
GCP Security Command Center CIS Benchmark Compliance Guide

Implement CIS GCP Foundations Benchmark with Security Command Center. Learn to enable Security Health Analytics, remediate CIS findings, and generate compliance reports.

Updated 2026-01-14

The CIS (Center for Internet Security) GCP Foundations Benchmark provides prescriptive security configuration guidance for Google Cloud Platform. Security Command Center maps its Security Health Analytics detectors to CIS controls, so each misconfiguration finding carries the control it violates. That gives you continuous compliance monitoring and a finding stream your own automation can remediate from (SCC itself reports; it does not change resources).

This guide covers enabling CIS compliance monitoring, understanding and remediating CIS findings, and generating compliance reports. For comprehensive cloud security practices, see our 30 Cloud Security Tips for 2026 guide.

Prerequisites

  • Security Center Admin role for SCC configuration
  • SCC Premium or Enterprise tier (the Standard tier runs only a subset of Security Health Analytics detectors and has no compliance dashboard, so it is not enough for CIS compliance mapping)
  • Organization-level access for full compliance visibility
  • gcloud CLI installed and configured

Enable Required APIs

# Enable Security Command Center API
gcloud services enable securitycenter.googleapis.com

# Enable Cloud Asset API for compliance reporting
gcloud services enable cloudasset.googleapis.com

Step 1: Enable CIS Compliance Monitoring

Verify SCC Premium Tier

    - Navigate to [Security Command Center](https://console.cloud.google.com/security/command-center)
    - Click **Settings** in the navigation
    - Verify **Premium** tier is enabled (required for CIS compliance)
    - If not enabled, click **Upgrade to Premium**

Enable Security Health Analytics

# Enable Security Health Analytics at organization level
gcloud scc settings services enable \
    --organization=ORGANIZATION_ID \
    --service=SECURITY_HEALTH_ANALYTICS

# Verify all compliance modules are enabled
gcloud scc settings services modules list \
    --organization=ORGANIZATION_ID \
    --service=SECURITY_HEALTH_ANALYTICS

Configure Compliance Standards

    - In Security Command Center, go to **Compliance**
    - Select **CIS GCP Foundations Benchmark**
    - Choose the benchmark version (1.3 or 2.0)
    - Review enabled controls and scope

Step 2: Understand CIS Benchmark Categories

The CIS GCP Foundations Benchmark covers these security domains:

1. Identity and Access Management (Section 1)

  • 1.1 - Ensure corporate login credentials are used
  • 1.4 - Ensure there are only GCP-managed service account keys for each service account
  • 1.5 - Ensure service accounts have no admin privileges
  • 1.6 - Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
  • 1.7 - Ensure user-managed/external service account keys are rotated every 90 days or fewer

Blocking service account key creation outright is not a numbered CIS control; it is enforced with the iam.disableServiceAccountKeyCreation organization policy constraint.

2. Logging and Monitoring (Section 2)

  • 2.1 - Ensure Cloud Audit Logging is configured properly (Admin Read, Data Read and Data Write for all services, no exempted members)
  • 2.2 - Ensure sinks are configured for all log entries
  • 2.4 - Ensure log metric filters and alerts exist for project ownership assignments/changes
  • 2.7 - Ensure log metric filters and alerts exist for VPC network firewall rule changes
  • 2.9 - Ensure log metric filters and alerts exist for VPC network changes

3. Networking (Section 3)

  • 3.1 - Ensure the default network does not exist
  • 3.2 - Ensure legacy networks do not exist
  • 3.6 - Ensure SSH access is restricted from the internet
  • 3.7 - Ensure RDP access is restricted from the internet

4. Virtual Machines (Section 4)

  • 4.1 - Ensure instances are not configured to use the default service account
  • 4.4 - Ensure OS Login is enabled
  • 4.8 - Ensure Shielded VM is enabled
  • 4.9 - Ensure instances do not have public IP addresses

5. Storage (Section 5)

  • 5.1 - Ensure Cloud Storage buckets are not anonymously or publicly accessible
  • 5.2 - Ensure Cloud Storage buckets have uniform bucket-level access enabled

6. Cloud SQL (Section 6)

  • 6.4 - Ensure Cloud SQL instances require all incoming connections to use SSL
  • 6.5 - Ensure Cloud SQL instances do not implicitly allow all public IPs (no 0.0.0.0/0 authorized network)
  • 6.6 - Ensure Cloud SQL instances do not have public IPs
  • 6.7 - Ensure Cloud SQL instances have automated backups enabled

The numbering above follows benchmark versions 1.3 and 2.0; earlier versions numbered several controls differently, so check the control IDs against the version you selected on the Compliance page before reporting on them.

Step 3: View CIS Compliance Findings

Via Console

    - Go to **Security Command Center > Compliance**
    - Select **CIS GCP Foundations Benchmark**
    - Review the compliance score and control status
    - Click on any control to see detailed findings

Via gcloud CLI

# Find the Security Health Analytics source; its findings carry the CIS control mapping
gcloud scc sources list ORGANIZATION_ID \
    --filter='displayName="Security Health Analytics"' \
    --format="value(name.basename())"

# List all active Security Health Analytics findings (SHA_SOURCE_ID from the command above)
gcloud scc findings list ORGANIZATION_ID \
    --source=SHA_SOURCE_ID \
    --filter='state="ACTIVE"' \
    --format="table(finding.category,finding.severity,finding.resourceName)"

# Get findings for a specific CIS control via its detector category (e.g., 3.6 - OPEN_SSH_PORT)
gcloud scc findings list ORGANIZATION_ID \
    --source="-" \
    --filter='state="ACTIVE" AND category="OPEN_SSH_PORT"' \
    --format="table(finding.category,finding.resourceName,finding.createTime)"

# Count active findings by severity
gcloud scc findings list ORGANIZATION_ID \
    --source=SHA_SOURCE_ID \
    --filter='state="ACTIVE"' \
    --format="value(finding.severity)" | sort | uniq -c

Export Compliance Report

# Continuously export findings to BigQuery (creates the findings table queried in Step 6).
# The dataset must exist first: bq mk --dataset PROJECT_ID:scc_export
# No filter is set so resolved (INACTIVE) findings are exported too; reports need both states.
gcloud scc bqexports create cis-compliance-export \
    --organization=ORGANIZATION_ID \
    --dataset=projects/PROJECT_ID/datasets/scc_export

Step 4: Remediate Common CIS Findings

CIS 1.7 - Service Account Key Rotation

# List user-managed keys older than 90 days. Google-managed keys rotate automatically
# and cannot be deleted, so only --managed-by=user keys are in scope for this control.
gcloud iam service-accounts keys list \
    --iam-account=SERVICE_ACCOUNT_EMAIL \
    --managed-by=user \
    --format="table(name.basename(),validAfterTime,validBeforeTime)" \
    --filter="validAfterTime<-P90D"

# Rotate in the safe order: create the new key, redeploy the workload with it,
# and only then delete the old one (deleting first causes an outage)
gcloud iam service-accounts keys create key.json \
    --iam-account=SERVICE_ACCOUNT_EMAIL

gcloud iam service-accounts keys delete OLD_KEY_ID \
    --iam-account=SERVICE_ACCOUNT_EMAIL

# Better still: remove the need for a key (attached service accounts on GCE/GKE,
# Workload Identity Federation for external workloads) and block new keys with the
# iam.disableServiceAccountKeyCreation organization policy

CIS 2.1 - Enable Cloud Audit Logging

# Export the current policy. set-iam-policy replaces the whole policy (bindings included),
# so always edit this export rather than writing a file from scratch, and keep its etag.
gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json

# Add (or extend) the auditConfigs section in policy.json, leaving bindings and etag as they are:
# {
#   "auditConfigs": [{
#     "service": "allServices",
#     "auditLogConfigs": [
#       {"logType": "ADMIN_READ"},
#       {"logType": "DATA_READ"},
#       {"logType": "DATA_WRITE"}
#     ]
#   }],
#   "bindings": [...],
#   "etag": "..."
# }
# CIS 2.1 also requires no exemptedMembers on the allServices entry. DATA_READ across all
# services can produce a large log volume, so budget for ingestion before enabling it.

gcloud projects set-iam-policy PROJECT_ID policy.json
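Editing policy.json by hand is where this remediation usually goes wrong: a pasted auditConfigs block replaces entries other teams added, drops their exemptedMembers, or loses the etag. The script below is an added example (not part of the original guide) that merges the CIS 2.1 configuration into an exported policy instead, and also reports the gaps the control checks. SAMPLE_POLICY is a constructed policy document; the helper names are this example's own.

```python
"""Merge the CIS 2.1 audit-log configuration into an exported IAM policy.

Added example, not code from the original guide. It operates on the JSON
that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and
emits the JSON to pass to `gcloud projects set-iam-policy`, keeping the
bindings, the etag and any existing audit entries intact. SAMPLE_POLICY is
a constructed policy; the function names are this example's own.
"""
import copy
import json
import sys

REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample: one service already has a partial audit config with an
# exemption. Overwriting auditConfigs wholesale would silently drop it.
SAMPLE_POLICY = {
    "etag": "BwX1234abcd=",
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
    "auditConfigs": [
        {
            "service": "storage.googleapis.com",
            "auditLogConfigs": [
                {
                    "logType": "DATA_READ",
                    "exemptedMembers": [
                        "serviceAccount:backup@example.iam.gserviceaccount.com"
                    ],
                }
            ],
        }
    ],
}


def audit_gaps(policy, service="allServices", log_types=REQUIRED_LOG_TYPES):
    """Return (missing_log_types, exempted_members) for `service`.

    CIS 2.1 wants all three log types on allServices with no exemptions, so
    a non-empty value in either position means the project fails the check.
    """
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == service:
            log_cfgs = cfg.get("auditLogConfigs", [])
            enabled = {c["logType"] for c in log_cfgs}
            exempted = [m for c in log_cfgs for m in c.get("exemptedMembers", [])]
            return [t for t in log_types if t not in enabled], exempted
    return list(log_types), []


def merge_audit_config(policy, service="allServices", log_types=REQUIRED_LOG_TYPES):
    """Return a copy of `policy` with `log_types` enabled for `service`.

    Existing auditConfigs entries (and their exemptedMembers), bindings and
    the etag are preserved; the etag is what set-iam-policy uses to detect a
    concurrent modification, so it must round-trip unchanged.
    """
    updated = copy.deepcopy(policy)
    configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    present = {c["logType"] for c in entry["auditLogConfigs"]}
    for log_type in log_types:
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return updated


if __name__ == "__main__":
    # Usage: gcloud projects get-iam-policy PROJECT_ID --format=json \
    #        | python merge_audit_config.py > policy.json
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(merge_audit_config(policy), sys.stdout, indent=2)
```

Run `audit_gaps` on the exported policy first: if it reports exempted members on allServices, the merge alone will not make the project pass, and those exemptions need a decision rather than silent removal.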

CIS 3.1 - Delete Default Network

# List default networks
gcloud compute networks list --filter="name=default"

# Delete the default network after removing dependent resources (instances, then
# firewall rules). The network field is a URL, so match it by substring rather than equality.
gcloud compute firewall-rules list --filter="network:default" \
    --format="value(name)" | xargs -I {} gcloud compute firewall-rules delete {} --quiet

gcloud compute networks delete default --quiet

# Stop new projects from recreating it: enforce the
# compute.skipDefaultNetworkCreation organization policy constraint

CIS 3.6 - Restrict SSH Access

# Find ingress rules allowing tcp/22 (or every port) from 0.0.0.0/0. A port range such as
# 20-30 also exposes 22 but this text filter will not catch it; the Security Health
# Analytics OPEN_SSH_PORT finding does. CIS 3.7 is the same check for tcp/3389.
gcloud compute firewall-rules list \
    --filter="direction=INGRESS AND sourceRanges:0.0.0.0/0 AND (allowed[].ports:22 OR allowed[].IPProtocol=all)" \
    --format="table(name,network,sourceRanges)"

# Update firewall rule to restrict source
gcloud compute firewall-rules update RULE_NAME \
    --source-ranges="10.0.0.0/8,192.168.0.0/16"

# Or delete and use IAP for SSH
gcloud compute firewall-rules delete RULE_NAME

# Create IAP-based SSH firewall rule (35.235.240.0/20 is the IAP TCP forwarding range;
# users then also need roles/iap.tunnelResourceAccessor to reach the instance)
gcloud compute firewall-rules create allow-ssh-iap \
    --network=NETWORK_NAME \
    --allow=tcp:22 \
    --source-ranges=35.235.240.0/20 \
    --description="Allow SSH through IAP"
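The gcloud filter above is a text match, and it misses the shapes attackers actually find: a port range that includes 22, a rule with IPProtocol "all" and no port list, or an IPv6 source of ::/0. The check below is an added example (not code from the guide or from Security Health Analytics) that evaluates rules in the JSON shape `gcloud compute firewall-rules list --format=json` prints and handles those cases, plus disabled and egress rules that are not exposures. The rules are constructed samples.

```python
"""Flag VPC firewall rules that expose SSH (22) or RDP (3389) to the internet.

Added example, not code from the original guide. It evaluates the JSON
shape printed by `gcloud compute firewall-rules list --format=json`
(fields: direction, disabled, sourceRanges, allowed[].IPProtocol,
allowed[].ports). SAMPLE_RULES are constructed; the function names are
this example's own.
"""
import ipaddress

WATCHED_PORTS = {22: "CIS 3.6 (SSH)", 3389: "CIS 3.7 (RDP)"}

SAMPLE_RULES = [
    # Plain open SSH: the case the text filter in the guide catches.
    {"name": "allow-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # Port range that covers 22 without listing it literally.
    {"name": "allow-low-ports", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    # Protocol "all" with no ports: every port, including 3389.
    {"name": "allow-all-from-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    # IPv6 equivalent of 0.0.0.0/0.
    {"name": "allow-rdp-v6", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    # IAP TCP forwarding range: what the guide recommends instead.
    {"name": "allow-ssh-iap", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # Disabled rule: no current exposure, though still worth cleaning up.
    {"name": "old-rdp", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    # Egress rules have no sourceRanges and do not expose anything inbound.
    {"name": "egress-all", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]


def _port_covered(port_spec, port):
    """True if a 'N' or 'N-M' port spec covers `port`."""
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _internet_source(ranges):
    """True if any source range is the whole IPv4 or IPv6 address space."""
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in ranges)


def exposed_ports(rule):
    """Return {port: control} for watched ports this rule opens to the internet.

    Only enabled INGRESS rules with an internet-wide source can expose a port;
    within those, tcp and "all" entries count, and a missing ports list means
    every port of that protocol.
    """
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return {}
    if not _internet_source(rule.get("sourceRanges", [])):
        return {}
    hits = {}
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = allowed.get("ports")
        for port, control in WATCHED_PORTS.items():
            if ports is None or any(_port_covered(p, port) for p in ports):
                hits[port] = control
    return hits


def audit(rules):
    """Map rule name -> exposed ports, for rules failing CIS 3.6 or 3.7."""
    return {r["name"]: hits for r in rules if (hits := exposed_ports(r))}


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_RULES).items():
        print(name, hits)
```

Feed it real data with `gcloud compute firewall-rules list --format=json` and compare against the OPEN_SSH_PORT and OPEN_RDP_PORT findings in the console; a rule this flags that SHA does not usually means the rule applies to no instances (target tags with no matching VMs), which is still worth deleting.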

CIS 4.4 - Enable OS Login

# Enable OS Login at project level
gcloud compute project-info add-metadata \
    --metadata enable-oslogin=TRUE

# Instance metadata overrides project metadata, so an instance with enable-oslogin=FALSE
# still fails the control; set it explicitly on such instances (or remove the override)
gcloud compute instances add-metadata INSTANCE_NAME \
    --zone=ZONE \
    --metadata enable-oslogin=TRUE

# To prevent the override from coming back, enforce the compute.requireOsLogin organization policy

CIS 5.2 - Enable Uniform Bucket Access

# List buckets without uniform bucket-level access (gcloud storage reports the
# setting as the snake_case field uniform_bucket_level_access)
gcloud storage buckets list \
    --format="table(name,uniform_bucket_level_access)" \
    --filter="NOT uniform_bucket_level_access=true"

# Enable uniform bucket access. Object ACLs stop applying immediately and the change
# can only be reverted for 90 days, so verify IAM grants cover every consumer first.
gcloud storage buckets update gs://BUCKET_NAME \
    --uniform-bucket-level-access

CIS 6.4 - Require SSL for Cloud SQL

# Check SSL enforcement (sslMode supersedes the older requireSsl field; both are shown)
gcloud sql instances describe INSTANCE_NAME \
    --format="value(settings.ipConfiguration.sslMode,settings.ipConfiguration.requireSsl)"

# Enforce encrypted connections. ENCRYPTED_ONLY satisfies the control;
# TRUSTED_CLIENT_CERTIFICATE_REQUIRED additionally requires client certificates.
# --require-ssl is the legacy equivalent of ENCRYPTED_ONLY.
gcloud sql instances patch INSTANCE_NAME \
    --ssl-mode=ENCRYPTED_ONLY

Step 5: Create Automated Remediation

Use a Pub/Sub-triggered Cloud Function, subscribed to the topic from your SCC notification config, to auto-remediate CIS violations. The notification arrives base64-encoded inside the Pub/Sub message, not as a bare JSON HTTP body:

# Example: auto-enable uniform bucket-level access from a Pub/Sub-triggered function
import base64
import json

import functions_framework
from google.cloud import storage


@functions_framework.cloud_event
def remediate_bucket_access(cloud_event):
    # The SCC notification (finding + resource) is the base64-encoded Pub/Sub payload
    notification = json.loads(base64.b64decode(cloud_event.data["message"]["data"]))
    finding = notification.get("finding", {})

    # Act only on ACTIVE uniform bucket access findings; ignore everything else
    if finding.get("category") != "BUCKET_POLICY_ONLY_DISABLED" or finding.get("state") != "ACTIVE":
        print("Not an active bucket policy finding, skipping")
        return

    # resourceName for a bucket is //storage.googleapis.com/BUCKET_NAME
    bucket_name = finding["resourceName"].rstrip("/").split("/")[-1]

    client = storage.Client()
    bucket = client.bucket(bucket_name)

    # Enable uniform bucket-level access (idempotent: re-applying is harmless)
    bucket.iam_configuration.uniform_bucket_level_access_enabled = True
    bucket.patch()
    print(f"Enabled uniform access for: {bucket_name}")

Deploy it with --trigger-topic pointing at the notification topic and run it under a dedicated service account that holds only the permission the remediation needs (here, bucket update on the in-scope projects), not a broad editor role. Because enabling uniform access disables object ACLs and becomes irreversible after 90 days, run the function in a log-only mode against non-production projects before letting it change anything.
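The part of an auto-remediator that deserves the most care is not the API call but the decision logic in front of it: decode the envelope correctly, act only on ACTIVE findings, refuse categories you have not written a handler for, honour an opt-out, and never let a malformed message raise (Pub/Sub would redeliver it). The following is an added example, not the guide's function, that isolates that logic so it can be dry-run and tested offline. The finding fields follow the SCC NotificationMessage format; SAMPLE_NOTIFICATION is constructed, and the REMEDIATIONS registry, the `auto_remediate` security mark and the dry-run design are conventions of this example rather than SCC features.

```python
"""Decode an SCC Pub/Sub notification and plan a remediation safely.

Added example; it is not the original guide's function. The finding fields
(category, state, resourceName, securityMarks) follow the NotificationMessage
format SCC publishes to the topic named in `gcloud scc notifications create`,
wrapped in the Pub/Sub envelope a CloudEvent-triggered function receives.
SAMPLE_NOTIFICATION is constructed; the REMEDIATIONS registry, the
`auto_remediate` security mark and the dry-run design are this example's own
conventions, not SCC features.
"""
import base64
import json

# Allow-listed Security Health Analytics categories and the remediation each
# maps to. Anything not listed is ignored: an auto-remediator must never act
# on categories it was not designed for.
REMEDIATIONS = {
    "BUCKET_POLICY_ONLY_DISABLED": "enable_uniform_bucket_access",
    "OPEN_SSH_PORT": "restrict_firewall_rule",
    "OS_LOGIN_DISABLED": "enable_os_login",
}


def decode_pubsub_event(event_data):
    """Return the NotificationMessage dict carried in a Pub/Sub CloudEvent."""
    return json.loads(base64.b64decode(event_data["message"]["data"]))


def parse_resource_name(resource_name):
    """Split an SCC resourceName into (service, path components).

    '//storage.googleapis.com/my-bucket' -> ('storage.googleapis.com', ['my-bucket'])
    """
    if not resource_name.startswith("//"):
        raise ValueError(f"unexpected resourceName: {resource_name!r}")
    service, _, path = resource_name[2:].partition("/")
    return service, path.split("/") if path else []


def plan_remediation(notification):
    """Decide what to do with one finding; never raises on odd input, because
    an exception would make Pub/Sub redeliver the same poison message."""
    finding = notification.get("finding", {})
    if finding.get("state") != "ACTIVE":
        return {"action": None, "reason": "finding not ACTIVE"}
    marks = finding.get("securityMarks", {}).get("marks", {})
    if marks.get("auto_remediate") == "false":
        return {"action": None, "reason": "opted out via security mark"}
    action = REMEDIATIONS.get(finding.get("category"))
    if action is None:
        return {"action": None, "reason": f"no handler for {finding.get('category')}"}
    try:
        service, path = parse_resource_name(finding.get("resourceName", ""))
    except ValueError as exc:
        return {"action": None, "reason": str(exc)}
    if not path:
        return {"action": None, "reason": "resourceName has no resource path"}
    return {"action": action, "service": service, "target": path[-1],
            "finding": finding.get("name")}


def run(event_data, handlers=None):
    """Decode, plan and, when `handlers` is given, execute.

    With no handlers this is a dry run that only returns the plan; roll a new
    remediator out that way first and compare its plans against the console.
    """
    plan = plan_remediation(decode_pubsub_event(event_data))
    if plan["action"] and handlers is not None:
        handlers[plan["action"]](plan["target"])
        plan["executed"] = True
    return plan


# Constructed sample: an ACTIVE uniform-bucket-level-access finding as the
# Pub/Sub trigger hands it to the function.
SAMPLE_NOTIFICATION = {
    "notificationConfigName": "organizations/123/notificationConfigs/cis-violations-alert",
    "finding": {
        "name": "organizations/123/sources/456/findings/abc",
        "category": "BUCKET_POLICY_ONLY_DISABLED",
        "state": "ACTIVE",
        "severity": "MEDIUM",
        "resourceName": "//storage.googleapis.com/example-logs-bucket",
        "securityMarks": {"marks": {}},
    },
    "resource": {"name": "//storage.googleapis.com/example-logs-bucket"},
}
SAMPLE_EVENT_DATA = {
    "message": {
        "data": base64.b64encode(json.dumps(SAMPLE_NOTIFICATION).encode()).decode(),
        "messageId": "1",
    },
    "subscription": "projects/example/subscriptions/cis-remediator",
}
```

In the deployed function the `cloud_event` handler becomes a one-liner, `run(cloud_event.data, handlers=...)`, where each handler is a small function that performs the API call for one category. Keep the handlers as narrow as the registry: one category, one resource type, one permission.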

Step 6: Generate Compliance Reports

Via Console

    - Go to **Security Command Center > Compliance**
    - Select **CIS GCP Foundations Benchmark**
    - Click **Export** to download CSV or PDF report
    - Schedule recurring exports via Pub/Sub notifications

Via BigQuery Query

-- CIS Compliance Summary Report
-- Assumes the SCC BigQuery export schema: one row per finding update, each with a
-- `finding` record (category, severity, state, name, event_time, compliances) and a
-- `resource` record. finding.compliances lists the standards a Security Health
-- Analytics finding maps to, so that is the CIS mapping, not sourceProperties.
WITH latest AS (
  -- The export appends a row for every update; keep only the newest row per finding,
  -- otherwise a finding that went ACTIVE -> INACTIVE is counted in both states
  SELECT finding, resource
  FROM `PROJECT_ID.scc_export.findings`
  QUALIFY ROW_NUMBER() OVER (PARTITION BY finding.name ORDER BY finding.event_time DESC) = 1
),
cis_findings AS (
  SELECT
    cis_control,
    c.version AS cis_version,
    finding.category AS category,
    finding.severity AS severity,
    finding.state AS state,
    resource.name AS resource_name
  FROM latest,
    UNNEST(finding.compliances) AS c,
    UNNEST(c.ids) AS cis_control
  WHERE c.standard = 'cis'
)
SELECT
  cis_control,
  cis_version,
  category,
  severity,
  COUNT(*) AS finding_count,
  COUNTIF(state = 'ACTIVE') AS active_count,
  COUNTIF(state = 'INACTIVE') AS resolved_count
FROM cis_findings
GROUP BY cis_control, cis_version, category, severity
-- Severity is a string, so a plain ORDER BY severity DESC would sort MEDIUM above HIGH
ORDER BY CASE severity WHEN 'CRITICAL' THEN 0 WHEN 'HIGH' THEN 1 WHEN 'MEDIUM' THEN 2 ELSE 3 END,
  finding_count DESC;
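The same report is often needed outside BigQuery, for instance over a `gcloud scc findings list --format=json` snapshot in a CI job, or to drive the severity counting in Step 3 without a data warehouse. The script below is an added example (not code from the guide) that consumes rows shaped like the export (a `finding` record and a `resource` record, with `finding.compliances` carrying the CIS mapping), applies the same newest-row-per-finding rule as the query above, and produces the per-control summary, a prioritised worklist and a pass rate. SAMPLE_FINDINGS is constructed; the function names and the pass-rate definition are this example's own.

```python
"""Summarise exported SCC findings per CIS control.

Added example, not code from the original guide. Rows follow the SCC
BigQuery export shape (a `finding` record and a `resource` record, with
`finding.compliances` listing the standards a Security Health Analytics
finding maps to). SAMPLE_FINDINGS is constructed; function names and the
pass-rate definition are this example's own.
"""

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def _row(name, category, severity, state, event_time, resource, compliances=None):
    return {
        "finding": {"name": f"organizations/123/sources/456/findings/{name}",
                    "category": category, "severity": severity, "state": state,
                    "event_time": event_time, "compliances": compliances or []},
        "resource": {"name": resource},
    }


CIS = lambda *ids: [{"standard": "cis", "version": "2.0", "ids": list(ids)}]

SAMPLE_FINDINGS = [
    _row("fw-p1", "OPEN_SSH_PORT", "HIGH", "ACTIVE", "2026-01-10T00:00:00Z",
         "//compute.googleapis.com/projects/p1/global/firewalls/allow-ssh", CIS("3.6")),
    # Same finding exported twice: first ACTIVE, later resolved. Only the newest row counts.
    _row("fw-p2", "OPEN_SSH_PORT", "HIGH", "ACTIVE", "2026-01-05T00:00:00Z",
         "//compute.googleapis.com/projects/p2/global/firewalls/ssh-legacy", CIS("3.6")),
    _row("fw-p2", "OPEN_SSH_PORT", "HIGH", "INACTIVE", "2026-01-12T00:00:00Z",
         "//compute.googleapis.com/projects/p2/global/firewalls/ssh-legacy", CIS("3.6")),
    _row("bkt-ubla", "BUCKET_POLICY_ONLY_DISABLED", "MEDIUM", "ACTIVE", "2026-01-11T00:00:00Z",
         "//storage.googleapis.com/p1-logs", CIS("5.2")),
    _row("bkt-public", "PUBLIC_BUCKET_ACL", "HIGH", "ACTIVE", "2026-01-11T00:00:00Z",
         "//storage.googleapis.com/p1-public",
         CIS("5.1") + [{"standard": "pci", "version": "3.2.1", "ids": ["7.1"]}]),
    # Threat finding from another source: no compliances, so not a CIS item.
    _row("threat-1", "Malware: Bad Domain", "HIGH", "ACTIVE", "2026-01-11T00:00:00Z",
         "//compute.googleapis.com/projects/p1/zones/z/instances/vm"),
]


def latest_rows(rows):
    """Keep only the newest row per finding name (the export appends every update)."""
    newest = {}
    for row in rows:
        name = row["finding"]["name"]
        if name not in newest or row["finding"]["event_time"] > newest[name]["finding"]["event_time"]:
            newest[name] = row
    return list(newest.values())


def cis_controls(row, standard="cis"):
    """Yield (control_id, version) pairs a finding is mapped to."""
    for entry in row["finding"].get("compliances", []):
        if entry.get("standard") == standard:
            for control in entry.get("ids", []):
                yield control, entry.get("version")


def summarise(rows):
    """Per CIS control: active/resolved counts, worst severity, categories, resources."""
    summary = {}
    for row in rows:
        f = row["finding"]
        for control, version in cis_controls(row):
            s = summary.setdefault(control, {"version": version, "categories": set(),
                                             "severity": "LOW", "active": 0,
                                             "resolved": 0, "active_resources": []})
            s["categories"].add(f["category"])
            if SEVERITY_ORDER.get(f["severity"], 9) < SEVERITY_ORDER.get(s["severity"], 9):
                s["severity"] = f["severity"]
            if f["state"] == "ACTIVE":
                s["active"] += 1
                s["active_resources"].append(row["resource"]["name"])
            else:
                s["resolved"] += 1
    return summary


def prioritised(summary):
    """Controls with active findings, most severe and most widespread first."""
    open_controls = [(c, s) for c, s in summary.items() if s["active"]]
    return sorted(open_controls,
                  key=lambda cs: (SEVERITY_ORDER.get(cs[1]["severity"], 9), -cs[1]["active"], cs[0]))


def compliance_score(summary, assessed=None):
    """Percent of controls with no active finding.

    Without `assessed`, only controls that ever produced a finding are counted,
    which understates compliance; pass the full list of controls SHA evaluates
    for a score comparable to the console's.
    """
    controls = set(assessed) if assessed else set(summary)
    if not controls:
        return 100.0
    failing = {c for c, s in summary.items() if s["active"] and c in controls}
    return round(100.0 * (len(controls) - len(failing)) / len(controls), 1)


if __name__ == "__main__":
    summary = summarise(latest_rows(SAMPLE_FINDINGS))
    for control, s in prioritised(summary):
        print(control, s["severity"], s["active"], s["active_resources"])
    print("pass rate:", compliance_score(summary))
```

The `assessed` argument matters when presenting the number to auditors: a score computed only over controls that have ever failed looks far worse than the console's, which counts every control the detectors evaluate.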

Create Compliance Dashboard

# One-off snapshot for a Looker Studio dashboard (the bqexports config in Step 3 is the
# continuous alternative). SHA_SOURCE_ID is the Security Health Analytics source from Step 3.
gcloud scc findings list ORGANIZATION_ID \
    --source=SHA_SOURCE_ID \
    --filter='state="ACTIVE"' \
    --format="json" > cis_findings.json

# bq load expects newline-delimited JSON, but gcloud prints a JSON array; unwrap it with jq
jq -c '.[]' cis_findings.json > cis_findings.ndjson

# Load into BigQuery (the dataset must exist: bq mk --dataset PROJECT_ID:compliance)
bq load --source_format=NEWLINE_DELIMITED_JSON --autodetect \
    compliance.cis_findings \
    cis_findings.ndjson

Step 7: Set Up Compliance Alerting

# Create Pub/Sub notification for new high-impact violations. Narrow it to specific
# CIS controls with category= (e.g. category="OPEN_SSH_PORT") if the topic gets noisy.
gcloud scc notifications create cis-violations-alert \
    --organization=ORGANIZATION_ID \
    --pubsub-topic=projects/PROJECT_ID/topics/security-alerts \
    --filter='state="ACTIVE" AND (severity="CRITICAL" OR severity="HIGH")'

Best Practices for CIS Compliance

  • Enable Premium SCC - Required for CIS compliance mapping and reporting
  • Scan at organization level - Ensure all projects are covered
  • Prioritize by severity - Address CRITICAL and HIGH findings first
  • Implement automated remediation - Reduce mean time to remediate
  • Schedule weekly compliance reviews - Track progress over time
  • Document exceptions - Maintain approved deviations with justification
  • Use organization policies - Prevent new violations proactively with constraints such as compute.skipDefaultNetworkCreation (3.1), compute.requireOsLogin (4.4), compute.vmExternalIpAccess (4.9), iam.disableServiceAccountKeyCreation (1.4), storage.uniformBucketLevelAccess (5.2), storage.publicAccessPrevention (5.1) and sql.restrictPublicIp (6.6)
  • Export to SIEM - Integrate with existing security operations

CIS Control Priority Matrix

| Priority | CIS Controls       | Risk                             |
|----------|--------------------|----------------------------------|
| Critical | 3.6, 3.7, 5.1, 6.6 | Public exposure, data breach     |
| High     | 1.5, 1.7, 2.1, 4.9 | Privilege escalation, audit gaps |
| Medium   | 3.1, 4.4, 5.2, 6.4 | Attack surface, best practice    |
| Low      | 4.8, 6.7           | Defense in depth                 |

Need help achieving CIS compliance in Google Cloud? Contact InventiveHQ for expert guidance on cloud security frameworks and compliance automation.

Frequently Asked Questions

What is the CIS GCP Foundations Benchmark?

The CIS GCP Foundations Benchmark is a set of security configuration best practices developed by the Center for Internet Security specifically for Google Cloud Platform. It covers identity management, logging, networking, virtual machines, storage, SQL databases, BigQuery, and Cloud KMS. The benchmark provides actionable, consensus-driven guidance to secure GCP environments against common threats.
