The 20 essential best practices for production-grade GCP security, organized into 5 categories — IAM, encryption, networking, operations, and compliance. These are the standard implementation patterns for the Zero Trust era.
# 1. SA キー作成禁止 constraints/iam.disableServiceAccountKeyCreation = true # 2. 信頼ドメイン制限 constraints/iam.allowedPolicyMemberDomains = ["example.com"] # 3. VM 外部 IP 制限 constraints/compute.vmExternalIpAccess = DENY # 4. リソースリージョン制限 constraints/gcp.resourceLocations = ["asia-northeast1", "asia-northeast2"] # 5. Uniform Bucket-level Access 強制 constraints/storage.uniformBucketLevelAccess = true # 6. Shielded VM 強制 constraints/compute.requireShieldedVm = true # 7. OS Login 強制 constraints/compute.requireOsLogin = true
| Category | Product |
|---|---|
| Identity | Cloud Identity / Workspace |
| IAM | IAM, PAM, Workload Identity Federation |
| Keys | Cloud KMS, Cloud HSM, Cloud EKM |
| Network | Cloud Armor, VPC SC, Cloud IDS |
| Zero Trust | IAP, BeyondCorp Enterprise, Chrome Enterprise Premium |
| SIEM / Threat Detection | Security Command Center Enterprise (consolidated SCC + Chronicle + Mandiant) |
| Data Protection | Sensitive Data Protection (formerly DLP), Confidential Computing |
| Compliance | Assured Workloads, Access Transparency, Customer Lockbox |
What should be the top GCP security priorities?
1. Eliminate Basic Roles (Owner/Editor) and switch to Predefined Roles. 2. Ban Service Account keys and adopt Workload Identity. 3. Enable VPC SC + CMEK. 4. Turn on all Cloud Audit Logs. 5. Deploy Security Command Center Enterprise.
Is Security Command Center required?
Strongly recommended for production. Standard is free, and Premium is now SCC Enterprise (consolidated in 2024). It bundles a wide range of threat detection and compliance checks into a single platform.
Where should a Zero Trust implementation start?
Start with the combination of Cloud Identity, Endpoint Verification, IAP, Context-Aware Access, and VPC Service Controls. BeyondCorp Enterprise (Chrome Enterprise Premium) provides the integrated package.
Should you never create Service Account keys?
If Workload Identity Federation can replace them, do not create them. Enforce the ban organization-wide with the Organization Policy <code>constraints/iam.disableServiceAccountKeyCreation</code>.
How many encryption options are there?
Google Default (automatic), CMEK (Customer-managed), CSEK (Customer-supplied), Cloud HSM, Cloud EKM (external HSM), and Confidential Computing (encryption in use).
How should PII and sensitive data be handled?
Detect and mask with Sensitive Data Protection (formerly DLP), encrypt with CMEK, prevent exfiltration with VPC SC, and log every access via Audit Logs.
What compliance certifications does GCP support?
ISO 27001 / 27017 / 27018 / 27701, SOC 2/3, PCI DSS, HIPAA BAA, FedRAMP, GDPR, and more. Assured Workloads automates regulatory compliance.
What is the DDoS defense?
Google Front End (GFE) automatically mitigates L3/L4 DDoS, while Cloud Armor (Standard / Plus / Enterprise) covers L7 plus WAF and Adaptive Protection.
Related Security Articles
GCP Professional Cloud Security Engineer (PCSE) 完全ガイド|IAM・KMS・BeyondCorp・SCC
Google Cloud Professional Cloud Security Engineer の試験範囲、IAM / Cloud KMS / VPC Service Controls / BeyondCorp / Security Command Center、AWS SCS・Azure SC-100 比較を詳解。
GCP IAM 完全ガイド|Role 体系・Service Account・Workload Identity・Conditions
Google Cloud IAM の全機能を解説。Primitive / Predefined / Custom Role、Service Account、Workload Identity Federation、IAM Conditions、Organization Policy、PAM、Cloud Identity を網羅。
GCP VPC 設計パターン完全ガイド|Shared VPC・Peering・Cloud NAT・Cloud Armor
Google Cloud VPC のグローバルアーキテクチャ、Shared VPC、VPC Peering、Hierarchical Firewall、Cloud NAT、Cloud Armor、ロードバランサ 7 種類の使い分け、Flow Logs 活用を解説。
GCP PCSE 試験対策|BeyondCorp Enterprise・VPC Service Controls・IAP 詳細ガイド
Google Cloud Professional Cloud Security Engineer (PCSE) のゼロトラスト領域を深掘り。BeyondCorp Enterprise / Chrome Enterprise Premium / VPC Service Controls / IAP / Context-Aware Access を解説。
* Google Cloud is a trademark of Google LLC. For the latest details, see the official GCP security best practices.
Practice with certification-focused question sets
Visit GCP Exam PrepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Google Cloud Certification Roadmap (2026)
Choose your GCP certification path — Foundational, Associate...
CDL Cloud Digital Leader: Complete Exam Guide (2026)
Pass the Cloud Digital Leader exam — cloud business value, G...
GAIL Generative AI Leader: Complete Exam Guide (2026)
Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...
Vertex AI Fundamentals for GCP Certs (2026)
Vertex AI basics every cert candidate needs — Workbench, Pip...
Associate Cloud Engineer (ACE): Complete Guide (2026)
Pass the Associate Cloud Engineer exam — Console, gcloud, pr...