Overview

DSALTA connects to Google Cloud Platform (GCP) using read-only API access to collect compliance evidence automatically. Data syncs every 24 hours and feeds into your Data Library modules.
Read-only access. DSALTA never modifies, creates, or deletes resources in your Google Cloud Platform (GCP) environment.

How to Connect

  1. Go to Integrations in the DSALTA sidebar.
  2. Find Google Cloud Platform (GCP) and click Connect.
  3. Authenticate with admin-level access.
  4. Select the scope (accounts, projects, or resources to monitor).
  5. DSALTA performs an initial sync (5-15 minutes). Checks activate after sync completes.

Automated Compliance Checks

Each check below runs automatically every 24 hours. Click any check for step-by-step remediation guidance.
| Check | Description |
| --- | --- |
| GCP users should have MFA enabled | Checks that MFA is enabled for all GCP user accounts. |
| GCP should redirect HTTP to HTTPS | Checks that GCP redirects HTTP traffic to HTTPS. |
| GCP should be on HTTPS | Checks that GCP services are accessible over HTTPS. |
| Google Security Command Center should be enabled | Checks that Google Security Command Center is enabled. |
| Reported incidents should be closed in Security Command Center | Checks that incidents detected in Google Security Command Center are closed. |
| GCP bucket storage should be encrypted | Checks that GCP Cloud Storage buckets are encrypted at rest. |
| GCP VPC subnet flow logs should be captured | Checks that VPC subnet flow logs are enabled in GCP. |
| GCP Kubernetes clusters should have logging and monitoring enabled | Checks that GCP Kubernetes clusters have logging and cloud monitoring enabled. |
| GKE Kubernetes Web UI Dashboard should be disabled | Checks that the Kubernetes Web UI Dashboard is disabled in GKE. |
| GKE Metadata Server should be enabled | Checks that GKE Metadata Server is enabled on node pools. |
| GCP Firestore read frequency should be monitored | Checks that GCP Firestore read frequency is being monitored. |
| GCP Firestore write frequency should be monitored | Checks that GCP Firestore write frequency is being monitored. |
| GCP Compute instance CPU utilization should be monitored | Checks that GCP Compute instance CPU utilization is being monitored. |
| GCP Compute instances should be protected from direct internet traffic | Checks that GCP Compute instances are not directly exposed to the internet. |
| GCP Cloud SQL CPU utilization should be monitored | Checks that GCP Cloud SQL CPU utilization is being monitored. |
| GCP Cloud SQL should be encrypted | Checks that GCP Cloud SQL databases are encrypted at rest. |
| GCP Cloud SQL memory utilization should be monitored | Checks that GCP Cloud SQL memory utilization is being monitored. |
| GCP Cloud SQL backup should be enabled | Checks that GCP Cloud SQL automated backups are enabled. |
| GCP Cloud SQL should be protected from direct internet traffic | Checks that GCP Cloud SQL instances are not directly exposed to the internet. |
| GCP Cloud SQL connections should require SSL | Checks that GCP Cloud SQL requires SSL for all connections. |
| GCP Cloud Spanner should be encrypted | Checks that GCP Cloud Spanner databases are encrypted at rest. |
| GCP Bigtable should be encrypted | Checks that GCP Bigtable instances are encrypted at rest. |
| GCP Bigtable CPU utilization should be monitored | Checks that GCP Bigtable CPU utilization is being monitored. |
| GCP Bigtable storage utilization should be monitored | Checks that GCP Bigtable storage utilization is being monitored. |
| GCP Cloud Storage buckets should be protected from direct internet traffic | Checks that GCP Cloud Storage buckets are not publicly accessible. |
| GCP BigQuery datasets should be protected from direct internet traffic | Checks that GCP BigQuery datasets are not publicly accessible. |
| GCP Cloud Storage should have uniform bucket-level access enabled | Checks that GCP Cloud Storage buckets have uniform bucket-level access enabled. |
| GCP BigQuery storage should be encrypted | Checks that GCP BigQuery storage is encrypted at rest. |
| GCP KMS encryption keys should be protected from direct internet traffic | Checks that GCP KMS encryption keys are not directly exposed to the internet. |
| GCP KMS encryption keys should be rotated within 90 days | Checks that GCP KMS encryption keys are rotated within 90 days. |
| GCP essential contacts should be configured | Checks that GCP essential contacts are configured for the project. |
| GCP log sink should be configured for all log entries | Checks that a GCP log sink is configured to capture all log entries. |
| GCP service account keys should only be GCP-managed | Checks that GCP service account keys are GCP-managed only. |
| GCP service account user-managed keys should be rotated every 90 days | Checks that user-managed GCP service account keys are rotated within 90 days. |
| GCP service accounts should not have admin privileges | Checks that GCP service accounts do not have admin-level privileges. |
| GCP service account user role should not be assigned at project level | Checks that the GCP service account user/token creator role is not assigned at the project level. |
| Infrastructure entities should be classified | Checks that all GCP infrastructure entities are classified by criticality. |
| Reported incidents should be closed in DSALTA | Checks that incidents reported in GCP Security Command Center are resolved in DSALTA. |
| Users should be identified | Checks that GCP users are identified and documented. |
| User access to critical systems should be valid | Checks that users with access to critical systems are authorized in GCP. |
| Google Security Command Center vulnerability alerts should be resolved within SLA | Checks that Google Security Command Center vulnerability alerts are resolved within SLA. |

Troubleshooting

Re-authenticate from Integrations → Google Cloud Platform (GCP) → Reconnect. This usually happens when API tokens expire.
Verify the connected account has admin permissions. Try a manual sync from the integration settings.