GCP security checklist

A concise, opinionated checklist you can print or save as PDF. Start with org & IAM, then network and data.

  1. Org & Folders: separate prod/non‑prod; restrict project creation.
  2. Org Policies: restrict external service accounts; require customer‑managed encryption keys (CMEK) where appropriate; disallow legacy APIs.
  3. Billing: alerts; per‑env budgets; anomaly detection.
  4. IAM: inventory service accounts; remove owners; adopt Workload Identity Federation (WIF) instead of long‑lived keys; rotate any remaining keys; break‑glass accounts with alerts.
  5. Logging: centralise to BigQuery/SIEM; enable Data Access audit logs for sensitive services.
  6. Network: Private Google Access/Private Service Connect; egress via Cloud NAT with logging; Cloud Armor/WAF for public endpoints.
  7. Data: Secret Manager; KMS key hierarchy; rotation playbook; DLP detectors where sensible.
  8. Security Command Center (SCC): enable; tune findings; alert routes; monthly review.
  9. Backups/DR: test restores; document RTO/RPO; quarterly drill.
  10. IR: runbook; comms; evidence workflow; tabletop.
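Two of the IAM checks above (remove owners, rotate keys) can be scripted against the JSON that gcloud already emits. This is an added example, not part of the checklist: it reads the shape of `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts keys list --format=json`, and the project name, principals and key records below are constructed sample data.

```python
# Added example for checklist item 4 (IAM). Offline: operates on constructed
# records shaped like gcloud's JSON output, not on a live project.
from datetime import datetime, timedelta, timezone

SAMPLE_POLICY = {  # constructed; shape of `gcloud projects get-iam-policy`
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ]
}
SA = "projects/example-proj/serviceAccounts/ci@example-proj.iam.gserviceaccount.com"
SAMPLE_KEYS = [  # constructed; validAfterTime is the key creation time
    {"name": SA + "/keys/k1", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-15T10:00:00Z"},
    {"name": SA + "/keys/k2", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-01T10:00:00Z"},
    {"name": SA + "/keys/k3", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2022-01-01T10:00:00Z"},
]

def owner_members(policy):
    """Every principal bound to roles/owner (checklist: 'remove owners')."""
    return sorted(m for b in policy.get("bindings", [])
                  if b.get("role") == "roles/owner"
                  for m in b.get("members", []))

def stale_user_keys(keys, max_age_days=90, now=None):
    """Names of user-managed keys older than max_age_days.
    Google-managed (SYSTEM_MANAGED) keys rotate automatically and are skipped;
    user-managed keys are the ones WIF should replace, and until then rotate."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for k in keys:
        if k.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(k["validAfterTime"].replace("Z", "+00:00"))
        if created < cutoff:
            stale.append(k["name"])
    return stale

if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # deterministic demo clock
    print("roles/owner members:", owner_members(SAMPLE_POLICY))
    print("stale user-managed keys:", stale_user_keys(SAMPLE_KEYS, now=fixed_now))
```

Pipe real gcloud output into these functions to produce the evidence the tip below asks you to link from your compliance tool.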

Tip: capture decisions in a living doc; link evidence to your compliance tool (Vanta/Drata/etc.).