Google Cloud Platform (GCP)

What cloud services are supported for Google Cloud?

Cloud Scanning for Google Cloud checks your projects against security best practices and flags misconfigurations that are among the most common causes of security breaches, across a broad set of services.

Cost-saving plugins

A set of plugins highlights unused or misused services that may be driving up your monthly Google Cloud bill. Read more about these plugins in this article:
https://support.holmsecurity.com/hc/en-us/articles/8052279700124

Supported services

Here's the list of services that we currently support:

  • API
  • BigQuery
  • BigTable
  • CLB
  • Cloud Composer
  • Cloud Functions
  • CloudBuild
  • Compute
  • Cryptographic Keys
  • DNS
  • Dataflow
  • Dataproc
  • Deployment Manager
  • IAM
  • Kubernetes
  • Logging
  • Pub/Sub
  • Resource Manager
  • SQL
  • Security
  • Service Usage
  • Spanner
  • Storage
  • VPC Network

Supported policies

Across these services, the following policies are scanned for:

  • API - API Key API Restriction
  • API - API Key Active Services Only
  • API - API Key Application Restriction
  • API - API Key Rotation
  • API - Project API Keys
  • BigQuery - Dataset All Users Policy
  • BigQuery - Dataset Labels Added
  • BigQuery - Datasets CMK Encrypted
  • BigQuery - Tables CMK Encrypted
  • BigTable - BigTable Instance Labels Added
  • CLB - CLB CDN Enabled
  • CLB - CLB HTTPS Only
  • CLB - CLB Logging Enabled
  • CLB - CLB No Instances
  • CLB - Security Policy Enabled
  • Cloud Composer - Airflow Web Server Public Access
  • Cloud Composer - Environment Default Service Account
  • Cloud Composer - Environment Encryption
  • Cloud Composer - Environment Labels Added
  • Cloud Functions - Cloud Function All Users Policy
  • Cloud Functions - Cloud Function Labels Added
  • Cloud Functions - Cloud Function Serverless VPC Access
  • Cloud Functions - HTTP Trigger require HTTPS
  • Cloud Functions - Ingress All Traffic Disabled
  • CloudBuild - Comment Control Enabled
  • CloudBuild - Specific Source Branch
  • CloudBuild - Trigger Has Tags
  • CloudBuild - User Approval Enabled
  • Compute - Application Consistent Snapshots
  • Compute - Autoscale Enabled
  • Compute - Autoscale Minimum CPU Utilization Target
  • Compute - CSEK Encryption Enabled
  • Compute - Confidential Computing Enabled
  • Compute - Connect Serial Ports Disabled
  • Compute - Deprecated Images
  • Compute - Disk Automatic Backup Enabled
  • Compute - Disk In Use
  • Compute - Disk Labels Added
  • Compute - Disk MultiAz
  • Compute - Disk Old Snapshots
  • Compute - Enable Usage Export
  • Compute - Frequently Used Snapshots
  • Compute - IP Forwarding Disabled
  • Compute - Image Labels Added
  • Compute - Images CMK Encrypted
  • Compute - Instance Automatic Restart Enabled
  • Compute - Instance Default Service Account
  • Compute - Instance Desired Machine Type
  • Compute - Instance Group Auto Healing Enabled
  • Compute - Instance Labels Added
  • Compute - Instance Level SSH Only
  • Compute - Instance Maintenance Behavior
  • Compute - Instance Preemptibility Disabled
  • Compute - Instance Public Access Disabled
  • Compute - Instance Template Machine Type
  • Compute - Instances Multi AZ
  • Compute - OS Login 2FA Enabled
  • Compute - OS Login Enabled
  • Compute - Persistent Disks Auto Delete
  • Compute - Public Disk Images
  • Compute - Shielded VM Enabled
  • Compute - Snapshot Encryption
  • Compute - Snapshot Labels Added
  • Compute - VM Disks CMK Encryption
  • Compute - VM Instance Deletion Protection
  • Compute - VM Instances Least Privilege
