The GCP Security Baseline: 20 misconfigurations we fix first

A pragmatic baseline catches most risks with minimal bureaucracy. Here’s what we fix first on nearly every new engagement.

1) Org & billing hygiene

Create a clear folder structure by environment/product. Lock project creation to infra owners.

Set budget alerts with anomaly detection. Tie billing accounts to least‑privileged groups.

2) Org Policies that matter

Require CMEK where appropriate for storage/big data; restrict external service accounts; disable legacy APIs where feasible.

Block external IPs on new VMs by default; prefer Private Google Access/Private Service Connect.
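The constraints in this section can be checked mechanically against what a project actually inherits. The script below is an added example, not code from the article: it evaluates a small baseline (our own mapping of the bullets above onto real constraint names such as `constraints/compute.vmExternalIpAccess` and `constraints/iam.disableServiceAccountKeyCreation`) against a constructed effective-policy document. The `listPolicy`/`booleanPolicy` layout is modelled loosely on the v1 org-policy JSON and is an assumption; the constraint identifiers are real.

```python
"""Compare a project's effective org policies with a baseline of constraints.

Added example, not from the article. Input layout (listPolicy / booleanPolicy)
is an assumption modelled on the v1 org-policy JSON; constraint names are real.
"""

# Baseline: which constraint we expect and in what state. The mapping of the
# article's bullets onto these constraints is our own choice (an assumption).
BASELINE = {
    # "Block external IPs on new VMs by default"
    "constraints/compute.vmExternalIpAccess": {"kind": "list", "expect": "deny_all"},
    # "restrict external service accounts": keep foreign identities out of IAM policies
    "constraints/iam.allowedPolicyMemberDomains": {"kind": "list", "expect": "allow_values"},
    # avoid long-lived keys: stop creation of user-managed SA keys org-wide
    "constraints/iam.disableServiceAccountKeyCreation": {"kind": "boolean", "expect": True},
    # "Require CMEK where appropriate": deny Google-managed keys for listed services
    "constraints/gcp.restrictNonCmekServices": {"kind": "list", "expect": "deny_values"},
}


def evaluate(effective_policies):
    """Return a list of (constraint, finding) tuples describing baseline gaps."""
    findings = []
    for constraint, rule in BASELINE.items():
        policy = effective_policies.get(constraint)
        if policy is None:
            # Unset means the permissive Google default applies.
            findings.append((constraint, "not set; inherits the permissive default"))
            continue
        if rule["kind"] == "boolean":
            enforced = policy.get("booleanPolicy", {}).get("enforced", False)
            if enforced != rule["expect"]:
                findings.append((constraint, f"enforced={enforced}, expected {rule['expect']}"))
            continue
        lp = policy.get("listPolicy", {})
        if rule["expect"] == "deny_all" and lp.get("allValues") != "DENY":
            findings.append((constraint, "expected allValues=DENY"))
        elif rule["expect"] == "allow_values" and not lp.get("allowedValues"):
            findings.append((constraint, "expected a non-empty allowedValues list"))
        elif rule["expect"] == "deny_values" and not lp.get("deniedValues"):
            findings.append((constraint, "expected a non-empty deniedValues list"))
    return findings


# Constructed sample: two constraints meet the baseline, one is present but not
# enforced, one is missing entirely. "C0placeholder" stands in for a real
# Cloud Identity customer ID.
SAMPLE_POLICIES = {
    "constraints/compute.vmExternalIpAccess": {"listPolicy": {"allValues": "DENY"}},
    "constraints/iam.allowedPolicyMemberDomains": {"listPolicy": {"allowedValues": ["C0placeholder"]}},
    "constraints/iam.disableServiceAccountKeyCreation": {"booleanPolicy": {"enforced": False}},
}


def sample_findings():
    return evaluate(SAMPLE_POLICIES)


if __name__ == "__main__":
    for constraint, finding in sample_findings():
        print(f"{constraint}: {finding}")
```

Feed it the output of `gcloud resource-manager org-policies describe <constraint> --project <id> --effective` for each baseline constraint (converted to the dict shape above) and run it as a scheduled drift check; the two findings from the sample data are exactly the two conditions a new project most often lands in.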

3) IAM and service accounts

Inventory service account keys; rotate or remove them. Adopt Workload Identity Federation for CI/CD and cross‑cloud access, avoiding long‑lived keys.

Purge Owner roles; use custom roles for special cases; implement break‑glass with alerting.
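The key inventory and Owner purge in this section reduce to two checks over data you already have: the project IAM policy (`gcloud projects get-iam-policy --format=json`) and each service account's key list (`gcloud iam service-accounts keys list --format=json`). The following is an added example, not the article's code; the `bindings`/`members` and `keyType`/`validAfterTime` field names match those commands' JSON, while the 90-day threshold and the sample identities are constructed.

```python
"""Flag non-break-glass Owner bindings and stale user-managed SA keys.

Added example, not from the article. Field names follow the JSON output of
`gcloud projects get-iam-policy` and `gcloud iam service-accounts keys list`;
the 90-day limit and all sample identities are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation cadence; pick what your policy says


def owner_findings(policy, break_glass=frozenset()):
    """Return ("owner", member) for every Owner grant not on the break-glass list.

    Break-glass identities are allowed to keep Owner but must be alerted on
    when used (see the article); they are excluded here, not reported.
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != "roles/owner":
            continue
        for member in binding.get("members", []):
            if member not in break_glass:
                findings.append(("owner", member))
    return findings


def stale_key_findings(keys, now):
    """Return ("stale_key", key name, age in days) for old user-managed keys.

    SYSTEM_MANAGED keys rotate automatically and are skipped; the caller
    passes `now` so the check is deterministic and testable.
    """
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        age = now - created
        if age > MAX_KEY_AGE:
            findings.append(("stale_key", key["name"], age.days))
    return findings


# Constructed sample inputs.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "group:breakglass@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ]
}
SAMPLE_KEYS = [
    {"name": "projects/p/serviceAccounts/ci@p.iam.gserviceaccount.com/keys/aaa",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-06-01T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/ci@p.iam.gserviceaccount.com/keys/bbb",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-11-15T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/ci@p.iam.gserviceaccount.com/keys/ccc",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"},
]
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
BREAK_GLASS = frozenset({"group:breakglass@example.com"})


def sample_report():
    """Run both checks over the constructed sample and return all findings."""
    return owner_findings(SAMPLE_POLICY, BREAK_GLASS) + stale_key_findings(SAMPLE_KEYS, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in sample_report():
        print(finding)
```

On the sample, only `user:alice@example.com` is reported for Owner (the break-glass group is exempt), and only the June key is reported as stale (214 days); the November key is inside the window and the system-managed key is ignored.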

4) Logging you can use

Enable Data Access logs for sensitive services; centralise routing to BigQuery or SIEM with retention you can afford.

Create log‑based metrics for key events (privilege escalation, perimeter egress, SCC High findings).
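A log-based metric is just a Cloud Logging filter that counts matching entries. The script below, an added example that is not part of the article, shows two such filters as strings and the same matching logic applied to constructed Cloud Audit Log lines, so the detection can be unit-tested before it is deployed. The field paths (`protoPayload.methodName`, `protoPayload.serviceData.policyDelta.bindingDeltas`) follow the Admin Activity audit log schema for `SetIamPolicy` and are an assumption to verify against your own logs; the sample entries and the metric names are constructed.

```python
"""Emulate log-based metrics for privilege escalation and SA key creation.

Added example, not from the article. Field paths are an assumption based on
the Cloud Audit Log schema; sample entries and metric names are constructed.
"""
import json

HIGH_RISK_ROLES = {"roles/owner", "roles/editor"}

# The Cloud Logging filters the metrics would be created from.
FILTERS = {
    "priv_esc": (
        'protoPayload.methodName="SetIamPolicy" AND '
        'protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND '
        'protoPayload.serviceData.policyDelta.bindingDeltas.role=("roles/owner" OR "roles/editor")'
    ),
    "sa_key_created": 'protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"',
}


def classify(entry):
    """Return the metric names one parsed audit log entry would increment."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    hits = []
    if method == "SetIamPolicy":
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        # Only additions of high-risk roles count; removals and viewer grants do not.
        if any(d.get("action") == "ADD" and d.get("role") in HIGH_RISK_ROLES for d in deltas):
            hits.append("priv_esc")
    if method == "google.iam.admin.v1.CreateServiceAccountKey":
        hits.append("sa_key_created")
    return hits


def count_events(raw_lines):
    """Count metric hits over newline-delimited JSON log entries."""
    counts = {name: 0 for name in FILTERS}
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        for metric in classify(json.loads(line)):
            counts[metric] += 1
    return counts


# Constructed sample export: one Owner grant, one Viewer grant, one key creation,
# one unrelated VM insert.
SAMPLE_LOG = """
{"protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "bob@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"}]}}}}
{"protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "carol@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"}]}}}}
{"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "ci@example.com"}}}
{"protoPayload": {"methodName": "v1.compute.instances.insert", "authenticationInfo": {"principalEmail": "dave@example.com"}}}
"""


def sample_counts():
    return count_events(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(sample_counts())
```

Wire an alerting policy to each metric with a threshold of zero so a single hit pages someone; the Viewer grant in the sample is deliberately not counted, which is the false-positive you most want to avoid when the metric feeds an on-call rotation.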

5) Network reality

Prefer Private Service Connect/Access; control egress via NAT with logging. Put Cloud Armor/WAF in front of public apps.

Assess VPC Service Controls only where data exfiltration risk and architecture warrant it.

6) Data protection

Use Secret Manager; rotate credentials. Define KMS key hierarchy and rotation cadence. Use DLP detectors surgically, not everywhere.

7) Readiness & drills

Write the IR runbook, then test it. Schedule quarterly restore drills. Review SCC findings monthly with owners.


This article is for engineering guidance. It is not legal advice.