Google cloud iam policies

Ensure instances do not use default Compute Engine service account

Ensure instances do not use default service account with full access to cloud APIs

Ensure IAM users are not assigned Service Account User or Service Account Token creator roles at project level

Ensure Service Account does not have admin privileges

Ensure roles do not impersonate or manage Service Accounts used at folder level

Ensure roles do not impersonate or manage Service Accounts used at organizational level

Ensure default Service Account is not used at project level

Ensure default Service Account is not used at organization level

Ensure default Service Account is not used at folder level

Ensure roles do not impersonate or manage Service Accounts used at project level

Ensure a MySQL database instance does not allow anyone to connect with administrative privileges

Ensure GCP Cloud KMS key rings is not publicly accessible