Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace “in-scope-pci”.

Google Cloud Directory Sync (GCDS)

Cloud Identity

Security Assertion Markup Language (SAML)

Pub/Sub

BigQuery using a data pipeline job with continuous updates via Cloud VPN

Cloud Storage using a scheduled task and gsutil via Cloud Interconnect

Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN

Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

Customer-supplied encryption keys.

Google default encryption

Secret Manager

Cloud External Key Manager

Customer-managed encryption keys

Customer-managed encryption keys

Customer-Supplied Encryption Keys

Key Access Justifications

Access Transparency and Approval

Cloud External Key Manager

roles/logging.privateLogViewer

roles/logging.admin

roles/viewer

roles/logging.viewer

Enforce 2-factor authentication in GSuite for all users.

Configure Cloud Identity-Aware Proxy for the App Engine Application.

Provision user passwords using GSuite Password Sync.

Configure Cloud VPN between your private network and GCP.

On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.

On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.

On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account Ask the user to update their second factor, and then re-enable 2SV for this account.

On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.

Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection.

Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.

Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.

No action is necessary because Google encrypts data while it is in use by default.

Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with security keys in the Google Admin console.

Create a Cloud Identity password policy with strong password settings, and configure 2-Step Verification with verification codes via text or phone call in the Google Admin console.

Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with security keys in the Google Admin console.

Create an Active Directory domain password policy with strong password settings, and configure post-SSO (single sign-on) 2-Step Verification with verification codes via text or phone call in the Google Admin console.

Send all logs to the SIEM system via an existing protocol such as syslog.

Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.

Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.

Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.

•1 Grant logging, viewer rote to the security team at the organization resource level.

•2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects.

•1 Grant logging. viewer rote to the security team at the organization resource level.

•2 Grant logging. admin role to the developer team at the organization resource level.

•1 Grant logging.admin role to the security team at the organization resource level.

•2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.

•1 Grant logging.admin role to the security team at the organization resource level.

•2 Grant logging.admin role to the developer team at the organization resource level.

Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module

(HSM) system from supported vendors.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.

Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.

Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project.

2. Grant your Google Cloud project access to a supported external key management partner system.

1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).

2. In Cloud KMS, grant your Google Cloud project access to use the key.

1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system.

2. In the external key management partner system, grant access for this key to use your Google Cloud project.

1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS).

2. In Cloud KMS, grant your Google Cloud project access to use the key.

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

Cloud Data Loss Prevention with format-preserving encryption

Cloud Data Loss Prevention with cryptographic hashing

Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys

Cloud Armor

VPC Firewall Rules

Cloud Identity and Access Management

Cloud CDN

Disable and revoke access to compromised keys.

Enable automatic key version rotation on a regular schedule.

Manually rotate key versions on an ad hoc schedule.

Limit the number of messages encrypted with each key version.

Disable the Cloud KMS API.

Create a project with multiple VPC networks for each environment.

Create a folder for each development and production environment.

Create a Google Group for the Engineering team, and assign permissions at the folder level.

Create an Organizational Policy constraint for each folder environment.

Create projects for each environment, and grant IAM rights to each engineering user.

Define an organization policy constraint.

Configure packet mirroring policies.

Enable VPC Flow Logs on the subnet.

Monitor and analyze Cloud Audit Logs.

Text message or phone call code

Security key

Google Authenticator application

Google prompt

Use Cloud Build to build the container images.

Build small containers using small base images.

Delete non-used versions from Container Registry.

Use a Continuous Delivery tool to deploy the application.

Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and movesthe files to the archive storage class.

Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12months ago and archives them to another Cloud Storage bucket. Delete the original files.

Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys ofthe Cloud Storage files containing Pll to de-identify them Delete the original keys.

Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are olderthan 12 months Delete the original files.

Cloud Key Management Service

Compute Engine guest attributes

Compute Engine custom metadata

Secret Manager

Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises

Use Cloud External Key Manager to delete specific encryption keys.

Use customer-managed encryption keys to delete specific encryption keys.

Use Google default encryption to delete specific encryption keys.

Validate that the egress firewall rules allow any outgoing traffic Log in to each VM and execute OS specific update commands Configure the Cloud Scheduler job to update with critical patches daily for daily updates.

Ensure that VM Manager is installed and running on the VMs. In the OS patch management service. configure the patch jobs to update with critical patches daily.

Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic Log in to each VM. and configure a daily cron job to enable for OS updates at night during low activity periods.

Copy the latest patches to the Cloud Storage bucket. Log in to each VM. download the patches from the bucket, and install them.

•1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

•1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium

•2 Monitor the findings in SCC

* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Activate Confidential Computing

•3 Enforce these actions by using organization policies

•1 Use secure hardened images from the Google Cloud Marketplace

•2 When deploying the images activate the Confidential Computing option

•3 Enforce the use of the correct images and Confidential Computing by using organization policies

Configure the project with Cloud VPN.

Configure the project with Shared VPC.

Configure the project with Cloud Interconnect.

Configure the project with VPC peering.

Configure all Compute Engine instances with Private Access.

Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.

Enable theconstraints/storage.publicAccessPreventionconstraint at the organization level.

Enable theconstraints/storage.uniformBucketLevelAccessconstraint at the organization level.

Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contains buckets. Add any new project that contains a bucket to the perimeter.

Use customer-managed encryption keys.

Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.

Enable Admin activity logs to monitor access to resources.

Enable Access Transparency logs with Access Approval requests for Google employees.

Configure the organization policy constraint gcp.resourceLocations to europe-west4.

