Filter Doesn’t Exist for Project Ownership Assignments/Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0109 | Log Metric Filter Doesn’t Exist for SQL Instance Configuration Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0109 | Log Metric Filter Doesn’t Exist for SQL Instance Configuration Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0110 | Log Metric Filter Doesn’t Exist for VPC Network Firewall Rule Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0111 | Log Metric Filter Doesn’t Exist for VPC Network Route Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0112 | Log Metric Filter Doesn’t Exist for VPC Network Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0129 | Essential Contacts Not Configured | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0136 | Essential Contacts Not Configured | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0137 | Essential Contacts Not Configured with Required Notification Categories | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0139 | Project-Level Essential Contacts Missing Critical Notification Categories | High | IAM | Contacts |
| CSPM-GCP-2025-0140 | Essential Contacts Not Configured at Folder Level | Medium | IAM | Contacts |
| CSPM-GCP-2025-0141 | Folder-Level Essential Contacts Missing Critical Notification Categories | High | IAM | Contacts |
| CSPM-GCP-2025-0142 | Ensure That Cloud Audit Logging Is Configured Properly | Medium | IAM | Audit |
| CSPM-GCP-2025-0143 | Ensure That Cloud Audit Logging Is Configured Properly at Project Level | Medium | IAM | Audit |
| CSPM-GCP-2025-0144 | Ensure That Cloud Audit Logging Is Configured Properly at Folder Level | Medium | IAM | Audit |
| CSPM-GCP-2025-0146 | Firewall Rule Allows Unrestricted MySQL Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0147 | Firewall Rule Allows Unrestricted Oracle Database Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0148 | Firewall Rule Allows Unrestricted TCP/UDP Access on All Ports | High | Network Security | Firewalls |
| CSPM-GCP-2025-0149 | Firewall Rule Allows Unrestricted PostgreSQL Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0185 | Firewall Rule Allows Unrestricted RPC TCP Port 135 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0186 | Firewall Rule Allows Unrestricted Redis TCP Port 6379 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0187 | Firewall Rule Allows Unrestricted SMTP TCP Port 25 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0188 | Firewall Rule Allows Unrestricted Microsoft SQL Server TCP Port 1433 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0189 | Firewall Rule Allows Unrestricted SSH TCP Port 22 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0190 | Firewall Rule Allows Unrestricted Access on Range of Ports | High | Network Security | Firewalls |
| CSPM-GCP-2025-0191 | Ensure GCP Firewall Ingress Rules Specify Port Restrictions | High | Network Security | Firewalls |
| CSPM-GCP-2025-0192 | Enable VPC Firewall Rule Logging | High | Network Security | Firewalls |
| CSPM-GCP-2025-0193 | Ensure that VPC Network Firewall logging does not use INCLUDE_ALL_METADATA | High | Network Security | Firewalls |
| CSPM-GCP-2025-0194 | Ensure VPC Network Firewall Rules Do Not Allow Inbound Traffic on High-Risk Ports from Unrestricted Sources | High | Network Security | Firewalls |
| CSPM-GCP-2025-0195 | Firewall Rule Allows Unrestricted Access through “NFS” Well-Known Port | High | Network Security | Firewalls |
| CSPM-GCP-2025-0196 | Firewall rule Allows Unrestricted Access through “DNS” Well-Known Port (53) | High | Network Security | Firewalls |
| CSPM-GCP-2025-0197 | Firewall rule Allows Unrestricted Access through “MongoDB” Well-Known Port (27017) | High | Network Security | Firewalls |
| CSPM-GCP-2025-0198 | Firewall rule Allows Unrestricted Access through “PostgreSQL” Well-Known Port (5432) | High | Network Security | Firewalls |
| CSPM-GCP-2025-0199 | Allows Access through Port Telnet (23) from Unrestricted Sources | High | Network Security | Firewalls |
| CSPM-GCP-2025-0262 | Ensure That RDP Access Is Restricted From the Internet | High | Network Security | Firewalls |
| CSPM-GCP-2025-0263 | Firewall Rule Allows Unrestricted LDAP/LDAPS Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0264 | Firewall Rule Allows Unrestricted RDP Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0265 | Firewall Rule Allows Unrestricted VNC Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0266 | API Keys Should Only Exist for Active Services | Low | API Keys | API Keys |
| CSPM-GCP-2025-0267 | API Key API Restrictions Not Set | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0268 | API Key Application Restrictions Not Set | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0269 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0270 | Ensure API Keys Are Rotated Every 90 Days | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0274 | Ensure Cloud Audit Logging Includes DATA_READ, DATA_WRITE, and ADMIN_READ Log Types at Project Level | Medium | IAM | Policies |
| CSPM-GCP-2025-0275 | Firewall Rule Allows Unrestricted Egress to All Ports | High | Network Security | Firewalls |
| CSPM-GCP-2025-0276 | Firewall Rule Allows Unrestricted Memcached Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0277 | Firewall Rule Allows Unrestricted Docker API Access | Critical | Network Security | Firewalls |
| CSPM-GCP-2025-0278 | Ensure Access Approval for Project-Level Resources Uses Corporate Email Addresses Instead of Consumer Accounts | Medium | Cloud Resource Manager | ApprovalRequests |
| CSPM-GCP-2025-0279 | Ensure Access Approval API Is Used for Project-Level Resources | Medium | Cloud Resource Manager | ApprovalRequests |
| CSPM-GCP-2025-0280 | Ensure Cloud Asset Inventory Is Enabled | Medium | Service Usage | EnabledServices |
| CSPM-GCP-2025-0281 | Ensure Access Approval and Access Transparency APIs are enabled for Project-Level Resources | Medium | Cloud Resource Manager | ApprovalRequests |
| CSPM-GCP-2025-0282 | Firewall Rule Allows Unrestricted Kubernetes API Server Access | Critical | Network Security | Firewalls |
