Interpretation of the Columns in Benchmark Compliance Rules:
Rule ID: A unique identifier for the specific security rule or check
Title: A brief description of the security issue or misconfiguration
Severity — Low to High: Determines the risk of being exposed to attacks
Service Type: The AWS service affected or evaluated by the rule
Resource Type: The specific AWS resource being audited
| Rule ID | Title | Severity | Service Type | Resource Type |
|---|---|---|---|---|
| CSPM-GCP-2025-0002-01 | OS Login Disabled on Compute Instances | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0003 | Datasets Publicly Accessible | Critical | BigQuery | Datasets |
| CSPM-GCP-2025-0005 | Instance Allows Root Login from Any Host | High | Cloud SQL Global | CloudSQL Users |
| CSPM-GCP-2025-0006 | Cloud SQL Instances without Automated Backup Configuration | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0010 | Cloud SQL Instances not enforcing TLS/SSL Client Connections | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0018 | Log Min Duration Statement Database Flag for PostgreSQL Instance Is Not Set to -1 | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0062 | Gmail/Non-Workspace Account in Use | High | IAM | Policies |
| CSPM-GCP-2025-0069 | Service Account with Admin Privileges | High | IAM | IAM |
| CSPM-GCP-2025-0105 | Log Metric Filter Doesn’t Exist for Audit Configuration Changes | High | Logging | Metrics |
| CSPM-GCP-2025-0113 | Ensure that sinks are configured for all Log Entries | High | Logging | Sinks |
| CSPM-GCP-2025-0129 | Essential Contacts Not Configured | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0189 | Firewall Rule allows unrestricted SSH TCP Port 22 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0262 | Ensure that RDP access is restricted from the internet | High | Network Security | Firewalls |
| CSPM-GCP-2025-0272 | Ensure that instances are not configured to use the Default Service Account with full Access to all Cloud APIs | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0071 | User-Managed SA Keys | High | IAM | Keys |
| CSPM-GCP-2025-0071 | User-Managed Service Account Keys | High | IAM | Keys |
| CSPM-GCP-2025-0113 | Ensure that sinks are Configured for All Log Entries | High | Logging | Sinks |
| CSPM-GCP-2025-0002-02 | OS Login Disabled on Project Metadata | High | ComputeEngineGlobal | VMInstances |
| CSPM-GCP-2025-0008 | Cloud SQL Public Internet Access | Critical | Cloud SQL | Instances |
| CSPM-GCP-2025-0015 | Log Disconnections Database Flag for PostgreSQL Instance Is off | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0019 | Log Min Error Statement Database Flag for PostgreSQL Instance Is Not Set to ERROR | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0020 | SQL Server Instances with Remote Access Enabled | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0021 | SQL Server Contained Database Authentication Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0022 | Cross DB Ownership Chaining Enabled for SQL Server Instance | High | Cloud SQL | Instances |
| CSPM-GCP-2025-0023 | Cloud Storage Bucket Accessible by “ARG_0“ | Critical | Cloud Storage Global | BucketPolicy |
| CSPM-GCP-2025-0027 | Cloud Storage Buckets without Uniform Bucket-Level Access | High | Cloud Storage | Buckets |
| CSPM-GCP-2025-0041 | Ensure that IP forwarding is not enabled on instances | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0044 | Shielded VM Disabled | Medium | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0057 | Potential Secrets in Function Environment Variables (Gen 1) | Medium | Cloud Functions | Functions |
| CSPM-GCP-2025-0062 | Gmail/Non-Workspace Account in Use | High | IAM | Policies |
| CSPM-GCP-2025-0063 | Lack of User-Managed Service Account Key Rotation | Medium | IAM | Keys |
| CSPM-GCP-2025-0069 | Service Account with Admin Privileges | High | IAM | IAM |
| CSPM-GCP-2025-0071 | User-Managed Service Account Keys | High | IAM | Keys |
| CSPM-GCP-2025-0072 | User with Privileged Service Account Roles at the Project Level | High | IAM | IAM |
| CSPM-GCP-2025-0073 | Cloud KMS Cryptographic Keys Exposed to Public Access | High | Cloud KMS Global | Policies |
| CSPM-GCP-2025-0074-01 | KMS Encryption Not Rotated within 90 Days | Medium | Cloud KMS | Keys |
