Permissions for Platform GCP Policies
The platform contains various native policies for GCP, each of which requiring a different set of permissions to be enabled in users' GCP cloud environment in order for everything to work as expected.
Below, you can view a comprehensive list of our available platform policies for GCP, their display names, and which permissions are required for each policy.
Platform GCP Policies and Required Permissions
Policy Name | Display Name | Required Permissions |
|---|---|---|
GCP_AUDIT_BUCKET_LOGGING_DISABLED | GCP Audit Bucket Logging Disabled CS Policy | storage.buckets.list |
GCP_AUDIT_BUCKET_LOG_SINK_PUBLIC | GCP Audit Bucket Log Sink Public CS Policy | storage.buckets.list |
GCP_AUDIT_COMPUTE_PROJECT_WIDE_SSH_KEYS_ALLOWED | GCP Audit Computer Project Wide SSH Keys Allowed CS Policy | compute.instances.list |
GCP_AUDIT_COMPUTE_SECURE_BOOT_DISABLED | GCP Audit Compute Secure Boot Disabled CS Policy | compute.instances.list |
GCP_AUDIT_COMPUTE_SERIAL_PORTS_ENABLED | GCP Audit Compute Serial Ports Enabled CS Policy | compute.projects.get |
GCP_AUDIT_DEFAULT_VPC_NETWORK_USED | GCP Audit Default VPC Network Used CS Policy | compute.networks.list |
GCP_AUDIT_DISK_ENCRYPTED_WITHOUT_CSEK | GCP Audit Disk Encrypted Without CSEK CS Policy | compute.instances.list |
GCP_AUDIT_FOR_UNRESTRICTED_SERVICE_ACCESS | GCP Audit For Unrestricted Service Access CS Policy | compute.networks.list |
GCP_AUDIT_FULL_API_ACCESS | GCP Audit Full API Access CS Policy | compute.instances.list |
GCP_AUDIT_INSTANCE_USING_PUBLIC_IP_ADDRESS | GCP Audit Instance Using Public IP Address CS Policy | compute.instances.list |
GCP_AUDIT_IP_FORWARDING_ENABLED | GCP Audit IP Forwarding Enabled CS Policy | compute.instances.list |
GCP_AUDIT_OS_LOGIN_DISABLED | GCP Audit OS Login Disabled CS Policy | compute.instances.list |
GCP_AUDIT_SQL_INSTANCE_AUTO_BACKUP_DISABLED | GCP Audit SQL Instance Auto Backup Disabled CS Policy | compute.instances.list |
GCP_Audit_Admin_Service_Account | GCP Audit Admin Service Account CS Policy | resourcemanager.projects.getIamPolicy |
GCP_Audit_Basic_User_Roles_CS_Policy | GCP Audit Basic User Roles CS Policy | resourcemanager.projects.getIamPolicy |
GCP_Audit_Bigquery_Dataset_Encrypted_Without_CMEK | GCP Audit Bigquery Dataset Encrypted Without CMEK CS Policy | bigquery.datasets.list |
GCP_Audit_Bigquery_Table_CMEK_Enabled | GCP Audit Bigquery Table CMEK Enabled CS Policy | bigquery.datasets.list |
GCP_Audit_Bucket_IAM_Not_Monitored | GCP Audit Bucket IAM Not Monitored CS Policy | logging.logMetrics.list |
GCP_Audit_Bucket_Log_Locked_Retention_Policy_Set | GCP Audit Bucket Log Locked Retention Policy Set CS Policy | storage.buckets.list |
GCP_Audit_Bucket_Object_Versioning_Enabled | GCP Audit Bucket Object Versioning Enabled CS Policy | storage.buckets.list |
GCP_Audit_Bucket_Policy_Only_Enabled | GCP Audit Bucket Policy Only Enabled CS Policy | storage.buckets.list |
GCP_Audit_Cloud_DNSSEC_Disabled | GCP Audit Cloud DNSSEC Disabled CS Policy | dns.managedZones.list |
GCP_Audit_Cloud_DNS_Zones_Signing_For_RSASHA1 | GCP Audit Cloud DNS Zones Signing For RSASHA1 CS Policy | dns.managedZones.list |
GCP_Audit_Confidential_Computing_Disabled | GCP Audit VM Instance Confidential Computing Enabled CS Policy | compute.instances.list |
GCP_Audit_Custom_Role_Not_Monitored | GCP Audit Custom Role Not Monitored CS Policy | logging.logMetrics.list |
GCP_Audit_DNS_Logging_Disabled | GCP Audit DNS Logging Disabled CS Policy | compute.networks.list |
GCP_Audit_Default_Service_Account_Used | GCP Audit VM Not Using Default Service Account CS Policy | compute.instances.list |
GCP_Audit_Firewall_Rule_Logging_Disabled_CS_Policy | GCP Audit Firewall Rule Logging Disabled CS Policy | compute.firewalls.list |
GCP_Audit_For_LDAP_Access | GCP Audit For Unrestricted LDAP Access CS Policy | compute.firewalls.list |
