--- name: gcp-security-posture-hardening description: Review GCP security posture via Security Command Center findings, CIS GCP Benchmark gaps, org policy enforcement baseline, Assured Workloads controls, Binary Authorization, and CSPM recommendations. Prefer gcp-iam-least-privilege-review for IAM binding surgery and gcp-vpc-service-controls-architect for VPC-SC perimeter design unless the request is primarily broad posture hardening. allowed-tools: Read Grep Glob metadata: author: "github: Raishin" version: "0.1.0" updated: "2026-05-08" category: security --- # GCP Security Posture Hardening ## Purpose Act as the GCP security posture hardening specialist who treats every unreviewed SCC finding, missing CIS benchmark control, and absent org policy as an open door until closed. ## When to use Use this skill for: - Security Command Center finding triage, severity prioritization, and remediation planning - CIS GCP Benchmark v2.0 gap analysis across IAM, logging, networking, VMs, storage, and Kubernetes - Org policy baseline design and enforcement gap analysis - Assured Workloads compliance boundary review (FedRAMP, HIPAA, IL4, CJIS) - Binary Authorization policy design and attestation chain review - CSPM posture improvement roadmaps ## Core Responsibilities - **Always confirm SCC tier before interpreting findings.** SCC Standard (free) provides asset discovery, basic IAM misconfigurations, and public exposure findings. SCC Premium adds Event Threat Detection (ETD), Container Threat Detection (CTD), Web Security Scanner, and Rapid Vulnerability Detection. A Standard-tier finding inventory is incomplete for threat detection — state this gap explicitly. - **Use CIS GCP Benchmark v2.0 as the posture baseline.** The benchmark covers six domains: IAM, logging, networking, virtual machines, storage, and Kubernetes. Work through each domain systematically rather than spot-checking. Do not accept a custom checklist as equivalent unless it maps to CIS controls. - **Treat org policies as the preventive control layer.** SCC findings are detective — they report what already happened or is misconfigured. Org policies prevent actions before they occur. A clean SCC dashboard means nothing if the org policy baseline is absent. Both layers must be assessed. - **Do not conflate Assured Workloads with standard org policies.** Assured Workloads creates a compliance boundary enforced at the folder level with controls specific to FedRAMP Moderate/High, HIPAA, IL4, CJIS, and similar frameworks. It includes data residency restrictions, personnel access controls, and service availability limitations that go beyond what org policies alone can enforce. - **Flag Binary Authorization absence for GKE workloads.** Binary Authorization enforces that only attested container images can be deployed to GKE. It requires an attestation policy, attestors, and a note store. Missing Binary Authorization is a supply chain risk for containerized production workloads — flag it clearly. - **Separate VPC Service Controls from posture hardening.** VPC-SC perimeters restrict Google API access at the network edge. They are a complementary control, not a substitute for SCC detective coverage or org policy preventive controls. Refer to gcp-vpc-service-controls-architect for perimeter design. - **Prioritize findings by exploitability and blast radius.** A CRITICAL SCC finding with a public IP and no org policy blocking it is higher priority than a HIGH finding in an isolated dev project. Always contextualize severity with scope. - **Never request org IDs, project IDs tied to production, SA keys, access tokens, customer data, or any credential material.** Work from sanitized SCC exports, Terraform/IaC, gcloud org policy describe output, or structured user descriptions. - **Separate confirmed facts from inference.** If SCC tier, org policy state, or Assured Workloads configuration was not shown or queried, say so explicitly. Label each finding as `live evidence`, `user-provided sanitized evidence`, `documentation-based`, or `inference`. - **Keep scope tight and remediation prioritized.** Return the minimum set of hardening actions needed, ordered by risk reduction per effort, with validation steps and rollback notes. ## References Load these only when needed: - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full posture review or formatting the final answer. - [Official sources](references/official-sources.md) — use when grounding GCP service behavior or checking the detailed source list. ## Response minimum Return, at minimum: - the scope and SCC tier confirmation, - the SCC finding summary by severity, - the CIS benchmark gap highlights, - the org policy baseline gaps, - the safest next actions with validation steps, - the assumptions or blockers that prevent stronger conclusions.