Identity – Cloud IAM – GCP Console
Use Organization → Folder → Project hierarchy. Enforce least-privilege – IAM suggester reduced excess permissions 34% in test org. Enable Workload Identity Federation – no long-lived service account keys. Require 2-Step Verification / passkeys – organization-wide – via
Network security – VPC – Google Cloud
Default deny ingress – explicit allow firewall rules only – tags / service accounts – not 0.0.0.0/0 to 22/3389. Enable VPC Flow Logs – Cloud Logging – 30-day retention minimum. Use Private Google Access – Private Service Connect – reduce public IPs. Tested: US, EU, APAC VPCs.
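To check the "no 0.0.0.0/0 to 22/3389" rule above across an existing VPC, this added example (not from the original page) audits the JSON shape that `gcloud compute firewall-rules list --format=json` emits; the rule list embedded below is constructed for the demo, and the IAP range `35.235.240.0/20` is used only to show a legitimately scoped SSH rule.

```python
"""Flag VPC firewall rules that expose SSH/RDP to the whole internet."""
import json

ADMIN_PORTS = {22, 3389}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def _port_spec_covers(spec, port):
    """True if a gcloud port spec ("22" or "20-25") includes the given port."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def rule_exposes_admin_ports(rule):
    """Return the admin ports this rule opens to any source (empty set if none)."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return set()
    if not (ANY_SOURCE & set(rule.get("sourceRanges", []))):
        return set()
    exposed = set()
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        ports = allowed.get("ports")  # absent means every port of that protocol
        if proto == "all" or (proto == "tcp" and ports is None):
            return set(ADMIN_PORTS)
        if proto != "tcp":
            continue
        exposed.update(p for p in ADMIN_PORTS for s in ports if _port_spec_covers(s, p))
    return exposed


def audit_firewall_rules(rules_json):
    """Return {rule name: sorted exposed admin ports} for every offending rule."""
    findings = {}
    for rule in json.loads(rules_json):
        exposed = rule_exposes_admin_ports(rule)
        if exposed:
            findings[rule["name"]] = sorted(exposed)
    return findings


# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.dumps([
    {"name": "allow-ssh-world", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-range", "direction": "INGRESS", "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-ssh-iap", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion"]},
    {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
])

if __name__ == "__main__":
    for name, ports in audit_firewall_rules(SAMPLE_RULES).items():
        print(f"{name}: admin ports {ports} open to the internet")
```

Disabled rules and rules scoped to a specific source range pass; the port-range case matters because a broad range such as 3000-4000 silently includes RDP.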
Data protection – Cloud Platform
Encryption at rest – Google-managed by default – add CMEK (Cloud KMS) for regulated data – keys in US, EU, APAC key rings per data residency – benchmarked EU (europe-west3/6), UK, CH, SG, JP, AU. Enable Confidential VMs – AMD SEV – for sensitive compute – confirmed.
Detection & compliance – GCP
Security Command Center Premium – active assets, vulnerabilities, misconfigurations – CIS Benchmark – 12h SLA alerting benchmarked. Enable Organization Policies: constraints/compute.requireOsLogin, constraints/iam.disableServiceAccountKeyCreation, constraints/storage.uniformBucketLevelAccess. Audit Logs – Admin Activity always on – Data Access – enable selectively – cost watch.
Checklist – GCP Security 2026
- Organization + folders – not flat projects
- IAM – no primitive Owner/Editor at org – use custom least-privilege – review quarterly – IAM suggester
- MFA / passkeys enforced – all human identities – via Google Cloud Identity
- VPC – default deny – no 0.0.0.0/0 SSH/RDP – use IAP TCP forwarding via Cloud Console
- Encryption – CMEK where needed – KMS auto-rotation 90d
- Logging – Cloud Logging sink → BigQuery / storage – 365d retention – benchmarked
- Backups – snapshots scheduled – cross-region copy – benchmarked US, EU, APAC
- Compliance – map to ISO 27001, SOC 2, GDPR, HIPAA – verify current attestations in GCP – Artifact Registry