GCP_Audit_For_MEMCACHED_Access | GCP Audit For Unrestricted MEMCACHED Access CS Policy | compute.firewalls.list |
GCP_Audit_For_MONGODB_Access | GCP Audit For Unrestricted MONGODB Access CS Policy | compute.firewalls.list |
GCP_Audit_For_MYSQL_Access | GCP Audit For Unrestricted MYSQL Access CS Policy | compute.firewalls.list |
GCP_Audit_For_NETBIOS_Access | GCP Audit For Unrestricted NETBIOS Access CS Policy | compute.firewalls.list |
GCP_Audit_For_POP3_Access | GCP Audit For Unrestricted POP3 Access CS Policy | compute.firewalls.list |
GCP_Audit_For_TELNET_Access | GCP Audit For Unrestricted TELNET Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_CASSANDRA_Access | GCP Audit For Unrestricted CASSANDRA Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_CISCOSECURE_WEBSM_Access | GCP Audit For Unrestricted CISCOSECURE WEBSM Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_DIRECTORY_SERVICES_Access | GCP Audit For Unrestricted DIRECTORY SERVICES Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_DNS_Access | GCP Audit For Unrestricted DNS Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_ELASTICSEARCH_Access | GCP Audit For Unrestricted ELASTICSEARCH Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_FTP_Access | GCP Audit For Unrestricted FTP Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_HTTP_Access | GCP Audit For Unrestricted HTTP Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_ORACLEDB_Access | GCP Audit For Unrestricted ORACLEDB Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_POSTGRESQL_Access | GCP Audit For Unrestricted POSTGRESQL Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_RDP_Access | GCP Audit For Unrestricted RDP Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_REDIS_Access | GCP Audit For Unrestricted REDIS Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_SMTP_Access | GCP Audit For Unrestricted SMTP Access CS Policy | compute.firewalls.list |
GCP_Audit_For_Unrestricted_SSH_Access | GCP Audit For Unrestricted SSH Access CS Policy | compute.firewalls.list |
GCP_Audit_GKE_Alpha_Cluster_Enabled | GCP Audit GKE Alpha Cluster Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_CLUSTER_BINARY_AUTHORIZATION_DISABLED | GCP Audit GKE Cluster Binary Authorization Disabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Auto_Repair_Enabled | GCP Audit GKE Cluster Auto Repair Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Auto_Upgrade_Enabled | GCP Audit GKE Cluster Auto Upgrade Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_COS_Enabled | GCP Audit GKE Cluster COS Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Control_Plane_Authorized_Networks_Enabled | GCP Audit GKE Cluster Control Plane Authorized Networks Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_For_Application_Layer_Secret_Encryption | GCP Audit GKE Cluster For Application Layer Secret Encryption CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Host_Private_Google_Access_Enabled | GCP Audit GKE Cluster Host Private Google Access Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_IP_Alias_Enabled | GCP Audit GKE Cluster IP Alias Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Integrity_Monitoring_Enabled | GCP Audit GKE Cluster Integrity Monitoring Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Intranode_Visibility_Enabled | GCP Audit GKE Cluster Intranode Visibility Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Legacy_Metadata_Disabled | GCP Audit GKE Cluster Legacy Metadata Disabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Logging_Enabled | GCP Audit GKE Cluster Logging Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Monitoring_Enabled | GCP Audit GKE Cluster Monitoring Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Network_Policy_Enabled | GCP Audit GKE Cluster Network