  • Compute - VM Max Instances
  • Cryptographic Keys - KMS Public Access
  • Cryptographic Keys - Key Protection Level
  • Cryptographic Keys - Key Rotation
  • DNS - DNS Security Enabled
  • DNS - DNS Security Signing Algorithm
  • DNS - DNS Zone Labels Added
  • Dataflow - Dataflow Hanged Jobs
  • Dataflow - Dataflow Jobs Encryption
  • Dataproc - Dataproc Cluster Encryption
  • Dataproc - Dataproc Cluster Labels Added
  • Dataproc - Hadoop Secure Mode Enabled
  • Deployment Manager - Delete Expired Deployments
  • IAM - BigQuery Admin
  • IAM - Bigtable Admin
  • IAM - Corporate Emails Only
  • IAM - KMS User Separation
  • IAM - Member Admin
  • IAM - Pub/Sub Admin
  • IAM - Service Account Admin
  • IAM - Service Account Key Rotation
  • IAM - Service Account Managed Keys
  • IAM - Service Account Role
  • IAM - Service Account Separation
  • IAM - Service Account Token Creator
  • IAM - Service Account User
  • IAM - Service Limits
  • Kubernetes - Alias IP Ranges Enabled
  • Kubernetes - Automatic Node Repair Enabled
  • Kubernetes - Automatic Node Upgrades Enabled
  • Kubernetes - Basic Authentication Disabled
  • Kubernetes - Binary Authorization Enabled
  • Kubernetes - COS Image Enabled
  • Kubernetes - Client Certificate Disabled
  • Kubernetes - Cluster Encryption Enabled
  • Kubernetes - Cluster Labels Added
  • Kubernetes - Cluster Least Privilege
  • Kubernetes - Default Service Account
  • Kubernetes - Integrity Monitoring Enabled
  • Kubernetes - Kubernetes Alpha Disabled
  • Kubernetes - Legacy Authorization Disabled
  • Kubernetes - Logging Enabled
  • Kubernetes - Master Authorized Network
  • Kubernetes - Monitoring Enabled
  • Kubernetes - Network Policy Enabled
  • Kubernetes - Node Encryption Enabled
  • Kubernetes - Pod Security Policy Enabled
  • Kubernetes - Private Cluster Enabled
  • Kubernetes - Private Endpoint
  • Kubernetes - Secure Boot Enabled
  • Kubernetes - Shielded Nodes
  • Kubernetes - Web Dashboard Disabled
  • Logging - Audit Configuration Logging
  • Logging - Audit Logging Enabled
  • Logging - Custom Role Logging
  • Logging - Log Sinks Enabled
  • Logging - Project Ownership Logging
  • Logging - SQL Configuration Logging
  • Logging - Storage Permissions Logging
  • Logging - VPC Firewall Rule Logging
  • Logging - VPC Network Logging
  • Logging - VPC Network Route Logging
  • Pub/Sub - Dead Lettering Enabled
  • Pub/Sub - Topic All Users Policy
  • Pub/Sub - Topic Encryption Enabled
  • Pub/Sub - Topic Labels Added
  • Resource Manager - Compute Allowed External IPs
  • Resource Manager - Detailed Audit Logging Mode
  • Resource Manager - Disable Automatic IAM Grants
  • Resource Manager - Disable Default Encryption Creation
  • Resource Manager - Disable Guest Attributes
  • Resource Manager - Disable Serial Port Access
  • Resource Manager - Disable Service Account Creation
  • Resource Manager - Disable Service Account Key Creation
  • Resource Manager - Disable Service Account Key Upload
  • Resource Manager - Disable VM IP Forwarding
  • Resource Manager - Disable Workload Identity Cluster Creation
  • Resource Manager - Enforce Require OS Login
  • Resource Manager - Enforce Restrict Authorized Networks
  • Resource Manager - Enforce Uniform Bucket-Level Access
  • Resource Manager - Essential Contacts Configured
  • Resource Manager - Location-Based Service Restriction
  • Resource Manager - Restrict Load Balancer Creation
  • Resource Manager - Restrict Shared VPC Subnetworks
  • Resource Manager - Restrict VPC Peering
  • Resource Manager - Restrict VPN Peer IPs
  • Resource Manager - Skip Default Network Creation
