Platform: GCP

| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | API keys are not the primary or recommended method for GCE management. They are typically for public APIs or billing. Secure management of API keys (restriction, rotation, Secret Manager) is crucial if used for other services. | API keys are generally not recommended for managing Compute Engine resources; service accounts are preferred. If used for other services accessed from GCE, keys should be restricted and stored in Secret Manager. |
| Authentication & Authorization | IAM Integration | True | Granular access control via Google Cloud IAM roles and policies at project, instance, and resource levels. Supports basic, predefined, and custom roles. Enforces principle of least privilege. | |
| Authentication & Authorization | MFA | True | MFA (2-Step Verification) is supported and becoming mandatory for Google Cloud accounts. OS Login with 2FA can be enabled for SSH access to VMs, linking user accounts to Google identity and requiring a second factor. | MFA is for user accounts accessing the console/SSH; not directly for service accounts. |
| Authentication & Authorization | Service Account Support | True | Service accounts are the preferred method for applications on VMs to authenticate to GCP services. They can be attached to instances, eliminating the need for hardcoded credentials. Avoid using the default compute service account. | Default service account has broad permissions; dedicated service accounts with least privilege are recommended. |
| Authentication & Authorization | Standard Protocols | True | Leverages OAuth 2.0 for server-to-server interactions (via service accounts and access tokens with scopes). OpenID Connect (OIDC) is used for federated identity, especially with Workload Identity Federation for external workloads. | |
| Compliance & Certifications | Compliance Documentation | True | Google Cloud Compliance Reports Manager provides on-demand access to ISO/IEC certificates, SOC reports, and other compliance documentation relevant to Compute Engine. Compliance Resource Center offers detailed information. | |
| Compliance & Certifications | Industry Certifications | True | Google Cloud Platform (including Compute Engine) adheres to ISO/IEC 27001, 27017, 27018, 27701, SOC 1/2/3, HIPAA, FedRAMP, PCI DSS, CSA STAR, and various regional certifications. | |
| Data Loss Prevention (DLP) | Data Masking/Redaction | True | Cloud DLP supports data masking and redaction for sensitive information. This can be applied to data before it's stored on GCE disks or as it's processed by applications running on VMs, by integrating with DLP APIs. | Requires integration with Cloud DLP; not a native GCE feature. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | Cloud DLP can be used to discover, classify, and report on sensitive data within Compute Engine instances (e.g., data on disks, logs, or data processed by applications on VMs). This requires configuring DLP scans to target relevant GCE resources or data flows. | Requires integration with Cloud DLP; not a native GCE feature. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Organization Policies (constraints/gcp.resourceLocations) can restrict resource creation. VPC Firewall Rules can block egress traffic to other regions. VPC Service Controls provide comprehensive data exfiltration prevention by creating service perimeters. | Requires configuration of Organization Policies, VPC Firewall Rules, or VPC Service Controls. |
| Data Residency & Sovereignty | Data Location Transparency | True | Users can view the specific region and zone of VMs and disks in the Google Cloud Console. Google provides public information on physical data center locations for regions. Access Transparency and Access Approval features offer further visibility and control. | |
| Data Residency & Sovereignty | Region Selection | True | Google Compute Engine allows selection of specific regions and zones for VM instances and persistent disks to meet data residency requirements. Over 40 regions available globally. | |
| Encryption | Encryption at Rest | True | All data on persistent disks and snapshots is encrypted at rest by default using Google-Managed Encryption Keys (GMEK). Supports Customer-Managed Encryption Keys (CMEK) via Cloud KMS and Customer-Supplied Encryption Keys (CSEK) for granular control. | |
| Encryption | Encryption in Transit | True | Google encrypts data in transit at network layers by default. Users can implement TLS termination at Google Cloud Load Balancers (with Google-managed or self-managed certs, SSL Policies for TLS versions/cipher suites) or configure TLS directly on VMs (e.g., with Certbot/Nginx). | Requires configuration at the load balancer or VM level for end-to-end encryption. |
| Logging & Monitoring | Access Logging | True | Detailed access logs for Compute Engine are provided through Data Access Logs within Cloud Audit Logs, recording API calls that read or modify user-provided data. Explicit enablement is required. | Data Access logs are disabled by default and must be explicitly enabled. |
| Logging & Monitoring | Audit Logging | True | Comprehensive audit trails (Admin Activity, Data Access, System Event, Policy Denied logs) are available via Cloud Audit Logs. Capture who, what, where, and when for resource modifications and data access. Logs can be viewed in Logs Explorer and exported. | Data Access logs are disabled by default and must be explicitly enabled. |
| Logging & Monitoring | Log Retention | True | Admin Activity and System Event logs are retained for 400 days (fixed). Data Access and Policy Denied logs default to 30 days but are configurable up to 3650 days. Logs can be exported to Cloud Storage or BigQuery for long-term archival. | Data Access logs default to 30 days; longer retention requires configuration or export. |
| Logging & Monitoring | Monitoring & Alerting | True | Integration with Cloud Monitoring for real-time metrics (CPU, disk I/O, network traffic, uptime) and configurable alerting policies. Ops Agent provides more detailed metrics. Various notification channels are supported. | Installing the Ops Agent is recommended for comprehensive metrics like memory utilization. |
| Network Security | API Gateway Integration | True | API Gateway can be integrated with Compute Engine backends by using an external HTTP(S) load balancer and a Serverless Network Endpoint Group (NEG) pointing to the API Gateway. Provides enhanced security, centralized management, and scalability. | Requires a load balancer as an intermediary; direct integration is not supported. |
| Network Security | DDoS Protection | True | DDoS protection is provided by Google Cloud Armor, applied to backend services of a Google Cloud Load Balancer (e.g., External HTTP(S) Load Balancer) that fronts GCE instances. Offers Standard and Managed Protection Plus tiers with WAF, rate limiting, and adaptive protection. | Requires integration with Google Cloud Load Balancing and Cloud Armor. |
| Network Security | Firewall Rules | True | GCE firewall rules operate at the VPC network level, controlling ingress/egress traffic to VMs. They are stateful and can be applied to all instances in the network, or granularly using network tags or service accounts as targets. Implied rules deny all ingress and allow all egress by default unless overridden by higher-priority rules. | |
| Network Security | Private Access | True | Supports private connectivity for VMs via Private Google Access (for Google APIs) and Private Service Connect (for Google APIs and other services). VPC Service Controls can create service perimeters to prevent data exfiltration. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | Google Cloud APIs, including Compute Engine API, are designed with security in mind, adhering to secure API design principles as part of Google's overall SDL. This includes consistent authentication, authorization, and data handling. | |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Google's internal development processes include rigorous code reviews and security testing for its services, including Compute Engine, as part of its SDL. This ensures the platform itself is built securely. | |
| Vulnerability Management & Patching | Security Updates | True | Google provides OS Patch management service for automated patching and compliance reporting for guest OS. Many Google-provided images auto-install security updates. Best practice is to patch base images and deploy new instances. | Users are responsible for patching guest OS and applications; Google manages host OS. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Security Command Center (SCC) provides managed vulnerability assessment for high-severity issues and misconfigurations. Web Security Scanner covers web applications. Third-party tools (Nessus, Qualys) also integrate. Google allows penetration testing on user projects. | |