Google Cloud Compliance Monitoring

Continuous Google Cloud compliance from organization policy to workload configuration

Continuously assess identity, resource hierarchy, networking, logging, data services and Container-Optimized OS security across your Google Cloud environment.

Google Cloud
Organization · folder · project
212
Security controls
2
CIS benchmark families
191
Full API or agent coverage
29
Google API collector families
90% of controls supported by full API or agent evidence

Includes Container-Optimized OS host checks that require agent or guest evidence beyond the control plane.

Benchmark coverage

Cloud control plane and workload operating system coverage

Google Cloud Foundation

93 controls

Organization, folders, projects, IAM, service accounts, networking, logging, encryption, compute, storage and database services.

Container-Optimized OS

119 controls

Filesystem security, services, SSH, authentication, logging, kernel settings and host firewall configuration.

What we assess

What we assess across your Google Cloud hierarchy

Control plane and workload posture together

Assess both the Google Cloud control plane and the security posture of the workloads running inside it.

Resource Hierarchy

Organization, folder and project structure

Identity & IAM

Users, groups, roles, IAM bindings and privileged access

Service Accounts

Service account roles, user-managed keys and key age

Organization Policies

Effective constraints and inherited policy state

Logging & Monitoring

Audit logs, sinks, metrics, alerts and notification channels

Network Security

VPCs, firewall rules, routes, public IPs and DNS

Compute Security

VM metadata, Shielded VM, disks and IP forwarding

Data Protection

Cloud Storage, BigQuery, Cloud SQL and encryption

Key & Secret Management

Cloud KMS, Secret Manager and key rotation

Host Hardening

Container-Optimized OS configuration and drift

Automation coverage

What we can collect — and what we refuse to guess

191 controls are supported by full API or agent evidence. 21 additional controls are policy-assisted against customer baselines.

191
Full API or agent evidence

Google Cloud API, OS Config, VM Manager or approved guest collectors can verify the control.

21
Policy-assisted checks

Collected evidence is compared with approved ranges, folder taxonomy, retention, roles or org baselines.

0 collection failures treated as compliance. Incomplete inventory is never converted into a Pass.

Some recommendations classified as Manual by the benchmark can still be supported by API or agent evidence. Trusteed separates the benchmark label from actual technical checkability.

Example findings

What assessments actually surface

Service Account Key Exposure

4 user-managed service account keys exceed the approved maximum key age.

Overly Permissive Firewall Rules

9 firewall rules permit unrestricted inbound access from the internet.

Audit Log Coverage Gap

3 projects are not connected to the approved centralized logging sink.

Public Cloud SQL Exposure

2 Cloud SQL instances accept connections over public network interfaces.

Privileged IAM Assignment

6 service accounts hold administrative roles outside the approved exception list.

Container-Optimized OS Drift

27 nodes do not match the approved SSH or host-hardening configuration.

Example findings shown for demonstration purposes.

How it works

Connect, discover, collect, remediate

01

Connect Google Cloud

Configure a read-only service account or workload identity with least-privilege permissions.

Least-privilege connection
02

Discover the complete hierarchy

Trusteed inventories organization, folders, projects, inherited policies and resources.

Org → folder → project
03

Collect cloud and host evidence

Cloud APIs provide configuration evidence while OS Config or approved guest collectors validate host-level controls.

29 API collector families
04

Review resource-level findings

Every finding identifies the affected project, location, resource, observed value and expected configuration.

Resource-level evidence

Secure by design

Least privilege. Read-only. No guessed Pass.

Read-only permissions
No Google Cloud passwords stored
Organization-to-project inventory
Inherited IAM and policy analysis
Raw evidence retained before exceptions
Disabled API or 403 responses reported as Unknown
Partial inventory never converted into a Pass
Guest evidence used only for host-level checks
0 collection failures treated as compliance

Benchmark reference

Version and coverage details

BenchmarkVersionControls
CIS Google Cloud Platform Foundation Benchmarkv5.0.093
CIS Google Container-Optimized OS Benchmarkv1.2.0119

GCP Foundation coverage is based on v5.0.0. Container-Optimized OS coverage is based on v1.2.0.

See every configuration gap across your Google Cloud hierarchy.

Connect your organization and continuously assess cloud resources and workload configuration with evidence you can share with security teams and auditors.