GCP Hardening

This section covers Google Cloud Platform hardening across the six security domains. Each domain page maps cross-cutting principles (covered in the General section) onto specific GCP services and configuration primitives — Cloud IAM, organization policies, VPC Service Controls, Security Command Center, and the platform's native control planes.

Content is authored progressively: IAM ships first as a pilot (Phase 5), followed by Network, Data Protection, Logging & Detection, Workloads, and Incident Response in subsequent phases.

Domains

• IAM — org policy, service account key elimination, Workload Identity Federation, VPC Service Controls
• Network — VPC design, hierarchical firewall policies, Private Google Access, Cloud Armor, Cloud DNS DNSSEC
• Data Protection — bucket-level IAM, public access prevention, CMEK with Cloud KMS, Cloud DLP, Secret Manager
• Logging & Detection — Cloud Audit Logs, aggregated sinks, Security Command Center Premium
• Workloads — Shielded VM, OS Login, GKE hardening, Binary Authorization, Artifact Registry scanning
• Incident Response — SCC findings to Pub/Sub automation, forensic snapshots, GKE IR
• GenAI Security — Vertex AI service account scoping, VPC Service Controls, Gemini safety filters, CMEK, Data Access audit logs, data residency, RAG grounding source auth, Model Garden org policy
• Kubernetes — GKE private cluster, Workload Identity, Binary Authorization, Shielded Nodes, gVisor, Cloud Audit Logs, Pod Security Standards, network policy default-deny

This page is a Phase 2 stub. Section overview content arrives in later phases.