Google Cloud

Top 20 GCP Security Best Practices: Zero Trust, CMEK, VPC SC, SCC

2026-05-24
NicheeLab Editorial Team

The 20 essential best practices for production-grade GCP security, organized into 5 categories — IAM, encryption, networking, operations, and compliance. These are the standard implementation patterns for the Zero Trust era.

IAM (5 items)

  1. Ban Basic Roles (Owner/Editor/Viewer): switch to Predefined Roles + Custom Roles in production
  2. Workload Identity Federation: fully eliminate SA key creation
  3. Google Group-based IAM: never grant directly to individual users (prevents access leaks when staff leave)
  4. SA Impersonation: temporarily borrow another SA's permissions (no key required)
  5. Privileged Access Manager (PAM): Just-in-time privileged roles with approval workflow

Encryption and Key Management (4 items)

  1. Apply CMEK across all services: GCS, BQ, Compute, Spanner, Pub/Sub, and more
  2. Cloud HSM / EKM: mandatory for finance, healthcare, and regulated industries
  3. Automatic key rotation: 90 days recommended
  4. Confidential Computing: encrypt VM/GKE memory too (encryption in use)

Networking (4 items)

  1. VPC Service Controls: protect the API layer of BigQuery, GCS, and similar services with a Perimeter
  2. Private Google Access + Restricted VIP: access Google APIs without an external IP
  3. Cloud Armor (Plus / Enterprise): WAF + DDoS + Adaptive Protection
  4. Hierarchical Firewall Policy: enforce minimum rules at the organization/folder level

Zero Trust (3 items)

  1. Identity-Aware Proxy (IAP): gate web/SSH traffic with OAuth + Context-Aware authentication
  2. BeyondCorp Enterprise: Endpoint Verification + Context-Aware Access integrated
  3. Chrome Enterprise Premium: browser-layer DLP + Threat Prevention

Operations and Monitoring (2 items)

  1. Enable all Cloud Audit Logs: export to BQ including Data Access Logs and retain long-term
  2. Security Command Center Enterprise: SIEM (Chronicle) + integrated threat detection

Compliance (2 items)

  1. Assured Workloads: automate regulatory compliance for HIPAA, FedRAMP, EU Sovereign, and more
  2. Sensitive Data Protection (formerly DLP): auto-detection of PII + masking + tokenization

Essential Organization Policy Examples

# 1. SA キー作成禁止
constraints/iam.disableServiceAccountKeyCreation = true

# 2. 信頼ドメイン制限
constraints/iam.allowedPolicyMemberDomains = ["example.com"]

# 3. VM 外部 IP 制限
constraints/compute.vmExternalIpAccess = DENY

# 4. リソースリージョン制限
constraints/gcp.resourceLocations = ["asia-northeast1", "asia-northeast2"]

# 5. Uniform Bucket-level Access 強制
constraints/storage.uniformBucketLevelAccess = true

# 6. Shielded VM 強制
constraints/compute.requireShieldedVm = true

# 7. OS Login 強制
constraints/compute.requireOsLogin = true

Security Product Map (2026)

CategoryProduct
IdentityCloud Identity / Workspace
IAMIAM, PAM, Workload Identity Federation
KeysCloud KMS, Cloud HSM, Cloud EKM
NetworkCloud Armor, VPC SC, Cloud IDS
Zero TrustIAP, BeyondCorp Enterprise, Chrome Enterprise Premium
SIEM / Threat DetectionSecurity Command Center Enterprise (consolidated SCC + Chronicle + Mandiant)
Data ProtectionSensitive Data Protection (formerly DLP), Confidential Computing
ComplianceAssured Workloads, Access Transparency, Customer Lockbox

Integrated Zero Trust Architecture

  1. Require SSO + 2FA + FIDO2 in Cloud Identity
  2. Collect device posture with Endpoint Verification
  3. Define Access Levels in Access Context Manager
  4. Gate web and SSH traffic with IAP
  5. Prevent BQ/GCS API exfiltration with VPC SC
  6. Cover external-facing WAF + DDoS with Cloud Armor
  7. Gain end-to-end visibility + threat detection via SCC Enterprise
  8. Aggregate all logs and run detections in Chronicle SIEM

What should be the top GCP security priorities?

