Permissions for Platform GCP Policies

The platform ships a set of native policies for GCP. Each policy reads a different slice of your GCP environment, so the identity the platform scans with (typically a dedicated service account) must hold a specific set of IAM permissions in each scanned project before that policy can run. Every permission in the table below is a read-only list/get permission; none of them can modify resources, so grant them through a custom role containing exactly the permissions for the policies you enable rather than through a broad predefined role.

The table below lists every available platform policy for GCP, its display name, and the permissions it requires. Note that the value "cloudkms.projects.locations" shown for the KMS policies does not follow the service.resource.verb form of the other entries; confirm the exact permission string before adding it to a custom role, since IAM rejects a role definition that contains an unknown permission.

Platform GCP Policies and Required Permissions

| Policy Name | Display Name | Required Permissions |
|---|---|---|
| GCP_AUDIT_BUCKET_LOGGING_DISABLED | GCP Audit Bucket Logging Disabled CS Policy | storage.buckets.list |
| GCP_AUDIT_BUCKET_LOG_SINK_PUBLIC | GCP Audit Bucket Log Sink Public CS Policy | storage.buckets.list, logging.sinks.list, orgpolicy.policy.get, resourcemanager.projects.get |
| GCP_AUDIT_COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED | GCP Audit Computer Project Wide SSH Keys Allowed CS Policy | compute.instances.list |
| GCP_AUDIT_COMPUTE_SECURE_BOOT_DISABLED | GCP Audit Compute Secure Boot Disabled CS Policy | compute.instances.list |
| GCP_AUDIT_COMPUTE_SERIAL_PORTS_ENABLED | GCP Audit Compute Serial Ports Enabled CS Policy | compute.projects.get |
| GCP_AUDIT_DEFAULT_VPC_NETWORK_USED | GCP Audit Default VPC Network Used CS Policy | compute.networks.list |
| GCP_AUDIT_DISK_ENCRYPTED_WITHOUT_CSEK | GCP Audit Disk Encrypted Without CSEK CS Policy | compute.instances.list, compute.disks.get |
| GCP_AUDIT_FOR_UNRESTRICTED_SERVICE_ACCESS | GCP Audit For Unrestricted Service Access CS Policy | compute.networks.list, compute.firewalls.list |
| GCP_AUDIT_FULL_API_ACCESS | GCP Audit Full API Access CS Policy | compute.instances.list |
| GCP_AUDIT_INSTANCE_USING_PUBLIC_IP_ADDRESS | GCP Audit Instance Using Public IP Address CS Policy | compute.instances.list |
| GCP_AUDIT_IP_FORWARDING_ENABLED | GCP Audit IP Forwarding Enabled CS Policy | compute.instances.list |
| GCP_AUDIT_OS_LOGIN_DISABLED | GCP Audit OS Login Disabled CS Policy | compute.instances.list, compute.projects.get |
| GCP_AUDIT_SQL_INSTANCE_AUTO_BACKUP_DISABLED | GCP Audit SQL Instance Auto Backup Disabled CS Policy | compute.instances.list |
| GCP_Audit_Admin_Service_Account | GCP Audit Admin Service Account CS Policy | resourcemanager.projects.getIamPolicy |
| GCP_Audit_Basic_User_Roles_CS_Policy | GCP Audit Basic User Roles CS Policy | resourcemanager.projects.getIamPolicy |
| GCP_Audit_Bigquery_Dataset_Encrypted_Without_CMEK | GCP Audit Bigquery Dataset Encrypted Without CMEK CS Policy | bigquery.datasets.list |
| GCP_Audit_Bigquery_Table_CMEK_Enabled | GCP Audit Bigquery Table CMEK Enabled CS Policy | bigquery.datasets.list, bigquery.tables.get, bigquery.tables.list |
| GCP_Audit_Bucket_IAM_Not_Monitored | GCP Audit Bucket IAM Not Monitored CS Policy | logging.logMetrics.list, monitoring.alertPolicies.list |
| GCP_Audit_Bucket_Log_Locked_Retention_Policy_Set | GCP Audit Bucket Log Locked Retention Policy Set CS Policy | storage.buckets.list, orgpolicy.policy.get, logging.sinks.list |
| GCP_Audit_Bucket_Object_Versioning_Enabled | GCP Audit Bucket Object Versioning Enabled CS Policy | storage.buckets.list, logging.sinks.list |
| GCP_Audit_Bucket_Policy_Only_Enabled | GCP Audit Bucket Policy Only Enabled CS Policy | storage.buckets.list |
| GCP_Audit_Cloud_DNSSEC_Disabled | GCP Audit Cloud DNSSEC Disabled CS Policy | dns.managedZones.list |
| GCP_Audit_Cloud_DNS_Zones_Signing_For_RSASHA1 | GCP Audit Cloud DNS Zones Signing For RSASHA1 CS Policy | dns.managedZones.list |
| GCP_Audit_Confidential_Computing_Disabled | GCP Audit VM Instance Confidential Computing Enabled CS Policy | compute.instances.list |
| GCP_Audit_Custom_Role_Not_Monitored | GCP Audit Custom Role Not Monitored CS Policy | logging.logMetrics.list, monitoring.alertPolicies.list |
| GCP_Audit_DNS_Logging_Disabled | GCP Audit DNS Logging Disabled CS Policy | compute.networks.list, dns.policies.list |
| GCP_Audit_Default_Service_Account_Used | GCP Audit VM Not Using Default Service Account CS Policy | compute.instances.list, iam.serviceAccounts.list |
| GCP_Audit_Firewall_Rule_Logging_Disabled_CS_Policy | GCP Audit Firewall Rule Logging Disabled CS Policy | compute.firewalls.list |
| GCP_Audit_For_LDAP_Access | GCP Audit For Unrestricted LDAP Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_MEMCACHED_Access | GCP Audit For Unrestricted MEMCACHED Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_MONGODB_Access | GCP Audit For Unrestricted MONGODB Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_MYSQL_Access | GCP Audit For Unrestricted MYSQL Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_NETBIOS_Access | GCP Audit For Unrestricted NETBIOS Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_POP3_Access | GCP Audit For Unrestricted POP3 Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_TELNET_Access | GCP Audit For Unrestricted TELNET Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_CASSANDRA_Access | GCP Audit For Unrestricted CASSANDRA Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_CISCOSECURE_WEBSM_Access | GCP Audit For Unrestricted CISCOSECURE WEBSM Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_DIRECTORY_SERVICES_Access | GCP Audit For Unrestricted DIRECTORY SERVICES Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_DNS_Access | GCP Audit For Unrestricted DNS Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_ELASTICSEARCH_Access | GCP Audit For Unrestricted ELASTICSEARCH Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_FTP_Access | GCP Audit For Unrestricted FTP Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_HTTP_Access | GCP Audit For Unrestricted HTTP Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_ORACLEDB_Access | GCP Audit For Unrestricted ORACLEDB Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_POSTGRESQL_Access | GCP Audit For Unrestricted POSTGRESQL Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_RDP_Access | GCP Audit For Unrestricted RDP Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_REDIS_Access | GCP Audit For Unrestricted REDIS Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_SMTP_Access | GCP Audit For Unrestricted SMTP Access CS Policy | compute.firewalls.list |
| GCP_Audit_For_Unrestricted_SSH_Access | GCP Audit For Unrestricted SSH Access CS Policy | compute.firewalls.list |
| GCP_Audit_GKE_Alpha_Cluster_Enabled | GCP Audit GKE Alpha Cluster Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_CLUSTER_BINARY_AUTHORIZATION_DISABLED | GCP Audit GKE Cluster Binary Authorization Disabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Auto_Repair_Enabled | GCP Audit GKE Cluster Auto Repair Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Auto_Upgrade_Enabled | GCP Audit GKE Cluster Auto Upgrade Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_COS_Enabled | GCP Audit GKE Cluster COS Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Control_Plane_Authorized_Networks_Enabled | GCP Audit GKE Cluster Control Plane Authorized Networks Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_For_Application_Layer_Secret_Encryption | GCP Audit GKE Cluster For Application Layer Secret Encryption CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Host_Private_Google_Access_Enabled | GCP Audit GKE Cluster Host Private Google Access Enabled CS Policy | container.clusters.list, compute.subnetworks.get |
| GCP_Audit_GKE_Cluster_IP_Alias_Enabled | GCP Audit GKE Cluster IP Alias Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Integrity_Monitoring_Enabled | GCP Audit GKE Cluster Integrity Monitoring Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Intranode_Visibility_Enabled | GCP Audit GKE Cluster Intranode Visibility Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Legacy_Metadata_Disabled | GCP Audit GKE Cluster Legacy Metadata Disabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Logging_Enabled | GCP Audit GKE Cluster Logging Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Monitoring_Enabled | GCP Audit GKE Cluster Monitoring Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Network_Policy_Enabled | GCP Audit GKE Cluster Network Policy Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Nodepool_Boot_CMEK_Enabled | GCP Audit GKE Cluster Nodepool Boot CMEK Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Over_Privileged_Scopes | GCP Audit GKE Cluster Over Privileged Scopes CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Over_Privileged_Service_Account | GCP Audit GKE Cluster Over Privileged Service Account CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Release_Channel_Enabled | GCP Audit GKE Cluster Release Channel Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Secure_Boot_Enabled | GCP Audit GKE Cluster Secure Boot Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_Workload_Identity_Enabled | GCP Audit GKE Cluster Workload Identity Enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Cluster_shielded_nodes_enabled | GCP Audit GKE Cluster shielded nodes enabled CS Policy | container.clusters.list |
| GCP_Audit_GKE_Private_Cluster_Disabled_CS_Policy | GCP Audit GKE Private Cluster Disabled CS Policy | container.clusters.list |
| GCP_Audit_Https_Load_Balancer | GCP Audit Https Load Balancer CS Policy | compute.targetHttpProxies.list, compute.globalForwardingRules.list |
| GCP_Audit_KMS_Key_Rotation | GCP Audit KMS Key Rotation CS Policy | cloudkms.projects.locations |
| GCP_Audit_KMS_Project_Has_Owner | GCP Audit KMS Project Has Owner CS Policy | resourcemanager.projects.getIamPolicy, cloudkms.projects.locations |
| GCP_Audit_KMS_Role_Separation | GCP Audit KMS Role Separation CS Policy | resourcemanager.projects.getIamPolicy |
| GCP_Audit_Log_Exported | GCP Audit Log Exported CS Policy | logging.sinks.list |
| GCP_Audit_Log_Metrics_And_Alerts_Config_Monitored | GCP Audit Log Metrics And Alerts Config Monitored CS Policy | logging.logMetrics.list, monitoring.alertPolicies.list |
| GCP_Audit_Log_Metrics_And_Alerts_Firewall_Monitored | GCP Audit Log Metrics And Alerts Firewall Monitored CS Policy | logging.logMetrics.list, monitoring.alertPolicies.list |
| GCP_Audit_Log_Metrics_And_Alerts_Network_Monitored | GCP Audit Log Metrics And Alerts Network Monitored CS Policy | logging.logMetrics.list, monitoring.alertPolicies.list |
| GCP_Audit_Log_Metrics_And_Alerts_Route_Monitored | GCP Audit Log Metrics And Alerts Route Monitored CS Policy | logging.logMetrics.list, monitoring.alertPolicies.list |
| GCP_Audit_MYSQL_Instance_For_local_infile_Flag | GCP Audit MYSQL Instance For local_infile Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_MYSQL_Instance_For_skip_show_database_Flag | GCP Audit MYSQL Instance For skip_show_database Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_ORG_Policy_Confidential_VM_Policy | GCP Audit ORG Policy Confidential VM Policy CS Policy | compute.instances.list |
| GCP_Audit_ORG_Policy_Location_Restriction | GCP Audit ORG Policy Location Restriction CS Policy | compute.instances.list, orgpolicy.policy.get, resourcemanager.projects.get |
| GCP_Audit_Over_Privileged_Service_Account_User | GCP Audit Over Privileged Service Account User CS Policy | resourcemanager.projects.getIamPolicy |
| GCP_Audit_Owner_Not_Monitored | GCP Audit Owner Not Monitored CS Policy | logging.logMetrics.list, monitoring.alertPolicies.list |
| GCP_Audit_PostgreSQL_Instance_For_log_checkpoints_Flag | GCP Audit PostgreSQL Instance For log_checkpoints Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_connections_Flag | GCP Audit PostgreSQL Instance For log_connections Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_disconnections_Flag | GCP Audit PostgreSQL Instance For log_disconnections Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_duration_Flag | GCP Audit PostgreSQL Instance For log_duration Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_error_verbosity_Flag | GCP Audit PostgreSQL Instance For log_error_verbosity Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_hostname_Flag | GCP Audit PostgreSQL Instance For log_hostname Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_lock_waits_Flag | GCP Audit PostgreSQL Instance For log_lock_waits Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_min_duration_statement_Flag | GCP Audit PostgreSQL Instance For log_min_duration_statement Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_min_error_statement_Flag | GCP Audit PostgreSQL Instance For log_min_error_statement Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_min_error_statement_Flag_For_Severity | GCP Audit PostgreSQL Instance For log_min_error_statement Flag For Severity CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_min_messages_Flag | GCP Audit PostgreSQL Instance For log_min_messages Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_parser_stats_Flag | GCP Audit PostgreSQL Instance For log_parser_stats Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_planner_stats_Flag | GCP Audit PostgreSQL Instance For log_planner_stats Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_statement_flag | GCP Audit PostgreSQL Instance For log_statement Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_statement_stats_Flag | GCP Audit PostgreSQL Instance For log_statement_stats Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_temp_files_Flag | GCP Audit PostgreSQL Instance For log_temp_files Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_PostgreSQL_Instance_For_log_executor_status | GCP_Audit_PostgreSQL_Instance_For_log_executor_status | cloudsql.instances.list |
| GCP_Audit_SQL_Server_For_contained_database_authentication_Flag | GCP Audit SQL Server For contained database authentication Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_SQL_Server_For_cross_db_ownership_chaining_Flag | GCP Audit SQL Server For cross_db_ownership_chaining Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_SQL_Server_For_external_scripts_enabled_Flag | GCP Audit SQL Server For external_scripts_enabled Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_SQL_Server_For_remote_access_Flag | GCP Audit SQL Server For remote_access Flag CS Policy | cloudsql.instances.list |
| GCP_Audit_SQL_Server_User_Connections_Configured | GCP Audit SQL Server User Connections Configured CS Policy | compute.instances.list |
| GCP_Audit_SQL_Server_User_Options_Configured | GCP Audit SQL Server User Options Configured CS Policy | compute.instances.list |
| GCP_Audit_SQL_Trace_Flag_3625 | GCP Audit SQL Trace Flags 3625 CS Policy | compute.instances.list |
| GCP_Audit_SQL_Instance_Not_Monitored | GCP Audit SQL Instance Not Monitored CS Policy | logging.logMetrics.list, monitoring.alertPolicies.list |
| GCP_Audit_SQL_Instance_Using_Public_IP_Address | GCP Audit SQL Instance Using Public IP Address CS Policy | cloudsql.instances.list |
| GCP_Audit_PubSub_CMEK_Enabled | GCP Audit PubSub CMEK Enabled CS Policy | pubsub.topics.list |
| GCP_Audit_Service_Account_Key_Not_Rotated | GCP Audit Service Account Key Not Rotated CS Policy | iam.serviceAccounts.list |
| GCP_Audit_Service_Account_Role_Separation | GCP Audit Service Account Role Separation CS Policy | resourcemanager.projects.getIamPolicy |
| GCP_Audit_Sheiled_VM_Instance_Disabled | GCP Audit Sheiled VM Instance Disabled CS Policy | compute.instances.list |
| GCP_Audit_Too_Many_KMS_Users | GCP Audit Too Many KMS Users CS Policy | cloudkms.projects.locations |
| GCP_Audit_Unrestricted_Outbound_Access | GCP Audit For Unrestricted Outbound Access CS Policy | compute.firewalls.list |
| GCP_Audit_VM_Instance_Disk_Not_Encrypted_With_CMEK | GCP Audit VM Instance Disk Not Encrypted With CMEK CS Policy | compute.instances.list |
| GCP_Audit_VPC_Flow_Logs_Enabled | GCP Audit VPC Flow Logs Enabled CS Policy | compute.subnetworks.list |
| GCP_Audit_VPC_Private_Google_Access_Enabled | GCP Audit VPC Private Google Access Enabled CS Policy | compute.subnetworks.list |
| GCP_Audit_Weak_SSL_Policy | GCP Audit Weak SSL Policy CS Policy | compute.targetHttpsProxies.list, compute.sslPolicies.list, compute.targetSslProxies.list |
| GCP_Audits_Bucket_Encrypted_Without_CMEK | GCP Audit Bucket Encrypted Without CMEK CS Policy | storage.buckets.list |
| GCP_Disks_Encryption_Check | GCP Disks Encryption Check CS Policy | compute.disks.list |
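The practical use of this table is building a least-privilege role for the scanner identity and checking, before enabling a policy, that the identity actually holds what the policy needs. The script below is an added example, not the platform's own tooling: it embeds a hand-copied subset of the rows above as sample data, derives the union of permissions for a chosen set of policies, renders the YAML that gcloud iam roles create accepts, builds the request body for the Resource Manager projects.testIamPermissions API, and turns that API's answer into a per-policy gap report. The role title, project id and service account in the comments are assumptions for illustration.

```python
"""Least-privilege custom role and permission gap report for the platform's
GCP audit policies.  Added example, not platform code.  POLICY_PERMISSIONS is
a hand-copied subset of the policy table; ids in the comments are assumed."""
import json
from typing import Dict, Iterable, List, Set

# Subset of the table above: policy name -> permissions it requires.
POLICY_PERMISSIONS: Dict[str, List[str]] = {
    "GCP_AUDIT_BUCKET_LOGGING_DISABLED": ["storage.buckets.list"],
    "GCP_AUDIT_BUCKET_LOG_SINK_PUBLIC": [
        "storage.buckets.list", "logging.sinks.list",
        "orgpolicy.policy.get", "resourcemanager.projects.get",
    ],
    "GCP_AUDIT_OS_LOGIN_DISABLED": ["compute.instances.list", "compute.projects.get"],
    "GCP_Audit_For_Unrestricted_SSH_Access": ["compute.firewalls.list"],
    "GCP_Audit_Service_Account_Key_Not_Rotated": ["iam.serviceAccounts.list"],
    "GCP_Audit_Owner_Not_Monitored": [
        "logging.logMetrics.list", "monitoring.alertPolicies.list",
    ],
}


def required_permissions(policies: Iterable[str],
                         table: Dict[str, List[str]] = POLICY_PERMISSIONS) -> Set[str]:
    """Union of the permissions needed to run exactly the given policies.
    An unknown policy name raises instead of silently shrinking the role."""
    perms: Set[str] = set()
    for name in policies:
        if name not in table:
            raise KeyError(f"unknown policy: {name}")
        perms.update(table[name])
    return perms


def iam_check_request_body(permissions: Iterable[str]) -> str:
    """JSON body for POST https://cloudresourcemanager.googleapis.com/v1/
    projects/{PROJECT_ID}:testIamPermissions.  Called as the scanner identity,
    the API answers with the subset of these permissions that identity holds."""
    return json.dumps({"permissions": sorted(set(permissions))})


def missing_permissions(granted: Iterable[str],
                        table: Dict[str, List[str]] = POLICY_PERMISSIONS) -> Dict[str, List[str]]:
    """Per policy, the permissions the identity still lacks, given the
    `permissions` list testIamPermissions returned.  Empty list = can run."""
    have = set(granted)
    return {name: sorted(set(need) - have) for name, need in table.items()}


def runnable_policies(granted: Iterable[str],
                      table: Dict[str, List[str]] = POLICY_PERMISSIONS) -> List[str]:
    """Names of the policies whose every required permission is granted."""
    return sorted(n for n, gap in missing_permissions(granted, table).items() if not gap)


def custom_role_yaml(title: str, permissions: Iterable[str], stage: str = "GA") -> str:
    """YAML in the shape `gcloud iam roles create ROLE_ID --project=P --file=F`
    accepts.  IAM rejects the whole role if any string is not a real permission,
    which doubles as a sanity check of the table entries you copied in."""
    lines = [
        f"title: {title}",
        "description: Read-only permissions needed by the platform GCP audit policies",
        f"stage: {stage}",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in sorted(set(permissions))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    needed = required_permissions(POLICY_PERMISSIONS)
    # Save the YAML as role.yaml, then (assumed project, role and account ids):
    #   gcloud iam roles create platformGcpAudit --project=my-project --file=role.yaml
    #   gcloud projects add-iam-policy-binding my-project \
    #     --member=serviceAccount:scanner@my-project.iam.gserviceaccount.com \
    #     --role=projects/my-project/roles/platformGcpAudit
    print(custom_role_yaml("Platform GCP Audit Scanner", needed))
    print(iam_check_request_body(needed))
    # Constructed sample of what testIamPermissions might return for a
    # partially provisioned identity:
    held = ["compute.instances.list", "compute.firewalls.list"]
    for policy, gap in missing_permissions(held).items():
        print(f"{policy}: {'OK' if not gap else 'missing ' + ', '.join(gap)}")
```

Run the gap report as the scanner identity itself (not as an Owner), since testIamPermissions reports only what the caller holds; a clean report from an over-privileged admin session says nothing about the service account the platform will actually use.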