| Open DNS | Determines if TCP or UDP port 53 for DNS is open to the public |
| Open SSH | Determines if TCP port 22 for SSH is open to the public |
| Open CIFS | Determines if UDP port 445 for CIFS is open to the public |
| Open FTP | Determines if TCP port 20 or 21 for FTP is open to the public |
| Open Hadoop HDFS NameNode Metadata Service | Determines if TCP port 8020 for the HDFS NameNode metadata service is open to the public |
| Open Hadoop HDFS NameNode WebUI | Determines if TCP port 50070 or 50470 for the Hadoop/HDFS NameNode WebUI service is open to the public |
| Open Kibana | Determines if TCP port 5601 for Kibana is open to the public |
| Open MySQL | Determines if TCP port 4333 or 3306 for MySQL is open to the public |
| Open NetBIOS | Determines if UDP port 137 or 138 for NetBIOS is open to the public |
| Open Oracle | Determines if TCP port 1521 for Oracle is open to the public |
| Open PostgreSQL | Determines if TCP port 5432 for PostgreSQL is open to the public |
| Open RDP | Determines if TCP port 3389 for RDP is open to the public |
| Open RPC | Determines if TCP port 135 for RPC is open to the public |
| Open SMBoTCP | Determines if TCP port 445 for Windows SMB over TCP is open to the public |
| Open SMTP | Determines if TCP port 25 for SMTP is open to the public |
| Open SQLServer | Determines if TCP port 1433 or UDP port 1434 for SQL Server is open to the public |
| Open Telnet | Determines if TCP port 23 for Telnet is open to the public |
| Open VNC Client | Determines if TCP port 5500 for VNC Client is open to the public |
| Open VNC Server | Determines if TCP port 5900 for VNC Server is open to the public |
| Open Oracle Auto Data Warehouse | Determines if TCP port 1522 for Oracle Auto Data Warehouse is open to the public |
| Multiple Subnets | Ensures that VPCs have multiple networks to provide a layered architecture |
| Default VPC In Use | Determines whether the default VPC is being used for launching VM instances |
| VM Max Instances | Ensures the total number of VM instances does not exceed a set threshold |
| Instances Multi AZ | Ensures managed instances are regional for availability purposes |
| Key Rotation | Ensures cryptographic keys are set to rotate on a regular schedule |
| DB Restorable | Ensures SQL instances can be restored to a recent point |
| DB Automated Backups | Ensures automated backups are enabled for SQL instances |
| DB Multiple AZ | Ensures that SQL instances have a cross-AZ failover replica for high availability |
| DB Publicly Accessible | Ensures that SQL instances are not publicly accessible |
| Bucket Versioning | Ensures object versioning is enabled on storage buckets |
| Bucket Logging | Ensures object logging is enabled on storage buckets |
| CLB HTTPS Only | Ensures CLBs are configured to only accept connections on HTTPS ports |
| Excessive Firewall Rules | Determines if there are an excessive number of firewall rules in the account |
| Open All Ports | Determines if all ports are open to the public |
| CLB No Instances | Detects CLBs that have no backend instances attached |
| Flow Logs Enabled | Ensures VPC flow logs are enabled for traffic logging |
| Autoscale Enabled | Ensures instance groups have autoscale enabled for high availability |
| Service Limits | Determines if the number of resources is close to the per-account limit |
| Private Endpoint | Ensures the private endpoint setting is enabled for Kubernetes clusters |
| Monitoring Enabled | Ensures all Kubernetes clusters have monitoring enabled |
| Private Access Enabled | Ensures Private Google Access is enabled for all subnets |
| Instance Level SSH Only | Ensures that instances are not configured to allow project-wide SSH keys |
| VM Instances Least Privilege | Ensures that instances are not configured to use the default service account with full access to all cloud APIs |
| IP Forwarding Disabled | Ensures that IP forwarding is disabled on all instances |
| Connect Serial Ports Disabled | Ensures connecting to serial ports is not enabled for VM instances |
| CSEK Encryption Enabled | Ensures Customer Supplied Encryption Key Encryption is enabled on disks |
| Storage Bucket All Users Policy | Ensures storage bucket policies do not allow global write, delete, or read permissions |
| Security Policy Enabled | Ensures all backend services have an attached security policy |
| CLB CDN Enabled | Ensures that Cloud CDN is enabled on all load balancers |
| DNS Security Enabled | Ensures that DNS Security is enabled on all managed zones |
| DNS Security Signing Algorithm | Ensures that DNS Security is not using the RSASHA1 algorithm for key or zone signing |
| OS Login Enabled | Ensures OS login is enabled for the project |
| Database SSL Enabled | Ensures SQL databases have SSL enabled |
| Service Account Key Rotation | Ensures that service account keys are rotated within 90 days of creation |
| Service Account Managed Keys | Ensures that service account keys are being managed by Google |
| Cluster Least Privilege | Ensures Kubernetes clusters are created with limited service account access scopes |
| Project Ownership Logging | Ensures that logging and log alerts exist for project ownership assignments and changes |
| Storage Permissions Logging | Ensures that logging and log alerts exist for storage permission changes |
| SQL Configuration Logging | Ensures that logging and log alerts exist for SQL configuration changes |
| Audit Configuration Logging | Ensures that logging and log alerts exist for audit configuration changes |
| Custom Role Logging | Ensures that logging and log alerts exist for custom role creation and changes |
| VPC Firewall Rule Logging | Ensures that logging and log alerts exist for firewall rule changes |
| VPC Network Route Logging | Ensures that logging and log alerts exist for VPC network route changes |
| VPC Network Logging | Ensures that logging and log alerts exist for VPC network changes |
| Alias IP Ranges Enabled | Ensures all Kubernetes clusters have alias IP ranges enabled |
| Legacy Authorization Disabled | Ensures legacy authorization is disabled on Kubernetes clusters |
| Master Authorized Network | Ensures master authorized networks are enabled on Kubernetes clusters |
| Cluster Labels Added | Ensures all Kubernetes clusters have labels added |
| Web Dashboard Disabled | Ensures all Kubernetes clusters have the web dashboard disabled |
| Default Service Account | Ensures all Kubernetes cluster nodes are not using the default service account |
| COS Image Enabled | Ensures all Kubernetes cluster nodes have Container-Optimized OS enabled |
| Automatic Node Repair Enabled | Ensures all Kubernetes cluster nodes have automatic repair enabled |
| Automatic Node Upgrades Enabled | Ensures all Kubernetes cluster nodes have automatic upgrades enabled |
| Network Policy Enabled | Ensures all Kubernetes clusters have network policy enabled |
| Pod Security Policy Enabled | Ensures pod security policy is enabled for all Kubernetes clusters |
| Any Host Root Access | Ensures the SQL instance root user cannot be accessed from any host |
| Service Account Admin | Ensures that user-managed service accounts do not have any admin, owner, or write privileges |
| Service Account User | Ensures that no users have the Service Account User role |
| Service Account Separation | Ensures that no users have both the Service Account User and Service Account Admin roles |
| KMS User Separation | Ensures that no users have both the KMS admin role and any one of the CryptoKey roles |
| Audit Logging Enabled | Ensures that default audit logging is enabled on the project |
| Log Sinks Enabled | Ensures a log sink is enabled to export all logs |
| Private Cluster Enabled | Ensures private cluster is enabled for all Kubernetes clusters |
| Logging Enabled | Ensures all Kubernetes clusters have logging enabled |
| Corporate Emails Only | Ensures that no users are using their Gmail accounts for access to GCP |
| Basic Authentication Disabled | Ensures basic authentication is disabled on Kubernetes clusters |