Google Cloud Foundation
Organization, folders, projects, IAM, service accounts, networking, logging, encryption, compute, storage and database services.
Google Cloud Compliance Monitoring
Continuously assess identity, resource hierarchy, networking, logging, data services and Container-Optimized OS security across your Google Cloud environment.

Includes Container-Optimized OS host checks that require agent or guest evidence beyond the control plane.
Benchmark coverage
Cloud control plane and workload operating system coverage
Organization, folders, projects, IAM, service accounts, networking, logging, encryption, compute, storage and database services.
Filesystem security, services, SSH, authentication, logging, kernel settings and host firewall configuration.
What we assess
Control plane and workload posture together
Assess both the Google Cloud control plane and the security posture of the workloads running inside it.
Organization, folder and project structure
Users, groups, roles, IAM bindings and privileged access
Service account roles, user-managed keys and key age
Effective constraints and inherited policy state
Audit logs, sinks, metrics, alerts and notification channels
VPCs, firewall rules, routes, public IPs and DNS
VM metadata, Shielded VM, disks and IP forwarding
Cloud Storage, BigQuery, Cloud SQL and encryption
Cloud KMS, Secret Manager and key rotation
Container-Optimized OS configuration and drift
Automation coverage
191 controls are supported by full API or agent evidence. 21 additional controls are policy-assisted against customer baselines.
Google Cloud API, OS Config, VM Manager or approved guest collectors can verify the control.
Collected evidence is compared with approved ranges, folder taxonomy, retention, roles or org baselines.
0 collection failures treated as compliance. Incomplete inventory is never converted into a Pass.
Example findings
4 user-managed service account keys exceed the approved maximum key age.
9 firewall rules permit unrestricted inbound access from the internet.
3 projects are not connected to the approved centralized logging sink.
2 Cloud SQL instances accept connections over public network interfaces.
6 service accounts hold administrative roles outside the approved exception list.
27 nodes do not match the approved SSH or host-hardening configuration.
Example findings shown for demonstration purposes.
How it works
Configure a read-only service account or workload identity with least-privilege permissions.
Trusteed inventories organization, folders, projects, inherited policies and resources.
Cloud APIs provide configuration evidence while OS Config or approved guest collectors validate host-level controls.
Every finding identifies the affected project, location, resource, observed value and expected configuration.
Secure by design
Benchmark reference
GCP Foundation coverage is based on v5.0.0. Container-Optimized OS coverage is based on v1.2.0.
Connect your organization and continuously assess cloud resources and workload configuration with evidence you can share with security teams and auditors.