Policy Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Nodepool_Boot_CMEK_Enabled | GCP Audit GKE Cluster Nodepool Boot CMEK Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Over_Privileged_Scopes | GCP Audit GKE Cluster Over Privileged Scopes CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Over_Privileged_Service_Account | GCP Audit GKE Cluster Over Privileged Service Account CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Release_Channel_Enabled | GCP Audit GKE Cluster Release Channel Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Secure_Boot_Enabled | GCP Audit GKE Cluster Secure Boot Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_Workload_Identity_Enabled | GCP Audit GKE Cluster Workload Identity Enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Cluster_shielded_nodes_enabled | GCP Audit GKE Cluster shielded nodes enabled CS Policy | container.clusters.list |
GCP_Audit_GKE_Private_Cluster_Disabled_CS_Policy | GCP Audit GKE Private Cluster Disabled CS Policy | container.clusters.list |
GCP_Audit_Https_Load_Balancer | GCP Audit Https Load Balancer CS Policy | compute.targetHttpProxies.list |
GCP_Audit_KMS_Key_Rotation | GCP Audit KMS Key Rotation CS Policy | cloudkms.projects.locations |
GCP_Audit_KMS_Project_Has_Owner | GCP Audit KMS Project Has Owner CS Policy | resourcemanager.projects.getIamPolicy |
GCP_Audit_KMS_Role_Separation | GCP Audit KMS Role Separation CS Policy | resourcemanager.projects.getIamPolicy |
GCP_Audit_Log_Exported | GCP Audit Log Exported CS Policy | logging.sinks.list |
GCP_Audit_Log_Metrics_And_Alerts_Config_Monitored | GCP Audit Log Metrics And Alerts Config Monitored CS Policy | logging.logMetrics.list |
GCP_Audit_Log_Metrics_And_Alerts_Firewall_Monitored | GCP Audit Log Metrics And Alerts Firewall Monitored CS Policy | logging.logMetrics.list |
GCP_Audit_Log_Metrics_And_Alerts_Network_Monitored | GCP Audit Log Metrics And Alerts Network Monitored CS Policy | logging.logMetrics.list |
GCP_Audit_Log_Metrics_And_Alerts_Route_Monitored | GCP Audit Log Metrics And Alerts Route Monitored CS Policy | logging.logMetrics.list |
GCP_Audit_MYSQL_Instance_For_local_infile_Flag | GCP Audit MYSQL Instance For local_infile Flag CS Policy | cloudsql.instances.list |
GCP_Audit_MYSQL_Instance_For_skip_show_database_Flag | GCP Audit MYSQL Instance For skip_show_database Flag CS Policy | cloudsql.instances.list |
GCP_Audit_ORG_Policy_Confidential_VM_Policy | GCP Audit ORG Policy Confidential VM Policy CS Policy | compute.instances.list |
GCP_Audit_ORG_Policy_Location_Restriction | GCP Audit ORG Policy Location Restriction CS Policy | compute.instances.list |
GCP_Audit_Over_Privileged_Service_Account_User | GCP Audit Over Privileged Service Account User CS Policy | resourcemanager.projects.getIamPolicy |
GCP_Audit_Owner_Not_Monitored | GCP Audit Owner Not Monitored CS Policy | logging.logMetrics.list |
GCP_Audit_PostgreSQL_Instance_For_log_checkpoints_Flag | GCP Audit PostgreSQL Instance For log min error statement Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_connections_Flag | GCP Audit PostgreSQL Instance For log_checkpoints Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_disconnections_Flag | GCP Audit PostgreSQL Instance For log_connections Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_duration_Flag | GCP Audit PostgreSQL Instance For log_disconnections Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_error_verbosity_Flag | GCP Audit PostgreSQL Instance For log_duration Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_hostname_Flag | GCP Audit PostgreSQL Instance For log_error_verbosity Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_lock_waits_Flag | GCP Audit PostgreSQL Instance For log_hostname Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_min_duration_statement_Flag | GCP Audit PostgreSQL Instance For