Auto Checks: GCP

Auto Checks is a feature that verifies technical configurations in your cloud environment against ISO 27001 requirements. These checks are run automatically and linked to your implementation steps within Kertos.

Auto Checks for GCP enable automated detection of misconfigurations in your Google Cloud Platform environment. The checks are mapped to ISO 27001:2022 controls and curated in collaboration with auditors. They help your organization continuously monitor compliance posture across key services like IAM, Cloud Storage, BigQuery, Compute Engine, and Cloud SQL.

How It Works

How to activate Auto Checks for GCP in Kertos
First, you need to enable Auto Checks on the Integration Setup Page for GCP.

If you haven’t set up the GCP integration yet, you must complete this first — Auto Checks won’t work without it.
If you connected GCP before Auto Checks were released, you’ll need to reconfigure the integration, as Auto Checks require additional permissions beyond the original discovery setup.

⚠️ Admin rights in your GCP environment are mandatory.
Without them, you won’t be able to assign required roles, enable APIs, or create service accounts.

First-Time Setup Instructions

To activate Auto Checks for GCP:

  • Go to the Integrations page
  • Click Setup on the GCP Integration card
  • Click Start Setup (for first-time setup)
  • Choose your preferred setup method:
    • Quick Setup – One-click configuration via Kertos
    • Self Setup – Step-by-step configuration
       → Full Setup Guide
  • Toggle Enable Auto Checks to ON
  • Click Save
  • Click Start Sync to begin Auto Checks on your GCP environment

Reconfiguring the GCP Integration

To enable Auto Checks for an existing GCP integration:

  • Go to the Integrations page
  • Click Setup on the GCP Integration card
  • Toggle Enable Auto Checks to ON
  • Grant the required permissions in GCP
     → Full Reconfiguration Guide
  • Click Save
  • Click Start Sync to run Auto Checks on your cloud environment

What Are the GCP Auto Checks Based On?

The GCP Auto Checks are based on the CIS Google Cloud Platform Foundation Benchmark v4.0.0 - 05-02-2025. This benchmark is an industry-standard guideline developed by the Center for Internet Security and defines secure configuration best practices for GCP environments.

In close collaboration with auditors, we selected the most relevant configuration checks from the CIS benchmark and aligned them with ISO 27001:2022 controls. Each check includes clear remediation guidance and contributes directly to implementation progress.

Which Auto Checks are available for GCP, and how are they mapped to ISO 27001:2022 controls?

Each Auto Check is mapped to a specific ISO 27001:2022 control, helping to demonstrate technical implementation of key requirements. Below is the full list of our supported GCP Auto Checks and their control mappings:

| ISO Control ID | ISO Control Title | Auto Check Title |
|---|---|---|
| A.5.12 | Risk treatment | Ensure Cloud Storage Buckets Are Not Publicly Accessible |
| A.5.12 | Risk treatment | Ensure BigQuery Datasets Are Not Publicly Accessible |
| A.5.15 | Segregation of duties | Ensure KMS roles are assigned to different users to maintain security |
| A.5.25 | Information security incident management planning and preparation | Configure Essential Contacts for the Organization |
| A.8.13 | Information backup | Check that automatic backups are configured for Cloud SQL databases |
| A.8.15 | Logging | Ensure logging and alerts are set up for IAM configuration changes |
| A.8.15 | Logging | Ensure logging and alerts exist for Cloud SQL instance configuration changes |
| A.8.15 | Logging | Ensure logging and alerts exist for changes to VPC network routes |
| A.8.15 | Logging | Confirm that audit logs are enabled to track all user activities |
| A.8.16 | Monitoring activities | Ensure logging and alerts exist for changes to VPC firewall rules |
| A.8.2 | Privileged access rights | Check that VM instances do not use default service accounts with full API access |
| A.8.2 | Information access restriction | Check that 'external scripts enabled' setting is off for Cloud SQL servers |
| A.8.2 | Privileged access rights | Verify that service accounts do not have administrative roles |
| A.8.20 | Networks security | Identify Cloud SQL instances configured with public IP addresses |
| A.8.20 | Networks security | Verify Cloud SQL instances do not permit open access from all public IP addresses |
| A.8.20 | Networks security | Ensure IP forwarding is disabled on all VM instances |
| A.8.20 | Networks security | Ensure SSH access to VMs is restricted from external internet sources |
| A.8.20 | Networks security | Ensure serial port connections to VM instances are disabled |
| A.8.24 | Use of cryptography | Ensure Cloud SQL instances only allow secure (SSL) connections |
| A.8.24 | Use of cryptography | Verify that critical VM disks are encrypted with customer-provided keys |
| A.8.3 | Authentication information | Restrict API Keys to Only Required Services |
| A.8.9 | Configuration management | Check that Compute Instances have Shielded VM security enabled |
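
To make three of the listed checks concrete, the following added example (not Kertos's implementation) evaluates them against constructed resource data and tags each result with the ISO control ID from this page's mapping. It assumes the field names used in GCP API responses for bucket IAM policies, Cloud SQL instances and VPC firewall rules; the resource names and values are made up for illustration.

```python
# Constructed sample resources shaped like GCP API responses (not real data).
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]}
SQL_INSTANCE = {"name": "orders-db", "settings": {
    "ipConfiguration": {"authorizedNetworks": [{"value": "0.0.0.0/0"}]}}}
FIREWALL_RULE = {"name": "allow-admin", "direction": "INGRESS", "disabled": False,
                 "sourceRanges": ["0.0.0.0/0"],
                 "allowed": [{"IPProtocol": "tcp", "ports": ["20-25", "443"]}]}

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def bucket_is_public(policy):
    """True if any IAM binding grants a role to everyone."""
    return any(PUBLIC_MEMBERS & set(b.get("members", []))
               for b in policy.get("bindings", []))

def sql_open_to_world(instance):
    """True if an authorized network admits every IPv4 address."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    return any(n.get("value") == "0.0.0.0/0"
               for n in ip_cfg.get("authorizedNetworks", []))

def _covers_port(spec, port):
    """Port specs are single ports ("443") or ranges ("20-25")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def ssh_open_from_internet(rule):
    """True if an enabled ingress rule lets 0.0.0.0/0 reach TCP 22."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    if "0.0.0.0/0" not in rule.get("sourceRanges", []):
        return False
    for allow in rule.get("allowed", []):
        if allow.get("IPProtocol") in ("tcp", "all"):
            ports = allow.get("ports")  # no port list means every port
            if not ports or any(_covers_port(p, 22) for p in ports):
                return True
    return False

def evaluate():
    """(ISO control ID per this page's mapping, check, passed) for the samples."""
    return [("A.5.12", "bucket not public", not bucket_is_public(BUCKET_POLICY)),
            ("A.8.20", "Cloud SQL not open to all IPs", not sql_open_to_world(SQL_INSTANCE)),
            ("A.8.20", "SSH restricted from internet", not ssh_open_from_internet(FIREWALL_RULE))]
```

All three sample resources fail their check; the firewall rule fails because the range 20-25 includes port 22 even though 22 is never named explicitly.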

FAQs

Do I need to modify anything in GCP to activate Auto Checks?
No additional configuration is required if your GCP integration is set up correctly. Just toggle on Auto Checks in Kertos.

What GCP services are currently supported?
We currently support Auto Checks for the following GCP services:

  • IAM 
  • Cloud Storage
  • API Keys
  • BigQuery
  • Compute Engine
  • VPC Networking
  • Cloud SQL
  • Cloud Logging

Can I disable Auto Checks for GCP?
Yes. Go to the GCP integration in Kertos, click Reconfigure, and toggle Auto Checks off.

Do I need to update permissions if I already set up the GCP integration in the past?
Yes. If you're reconfiguring an existing GCP integration to enable Auto Checks, it's essential that the required permissions are correctly granted in your GCP environment.
Even if you previously connected GCP to Kertos, Auto Checks require specific additional scopes and roles.

See the full list of required permissions here:
https://docs.kertos.io/en/article/auto-checks-integration-guide-for-gcp 
