Interpretation of the Columns in Benchmark Compliance Rules:
Rule ID: A unique identifier for the specific security rule or check
Title: A brief description of the security issue or misconfiguration
Severity — Low to High: Determines the risk of being exposed to attacks
Service Type: The AWS service affected or evaluated by the rule
Resource Type: The specific AWS resource being audited
| Rule ID | Title | Severity | Service Type | Resource Type |
|---|---|---|---|---|
| CSPM-GCP-2025-0002-02 | OS Login Disabled on Project Metadata | High | ComputeEngineGlobal | VMInstances |
| CSPM-GCP-2025-0005 | Instance Allows Root Login from Any Host | High | Cloud SQL Global | CloudSQL Users |
| CSPM-GCP-2025-0023 | Cloud Storage Bucket Accessible by “_ARG_0_” | Critical | Cloud Storage Global | BucketPolicy |
| CSPM-GCP-2025-0063 | Lack of User-Managed Service Account Key Rotation | Medium | IAM | Keys |
| CSPM-GCP-2025-0105 | Log Metric Filter Doesn’t Exist for Audit Configuration Changes | High | Logging | Metrics |
| CSPM-GCP-2025-0129 | Essential Contacts Not Configured | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0136 | Essential Contacts Not Configured | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0142 | Ensure That Cloud Audit Logging Is Configured Properly | High | IAM | Audit |
| CSPM-GCP-2025-0189 | Firewall Rule Allows Unrestricted SSH TCP Port 22 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0262 | Ensure that RDP Access is Restricted from the Internet | High | Network Security | Firewalls |
| CSPM-GCP-2025-0071 | User-Managed SA Keys | High | IAM | Keys |
| CSPM-GCP-2025-0071 | User-Managed Service Account Keys | High | IAM | Keys |
| CSPM-GCP-2025-0113 | Ensure that sinks are Configured for All Log Entries | High | Logging | Sinks |
| CSPM-GCP-2025-0023 | Cloud Storage Bucket Accessible by “ARG_0“ | Critical | Cloud Storage Global | BucketPolicy |
| CSPM-GCP-2025-0063 | Lack of User-Managed Service Account Key Rotation | Medium | IAM | Keys |
| CSPM-GCP-2025-0069 | Service Account with Admin Privileges | High | IAM | IAM |
| CSPM-GCP-2025-0071 | User-Managed Service Account Keys | High | IAM | Keys |
| CSPM-GCP-2025-0072 | User with Privileged Service Account Roles at the Project Level | High | IAM | IAM |
| CSPM-GCP-2025-0073 | Cloud KMS Cryptographic Keys Exposed to Public Access | High | Cloud KMS Global | Policies |
| CSPM-GCP-2025-0105 | Log Metric Filter Doesn’t Exist for Audit Configuration Changes | High | Logging | Metrics |
| CSPM-GCP-2025-0106 | Log Metric Filter Doesn’t Exist for Storage Bucket IAM Permission Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0107 | KMS Encryption Not Rotated within 90 Days | High | Logging | Metrics |
| CSPM-GCP-2025-0108 | Log Metric Filter Doesn’t Exist for Project Ownership Assignments/Changes | High | Logging | Metrics |
| CSPM-GCP-2025-0109 | Log Metric Filter Doesn’t Exist for SQL Instance Configuration Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0110 | Log Metric Filter Doesn’t Exist for VPC Network Firewall Rule Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0111 | KMS Encryption Not Rotated within 90 Days | Medium | Logging | Metrics |
| CSPM-GCP-2025-0112 | Log Metric Filter Doesn’t Exist for VPC Network Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0113 | Ensure That Sinks Are Configured for All Log Entries | Medium | Logging | Sinks |
| CSPM-GCP-2025-0129 | Essential Contacts Not Configured | Critical | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0136 | Essential Contacts Not Configured | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0137 | Essential Contacts Not Configured with Required Notification Categories | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0139 | Project-Level Essential Contacts Missing Critical Notification Categories | High | IAM | Contacts |
| CSPM-GCP-2025-0140 | Essential Contacts Not Configured at Folder Level | Medium | IAM | Contacts |
| CSPM-GCP-2025-0141 | Folder-Level Essential Contacts Missing Critical Notification Categories | High | IAM | Contacts |
| CSPM-GCP-2025-0142 | Ensure That Cloud Audit Logging Is Configured Properly | High | IAM | Audit |
| CSPM-GCP-2025-0143 | Ensure That Cloud Audit Logging Is Configured Properly at Project Level | High | IAM | Audit |
| CSPM-GCP-2025-0144 | Ensure That Cloud Audit Logging Is Configured Properly at Folder Level | High | IAM | Audit |
| CSPM-GCP-2025-0189 | Firewall Rule Allows Unrestricted SSH TCP Port 22 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0262 | Ensure That RDP Access Is Restricted From the Internet | High | Network Security | Firewalls |
| CSPM-GCP-2025-0264 | Firewall Rule Allows Unrestricted RDP Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0266 | API Keys Should Only Exist for Active Services | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0268 | API Key Application Restrictions Not Set | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0269 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0270 | Ensure API Keys Are Rotated Every 90 Days | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0274 | Ensure Cloud Audit Logging Includes DATA_READ, DATA_WRITE, and ADMIN_READ Log Types at Project Level | High | IAM | Policies |
| CSPM-GCP-2025-0280 | Ensure Cloud Asset Inventory Is Enabled | Medium | Service Usage | EnabledServices |
| CSPM-GCP-2025-0281 | Ensure Access Approval and Access Transparency APIs are enabled for Project-Level Resources | Medium | Cloud Resource Manager | ApprovalRequests |
