Auto Checks: GCP
Auto Checks for GCP enable automated detection of misconfigurations in your Google Cloud Platform environment — mapped to ISO 27001:2022 controls and curated in collaboration with auditors. The checks help your organization continuously monitor compliance posture across key services like IAM, Cloud Storage, BigQuery, Compute Engine, and CloudSQL.
How It Works
How to activate Auto Checks for GCP in Kertos
First, you need to enable Auto Checks on the Integration Setup Page for GCP.
If you haven’t set up the GCP integration yet, you must complete this first — Auto Checks won’t work without it.
If you connected GCP before Auto Checks were released, you’ll need to reconfigure the integration, as Auto Checks require additional permissions beyond the original discovery setup.
⚠️ Admin rights in your GCP environment are mandatory.
Without them, you won’t be able to assign required roles, enable APIs, or create service accounts.
First-Time Setup Instructions
To activate Auto Checks for GCP:
- Go to the Integrations page
- Click Setup on the GCP Integration card
- Click Start Setup (for first-time setup)
- Choose your preferred setup method:
  - Quick Setup – One-click configuration via Kertos
  - Self Setup – Step-by-step configuration
  → Full Setup Guide
- Toggle Enable Auto Checks to ON
- Click Save
- Click Start Sync to begin Auto Checks on your GCP environment
Reconfiguring the GCP Integration
To enable Auto Checks for an existing GCP integration:
- Go to the Integrations page
- Click Setup on the GCP Integration card
- Toggle Enable Auto Checks to ON
- Grant the required permissions in GCP
  → Full Reconfiguration Guide
- Click Save
- Click Start Sync to run Auto Checks on your cloud environment
What Are the GCP Auto Checks Based On?
The GCP Auto Checks are based on the CIS Google Cloud Platform Foundation Benchmark v4.0.0 - 05-02-2025. This benchmark is an industry-standard guideline developed by the Center for Internet Security and defines secure configuration best practices for GCP environments.
In close collaboration with auditors, we selected the most relevant configuration checks from the CIS benchmark and aligned them with ISO 27001:2022 controls. Each check includes clear remediation guidance and contributes directly to implementation progress.
Which Auto Checks are available for GCP, and how are they mapped to ISO 27001:2022 controls?
Each Auto Check is mapped to a specific ISO 27001:2022 control, helping to demonstrate technical implementation of key requirements. Below is the full list of our supported GCP Auto Checks and their control mappings:
ISO Control ID | ISO Control Title | Auto Check Title |
---|---|---|
A.5.12 | Risk treatment | Ensure Cloud Storage Buckets Are Not Publicly Accessible |
A.5.12 | Risk treatment | Ensure BigQuery Datasets Are Not Publicly Accessible |
A.5.15 | Segregation of duties | Ensure KMS roles are assigned to different users to maintain security |
A.5.25 | Information security incident management planning and preparation | Configure Essential Contacts for the Organization |
A.8.13 | Information backup | Check that automatic backups are configured for Cloud SQL databases |
A.8.15 | Logging | Ensure logging and alerts are set up for IAM configuration changes |
A.8.15 | Logging | Ensure logging and alerts exist for Cloud SQL instance configuration changes |
A.8.15 | Logging | Ensure logging and alerts exist for changes to VPC network routes |
A.8.15 | Logging | Confirm that audit logs are enabled to track all user activities |
A.8.16 | Monitoring activities | Ensure logging and alerts exist for changes to VPC firewall rules |
A.8.2 | Privileged access rights | Check that VM instances do not use default service accounts with full API access |
A.8.2 | Information access restriction | Check that 'external scripts enabled' setting is off for Cloud SQL servers |
A.8.2 | Privileged access rights | Verify that service accounts do not have administrative roles |
A.8.20 | Networks security | Identify Cloud SQL instances configured with public IP addresses |
A.8.20 | Networks security | Verify Cloud SQL instances do not permit open access from all public IP addresses |
A.8.20 | Networks security | Ensure IP forwarding is disabled on all VM instances |
A.8.20 | Networks security | Ensure SSH access to VMs is restricted from external internet sources |
A.8.20 | Networks security | Ensure serial port connections to VM instances are disabled |
A.8.24 | Use of cryptography | Ensure Cloud SQL instances only allow secure (SSL) connections |
A.8.24 | Use of cryptography | Verify that critical VM disks are encrypted with customer-provided keys |
A.8.3 | Authentication information | Restrict API Keys to Only Required Services |
A.8.9 | Configuration management | Check that Compute Instances have Shielded VM security enabled |
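To show what three of the checks listed above look for (public Cloud Storage buckets, SSH open to the internet, and Cloud SQL open access and backups), here is an added example that evaluates constructed resource JSON offline. It is not Kertos code and does not describe how Kertos implements its checks; the function names are hypothetical, and the field names are assumed to follow the JSON that the GCP APIs return for IAM policies, firewall rules, and Cloud SQL instances.

```python
# Added example: evaluates constructed resource JSON offline; not Kertos code.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
OPEN_RANGES = {"0.0.0.0/0", "::/0"}

def bucket_public_bindings(iam_policy):
    """Return (role, member) pairs that expose a bucket to the public."""
    return [(b["role"], m)
            for b in iam_policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_MEMBERS]

def _covers_port(ports, port):
    """Firewall 'ports' holds single ports or ranges; absent means all ports."""
    if not ports:
        return True
    for p in ports:
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def firewall_exposes_ssh(rule):
    """True if an enabled ingress allow rule permits TCP/22 from any address.
    Simplified: ignores rule priority and overriding deny rules."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    if not OPEN_RANGES & set(rule.get("sourceRanges", [])):
        return False
    return any(a.get("IPProtocol") in ("tcp", "all") and _covers_port(a.get("ports"), 22)
               for a in rule.get("allowed", []))

def cloudsql_findings(instance):
    """Return the names of failed checks for one Cloud SQL instance resource."""
    settings = instance.get("settings", {})
    nets = settings.get("ipConfiguration", {}).get("authorizedNetworks", [])
    findings = []
    if any(n.get("value") in OPEN_RANGES for n in nets):
        findings.append("open_to_all_public_ips")
    if not settings.get("backupConfiguration", {}).get("enabled", False):
        findings.append("automatic_backups_disabled")
    return findings

# Constructed sample resources (not real project data).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers", "user:a@example.com"]},
    {"role": "roles/storage.admin", "members": ["group:ops@example.com"]}]}
SAMPLE_RULE = {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
               "allowed": [{"IPProtocol": "tcp", "ports": ["20-25", "443"]}]}
SAMPLE_SQL = {"settings": {"ipConfiguration": {"authorizedNetworks": [{"value": "0.0.0.0/0"}]},
                           "backupConfiguration": {"enabled": True}}}
```

The SSH rule is flagged through the port range `20-25`, which a match on the literal string `22` would miss.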
FAQs
Do I need to modify anything in GCP to activate Auto Checks?
No additional configuration is required if your GCP integration is set up correctly. Just toggle on Auto Checks in Kertos.
What GCP services are currently supported?
We currently support Auto Checks for the following GCP services:
- IAM
- Cloud Storage
- API Keys
- BigQuery
- Compute Engine
- VPC Networking
- Cloud SQL
- Cloud Logging
Can I disable Auto Checks for GCP?
Yes. Go to the GCP integration in Kertos, click Reconfigure, and toggle Auto Checks off.
Do I need to update permissions if I already set up the GCP integration in the past?
Yes. If you're reconfiguring an existing GCP integration to enable Auto Checks, it's essential that the required permissions are correctly granted in your GCP environment.
Even if you previously connected GCP to Kertos, Auto Checks require specific additional scopes and roles.
See the full list of required permissions here:
https://docs.kertos.io/en/article/auto-checks-integration-guide-for-gcp