  • Resource Manager - Trusted Image Projects
  • SQL - Any Host Root Access
  • SQL - DB Automated Backups
  • SQL - DB Multiple AZ
  • SQL - DB Publicly Accessible
  • SQL - DB Restorable
  • SQL - Database SSL Enabled
  • SQL - MySQL Latest Version
  • SQL - MySQL Local Infile Disabled
  • SQL - MySQL Skip Show Database Enabled
  • SQL - MySQL Slow Query Log Enabled
  • SQL - PostgreSQL Latest Version
  • SQL - PostgreSQL Log Checkpoints Enabled
  • SQL - PostgreSQL Log Connections Flag Enabled
  • SQL - PostgreSQL Log Disconnections Flag Enabled
  • SQL - PostgreSQL Log Error Verbosity
  • SQL - PostgreSQL Log Hostname Flag Enabled
  • SQL - PostgreSQL Log Lock Waits Flag Enabled
  • SQL - PostgreSQL Log Min Duration Statement
  • SQL - PostgreSQL Log Min Error Statement
  • SQL - PostgreSQL Log Min Messages
  • SQL - PostgreSQL Log Statement
  • SQL - PostgreSQL Log Temp Files
  • SQL - PostgreSQL Max Connections
  • SQL - PostgreSQL Pg Audit Flag Enabled
  • SQL - SQL CMK Encryption
  • SQL - SQL Contained Database Authentication
  • SQL - SQL Cross DB Ownership Chaining
  • SQL - SQL Instance Labels Added
  • SQL - SQL No Public IPs
  • SQL - SQL Server Contained Database Authentication Flag Disabled
  • SQL - SQL Server External Scripts Flag Disabled
  • SQL - SQL Server Remote Access Flag Disabled
  • SQL - SQL Server Trace Flag Disabled
  • SQL - SQL Server User Connections Flag
  • SQL - SQL Server User Options Flag Disabled
  • SQL - SSL Certificate Rotation
  • SQL - Storage Auto Increase Enabled
  • Security - Access Approval Enabled
  • Service Usage - Asset Inventory Enabled
  • Spanner - Spanner Instance Node Count
  • Storage - Bucket Encryption
  • Storage - Bucket Labels Added
  • Storage - Bucket Lifecycle Configured
  • Storage - Bucket Logging
  • Storage - Bucket Uniform Level Access
  • Storage - Bucket Versioning
  • Storage - Storage Bucket All Users Policy
  • Storage - Storage Bucket Retention Policy
  • VPC Network - Default VPC Exists
  • VPC Network - Default VPC In Use
  • VPC Network - Excessive Firewall Rules
  • VPC Network - Firewall Logging Metadata
  • VPC Network - Flow Logs Enabled
  • VPC Network - Instance Default Network
  • VPC Network - Legacy Network Exists
  • VPC Network - Multiple Subnets
  • VPC Network - Open All Ports
  • VPC Network - Open CIFS
  • VPC Network - Open Cassandra
  • VPC Network - Open Cassandra Client
  • VPC Network - Open Cassandra Internode
  • VPC Network - Open Cassandra Monitoring
  • VPC Network - Open Cassandra Thrift
  • VPC Network - Open Custom Ports
  • VPC Network - Open DNS
  • VPC Network - Open Docker
  • VPC Network - Open Elasticsearch
  • VPC Network - Open FTP
  • VPC Network - Open HTTP
  • VPC Network - Open Hadoop HDFS NameNode Metadata Service
  • VPC Network - Open Hadoop HDFS NameNode WebUI
  • VPC Network - Open Internal web
  • VPC Network - Open Kibana
  • VPC Network - Open LDAP
  • VPC Network - Open LDAPS
  • VPC Network - Open MSSQL
  • VPC Network - Open Memcached
  • VPC Network - Open MongoDB
  • VPC Network - Open MySQL
  • VPC Network - Open NetBIOS
  • VPC Network - Open Oracle
  • VPC Network - Open Oracle Auto Data Warehouse
  • VPC Network - Open PostgreSQL
  • VPC Network - Open RDP
  • VPC Network - Open RPC
  • VPC Network - Open Redis
  • VPC Network - Open SMBoTCP
  • VPC Network - Open SMTP
  • VPC Network - Open SNMP
  • VPC Network - Open SQLServer
  • VPC Network - Open SSH
  • VPC Network - Open Salt
  • VPC Network - Open Telnet
  • VPC Network - Open VNC Client
  • VPC Network - Open VNC Server
  • VPC Network - Private Access Enabled
  • VPC Network - VPC DNS Logging Enabled