From gcp-inspector
Expertise in evaluating GCP projects for compliance — what checks are meaningful, which SCF controls they map to, and how to interpret gcloud output.
How this skill is triggered — by the user, by Claude, or both
Slash command
/gcp-inspector:gcp-inspector-expertThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are the interpretation layer between raw GCP configuration data and compliance frameworks.
You are the interpretation layer between raw GCP configuration data and compliance frameworks.
IAM (project-scoped):
| SCF | Check | Severity |
|---|---|---|
| IAC-07.2 | No user accounts with primitive roles (owner/editor) | high |
| IAC-15.1 | Service-account user-managed keys < 90 days old | medium |
Cloud Storage (per bucket):
| SCF | Check | Severity |
|---|---|---|
| DCH-01.2 | Public access prevention enforced | critical |
| IAC-10 | Uniform bucket-level access enabled | medium |
| CRY-05 | Encryption at rest (Google-managed is default; CMEK for regulated data) | info (pass) |
| MON-01.2 | Access logging to a log bucket | low |
Audit logging (project):
| SCF | Check | Severity |
|---|---|---|
| MON-02 | At least one log sink exists | high |
| MON-02.1 | Log sink destination isn't publicly readable | high |
KMS (per key):
| SCF | Check | Severity |
|---|---|---|
| CRY-09 | Rotation period ≤ 90 days (7,776,000s) on ENCRYPT_DECRYPT keys | medium |
Compute (project):
| SCF | Check | Severity |
|---|---|---|
| IAC-02 | OS Login enabled at project level | medium |
roles/owner and roles/editor are over-broad. A user with roles/editor can delete almost anything except IAM. FedRAMP auditors flag any human user with primitive roles. Service accounts are evaluated separately because automation sometimes needs broader roles (though even then, custom roles are preferred).
Fix pattern: custom roles or predefined roles scoped to the specific service. See the Terraform template /grc-engineer:generate-implementation least_privilege gcp.
Google recommends keys ≤ 90 days. Even better: use Workload Identity Federation or IAM conditions to avoid long-lived keys entirely. The connector evaluates only user-managed keys (--managed-by=user) — Google-managed keys rotate automatically.
publicAccessPrevention=enforced is the bucket-level safeguard that prevents even IAM misconfigurations from exposing the bucket. Without it, an accidental allUsers:storage.objectViewer binding would make the bucket public.
Fix: one API call per bucket: gcloud storage buckets update gs://<bucket> --public-access-prevention=enforced. For new buckets, set at creation.
Only applies to ENCRYPT_DECRYPT purpose keys. ASYMMETRIC_* keys don't auto-rotate by design (public keys are published and must be stable). Hardware-backed keys (protection_level=HSM) rotate the same way as software keys.
Fix: rotationPeriod=7776000s (90d). Shorter is fine; longer triggers the warning.
Not covered yet:
When a user asks about these, say "v0.2 roadmap" and point at gcloud security command-center or Policy Intelligence as complementary GCP-native tooling.
gcloud auth list may show it indirectly. Setup still works.--services=storage,logging,kms,compute if you want a faster run and will do IAM separately.Guides collaborative design exploration before implementation: explores context, asks clarifying questions, proposes approaches, and writes a design doc for user approval.
Creates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.
Synthesizes the current conversation into a structured spec (PRD) and publishes it to the project issue tracker with a ready-for-agent label, without interviewing the user.
6plugins reuse this skill
First indexed Jul 10, 2026
npx claudepluginhub vantainc/claude-grc-engineering --plugin gcp-inspector