GCP Integration

Connect Google Cloud to ComplyJet for continuous cloud monitoring, automated evidence collection, and audit-ready compliance across SOC 2, ISO 27001, HIPAA, and more.

ComplyJet's Google Cloud integration gives you always-on visibility across your entire GCP estate — compute, storage, databases, serverless, messaging, and identity. The moment you connect your GCP project, ComplyJet begins pulling configuration and runtime state directly from Google Cloud APIs, mapping every signal to 20+ security and privacy frameworks including SOC 2, ISO 27001, HIPAA, and GDPR — and surfacing drift the instant it appears.

Whether you run Compute Engine instances and Cloud SQL, or a cloud-native stack spanning Cloud Run, App Engine, Firestore, and Pub/Sub, ComplyJet turns your entire GCP footprint into a single, always-current source of audit-ready evidence — built for the speed and budgets of SaaS startups.

100% automation coverage
20+ frameworks covered
24/7 continuous monitoring

Compliance automation

How ComplyJet automates SOC 2 / ISO 27001 for GCP

Proving your GCP environment is secure used to mean manually checking firewall rules, bucket permissions, SQL backup settings, and IAM configurations across every project and region — then repeating the process every quarter. Most teams spend weeks collecting this evidence, and it's stale by the time it lands with the auditor.

1. Connect once: Create a GCP Service Account with read-only IAM roles — ComplyJet guides you through the exact permissions required. No user accounts, no write access, takes under 10 minutes.
2. Monitor continuously: ComplyJet polls your GCP projects around the clock, tracking configuration state across compute, storage, databases, messaging, and networking across every region you use.
3. Collect evidence automatically: Every passing and failing check is timestamped and stored as audit evidence — no screenshots, no manual exports, no last-minute prep before an audit.
4. Get alerted on drift: The moment a misconfiguration appears — a bucket opens to public, SSH is exposed, a backup lapses — ComplyJet flags it in real time so your team can remediate before it becomes an audit finding.

The result: your SOC 2 and ISO 27001 evidence is always current, your auditor gets a clean documented trail, and your engineers never have to stop shipping to prepare for a review.

GCP resources

What Resources does ComplyJet sync from GCP?

ComplyJet pulls and monitors the following Google Cloud services in real time.

GCP Compute Engine

Instances, firewall rules, SSH access configuration, VPC network assignment, and CPU utilization alarm coverage.

GCP App Engine

App Engine services, SSH access settings, and CPU utilization alarm coverage.

GCP Cloud Run

Cloud Run services and jobs tracked for inventory and compliance context.

GCP Cloud Storage

Buckets, encryption settings, public access IAM bindings, and versioning or retention policy configuration.

GCP Cloud SQL

Instances, encryption configuration, automated backup settings, and alarm coverage for CPU, memory, storage, and disk I/O.

GCP Cloud Datastore / Firestore

Encryption configuration and request/read/write volume alarm coverage for Datastore and Firestore databases.

GCP Bigtable

Cluster encryption settings and alarm coverage for CPU and storage utilization.

GCP Pub/Sub

Subscriptions and message age alarm configuration to surface processing backlogs.

GCP Cloud Tasks

Task queue configuration tracked for inventory and compliance context.

GCP IAM

User accounts, MFA status, account-to-employee mapping for access reviews.

GCP VPC

Subnets and VPC flow log configuration for network traffic visibility.

Continuous checks

What automated tests does ComplyJet run on GCP?

ComplyJet covers every critical security dimension of your GCP environment — identity, compute, storage, databases, networking, and audit logging — continuously, with every result stored as audit evidence.

Identity & Access
GCP IAM accounts, MFA, account lifecycle

Admin accounts protected with multi-factor authentication: Verifies MFA is enforced on all GCP user accounts with console access.

Cloud access revoked on employee departure: Verifies no active GCP accounts are mapped to former employees.

Shared account use detected and flagged: Ensures every GCP account is linked to exactly one individual.

Compute — Compute Engine & App Engine
VPC assignment, SSH access, public ports, CPU monitoring

Compute Engine instances assigned to a VPC network: Verifies every instance is attached to a VPC — no instances running outside a defined network boundary.

Public internet access limited to required ports: Checks that firewall rules restrict inbound public traffic on Compute Engine to only necessary ports.

Remote shell access blocked from public internet: Verifies SSH is not reachable from public IP ranges on Compute Engine instances and App Engine services.

CPU utilization monitored and alarmed: Confirms alert policies are active for CPU utilization on Compute Engine instances and App Engine services.
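
The two firewall checks above (public ports limited, SSH not reachable from the internet) can be reproduced over exported firewall rules. This is an added example, not ComplyJet's code: the rules are constructed samples using the Compute Engine firewall resource fields, and the any-source definition of "public" and the approved-port list are assumptions.

```python
# Constructed firewall rules in the shape of the Compute Engine API
# firewall resource (direction, sourceRanges, allowed, disabled).
SAMPLE_RULES = [
    {"name": "allow-web", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    {"name": "allow-ssh-office", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-tcp-any", "direction": "INGRESS", "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp"}]},
]

ANY_SOURCE = {"0.0.0.0/0", "::/0"}   # assumption: "public" means any-source
APPROVED_PUBLIC_PORTS = {80, 443}    # assumption: this team's allow-list

def public_tcp_ports(rule):
    """TCP ports an enabled, any-source ingress rule admits (empty set if none)."""
    if (rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled")
            or not ANY_SOURCE & set(rule.get("sourceRanges", []))):
        return set()
    ports = set()
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "6", "all"):
            continue
        # An allow entry with no ports list applies to every port.
        for spec in entry.get("ports") or ["1-65535"]:
            low, _, high = spec.partition("-")
            ports.update(range(int(low), int(high or low) + 1))
    return ports

def evaluate(rules):
    """Map rule name -> failed checks; rules that pass both checks are omitted."""
    findings = {}
    for rule in rules:
        ports = public_tcp_ports(rule)
        issues = []
        if 22 in ports:
            issues.append("ssh-open-to-internet")
        if ports - APPROVED_PUBLIC_PORTS - {22}:
            issues.append("unapproved-public-port")
        if issues:
            findings[rule["name"]] = issues
    return findings
```

Port ranges such as 20-25 and allow entries with no port list are the cases a literal match on "22" misses, which is why the ports are expanded before testing.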

Cloud Storage
Encryption, public access, versioning

Storage buckets encrypted at rest: Verifies server-side encryption is configured on every Cloud Storage bucket in scope.

Public bucket access restricted: Confirms no IAM bindings allow public or all-authenticated-user access on any bucket.

Object version history or retention policy enabled: Checks that versioning or a retention policy is configured on each bucket so objects can be recovered.
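
The public-access and recoverability checks above, applied to bucket metadata and IAM policies, as an added example that is not ComplyJet's code. The buckets, project and account names are constructed; the field names follow the Cloud Storage JSON API bucket resource and IAM policy format.

```python
# The two principals that make a binding public: anyone on the internet,
# and anyone signed in with any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed buckets: bucket metadata plus the bucket's IAM policy under "iam".
SAMPLE_BUCKETS = [
    {"name": "app-assets", "versioning": {"enabled": True},
     "iam": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"name": "audit-exports",
     "retentionPolicy": {"retentionPeriod": "31536000"},  # seconds, sent as a string
     "iam": {"bindings": [
         {"role": "roles/storage.objectAdmin",
          "members": ["serviceAccount:exporter@example-project.iam.gserviceaccount.com"]}]}},
    {"name": "scratch", "versioning": {"enabled": False},
     "iam": {"bindings": [
         {"role": "roles/storage.legacyBucketReader",
          "members": ["group:eng@example.com", "allAuthenticatedUsers"]}]}},
]

def public_bindings(policy):
    """(role, member) pairs that grant access to a public principal."""
    return [(binding["role"], member)
            for binding in policy.get("bindings", [])
            for member in binding.get("members", [])
            if member in PUBLIC_MEMBERS]

def recoverable(bucket):
    """True if versioning is on or a retention policy has a non-zero period."""
    versioned = bucket.get("versioning", {}).get("enabled", False)
    period = bucket.get("retentionPolicy", {}).get("retentionPeriod", 0)
    return bool(versioned) or int(period) > 0

def evaluate_bucket(bucket):
    """Per-bucket result: pass/fail for each check plus the offending bindings."""
    exposed = public_bindings(bucket.get("iam", {}))
    return {
        "bucket": bucket["name"],
        "public_access_restricted": not exposed,
        "public_bindings": exposed,
        "recoverable": recoverable(bucket),
    }
```

Keeping the offending role and member in the result shows the reviewer which binding to remove instead of only that the bucket failed.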

Cloud SQL
Encryption, backups, CPU, memory, storage, disk I/O monitoring

Cloud SQL encrypted at rest: Verifies encryption is configured on every Cloud SQL instance in scope.

Cloud SQL daily automated backups enabled: Confirms automated backups are active on every Cloud SQL instance.

CPU, memory, storage, and disk I/O monitored and alarmed: Checks alert policies are active for all key performance metrics on each Cloud SQL instance.

NoSQL Databases — Datastore, Firestore, Bigtable
Encryption, request/read/write volume monitoring, cluster performance

Cloud Datastore encrypted at rest: Confirms encryption is enabled on Datastore (GCP encrypts by default — ComplyJet verifies the setting is active).

Cloud Datastore request volume monitored and alarmed: Checks an alert policy is active for request count on Datastore.

Firestore encrypted at rest: Confirms encryption is enabled on Firestore databases.

Firestore read and write volume monitored and alarmed: Verifies alert policies are active for read and write operations on Firestore.

Bigtable clusters encrypted at rest: Verifies encryption is configured on every Bigtable cluster.

Bigtable CPU and storage utilization monitored and alarmed: Checks alert policies are active for CPU and storage utilization on each Bigtable cluster.

Networking, Messaging & Audit
VPC flow logs, Pub/Sub queue health, log retention

VPC flow logs enabled for network visibility: Confirms VPC flow logs are active on subnets so network traffic can be audited.

Pub/Sub message queue processing delays alarmed: Checks an alert policy is active for message age on Pub/Sub subscriptions to catch processing backlogs.

Audit log retention configured for at least one year: Verifies a log sink with sufficient retention exists so audit logs are preserved for compliance requirements.

Setup

How to Integrate GCP with ComplyJet

Takes under 10 minutes. No code required — just a read-only Service Account key.

1. Log in to ComplyJet and go to Integrations: Find GCP in the integrations list and click Connect.
2. Create a read-only Service Account in GCP: ComplyJet provides the exact IAM roles to assign — read-only Viewer and monitoring roles scoped to the services being monitored. No write access is required.
3. Download the Service Account key and upload it to ComplyJet: ComplyJet validates the connection and confirms which GCP projects are in scope for monitoring.
4. ComplyJet begins syncing immediately: Your GCP resources appear in the inventory within minutes, automated checks start running, and evidence collection begins.

Need help connecting multiple GCP projects or organisations? Reach out to our support team.

Framework coverage

What Controls Are Automated Across SOC 2 / ISO 27001 / HIPAA

ComplyJet maps every GCP check to the relevant framework controls and maintains an always-current evidence record for your auditor.

SOC 2
Logical access, network security, monitoring, audit trail, availability

CC6.1 - Logical access security: MFA enforcement across GCP IAM accounts, access revocation on termination, unique account assignment.

CC6.6 - Network access restrictions: Compute Engine public port restrictions, SSH blocked on Compute Engine and App Engine, VPC assignment enforced.

CC6.8 - Detection and prevention of unauthorized access: public bucket access blocked, VPC flow logs enabled.

CC7.1 - System monitoring: alert policy coverage across Compute Engine, App Engine, Cloud SQL, NoSQL databases, and Pub/Sub.

CC8.1 - Change management audit trail: log sink configured with at least one year of retention.

A1.2 - Recovery and availability: Cloud SQL daily backups, Cloud Storage versioning or retention policy.

ISO 27001
Access control, authentication, logging, network security, cryptography, backup

A.5.15 - Access control: MFA enforcement, account uniqueness, access revocation on departure.

A.5.17 - Authentication information: MFA required on all GCP accounts, account lifecycle enforced.

A.8.6 - Capacity management: performance alarms for Compute Engine, App Engine, Cloud SQL, Bigtable, Datastore, Firestore, and Pub/Sub.

A.8.15 - Logging: log sink with minimum one-year retention ensures audit logs are durably preserved.

A.8.20 - Network security: Compute Engine VPC assignment, public port restrictions, SSH blocked, VPC flow logs enabled.

A.8.24 - Use of cryptography: encryption at rest for Cloud Storage, Cloud SQL, Datastore, Firestore, and Bigtable.

A.8.32 - Information backup: Cloud SQL daily automated backups, Cloud Storage versioning or retention policy.

HIPAA
Access control, encryption, audit controls, integrity, transmission security

§164.312(a)(1) - Access control: MFA enforcement, unique user identification, access revocation on termination.

§164.312(a)(2)(i) - Unique user identification: each GCP account linked to one individual, shared accounts flagged.

§164.312(a)(2)(iv) - Encryption and decryption: encryption at rest across Cloud Storage, Cloud SQL, and all NoSQL database services.

§164.312(b) - Audit controls: log sink with one-year minimum retention ensures audit activity is preserved.

§164.312(c)(2) - Integrity: Cloud Storage versioning or retention policy, Cloud SQL daily automated backups.

§164.312(e)(2)(ii) - Transmission security: SSH blocked on Compute Engine and App Engine, public port restrictions enforced.