Do It Yourself
Is Your Google Cloud Environment Exposed?
“80% of Cloud Breaches Start with Misconfigurations.”
– Gartner
Download our free 15-min Google Cloud Posture Checklist to find and fix critical risks—before attackers do.
This tactical checklist provides deterministic GCP security validation through infrastructure-as-code principles. Operationalize production-ready gcloud commands to programmatically identify: exposed assets violating zero-trust, excessive IAM entitlements, and cryptographic control gaps. Each procedure outputs actionable findings formatted for SIEM ingestion and compliance reporting workflows.
CLI commands to detect open Cloud Storage buckets, public VMs, and unsecured GKE clusters.
Identify overprivileged service accounts and members granted roles/owner permissions.
Verify CMEK usage for Persistent Disks, Cloud SQL, and BigQuery datasets.
Map checks to CIS GCP benchmarks and MITRE ATT&CK cloud tactics.
Join leading security professionals who eliminated critical Google Cloud environment risks.
The FAQs and People Also Ask (PAA) entries below cover the most common questions about conducting a Google Cloud posture assessment. The assessment itself can be carried out with the Do-It-Yourself (DIY) document created by Cy5, which lists the main check categories and the CLI scripts anyone can use to run them.
CSPM continuously scans your GCP environment against security benchmarks—such as CIS and Google-recommended templates—to detect misconfigurations, compliance drift, and vulnerabilities. By automating discovery and remediation recommendations, CSPM helps teams enforce least-privilege access, maintain audit-ready controls, and reduce cloud breach risks.
Read More About CSPM.
A 15-minute checklist offers a repeatable, time-efficient framework to uncover critical GCP risks—public exposures, overprivileged identities, unencrypted data, and missing logs. It prioritizes high-impact findings, slashes manual audit overhead, and empowers security teams to confirm a secure baseline daily with validated gcloud commands.
gcloud compute instances list \
--filter="status:RUNNING AND networkInterfaces[].accessConfigs[].natIP:*" \
--format="table(name,networkInterfaces[].accessConfigs[].natIP:label=EXTERNAL_IP)"
This outputs all running VMs with external IPs in a readable table.
gsutil ls | xargs -I {} sh -c '
echo "Checking {}";
gsutil iam get {} \
| grep -E "allUsers|allAuthenticatedUsers" -B2 -A2'
This lists buckets open to allUsers or allAuthenticatedUsers, with the surrounding IAM binding details.
gcloud sql instances list \
--filter="ipAddresses.type:PRIMARY AND ipAddresses.ipAddress:*" \
--format="table(name,databaseVersion,ipAddresses[].ipAddress:label=IP_ADDRESSES,state)"
This command shows Cloud SQL instances with public (PRIMARY) IPs, their addresses, and their status.
Control plane:
gcloud container clusters list \
--format="table(name,location,privateClusterConfig.enablePrivateNodes,masterAuthorizedNetworksConfig.enabled)"
This shows whether each cluster uses private nodes and restricts control-plane access with authorized networks.
LoadBalancer Services:
kubectl get svc -A -o json \
| jq -r '.items[] | select(.spec.type=="LoadBalancer" and .status.loadBalancer.ingress) | "\(.metadata.namespace)/\(.metadata.name)"'
This lists Kubernetes Services that have been assigned an external load-balancer address.
gcloud compute disks list \
--filter="NOT diskEncryptionKey:*" \
--format="table(name,zone,sizeGb,type,status)"
This outputs disks with no encryption key of their own, i.e. neither a CMEK nor a customer-supplied raw key (Google-managed encryption only).
gcloud storage buckets list --format="value(name)" \
| while read -r bucket; do
echo "Checking $bucket";
key=$(gcloud storage buckets describe "gs://$bucket" \
--format="value(default_kms_key)")
[ -n "$key" ] || echo "No CMEK configured for $bucket"
done
This reports which buckets lack a default customer-managed KMS key.
gcloud services list --enabled --filter="name~logging.googleapis.com" \
&& gcloud logging sinks list --format="table(name,destination,filter,createTime)"
Then verify that each sink's destination, and the retention configured on that destination, meet your 90-day requirement.
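As an added example (not part of the Cy5 checklist), a POSIX sh function that applies the 90-day requirement to the log buckets behind those sinks. It assumes input produced by gcloud logging buckets list --format="value(name,retentionDays,locked)" and treats an empty retentionDays column as a finding rather than a pass.

```shell
#!/bin/sh
# Added example, not from the Cy5 checklist. Usage in a real project:
#   gcloud logging buckets list --format="value(name,retentionDays,locked)" \
#     | check_log_retention 90
# Input lines are "<bucket name>TAB<retentionDays>TAB<locked>" (gcloud's value() output).
# Prints one JSON object per non-compliant bucket and returns 1 if any were found,
# so the call can gate a pipeline stage.
check_log_retention() {
  min_days=${1:-90}          # required minimum retention, 90 days by default
  tab=$(printf '\t')
  short=0
  while IFS=$tab read -r name days locked; do
    [ -n "$name" ] || continue
    # An empty or non-numeric retentionDays column means gcloud returned no usable
    # value; treat it as 0 so the bucket is surfaced rather than silently passed.
    case $days in
      ''|*[!0-9]*) days=0 ;;
    esac
    if [ "$days" -lt "$min_days" ]; then
      printf '{"check":"log_retention","severity":"HIGH","bucket":"%s","retention_days":%s,"required_days":%s,"locked":"%s"}\n' \
        "$name" "$days" "$min_days" "${locked:-False}"
      short=$((short + 1))
    fi
  done
  [ "$short" -eq 0 ]
}
```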
gcloud scc settings describe --organization=ORGANIZATION_ID \
--format="value(orgServiceAccount)"
gcloud scc findings list --organization=ORGANIZATION_ID \
--filter='state="ACTIVE"' \
--format="table(finding.resourceName,finding.category,finding.severity,finding.eventTime)"
These commands confirm SCC onboarding and list active misconfiguration and threat findings.
gcloud logging read \
'protoPayload.methodName=~"Delete|SetIamPolicy" AND severity>=NOTICE' \
--freshness=7d \
--format="table(timestamp,protoPayload.methodName,protoPayload.authenticationInfo.principalEmail)"
This surfaces destructive or privilege-escalation calls made in the past week, with the principal that made each call.
gcloud projects get-iam-policy $(gcloud config get-value project) \
--format="json" \
| jq -r '.bindings[] | select(.role=="roles/owner" or .role=="roles/editor") | .members[]'
Then review each member to enforce least-privilege and disable unused service accounts.
Embed your gcloud and gsutil scripts as pipeline stages in Cloud Build, GitHub Actions, or Jenkins. Fail builds on critical findings, archive outputs as artifacts, and notify teams via chatops. This enforces continuous posture validation pre-deployment and integrates security into DevOps.
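As an added example (not part of the Cy5 checklist), a POSIX sh function that turns the owner/editor review above into the kind of pipeline gate this paragraph describes: it emits one JSON object per finding for SIEM ingestion and returns non-zero when a critical finding exists. It assumes input from gcloud projects get-iam-policy with --flatten="bindings[].members" and --format="value(bindings.role,bindings.members)"; the severity scheme is an illustrative assumption, not a Cy5 or Google rating.

```shell
#!/bin/sh
# Added example, not from the Cy5 checklist. Real usage:
#   gcloud projects get-iam-policy "$(gcloud config get-value project)" \
#     --flatten="bindings[].members" \
#     --format="value(bindings.role,bindings.members)" | assess_iam_bindings
# Input lines are "<role>TAB<member>". The severity scheme is an assumption
# for illustration only.

# Classify one binding; prints a severity, or nothing when it is not a finding.
classify_binding() {
  role=$1; member=$2
  case $member in
    allUsers|allAuthenticatedUsers) echo CRITICAL; return 0 ;;   # public principal in any role
  esac
  case $role in
    roles/owner)
      case $member in
        serviceAccount:*) echo CRITICAL ;;   # a leaked SA key would yield full project control
        *) echo HIGH ;;
      esac ;;
    roles/editor) echo MEDIUM ;;
  esac
  return 0
}

# Read bindings on stdin, print one JSON object per finding, return 1 if any CRITICAL.
assess_iam_bindings() {
  tab=$(printf '\t')
  critical=0
  while IFS=$tab read -r role member; do
    [ -n "$role" ] || continue
    sev=$(classify_binding "$role" "$member")
    [ -n "$sev" ] || continue
    if [ "$sev" = CRITICAL ]; then critical=$((critical + 1)); fi
    printf '{"check":"iam_overprivileged","severity":"%s","role":"%s","member":"%s"}\n' \
      "$sev" "$role" "$member"
  done
  [ "$critical" -eq 0 ]
}
```

In a Cloud Build, GitHub Actions or Jenkins stage, redirect the JSON lines to an artifact file and let the non-zero exit status fail the build.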