| CSPM-GCP-2025-0105 | Log Metric Filter Doesn’t Exist for Audit Configuration Changes | High | Logging | Metrics |
| CSPM-GCP-2025-0106 | Log Metric Filter Doesn’t Exist for Storage Bucket IAM Permission Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0107 | KMS Encryption Not Rotated within 90 Days | High | Logging | Metrics |
| CSPM-GCP-2025-0108 | Log Metric Filter Doesn’t Exist for Project Ownership Assignments/Changes | High | Logging | Metrics |
| CSPM-GCP-2025-0109 | Log Metric Filter Doesn’t Exist for SQL Instance Configuration Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0110 | Log Metric Filter Doesn’t Exist for VPC Network Firewall Rule Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0111 | KMS Encryption Not Rotated within 90 Days | Medium | Logging | Metrics |
| CSPM-GCP-2025-0112 | Log Metric Filter Doesn’t Exist for VPC Network Changes | Medium | Logging | Metrics |
| CSPM-GCP-2025-0113 | Ensure That Sinks Are Configured for All Log Entries | Medium | Logging | Sinks |
| CSPM-GCP-2025-0129 | Essential Contacts Not Configured | Critical | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0136 | Essential Contacts Not Configured | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0137 | Essential Contacts Not Configured with Required Notification Categories | High | Cloud Resource Manager | Contacts |
| CSPM-GCP-2025-0139 | Project-Level Essential Contacts Missing Critical Notification Categories | High | IAM | Contacts |
| CSPM-GCP-2025-0140 | Essential Contacts Not Configured at Folder Level | Medium | IAM | Contacts |
| CSPM-GCP-2025-0141 | Folder-Level Essential Contacts Missing Critical Notification Categories | Medium | IAM | Contacts |
| CSPM-GCP-2025-0142 | Ensure That Cloud Audit Logging Is Configured Properly | High | IAM | Audit |
| CSPM-GCP-2025-0143 | Ensure That Cloud Audit Logging Is Configured Properly at Project Level | High | IAM | Audit |
| CSPM-GCP-2025-0144 | Ensure That Cloud Audit Logging Is Configured Properly at Folder Level | High | IAM | Audit |
| CSPM-GCP-2025-0164 | MySQL Skip Show Database Flag Not Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0167 | PostgreSQL Log Error Verbosity Misconfigured | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0168 | Log Min Messages Flag Not Properly Configured for PostgreSQL Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0169 | Log Statement Flag Not Properly Configured for PostgreSQL Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0174 | Log Statement Flag Not Properly Configured for PostgreSQL Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0176 | PostgreSQL PGAudit Extension Not Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0178 | PostgreSQL Hostname Logging Disabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0179 | User Connections Flag Configured for SQL Server Instance | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0180 | SQL Server External Scripts Execution Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0181 | SQL Server Trace Flag 3625 Not Enabled | Medium | Cloud SQL | Instances |
| CSPM-GCP-2025-0189 | Firewall Rule Allows Unrestricted SSH TCP Port 22 Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0262 | Ensure That RDP Access Is Restricted From the Internet | High | Network Security | Firewalls |
| CSPM-GCP-2025-0264 | Firewall Rule Allows Unrestricted RDP Access | High | Network Security | Firewalls |
| CSPM-GCP-2025-0266 | API Keys Should Only Exist for Active Services | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0268 | API Key Application Restrictions Not Set | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0269 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0270 | Ensure API Keys Are Rotated Every 90 Days | Medium | API Keys | API Keys |
| CSPM-GCP-2025-0272 | Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | High | ComputeEngine | VMInstances |
| CSPM-GCP-2025-0274 | Ensure Cloud Audit Logging Includes DATA_READ, DATA_WRITE, and ADMIN_READ Log Types at Project Level | High | IAM | Policies |
| CSPM-GCP-2025-0280 | Ensure Cloud Asset Inventory Is Enabled | Medium | Service Usage | EnabledServices |
| CSPM-GCP-2025-0281 | Ensure Access Approval and Access Transparency APIs are enabled for Project-Level Resources | Medium | Cloud Resource Manager | ApprovalRequests |