1. Eliminate Basic Roles (Owner/Editor) and switch to Predefined Roles. 2. Ban Service Account keys and adopt Workload Identity. 3. Enable VPC SC + CMEK. 4. Turn on all Cloud Audit Logs. 5. Deploy Security Command Center Enterprise.

Is Security Command Center required?

Strongly recommended for production. Standard is free, and Premium is now SCC Enterprise (consolidated in 2024). It bundles a wide range of threat detection and compliance checks into a single platform.

Where should a Zero Trust implementation start?

Start with the combination of Cloud Identity, Endpoint Verification, IAP, Context-Aware Access, and VPC Service Controls. BeyondCorp Enterprise (Chrome Enterprise Premium) provides the integrated package.

Should you never create Service Account keys?

If Workload Identity Federation can replace them, do not create them. Enforce the ban organization-wide with the Organization Policy <code>constraints/iam.disableServiceAccountKeyCreation</code>.

How many encryption options are there?

Google Default (automatic), CMEK (Customer-managed), CSEK (Customer-supplied), Cloud HSM, Cloud EKM (external HSM), and Confidential Computing (encryption in use).

How should PII and sensitive data be handled?

Detect and mask with Sensitive Data Protection (formerly DLP), encrypt with CMEK, prevent exfiltration with VPC SC, and log every access via Audit Logs.

What compliance certifications does GCP support?

ISO 27001 / 27017 / 27018 / 27701, SOC 2/3, PCI DSS, HIPAA BAA, FedRAMP, GDPR, and more. Assured Workloads automates regulatory compliance.

What is the DDoS defense?

Google Front End (GFE) automatically mitigates L3/L4 DDoS, while Cloud Armor (Standard / Plus / Enterprise) covers L7 plus WAF and Adaptive Protection.

Related Security Articles

GCP Professional Cloud Security Engineer (PCSE) 完全ガイド|IAM・KMS・BeyondCorp・SCC

Google Cloud Professional Cloud Security Engineer の試験範囲、IAM / Cloud KMS / VPC Service Controls / BeyondCorp / Security Command Center、AWS SCS・Azure SC-100 比較を詳解。

GCP IAM 完全ガイド|Role 体系・Service Account・Workload Identity・Conditions

Google Cloud IAM の全機能を解説。Primitive / Predefined / Custom Role、Service Account、Workload Identity Federation、IAM Conditions、Organization Policy、PAM、Cloud Identity を網羅。

GCP VPC 設計パターン完全ガイド|Shared VPC・Peering・Cloud NAT・Cloud Armor

Google Cloud VPC のグローバルアーキテクチャ、Shared VPC、VPC Peering、Hierarchical Firewall、Cloud NAT、Cloud Armor、ロードバランサ 7 種類の使い分け、Flow Logs 活用を解説。

GCP PCSE 試験対策|BeyondCorp Enterprise・VPC Service Controls・IAP 詳細ガイド

Google Cloud Professional Cloud Security Engineer (PCSE) のゼロトラスト領域を深掘り。BeyondCorp Enterprise / Chrome Enterprise Premium / VPC Service Controls / IAP / Context-Aware Access を解説。

* Google Cloud is a trademark of Google LLC. For the latest details, see the official GCP security best practices.

Check what you learned with practice questions

Practice with certification-focused question sets

Visit GCP Exam Prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Google Cloud

Google Cloud Certification Roadmap (2026)

Choose your GCP certification path — Foundational, Associate...

Google Cloud

CDL Cloud Digital Leader: Complete Exam Guide (2026)

Pass the Cloud Digital Leader exam — cloud business value, G...

Google Cloud

GAIL Generative AI Leader: Complete Exam Guide (2026)

Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...

Google Cloud

Vertex AI Fundamentals for GCP Certs (2026)

Vertex AI basics every cert candidate needs — Workbench, Pip...

Google Cloud

Associate Cloud Engineer (ACE): Complete Guide (2026)

Pass the Associate Cloud Engineer exam — Console, gcloud, pr...

Browse all Google Cloud articles (103)
© 2026 NicheeLab All rights reserved.