Set the logging storage region to eurcpe-west4 by using the gcloud CLI logging settings update.

Create a new tog bucket in europe-west4. and redirect the _Def auit bucKet to the new bucket.

Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data and sensitive data with Cloud Key Management Service

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Use Google default encryption.

Manually add users to Google Cloud.

Provision users with basic roles using Google's Identity and Access Management (1AM) service.

Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

Provide granular access with predefined roles.

Security Reviewer

lAP-Secured Tunnel User

lAP-Secured Web App User

Service Broker Operator

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.

Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

Create an exact replica of your existing perimeter. Add your new access level to the replica. Update the original perimeter after the access level has been vetted.

Update your perimeter with a new access level that never matches. Update the new access level to match your desired state one condition at a time to avoid being overly permissive.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter configuration. Update the perimeter configuration after the access level has been vetted.

Enable the dry run mode on your perimeter. Add your new access level to the perimeter dry run configuration. Update the perimeter configuration after the access level has been vetted.

Cloud IDS

VPC Service Controls logs

VPC Flow Logs

Google Cloud Armor

Packet Mirroring

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.

Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.

In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.

In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.

Marketplace IDS

VPC Flow Logs

VPC Service Controls logs

Packet Mirroring

Google Cloud Armor Deep Packet Inspection

ISO 27001

ISO 27002

ISO 27017

ISO 27018

Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

Create a custom role with the permission compute.instances.list and grant the Service Account this role.

Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.

Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.

Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.

Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.

Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

Configure the Binary Authorization policy with respective attestations for the project.

Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine(GKE).

Enable Container Threat Detection in the Security Command Center (SCC) for the project.

Configure the trusted image organization policy constraint for the project.

Enable Pod Security standards and set them to Restricted.

Identity Aware-Proxy

Cloud NAT

TCP/UDP Load Balancing

Cloud DNS

Create a service account key and add it to the GitHub pipeline configuration file.

Create a service account key and add it to the GitHub repository content.

Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

Configure workload identity federation to use GitHub as an identity pool provider.

Modify the VPC routing with the default route point to the default internet gateway Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance.

Configure the bastion host with OS Login enabled and allow connection to port 5601 at VPC firewall Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application

Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials Modify the VPC firewall to allow access from IAP network range

Configure Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use a bastion host as a jump host to connect to the application

Configuring and monitoring VPC Flow Logs

Defending against XSS and SQLi attacks

Manage the latest updates and security patches for the Guest OS

Encrypting all stored data

Use Policy Analyzer lo query the permissions compute, firewalls, create of

compute, firewalls. Create of compute,firewalls.delete.

Reference the Security Health Analytics - Firewall Vulnerability Findings in the Security Command Center.

Use Policy Analyzer to query the permissions compute, firewalls, get of compute, firewalls, list.

Use Firewall Insights to understand your firewall rules usage patterns.

Store the data in a persistent disk, and delete the disk at expiration time.

Store the data in a Cloud Bigtable table, and set an expiration time on the column families.

Store the data in a BigQuery table, and set the table's expiration time.

Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.

Use Packet Mirroring to mirror traffic to and from particular VM instances. Perform inspection using security software that analyzes the mirrored traffic.

Enable VPC Flow Logs for all subnets in the VPC. Perform inspection on the Flow Logs data using Cloud Logging.

Configure the Fluentd agent on each VM Instance within the VPC. Perform inspection on the log data using Cloud Logging.

Configure Google Cloud Armor access logs to perform inspection on the log data.

Use Forseti with Firewall filters to catch any unwanted configurations in production.

Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.

Route all VPC traffic through customer-managed routers to detect malicious patterns in production.

All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

1. Configure all running Web and App servers with respective network tags.

2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.

1. Configure all running Web and App servers with respective service accounts.

2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

1. Re-deploy the Web and App servers with instance templates configured with respective network tags.

2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.

1. Re-deploy the Web and App servers with instance templates configured with respective service accounts.

2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.

Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.

Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Titan Security Keys

Google prompt

Google Authenticator app

Cloud HSM keys

Use service perimeter and create an access level based on the authorized source IP address as thecondition.

Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the globalHTTPS load balancer.

Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).

Use the Restrict Resource service usage organization policy constraint along with Cloud Data Loss Prevention (DLP).

Use multi-factor authentication for admin access to the web application.

Use only applications certified compliant with PA-DSS.

Move the cardholder data environment into a separate GCP project.

Use VPN for all connections between your office and cloud environments.

Use Security Health Analytics to determine user activity.

Use the Cloud Monitoring console to filter audit logs by user.

Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.

Use the Logs Explorer to search for user activity.

Policy Troubleshooter

Policy Analyzer

IAM Recommender

Policy Simulator

Organization

Resource

Project

Folder

Remove all project-level custom Identity and Access Management (1AM) roles.

Disallow inheritance of organization policies.

Identify inherited Identity and Access Management (1AM) roles on projects to be migrated.

Create a new folder for all projects to be migrated.

Remove the specific migration projects from any VPC Service Controls perimeters and bridges.

Create a firewall rule to block internet traffic from the VM.

Provision a NAT Gateway to access the Cloud Storage API endpoint.

Enable Private Google Access on the VPC.

Mount a Cloud Storage bucket as a local filesystem on every VM.

Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.

Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.

Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.

Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.

Cloud Key Management Service

Cloud Data Loss Prevention API

BigQuery

Cloud Security Scanner

Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.

Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.

Create a new key, and use the new key in the application. Delete the old key from the Service Account.

Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.

Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.

Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours

Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.