Auto Checks: GCP
Auto Checks for GCP enable automated detection of misconfigurations in your Google Cloud Platform environment, mapped to ISO 27001:2022 controls and curated in collaboration with auditors. The checks help your organization continuously monitor compliance posture across key services like IAM, Cloud Storage, BigQuery, Compute Engine, and Cloud SQL.
How It Works
How to activate Auto Checks for GCP in Kertos?
You must have admin rights in your GCP environment to complete the setup.
Without sufficient permissions, you won’t be able to assign the necessary roles, enable APIs, or create service accounts.
If you have admin rights, proceed as follows:
- Go to the Integrations page
- Click Start Setup (for first-time setup) or Reconfigure (if GCP is already connected)
- Choose one of the setup methods:
  - Quick Setup: Fast onboarding via a few steps in Kertos, but you must manually grant the required permissions in your GCP environment
  - Self Setup: A guided process that includes the permission setup directly in the flow

  Granting the correct permissions in GCP is required in all cases, both for Quick Setup and for Reconfigure.
  You can find the detailed permission instructions here:
  https://docs.kertos.io/en/article/auto-checks-integration-guide-for-gcp
- Toggle Enable Auto Checks to ON
- Click Save
- Click Start Sync to run the discovery
Once completed, relevant Auto Checks for GCP services in use will be automatically linked to applicable ISO controls and implementation steps.
What Are the GCP Auto Checks Based On?
The GCP Auto Checks are based on the CIS Google Cloud Platform Foundation Benchmark v4.0.0 - 05-02-2025. This benchmark is an industry-standard guideline developed by the Center for Internet Security and defines secure configuration best practices for GCP environments.
In close collaboration with auditors, we selected the most relevant configuration checks from the CIS benchmark and aligned them with ISO 27001:2022 controls. Each check includes clear remediation guidance and contributes directly to implementation progress.
Which Auto Checks are available for GCP, and how are they mapped to ISO 27001:2022 controls?
Each Auto Check is mapped to a specific ISO 27001:2022 control, helping to demonstrate technical implementation of key requirements. Below is the full list of our supported GCP Auto Checks and their control mappings:
ISO Control ID | ISO Control Title | Auto Check Title |
---|---|---|
A.5.12 | Risk treatment | Ensure Cloud Storage Buckets Are Not Publicly Accessible |
A.5.12 | Risk treatment | Ensure BigQuery Datasets Are Not Publicly Accessible |
A.5.15 | Segregation of duties | Ensure KMS roles are assigned to different users to maintain security |
A.5.25 | Information security incident management planning and preparation | Configure Essential Contacts for the Organization |
A.8.13 | Information backup | Check that automatic backups are configured for Cloud SQL databases |
A.8.15 | Logging | Ensure logging and alerts are set up for IAM configuration changes |
A.8.15 | Logging | Ensure logging and alerts exist for Cloud SQL instance configuration changes |
A.8.15 | Logging | Ensure logging and alerts exist for changes to VPC network routes |
A.8.15 | Logging | Confirm that audit logs are enabled to track all user activities |
A.8.16 | Monitoring activities | Ensure logging and alerts exist for changes to VPC firewall rules |
A.8.2 | Privileged access rights | Check that VM instances do not use default service accounts with full API access |
A.8.2 | Information access restriction | Check that 'external scripts enabled' setting is off for Cloud SQL servers |
A.8.2 | Privileged access rights | Verify that service accounts do not have administrative roles |
A.8.20 | Networks security | Identify Cloud SQL instances configured with public IP addresses |
A.8.20 | Networks security | Verify Cloud SQL instances do not permit open access from all public IP addresses |
A.8.20 | Networks security | Ensure IP forwarding is disabled on all VM instances |
A.8.20 | Networks security | Ensure SSH access to VMs is restricted from external internet sources |
A.8.20 | Networks security | Ensure serial port connections to VM instances are disabled |
A.8.24 | Use of cryptography | Ensure Cloud SQL instances only allow secure (SSL) connections |
A.8.24 | Use of cryptography | Verify that critical VM disks are encrypted with customer-provided keys |
A.8.3 | Authentication information | Restrict API Keys to Only Required Services |
A.8.9 | Configuration management | Check that Compute Instances have Shielded VM security enabled |
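
What a few of the checks in the table above evaluate, shown as an added example that is not Kertos's implementation and not part of the original page: the functions test resource JSON for the conditions named in the Cloud Storage, Cloud SQL and Compute Engine check titles. The field names are those of the public GCP APIs; the finding labels, the exact pass criteria and the sample resources are assumptions made for illustration.

```python
# Added example, not Kertos code. Inputs mirror the JSON shapes returned by the
# Cloud Storage, Cloud SQL Admin and Compute Engine APIs.
PUBLIC = {"allUsers", "allAuthenticatedUsers"}
FULL_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

def bucket_is_public(iam_policy):
    """Bucket IAM policy: any binding that grants a role to everyone."""
    return any(PUBLIC & set(b.get("members", []))
               for b in iam_policy.get("bindings", []))

def sql_findings(instance):
    """Cloud SQL: public IP, authorized network open to all, backups off."""
    settings = instance.get("settings", {})
    ip_cfg = settings.get("ipConfiguration", {})
    found = []
    if ip_cfg.get("ipv4Enabled"):
        found.append("public-ip")
    if any(n.get("value") == "0.0.0.0/0" for n in ip_cfg.get("authorizedNetworks", [])):
        found.append("open-to-all-ips")
    if not settings.get("backupConfiguration", {}).get("enabled"):
        found.append("no-automatic-backups")
    return found

def vm_findings(vm):
    """Compute Engine: IP forwarding, serial port, Shielded VM, default SA scope."""
    found = []
    if vm.get("canIpForward"):
        found.append("ip-forwarding")
    meta = {i["key"]: i["value"] for i in vm.get("metadata", {}).get("items", [])}
    if str(meta.get("serial-port-enable", "")).lower() in ("1", "true"):
        found.append("serial-port")
    shielded = vm.get("shieldedInstanceConfig", {})
    if not (shielded.get("enableVtpm") and shielded.get("enableIntegrityMonitoring")):
        found.append("shielded-vm-off")
    for sa in vm.get("serviceAccounts", []):
        is_default = sa.get("email", "").endswith("-compute@developer.gserviceaccount.com")
        if is_default and FULL_SCOPE in sa.get("scopes", []):
            found.append("default-sa-full-access")
    return found

# Constructed sample resources (no real project data).
BUCKET_POLICY = {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}
SQL_INSTANCE = {"settings": {"backupConfiguration": {"enabled": False}, "ipConfiguration": {
    "ipv4Enabled": True, "authorizedNetworks": [{"value": "0.0.0.0/0"}]}}}
VM = {"canIpForward": False, "shieldedInstanceConfig": {"enableVtpm": True,
      "enableIntegrityMonitoring": True},
      "metadata": {"items": [{"key": "serial-port-enable", "value": "TRUE"}]},
      "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                           "scopes": [FULL_SCOPE]}]}
```

An empty findings list means the resource passes these particular conditions; it says nothing about the logging, KMS or API key checks, which depend on project-level configuration rather than a single resource.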
FAQs
Do I need to modify anything in GCP to activate Auto Checks?
No additional configuration is required if your GCP integration is set up correctly. Just toggle on Auto Checks in Kertos.
What GCP services are currently supported?
We currently support Auto Checks for the following GCP services:
- IAM
- Cloud Storage
- API Keys
- BigQuery
- Compute Engine
- VPC Networking
- Cloud SQL
- Cloud Logging
Can I disable Auto Checks for GCP?
Yes. Go to the GCP integration in Kertos, click Reconfigure, and toggle Auto Checks off.
Do I need to update permissions if I already set up the GCP integration in the past?
Yes. If you're reconfiguring an existing GCP integration to enable Auto Checks, it's essential that the required permissions are correctly granted in your GCP environment.
Even if you previously connected GCP to Kertos, Auto Checks require specific additional scopes and roles.
See the full list of required permissions here:
https://docs.kertos.io/en/article/auto-checks-integration-guide-for-gcp