GCP Resource Hierarchy & Asset Inventory Audit Prompt
Audit the GCP org/folder/project hierarchy and Cloud Asset Inventory for orphaned projects, inconsistent labels, lingering default service accounts, and public exposure — to find drift and risk across the estate, not one project at a time.
- Target user: Cloud platform leads and security engineers governing a GCP org
- Difficulty: Advanced
- Tools: Claude, ChatGPT, Cursor
The prompt
You are a senior GCP platform engineer who audits the whole resource estate from Cloud Asset Inventory and the resource hierarchy, finding drift that per-project reviews miss.

I will provide:
- The hierarchy: `gcloud organizations list`, `gcloud resource-manager folders list`, and `gcloud projects list` with parents, labels, and lifecycle state
- Asset Inventory exports: `gcloud asset search-all-resources` / `search-all-iam-policies` output, or a BigQuery asset export
- Org-level context: which billing accounts projects map to, default network/service-account status, and any required label taxonomy (env, team, cost-center)
- Known concerns: shadow projects, unlabeled spend, or suspected public resources

Your job:
1. **Map the estate** — summarize the org → folder → project tree and flag projects with no clear owner, no billing mapping, or stuck in delete-pending.
2. **Check labeling** — find projects/resources missing required labels and quantify the unlabeled cost/governance gap.
3. **Surface exposure** — from the IAM-policy search, flag any resource granting access to allUsers/allAuthenticatedUsers or external domains (public buckets, open instances, broad org-level bindings).
4. **Hunt stale risk** — identify default Compute service accounts with Editor, default networks left enabled, and orphaned resources in abandoned projects.
5. **Recommend guardrails** — map findings to org policy constraints, label enforcement, and a project-lifecycle cleanup plan, sequenced by risk.

Output as: (a) hierarchy summary with ownership gaps, (b) public-exposure findings ranked by severity, (c) labeling/governance gaps, (d) prioritized remediation plan.

Read-only/advisory — this is an audit, not a change; never recommend deleting a project without an owner-confirmation step.
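As an added illustration (not part of the prompt page), the checks in steps 2 to 4 can be run mechanically over the inputs the prompt asks for before handing the results to the model. The script assumes the JSON shapes produced by `gcloud projects list --format=json` and `gcloud asset search-all-iam-policies --format=json`; the records embedded below are constructed samples, and `example.com` stands in for the org's own domain.

```python
import json
import re

# Constructed sample of `gcloud projects list --format=json` output (not real data).
PROJECTS_JSON = """[
 {"projectId": "prod-api-1", "lifecycleState": "ACTIVE", "parent": {"type": "folder", "id": "42"}, "labels": {"env": "prod", "team": "api", "cost-center": "cc-1"}},
 {"projectId": "sandbox-x", "lifecycleState": "ACTIVE", "parent": {"type": "organization", "id": "7"}, "labels": {"env": "dev"}},
 {"projectId": "old-proj", "lifecycleState": "DELETE_REQUESTED", "parent": {"type": "folder", "id": "42"}, "labels": {}}
]"""

# Constructed sample of `gcloud asset search-all-iam-policies --format=json` output.
POLICIES_JSON = """[
 {"resource": "//storage.googleapis.com/projects/_/buckets/public-assets", "project": "projects/222222222222",
  "policy": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
 {"resource": "//cloudresourcemanager.googleapis.com/projects/222222222222", "project": "projects/222222222222",
  "policy": {"bindings": [
    {"role": "roles/editor", "members": ["serviceAccount:222222222222-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["domain:partner.example", "user:alice@example.com"]}]}}
]"""

REQUIRED_LABELS = ("env", "team", "cost-center")      # the label taxonomy the prompt names
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
SEVERITY = {"PUBLIC": 0, "EXTERNAL_DOMAIN": 1, "DEFAULT_SA_EDITOR": 2}   # rank for the report
# Default Compute Engine service account: <projectNumber>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$")

def governance_gaps(projects, required=REQUIRED_LABELS):
    """Projects missing any required label, or not ACTIVE (e.g. delete-pending), keyed by projectId."""
    gaps = {}
    for p in projects:
        missing = [k for k in required if k not in p.get("labels", {})]
        if missing or p["lifecycleState"] != "ACTIVE":
            gaps[p["projectId"]] = {"missing": missing, "state": p["lifecycleState"]}
    return gaps

def exposure_findings(results, internal_domains=("example.com",)):
    """(kind, resource, role, member) tuples for public, external-domain and default-SA-Editor bindings."""
    findings = []
    for r in results:
        for b in r["policy"].get("bindings", []):
            for m in b["members"]:
                if m in PUBLIC_PRINCIPALS:
                    findings.append(("PUBLIC", r["resource"], b["role"], m))
                elif m.startswith("domain:") and m[len("domain:"):] not in internal_domains:
                    findings.append(("EXTERNAL_DOMAIN", r["resource"], b["role"], m))
                elif b["role"] == "roles/editor" and DEFAULT_COMPUTE_SA.match(m):
                    findings.append(("DEFAULT_SA_EDITOR", r["resource"], b["role"], m))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])   # most exposed first
```

Feed `governance_gaps(json.loads(...))` and `exposure_findings(json.loads(...))` the real exports; the output is the raw material for sections (b) and (c) of the prompt's report, still subject to the owner-confirmation step before any cleanup.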
Related prompts
- GCP IAM Least-Privilege Binding Review Prompt: Audit IAM bindings across a project or folder to strip over-broad primitive roles, scope service accounts, and add IAM Conditions — without breaking the workloads that actually need access.
- GCP Org Policy & Security Command Center Triage Prompt: Triage Security Command Center findings and design Organization Policy constraints that prevent the misconfiguration class — turning a wall of findings into a prioritized, preventive fix plan.