ITGC Cloud Checklist

Uploaded by vedaxew561

S. No | Area | Category | Point
1 | Cloud Governance and Management | Cloud Strategy and Policies | Ensure the organization has a cloud strategy that aligns with business goals.
2 | Cloud Governance and Management | Cloud Risk Management | Review the risk management process for cloud operations, including third-party risks.
3 | Cloud Governance and Management | Cloud Resource Provisioning | Evaluate provisioning and de-provisioning processes for cloud resources.
4 | Cloud Governance and Management | Cloud Cost Management | Check if cloud cost management practices are in place, including monitoring usage.
5 | Cloud Governance and Management | Vendor Management | Assess vendor management practices, including cloud SLAs and security requirements.
6 | Identity and Access Management | Access Control Policies | Ensure proper access control policies are implemented for cloud environments.
7 | Identity and Access Management | Privileged Access Management | Verify privileged access management is in place, following the principle of least privilege.
8 | Identity and Access Management | Password Policy | Ensure the organization enforces strong password complexity rules (length, special characters, numbers).
9 | Identity and Access Management | Password History | Review the policy for password history and re-use prevention in cloud environments.
10 | Identity and Access Management | Password Protection | Evaluate the storage and protection mechanisms for passwords in the cloud (e.g., hash and encryption).
11 | Identity and Access Management | Multi-Factor Authentication | Check if multi-factor authentication is enforced for cloud users.
12 | Identity and Access Management | Federated Identity Management | Ensure federated identity management is in place for integrating identity across platforms.
13 | Identity and Access Management | Session Management | Review session management controls to prevent session hijacking in cloud environments.
14 | Identity and Access Management | Audit Logging and Monitoring | Verify that audit logging and monitoring are implemented to track user activities.
15 | Data Security | Data Encryption | Ensure that data encryption is enforced at rest and in transit for sensitive data.
16 | Data Security | Data Residency and Classification | Check if the organization complies with data residency requirements for cloud data.
17 | Data Security | Data Masking | Review data masking practices for protecting sensitive information.
18 | Data Security | Key Management | Verify key management procedures for encryption are secure and comply with policies.
19 | Data Security | Sensitive Data Handling | Assess how sensitive data is handled within cloud applications and storage.
20 | Data Security | Data Sharing and APIs | Review data sharing policies, especially around API usage in cloud environments.
21 | Incident Management | Incident Detection and Response | Evaluate the incident detection process for timely identification of cloud threats.
22 | Incident Management | Incident Escalation and Reporting | Ensure proper escalation and reporting procedures for cloud incidents are in place.
23 | Incident Management | Threat Intelligence and Monitoring | Assess threat intelligence capabilities for monitoring cloud-specific threats.
24 | Incident Management | Post-Incident Analysis | Review post-incident analysis practices to learn from cloud incidents.
25 | Incident Management | Communication with CSP | Assess communication protocols with the cloud service provider during incidents.
26 | Compliance with CSP Regulations | Regulatory Compliance | Ensure the organization complies with applicable cloud regulatory requirements.
27 | Compliance with CSP Regulations | Contractual Compliance with CSP | Check that contracts with CSPs include terms for compliance, security, and auditability.
28 | Compliance with CSP Regulations | Auditability of Cloud Environment | Evaluate the auditability of cloud environments, including access logs and configurations.
29 | Compliance with CSP Regulations | Compliance with Industry Standards | Verify compliance with industry standards like ISO 27001 or SOC 2 for cloud environments.
30 | Compliance with CSP Regulations | Data Residency Requirements | Ensure adherence to data residency laws specific to cloud storage locations.
31 | Compliance with CSP Regulations | Backup Policies and Procedures | Check if backup policies and procedures cover all critical cloud data.
32 | Data Backup and Recovery in the Cloud | Backup Testing and Validation | Verify that backups are regularly tested and validated for cloud environments.
33 | Data Backup and Recovery in the Cloud | Data Recovery in Cloud | Ensure data recovery processes are clearly defined and tested in the cloud.
34 | Data Backup and Recovery in the Cloud | Cross-Region Backup | Review cross-region backup strategies for resiliency and disaster recovery.
35 | Data Backup and Recovery in the Cloud | Business Impact Analysis for Cloud | Assess business impact analysis processes for cloud-based services.
36 | Data Backup and Recovery in the Cloud | Network Segmentation | Check if network segmentation isolates sensitive workloads in cloud environments.
37 | Network Security | Network Traffic Monitoring | Verify network traffic monitoring is active and logs are regularly reviewed.
38 | Network Security | Firewall and IDS/IPS Management | Ensure firewall and IDS/IPS are configured to protect cloud workloads.
39 | Network Security | Endpoint Security in Cloud | Assess endpoint security measures for devices accessing cloud resources.
40 | Network Security | Zero Trust Architecture | Evaluate if a zero-trust architecture is implemented for cloud access.
41 | Network Security | Disaster Recovery Planning | Review disaster recovery plans for cloud data and infrastructure.
42 | Business Continuity | Disaster Recovery Testing | Ensure disaster recovery testing is conducted regularly for cloud services.
43 | Business Continuity | RTO/RPO for Cloud Systems | Assess RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for cloud systems.
44 | Business Continuity | Third-Party DR Service Providers | Evaluate third-party disaster recovery service providers if used for cloud operations.
45 | Business Continuity | Post-Drill Analysis | Review the post-drill analysis to ensure lessons learned are implemented to improve the DR plan.
46 | Business Continuity | Crisis Management in Cloud | Check crisis management procedures for cloud-related incidents.
47 | Business Continuity | Logging and Monitoring Configuration | Verify logging and monitoring configurations in the cloud for security events.
48 | Monitoring and Logging | Retention Policies for Cloud Logs | Ensure log retention policies align with business and compliance needs.
49 | Monitoring and Logging | Log Review and Analysis | Review processes for log analysis and identifying security threats in the cloud.
50 | Monitoring and Logging | Security Event Management | Assess security event management processes for cloud environments.
51 | Monitoring and Logging | Cloud Cost Optimization | Check if cloud cost optimization practices are in place to reduce unnecessary expenses.
52 | Cloud Cost Management | Cost Reporting and Allocation | Verify cost reporting mechanisms are in place to allocate cloud costs accurately.
53 | Cloud Cost Management | Billing Discrepancy Review | Ensure billing discrepancies are regularly reviewed and reconciled with CSP.
54 | Cloud Cost Management | Cloud Service Provider Integration | Ensure proper integration with cloud service provider (CSP) management tools.
55 | Vulnerability Management | Vulnerability Scanning | Ensure regular vulnerability scanning is conducted for cloud-based systems.
56 | Vulnerability Management | Vulnerability Classification | Verify that vulnerabilities are classified based on severity (e.g., high, medium, low).
57 | Vulnerability Management | Vulnerability Remediation | Review the process for tracking and remediating vulnerabilities identified in cloud environments.
58 | Vulnerability Management | Critical Vulnerability Resolution | Confirm that there is an established timeline for resolving critical vulnerabilities.
59 | Vulnerability Management | Vulnerability Disclosure | Ensure proper coordination between cloud service providers and internal teams for vulnerability disclosure.
60 | Vulnerability Management | Comprehensive Coverage | Ensure that vulnerability scanning covers containers and virtual machines in the cloud.
61 | Patch Management | Patch Management Policy | Ensure a formal patch management policy is in place for cloud environments.
62 | Patch Management | Patch Application | Verify that all cloud systems, applications, and infrastructure are regularly patched.
63 | Patch Management | Critical Patch Timeliness | Confirm that critical patches are applied within an agreed-upon timeframe.
64 | Patch Management | Patch Testing | Ensure testing of patches is done in non-production environments before deployment.
65 | Patch Management | Patch Coordination with CSP | Verify that patching schedules are coordinated with cloud service providers to avoid disruption.
66 | Patch Management | Rollback Procedures | Review rollback procedures for patches that fail or cause issues.
67 | Network and Infrastructure Management | Load Balancing | Ensure that cloud-based load balancing is properly configured to distribute traffic evenly across servers.
68 | Network and Infrastructure Management | Auto-scaling Integration | Review the use of auto-scaling with load balancing to manage varying traffic loads.
69 | Network and Infrastructure Management | Load Balancing Testing | Ensure that the load balancing configurations are regularly tested and monitored.
70 | Network and Infrastructure Management | Security Integration | Verify the integration of load balancers with security tools, such as WAF (Web Application Firewalls).
71 | System and Network Hardening | Secure Baseline Configuration | Ensure that cloud systems follow a baseline configuration that aligns with industry security standards.
72 | System and Network Hardening | Server and VM Hardening | Verify that cloud servers and virtual machines are hardened according to organizational security policies.
73 | System and Network Hardening | Disable Unnecessary Services | Confirm that unnecessary services and ports are disabled or removed from cloud environments.
74 | System and Network Hardening | Configuration Management Tools | Evaluate the use of configuration management tools for enforcing secure baseline settings.
75 | System and Network Hardening | Container Hardening | Verify that system hardening extends to containers, virtual machines, and serverless environments.
76 | Secure CI/CD | Security in CI/CD Pipelines | Ensure that security checks are integrated into the CI/CD pipeline for cloud-based applications.
77 | Secure CI/CD | Secure Code Repositories | Verify that code repositories for cloud applications are secure and access-controlled.
78 | Secure CI/CD | Automated Vulnerability Testing | Ensure automated testing for vulnerabilities is part of the CI/CD process before deployment to production.
79 | Secure CI/CD | Role-Based Access Control (RBAC) | Ensure role-based access controls (RBAC) are enforced within the CI/CD pipeline.
80 | Secure CI/CD | CI/CD Logging and Monitoring | Review logging and monitoring of all deployment activities in the CI/CD pipeline.
81 | Change Management | Change Management Policy | Ensure a formal change management policy is in place for all changes affecting cloud systems and infrastructure.
82 | Change Management | Change Approval Process | Verify that all changes undergo a formal approval process, including risk assessments, before implementation.
83 | Change Management | Change Documentation | Confirm that detailed documentation is maintained for all changes, including rationale, impact analysis, and approvals.
84 | Change Management | Testing Changes | Ensure that changes are tested in a staging or non-production environment before being applied to production systems.
85 | Change Management | Emergency Change Process | Review the procedures for handling emergency changes, including post-implementation review and approval processes.
Check point

Privileged Access Management (No. 7):
1. Use Cloud Audit Logs to review actions taken by privileged accounts.
2. Just-in-Time (JIT) Access with Access Approval (if applicable): for highly sensitive resources or actions, consider implementing JIT access by requiring additional approval before granting access.

Multi-Factor Authentication (No. 11):
1. Go to IAM & Admin in the Google Cloud Console.
2. In the Admin Console for Google Workspace or Cloud Identity, verify that MFA is enforced.
3. Check if users have enabled 2-Step Verification under Security > Authentication > 2-Step Verification.
4. If Identity-Aware Proxy (IAP) is used, confirm that MFA policies are applied for users accessing services.

Federated Identity Management (No. 12):
In the Google Cloud Console, go to the IAM & Admin section. Look for the integration with external identity providers under Identity Federation.
1. Check if federated identities are configured via services like Google Cloud Identity, Google Workspace, or third-party identity providers (IdPs) such as Okta, Azure AD, or ADFS.
2. Federated identities allow users to log in using credentials from these external systems rather than native Google Cloud accounts.
3. Go to Security > Authentication > SSO with third-party identity providers in Google Workspace or Cloud Identity.
4. Ensure that SAML or OAuth 2.0 is set up to allow external IdP-based login.
5. Ensure that roles and permissions from the external identity system map properly to GCP's IAM roles.
6. Review whether the principle of least privilege is applied and that roles from external IdPs are correctly mapped to avoid excessive permissions.

Session Management (No. 13):
Verify the session timeout configurations in the Google Workspace Admin Console under Security > Access and data control > Session control.

Audit Logging and Monitoring (No. 14):
Audit Logs Overview: Navigate to the "Logs Explorer" in the GCP Console.
Check for Audit Logs: Confirm that Admin Activity Logs, Data Access Logs, System Event Logs, and Policy Denied Logs are present. These logs should capture relevant user activities.
Log Retention Settings: Review the retention policy for logs to ensure they meet organizational requirements.
Verify whether audit logs are exported to a centralized logging solution (e.g., BigQuery, Cloud Storage) for long-term retention and analysis.

Data Encryption (No. 15):
Check Data Encryption at Rest
Review Default Encryption: GCP automatically encrypts data at rest using Google-managed encryption keys. Verify that this feature is enabled for all relevant services (e.g., Cloud Storage, BigQuery, Cloud SQL).
Examine Custom Key Usage: If customer-managed encryption keys (CMEK) are used, check the configuration in the Key Management Service (KMS):
- KMS Setup: Ensure that keys are created, managed, and rotated according to policy.
- Access Controls: Review IAM roles assigned to users and service accounts managing the keys.
Verify Data Encryption in Transit
TLS Configuration: Check that TLS is enforced for all data in transit:
- GCP Services: Review configurations of services like Cloud Storage, Compute Engine, and Cloud SQL to ensure that they use HTTPS or secure connections.
- VPC Network Configuration: Ensure that VPCs are configured to enforce encryption between resources (e.g., using VPN or Interconnect).
- Data Transfer Tools: Assess whether tools used for data transfer (like gsutil or Cloud Data Transfer Service) enforce encryption.
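One way to carry out the privileged-role check (No. 7) and the Data Access audit-log check (No. 14) above against a project's exported IAM policy, as an added example that is not part of the original checklist: the script reads the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns and lists what an auditor would want to see justified. The sample policy, project name and principals are constructed for the illustration.

```python
"""Audit an exported GCP project IAM policy for the checklist's privileged
access (No. 7) and audit logging (No. 14) check points. Input shape is the
JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns."""
import json

# Basic roles are project-wide and map onto the checklist's "Owner, Admin".
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}
# Admin Activity logs are always on; Data Access logs must be enabled.
REQUIRED_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}

# Constructed sample policy; the project and principals are not real.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci-deploy@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["group:devs@example.com", "allAuthenticatedUsers"]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]}
  ],
  "auditConfigs": [
    {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}""")


def privileged_members(policy):
    """(role, member) pairs holding a basic role; each one should trace back
    to an approved access request."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            if b.get("role") in PRIVILEGED_ROLES
            for m in b.get("members", [])]

def public_grants(policy):
    """Bindings to allUsers or allAuthenticatedUsers, i.e. outside the org."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in ("allUsers", "allAuthenticatedUsers")]

def missing_data_access_logs(policy):
    """Required Data Access log types not enabled for allServices."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == "allServices":
            enabled |= {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
    return sorted(REQUIRED_LOG_TYPES - enabled)

def audit(policy):
    """All findings as plain strings, ready for the audit working paper."""
    out = [f"basic role {r} granted to {m}" for r, m in privileged_members(policy)]
    out += [f"public principal {m} holds {r}" for r, m in public_grants(policy)]
    out += [f"Data Access log type {t} not enabled" for t in missing_data_access_logs(policy)]
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run it against a real export by replacing SAMPLE_POLICY with `json.load(open("policy.json"))`; a per-service auditConfig is not counted here, so extend `missing_data_access_logs` if your policy enables Data Access logs service by service.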
Reference link

- Access control: https://www.conductorone.com/guides/everything_you_want_to_know_about_gcp-_access_control/
- Cloud audit log: https://cloud.google.com/logging/docs/audit
- JIT approval: https://cloud.google.com/assured-workloads/access-
- https://medium.com/google-cloud/google-cloud-platform-security-checklist-part-1-9-identity-and-access-management-iam-d
- https://medium.com/google-cloud/use-workload-identity-federation-with-another-gcp-project-98dc3b1c236c
- https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1
- https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2
- https://sysdig.com/blog/suspicious-activity-gcp-audit-logs/
S. No | Area | Category | Point
7 | Identity and Access Management | Privileged Access Management | Verify privileged access management is in place, following the principle of least privilege.

Check point:
1. Ensure that privileged roles (e.g., Owner, Admin) are assigned only to users who need them.
2. Evaluate Access Request and Approval Workflow.
3.

Reference link:
- PAM implementation in GCP: https://joelvasallo.com/introducing-goog
- Fortifying the Cloud: Mastering Security on Google Cloud Platform — A Complete Guide: https://medium.com/@williamwarley/fortifying-the-cloud-mastering-security-on-google-cloud-platform-a-complete-guide-6c
S.No.: 7
Area: Identity and Access Management (IAM)
Category: Privileged Access Management (PAM)
Point: Principle of Least Privilege (POLP)

Check Point:
- User Access Review: Regularly review user access (at least quarterly) to ensure continued need and appropriate permissions
- Service Account Permissions: Grant service accounts only the minimum roles and permissions required for their specific task
- Short-Lived Credentials: Employ short-lived credentials for service accounts, especially those used for automation or backgro
- MFA Enforcement: Enforce multi-factor authentication (MFA) for all users accessing GCP resources, particularly those with e
- Workload Identity Federation (WIF): Leverage WIF to securely connect on-premises workloads to GCP services without requ
- Cloud Identity (CI) Integration: Integrate IAM with Cloud Identity (CI) for a centralized user management solution, simplifying
- Organization Policies: Define organization policies to enforce specific IAM configurations (e.g., MFA requirement, blocking sp
- Audit Logging: Enable IAM audit logging to track all access changes and resource modifications. Analyze audit logs regularly t
- Security Command Center (SCC): Utilize SCC to gain insights into IAM configurations, identify potential security risks, and rec

Reference Link:
- https://cloud.google.com/blog/products/identity-security/iam-best-practice-guides-available-now
- https://cloud.google.com/iam/docs/understanding-roles
- https://cloud.google.com/iam/docs/create-short-lived-credentials-direct
- https://support.google.com/cloudidentity/answer/175197?hl=en
- https://cloud.google.com/iam/docs/workload-identity-federation
- https://cloud.google.com/identity/docs
- https://cloud.google.com/logging/docs/audit
- https://cloud.google.com/logging/docs/audit
- https://cloud.google.com/security/products/security-command-center