log_lock_waits Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_min_error_statement_Flag | GCP Audit PostgreSQL Instance For log_min_duration_statement Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_min_error_statement_Flag_For_Severity | GCP Audit PostgreSQL Instance For log_min_error_statement Flag For Severity CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_min_messages_Flag | GCP Audit PostgreSQL Instance For log_min_messages Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_parser_stats_Flag | GCP Audit PostgreSQL Instance For log_parser_stats Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_planner_stats_Flag | GCP Audit PostgreSQL Instance For log_planner_stats Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_statement_flag | GCP Audit PostgreSQL Instance For log_statement Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_statement_stats_Flag | GCP Audit PostgreSQL Instance For log_statement_stats Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_temp_files_Flag | GCP Audit PostgreSQL Instance For log_temp_files Flag CS Policy | cloudsql.instances.list |
GCP_Audit_SQL_Server_For_contained_database_authentication_Flag | GCP Audit SQL Server For contained database authentication Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PubSub_CMEK_Enabled | GCP Audit PubSub CMEK Enabled CS Policy | pubsub.topics.list |
GCP_Audit_SQL_Instance_Not_Monitored | GCP Audit SQL Instance Not Monitored CS Policy | logging.logMetrics.list |
GCP_Audit_SQL_Instance_Using_Public_IP_Address | GCP Audit SQL Instance Using Public IP Address CS Policy | cloudsql.instances.list |
GCP_Audit_SQL_Server_For_cross_db_ownership_chaining_Flag | GCP Audit SQL Server For cross_db_ownership_chaining Flag CS Policy | cloudsql.instances.list |
GCP_Audit_SQL_Server_For_external_scripts_enabled_Flag | GCP Audit SQL Server For external_scripts_enabled Flag CS Policy | cloudsql.instances.list |
GCP_Audit_SQL_Server_For_remote_access_Flag | GCP Audit SQL Server For remote_access Flag CS Policy | cloudsql.instances.list |
GCP_Audit_PostgreSQL_Instance_For_log_executor_status | GCP_Audit_PostgreSQL_Instance_For_log_executor_status | cloudsql.instances.list |
GCP_Audit_SQL_Server_User_Connections_Configured | GCP Audit SQL Server User Connections Configured CS Policy | compute.instances.list |
GCP_Audit_SQL_Server_User_Options_Configured | GCP Audit SQL Server User Options Configured CS Policy | compute.instances.list |
GCP_Audit_SQL_Trace_Flag_3625 | GCP Audit SQL Trace Flags 3625 CS Policy | compute.instances.list |
GCP_Audit_Service_Account_Key_Not_Rotated | GCP Audit Service Account Key Not Rotated CS Policy | iam.serviceAccounts.list |
GCP_Audit_Service_Account_Role_Separation | GCP Audit Service Account Role Separation CS Policy | resourcemanager.projects.getIamPolicy |
GCP_Audit_Sheiled_VM_Instance_Disabled | GCP Audit Sheiled VM Instance Disabled CS Policy | compute.instances.list |
GCP_Audit_Too_Many_KMS_Users | GCP Audit Too Many KMS Users CS Policy | cloud_kms.projects.locations |
GCP_Audit_Unrestricted_Outbound_Access | GCP Audit For Unrestricted Outbound Access CS Policy | compute.firewalls.list |
GCP_Audit_VM_Instance_Disk_Not_Encrypted_With_CMEK | GCP Audit VM Instance Disk Not Encrypted With CMEK CS Policy | compute.instances.list |
GCP_Audit_VPC_Flow_Logs_Enabled | GCP Audit VPC Flow Logs Enabled CS Policy | compute.subnetworks.list |
GCP_Audit_VPC_Private_Google_Access_Enabled | GCP Audit VPC Private Google Access Enabled CS Policy | compute.subnetworks.list |
GCP_Audit_Weak_SSL_Policy | GCP Audit Weak SSL Policy CS Policy | compute.targetHttpsProxies.list |
GCP_Audits_Bucket_Encrypted_Without_CMEK | GCP Audit Bucket Encrypted Without CMEK CS Policy | storage.buckets.list |
GCP_Disks_Encryption_Check | GCP Disks Encryption Check CS Policy | compute.disks.list |
Updated 9 days ago