
Cyber Essentials for Google Cloud (GCP): configuration guide

Configure GCP for Cyber Essentials v3.3 - Workspace identity, Organization Policies, Security Command Center, VPC firewalls, and OS Patch Management. Exact settings and the evidence assessors expect.

Author

Jay Hopkins

Editor

Edited by Jack Wickham



Cyber Essentials v3.3 treats your Google Cloud project (and any Workspace tenant acting as your identity provider) as in-scope cloud services. Assessors expect MFA on every Google identity, Organization Policies restricting what users can create, Security Command Center with at least the Standard tier enabled, VPC firewall rules with deny-by-default behaviour, and OS Patch Management covering every Compute Engine VM you administer.

What's in scope

  • Google Workspace or Cloud Identity - the identity plane for GCP
  • Every GCP project in your Organization
  • Compute Engine VMs you operate (IaaS - OS-level security is yours)
  • GKE clusters you administer (the node side; control plane is Google's)
  • VPC networks, firewall rules, Cloud Load Balancers you configure

Google's infrastructure below the API is Google's responsibility and outside your scope.

1. Identity (Workspace / Cloud Identity)

  • Enforce 2-Step Verification for every user in your Workspace / Cloud Identity domain. Use a security-key or Titan key policy for administrators.
  • Minimum password length 12 characters (Cyber Essentials v3.3); Workspace allows setting 14+.
  • Disable less-secure-app access globally. Force OAuth-based access for all legacy SMTP / IMAP / POP integrations.
  • Admin role segregation: Super Admins ≤ 3, use Role-Based Access Control in Workspace for all other admin duties.

Evidence: Workspace Admin Console 2SV enrolment report, password policy screenshot, Admin audit log showing role delegations.

2. Organization Policies

Organization Policies are GCP's strongest preventive control set:

  • constraints/iam.disableServiceAccountKeyCreation - prevents long-lived service account keys
  • constraints/compute.requireOsLogin - every SSH session goes through OS Login with IAM + optional 2FA
  • constraints/compute.vmExternalIpAccess - deny VM public IPs by default
  • constraints/sql.restrictPublicIp - no public Cloud SQL
  • constraints/storage.publicAccessPrevention - all buckets default to private

Export the Organization Policy YAML as evidence - it reads like an assessor's wishlist.
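A small checker for the five constraints listed above, added here as an example rather than Fig's own tooling. It assumes the input is the JSON produced by `gcloud org-policies describe CONSTRAINT --organization=ORG_ID --effective --format=json` for each constraint, collected into one list (the sample below is constructed), and it distinguishes boolean constraints (enforced via `enforce: true`) from the list constraint `compute.vmExternalIpAccess` (enforced via `denyAll: true`).

```python
"""Check a Google Cloud Organization Policy export for the five Cyber
Essentials constraints. Added example; assumes Org Policy v2 JSON documents."""
import json

# Constraint -> kind. Boolean constraints are enforced with rules: [{enforce: true}];
# the list constraint vmExternalIpAccess is enforced with rules: [{denyAll: true}].
REQUIRED = {
    "constraints/iam.disableServiceAccountKeyCreation": "boolean",
    "constraints/compute.requireOsLogin": "boolean",
    "constraints/compute.vmExternalIpAccess": "list",
    "constraints/sql.restrictPublicIp": "boolean",
    "constraints/storage.publicAccessPrevention": "boolean",
}

def _rules_enforce(rules, kind):
    """True only if an unconditional rule enforces the constraint."""
    for rule in rules:
        if rule.get("condition"):      # conditional rules do not count as a floor
            continue
        if kind == "boolean" and rule.get("enforce") is True:
            return True
        if kind == "list" and rule.get("denyAll") is True:
            return True
    return False

def assess_org_policies(policies):
    """Return {constraint: 'enforced' | 'missing'} for every required constraint."""
    found = {}
    for pol in policies:
        # name looks like organizations/123/policies/compute.requireOsLogin
        name = pol.get("name", "")
        if "/policies/" not in name:
            continue
        short = name.rsplit("/policies/", 1)[1]
        found["constraints/" + short] = pol.get("spec", {}).get("rules", [])
    return {c: ("enforced" if _rules_enforce(found.get(c, []), k) else "missing")
            for c, k in REQUIRED.items()}

# Constructed sample: two enforced, one wrongly set to allowAll, two absent.
SAMPLE = json.loads("""[
 {"name": "organizations/123/policies/iam.disableServiceAccountKeyCreation",
  "spec": {"rules": [{"enforce": true}]}},
 {"name": "organizations/123/policies/compute.requireOsLogin",
  "spec": {"rules": [{"enforce": true}]}},
 {"name": "organizations/123/policies/compute.vmExternalIpAccess",
  "spec": {"rules": [{"allowAll": true}]}}
]""")

if __name__ == "__main__":
    for constraint, status in assess_org_policies(SAMPLE).items():
        print(f"{status:8s} {constraint}")
```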

3. Security Command Center

  • Enable Security Command Center Standard (free) at a minimum. Premium adds Event Threat Detection which helps with detective-control questions.
  • Resolve all HIGH and CRITICAL findings in the Security Health Analytics module before assessment: default firewall rules, weak SSL policies, public datasets.

4. Firewall / VPC

  • Delete the default VPC in new projects, or lock down its default firewall rules.
  • Custom VPCs with deny-by-default ingress. No 0.0.0.0/0 ingress rules to ports 22, 3389, 3306 or 5432 on production firewalls.
  • Use IAP TCP forwarding for admin SSH instead of public SSH. No inbound port from the internet is required, access is IAM-gated, and every session is logged.

5. Patching Compute Engine

  • OS Patch Management (VM Manager) enabled on every zone where you run VMs.
  • 14-day SLA for high/critical CVEs per Cyber Essentials v3.3. Configure patch deployments with weekly maintenance windows.
  • Container-Optimised OS is auto-updated by Google - preferred base image for GKE nodes to make patching evidence simple.
  • Remove end-of-support images. CentOS 7, Ubuntu 18.04, and Windows Server 2012 images are outside the supported-OS clause.

6. Logging (supports multiple controls)

  • Cloud Audit Logs retained for at least 400 days (Admin Activity logs are retained for 400 days by default; Data Access logs must be explicitly enabled and are usually retained for a 30-day minimum).
  • Sink to a separate log-retention project with more restrictive IAM - demonstrates tamper-resistance.

7. Common failure points

1. Service account keys downloaded to developer laptops. Replace with Workload Identity Federation.

2. Default VPC still active in production projects with permissive firewall rules.

3. 2SV enforcement not yet cut over for a small tail of contractor accounts.

4. A pinned old image (Ubuntu 18.04) used by a batch job - fails supported-OS.

What Fig checks

Our CE readiness scan reviews Workspace 2SV enrolment, Organization Policy coverage, SCC finding counts, and VM Manager patch compliance before assessment submission. GCP estates that pass our scan pass first-time at >95%.


About the author

Jay Hopkins


Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
