
GCP integration guide

Last updated on Jan 29, 2026

Overview

Humadroid's GCP integration automatically collects compliance evidence from your Google Cloud Platform infrastructure. Once connected, it continuously monitors your GCP environment and gathers evidence that satisfies controls in the SOC 2 and ISO 27001 compliance frameworks.

Key Benefits

  • Automated evidence collection - No more manual screenshots or exports

  • Compliance-focused collection - Evidence collected on schedule (weekly or monthly)

  • Auto-verification - Many evidence sources are automatically checked against compliance rules

  • Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001

Security Model

  • Read-only access - Humadroid cannot modify your GCP resources

  • Service Account authentication - Secure credential handling with least-privilege permissions

  • Encrypted credential storage - Service account keys encrypted at rest

  • Full audit trail - All API calls logged in your Cloud Audit Logs


Evidence Sources

The GCP integration collects 15 distinct evidence types across six categories:

Identity & Access Management

IAM Policy

  • Description: Documents IAM policy bindings and role assignments across the project

  • Frequency: Monthly

  • Auto-Verify: Yes

IAM Service Accounts

  • Description: Inventories all service accounts with keys and usage patterns

  • Frequency: Monthly

  • Auto-Verify: Yes

IAM MFA Status

  • Description: Verifies multi-factor authentication enforcement for users

  • Frequency: Monthly

  • Auto-Verify: Yes

Logging & Monitoring

Audit Logs Status

  • Description: Verifies Cloud Audit Logs are enabled and properly configured

  • Frequency: Monthly

  • Auto-Verify: Yes

Audit Log Events

  • Description: Audit trail of API calls and administrative events

  • Frequency: Monthly

  • Auto-Verify: No

Monitoring Alerts

  • Description: Cloud Monitoring alert policies configuration

  • Frequency: Monthly

  • Auto-Verify: Yes

VPC Flow Logs

  • Description: Network traffic logging configuration for VPCs

  • Frequency: Monthly

  • Auto-Verify: Yes

Security Services

Security Findings

  • Description: Security Command Center findings and threat detection

  • Frequency: Weekly

  • Auto-Verify: No

Network Security

Firewall Rules

  • Description: VPC firewall rules configuration and security analysis

  • Frequency: Monthly

  • Auto-Verify: Yes

Encryption & Data Protection

Storage Encryption

  • Description: Verifies Cloud Storage buckets have encryption enabled

  • Frequency: Monthly

  • Auto-Verify: Yes

Storage Public Access

  • Description: Verifies Cloud Storage buckets block public access

  • Frequency: Monthly

  • Auto-Verify: Yes

SQL Encryption

  • Description: Verifies Cloud SQL instances have encryption enabled

  • Frequency: Monthly

  • Auto-Verify: Yes

Compute Encryption

  • Description: Verifies Compute Engine disks are encrypted

  • Frequency: Monthly

  • Auto-Verify: Yes

KMS Key Rotation

  • Description: Verifies Cloud KMS keys are configured for automatic rotation

  • Frequency: Monthly

  • Auto-Verify: Yes

Backup & Recovery

SQL Backups

  • Description: Cloud SQL backup execution and configuration monitoring

  • Frequency: Weekly

  • Auto-Verify: Yes


SOC 2 Control Coverage

The GCP integration provides evidence for the following SOC 2 (2017) Trust Services Criteria:

CC6 - Logical and Physical Access Controls

CC6.1 - Logical Access Security

The entity implements logical access security software, infrastructure, and architectures to protect information assets

  • IAM Policy - Access policies enforce least-privilege principles

  • IAM MFA Status - Multi-factor authentication is enforced

  • IAM Service Accounts - Service account credentials are properly managed

  • Storage Encryption - Data at rest is encrypted

  • SQL Encryption - Databases are encrypted

  • Compute Encryption - Compute disks are encrypted

  • KMS Key Rotation - Encryption keys are properly rotated

CC6.2 - User Registration and Authorization

Prior to issuing system credentials and granting access, the entity registers and authorizes new users

  • IAM Policy - Complete inventory of users with access and role bindings

  • IAM Service Accounts - Service account creation and authorization records

CC6.3 - Removal of Access Rights

The entity removes credentials and disables system access when no longer required

  • Audit Log Events - Access revocation events are logged

  • IAM Service Accounts - Inactive or unused service accounts identified

CC6.6 - Logical Access Security Measures

The entity implements controls to prevent or detect and act upon unauthorized logical access

  • Firewall Rules - VPC firewall rules restrict access appropriately

  • VPC Flow Logs - Network traffic is monitored

  • Storage Public Access - Storage buckets are not publicly exposed

CC6.7 - Data Transmission Controls

The entity restricts transmission and movement of data

  • Storage Encryption - Data is encrypted during storage and transfer

  • SQL Encryption - Database data is encrypted

  • Compute Encryption - Compute disks are encrypted

  • KMS Key Rotation - Encryption keys are managed securely

CC7 - System Operations

CC7.1 - Security Monitoring

The entity monitors system components for anomalies and security events

  • Security Findings - Security Command Center detects threats

  • Monitoring Alerts - Alerts are configured for security events

CC7.2 - Security Event Logging

The entity identifies and logs security events

  • Audit Logs Status - Audit logging is properly configured

  • Audit Log Events - Security events are recorded

  • VPC Flow Logs - Network activity is logged

CC7.3 - Security Incident Response

The entity evaluates security events and responds to identified incidents

  • Security Findings - Threats are detected and tracked

  • Monitoring Alerts - Incident alerts are configured

CC7.4 - Security Alerting

The entity implements alerting mechanisms for security events

  • Monitoring Alerts - Alert policies are configured and active

CC8 - Change Management

CC8.1 - Change Management

The entity authorizes, documents, and controls infrastructure changes

  • Audit Log Events - Infrastructure changes are logged

A1 - Availability

A1.2 - Recovery Procedures

The entity's recovery procedures support system recovery in accordance with recovery objectives

  • SQL Backups - Database backups are maintained and executed successfully

ISO 27001:2022 Control Coverage

The GCP integration provides evidence for the following ISO 27001:2022 Annex A controls:

A.5 - Organizational Controls

A.5.15 - Access Control

Rules to control physical and logical access to information and other associated assets shall be established and implemented

  • IAM Policy - Access policies enforce security requirements

  • IAM MFA Status - Strong authentication is required

  • IAM Service Accounts - Service account access is managed

  • Firewall Rules - Network access is controlled

A.5.16 - Identity Management

The full life cycle of identities shall be managed

  • IAM Policy - Complete inventory of identities

  • IAM Service Accounts - Service account lifecycle management

A.5.17 - Authentication Information

Allocation and management of authentication information shall be controlled

  • IAM MFA Status - MFA is properly configured

  • IAM Service Accounts - Service account keys are managed

A.5.18 - Access Rights

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed

  • IAM Service Accounts - Service account access is reviewed

  • Audit Log Events - Access changes are logged

A.5.23 - Cloud Services Security

Processes for acquisition, use, management and exit from cloud services shall be established

  • Security Findings - Cloud threat detection is active

  • Audit Logs Status - Cloud activity is logged

A.8 - Technological Controls

A.8.3 - Information Access Restriction

Access to information and other associated assets shall be restricted

  • Storage Public Access - Data is not publicly accessible

  • Firewall Rules - Network access is restricted

A.8.9 - Configuration Management

Configurations, including security configurations, shall be established, documented, implemented, monitored and reviewed

  • Firewall Rules - Security configurations are documented

A.8.12 - Data Leakage Prevention

Data leakage prevention measures shall be applied

  • Storage Public Access - Public exposure is prevented

  • Security Findings - Data exfiltration attempts are detected

  • VPC Flow Logs - Data transfers are monitored

A.8.13 - Information Backup

Backup copies of information, software and systems shall be maintained and regularly tested

  • SQL Backups - Backups are executed regularly

A.8.15 - Logging

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed

  • Audit Logs Status - API activity is logged

  • VPC Flow Logs - Network activity is logged

  • Monitoring Alerts - Logs are monitored for anomalies

A.8.16 - Monitoring Activities

Networks, systems and applications shall be monitored for anomalous behaviour

  • Security Findings - Threat monitoring is active

  • Monitoring Alerts - System monitoring is configured

A.8.20 - Networks Security

Networks and network devices shall be secured, managed and controlled

  • Firewall Rules - Network security rules are configured

  • VPC Flow Logs - Network traffic is monitored

A.8.24 - Use of Cryptography

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented

  • Storage Encryption - Cloud Storage is encrypted

  • SQL Encryption - Databases are encrypted

  • Compute Encryption - Compute disks are encrypted

  • KMS Key Rotation - Encryption keys are rotated


Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

IAM Policy

  • Overly permissive roles: Flagged

  • Primitive roles (Owner/Editor): Flagged for review

  • External members: Documented

IAM Service Accounts

  • Maximum key age: 90 days

  • Unused service accounts: Flagged

  • User-managed keys: Documented

IAM MFA Status

  • MFA enforcement: Required

  • Organization policy: Should enforce MFA

Audit Logs Status

  • Admin Activity logs: Required (always on)

  • Data Access logs: Recommended

  • Log retention: 400+ days recommended

Storage Security

  • All buckets encrypted: Required (default in GCP)

  • Customer-managed keys (CMEK): Recommended

  • Public access blocked: Required

  • Uniform bucket-level access: Recommended

SQL Security

  • All instances encrypted: Required

  • Automated backups enabled: Required

  • Backup retention period: 7+ days

  • SSL/TLS required: Recommended

Network Security

  • No open SSH (0.0.0.0/0:22): Required

  • No open RDP (0.0.0.0/0:3389): Required

  • VPC Flow Logs enabled: Required

  • Default deny rules: Recommended

KMS Key Rotation

  • Automatic rotation enabled: Required

  • Rotation period: 90 days recommended
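
The Network Security and KMS Key Rotation thresholds above, expressed as offline checks a reviewer can run against exported configuration; this is an added example, not Humadroid's code or code from this page. It assumes records in the shape that `gcloud compute firewall-rules list --format=json` and `gcloud kms keys list --format=json` emit (standard API fields `sourceRanges`, `allowed`, `IPProtocol`, `ports`, `disabled`, `direction`, `rotationPeriod`); the sample records are constructed.

```python
# Thresholds from the Verification Rules section (Network Security, KMS Key Rotation).
OPEN_RANGE = "0.0.0.0/0"
FLAGGED_PORTS = {22: "SSH", 3389: "RDP"}
MAX_ROTATION_SECONDS = 90 * 86400  # "Rotation period: 90 days recommended"

def _port_matches(spec, port):
    """True if a gcloud port spec ("22" or "20-25") covers `port`."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def open_admin_ports(rules):
    """(rule name, service) for each enabled INGRESS rule allowing SSH/RDP from 0.0.0.0/0."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if OPEN_RANGE not in rule.get("sourceRanges", []):
            continue
        for allow in rule.get("allowed", []):
            if allow.get("IPProtocol", "").lower() not in ("tcp", "all"):
                continue
            specs = allow.get("ports") or ["0-65535"]  # no `ports` list => every port
            for port, service in FLAGGED_PORTS.items():
                if any(_port_matches(s, port) for s in specs):
                    findings.append((rule["name"], service))
    return findings

def kms_rotation_status(key):
    """(auto-rotation enabled, period at most 90 days); `rotationPeriod` like "7776000s"."""
    period = key.get("rotationPeriod")  # absent when automatic rotation is off
    if period is None:
        return (False, False)
    return (True, float(period.rstrip("s")) <= MAX_ROTATION_SECONDS)

# Constructed sample records in the shape gcloud emits (not real project output).
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-high-ports", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-ssh-office", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "legacy-open-all", "disabled": True, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]
SAMPLE_KMS_KEYS = [
    {"name": "keys/rotated-quarterly", "rotationPeriod": "7776000s"},
    {"name": "keys/rotated-yearly", "rotationPeriod": "31536000s"},
    {"name": "keys/never-rotated"},
]
```

The range rule `allow-high-ports` is flagged because 3000-4000 covers 3389, and the disabled all-protocol rule is skipped even though it would otherwise match both ports.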

Security Services

  • Security Command Center enabled: Recommended

  • Cloud Monitoring alerts configured: Recommended


Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source

IAM Policy

  • CC6.1: Yes

  • CC6.2: Yes

IAM Service Accounts

  • CC6.1: Yes

  • CC6.2: Yes

  • CC6.3: Yes

IAM MFA Status

  • CC6.1: Yes

Audit Logs Status

  • CC7.2: Yes

Audit Log Events

  • CC6.3: Yes

  • CC7.2: Yes

  • CC8.1: Yes

Monitoring Alerts

  • CC7.1: Yes

  • CC7.3: Yes

  • CC7.4: Yes

VPC Flow Logs

  • CC6.6: Yes

  • CC7.2: Yes

Security Findings

  • CC7.1: Yes

  • CC7.3: Yes

Firewall Rules

  • CC6.6: Yes

Storage Encryption

  • CC6.1: Yes

  • CC6.7: Yes

Storage Public Access

  • CC6.6: Yes

SQL Encryption

  • CC6.1: Yes

  • CC6.7: Yes

Compute Encryption

  • CC6.1: Yes

  • CC6.7: Yes

KMS Key Rotation

  • CC6.1: Yes

  • CC6.7: Yes

SQL Backups

  • A1.2: Yes

ISO 27001 Controls by Evidence Source

IAM Policy

  • A.5.15: Yes

  • A.5.16: Yes

IAM Service Accounts

  • A.5.15: Yes

  • A.5.16: Yes

  • A.5.17: Yes

  • A.5.18: Yes

IAM MFA Status

  • A.5.15: Yes

  • A.5.17: Yes

Audit Logs Status

  • A.5.23: Yes

  • A.8.15: Yes

Audit Log Events

  • A.5.18: Yes

Monitoring Alerts

  • A.8.15: Yes

  • A.8.16: Yes

VPC Flow Logs

  • A.8.12: Yes

  • A.8.15: Yes

  • A.8.20: Yes

Security Findings

  • A.5.23: Yes

  • A.8.12: Yes

  • A.8.16: Yes

Firewall Rules

  • A.5.15: Yes

  • A.8.3: Yes

  • A.8.9: Yes

  • A.8.20: Yes

Storage Encryption

  • A.8.24: Yes

Storage Public Access

  • A.8.3: Yes

  • A.8.12: Yes

SQL Encryption

  • A.8.24: Yes

Compute Encryption

  • A.8.24: Yes

KMS Key Rotation

  • A.8.24: Yes

SQL Backups

  • A.8.13: Yes

Getting Started

To set up the GCP integration:

  1. Navigate to Settings > Integrations > GCP

  2. Click Connect GCP Project

  3. Follow the setup wizard to create a Service Account in your GCP project

  4. Download and upload the Service Account JSON key

  5. Validate the connection

  6. Enable evidence sources for your compliance controls

For detailed setup instructions, see the GCP Setup Guide.


GCP Permissions Required

The integration requires read-only permissions via a Service Account with the following roles:

Recommended Roles

  • Security Reviewer (roles/iam.securityReviewer)

  • Viewer (roles/viewer)

  • Cloud Asset Viewer (roles/cloudasset.viewer)

Core Permissions

resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.get
iam.roles.list
logging.logEntries.list
logging.sinks.list
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.get
cloudkms.keyRings.list
storage.buckets.list
storage.buckets.get
storage.buckets.getIamPolicy
cloudsql.instances.list
cloudsql.backupRuns.list
compute.instances.list
compute.disks.list
compute.firewalls.list
compute.subnetworks.list
compute.networks.list
securitycenter.findings.list
securitycenter.sources.list
monitoring.alertPolicies.list
cloudasset.assets.searchAllResources

GCP Service Feature Matrix

Standard GCP Project

  • IAM policy audit: Yes

  • Service account inventory: Yes

  • Firewall rules audit: Yes

  • Storage encryption check: Yes

  • Storage public access check: Yes

  • Cloud SQL encryption: Yes

  • Cloud SQL backups: Yes

  • Compute disk encryption: Yes

  • KMS key rotation: Yes

  • VPC Flow Logs: Yes

  • Cloud Audit Logs: Yes

  • Security Command Center: Requires activation

  • Cloud Monitoring: Yes

Organization-Level Features

Some features provide enhanced coverage at the organization level:

  • Organization-wide IAM policies

  • Cross-project security findings

  • Centralized audit log aggregation

  • Organization policy constraints

Note: Organization-level features require additional permissions at the organization level.