{
  "results": [
    {
      "id": "ar-access-scopes-can-restrict-beyond-iam",
      "text": "Compute Engine VM access scopes can further restrict Artifact Registry access beyond IAM roles — the default `read-only` scope blocks writes even if the SA has Writer role; `cloud-platform` scope is needed for push.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-cloudrun-cross-project-service-agent",
      "text": "Cloud Run cross-project Artifact Registry access requires granting roles to the Cloud Run Service Agent (`service-PROJECT-NUMBER@serverless-robot-prod.iam.gserviceaccount.com`), not just the runtime service account.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-iam-roles-project-or-repository-level",
      "text": "Artifact Registry IAM roles can be granted at two levels: project-wide (applies to all repositories) or repository-specific.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-orgs-after-may-2024-no-auto-editor",
      "text": "Organizations created after May 3, 2024 enforce `iam.automaticIamGrantsForDefaultServiceAccounts` by default, preventing automatic Editor role grants to default service accounts.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-tags-attach-to-repos-not-artifacts",
      "text": "Resource Manager tags attach to Artifact Registry repositories only, not individual artifacts, for conditional IAM access control.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-virtual-repo-roles-cascade-all-upstreams",
      "text": "Virtual repository IAM roles apply to all upstream repositories regardless of individual upstream repo permissions.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloud-dns-admin-cannot-set-iam-policy",
      "text": "`roles/dns.admin` can manage DNS records but cannot set IAM policies on zones (lacks `setIamPolicy` permission).",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-billing-fully-optimizable",
      "text": "Cloud Run billing is fully optimizable through request-based pay-per-use default, CUD discounts shared across Cloud Run, GKE, and Compute Engine, and zero-cost for IAM-denied requests.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-deploy-required-roles",
      "text": "Deploying to Cloud Run requires `roles/run.developer`, `roles/iam.serviceAccountUser`, and `roles/artifactregistry.reader`; cross-project additionally needs `roles/iam.serviceAccountTokenCreator`.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-iam-denied-requests-not-billed",
      "text": "Requests denied by IAM policy are not billed in Cloud Run.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gce-os-login-integrates-ssh-with-iam",
      "text": "OS Login integrates SSH key management with IAM roles, providing admin vs non-admin access control.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-abstraction-inversion-simplicity-demands-deeper-expertise",
      "text": "GCP managed services create an abstraction inversion where operational simplicity demands deeper technical expertise than self-managed alternatives: services require application-level awareness of delivery semantics, rotation patterns, and IAM granularity, AND infrastructure decisions are comprehensively immutable across networking and service configuration — so mistakes require both deep domain knowledge to avoid and full resource recreation to correct.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-data-governance-requires-upfront-commitment-and-ongoing-engineering",
      "text": "GCP data governance demands simultaneous mastery of two orthogonal time horizons: upfront architectural commitment (immutable infrastructure decisions, dual IAM/CMEK control planes compounding with cross-layer irrecoverability) AND ongoing per-service protection engineering (Cloud SQL triple investment, GCS defense-in-depth, CMEK blast radius management) — neither dimension compensates for deficiency in the other.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-dual-governance-effective-defense-in-depth",
      "text": "GCP's dual security governance (IAM access control + CMEK data control) combined with KMS operational safety (duty-separated, non-disruptive rotation) achieves effective layered defense where compromise of one governance surface does not compromise the other and routine operations cannot accidentally breach either.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-immutability-prevents-configuration-drift",
      "text": "GCP's comprehensive infrastructure immutability combined with managed services' requirement for deep application-level understanding prevents configuration drift in production: resources remain as designed throughout their lifecycle and operators who understand delivery semantics, rotation patterns, and IAM granularity configure them correctly from the start.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-managed-service-risk-concentrates-in-naming-and-identity",
      "text": "GCP managed service risk concentrates in naming and identity dimensions: GKE naming collisions cascade through the managed service chain granting unintended IAM identity across Cloud Run, Pub/Sub, and Secret Manager integrations, while every managed service independently demands mastery of both application semantics and identity lifecycle — making naming conventions the single highest-leverage security control across the platform.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-managed-services-require-dual-mastery-application-and-identity",
      "text": "GCP managed services require dual mastery spanning application semantics and identity lifecycle: Pub/Sub and Secret Manager demand application-level awareness of delivery guarantees, rotation semantics, and IAM granularity mismatches, while the container security chain from build provenance through runtime identity adds a parallel lifecycle requiring coordinated namespace/SA naming discipline — application-level and identity-level expertise cannot substitute for each other.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-platform-adoption-requires-shifted-not-reduced-investment",
      "text": "GCP platform adoption demands engineering investment that is shifted rather than reduced: managed services redirect operational complexity to networking and identity design while security governance requires upfront immutable architectural commitments across IAM, CMEK, and infrastructure layers — the total engineering surface area is comparable to self-managed infrastructure, just differently distributed.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-security-dual-control-plane-access-and-data",
      "text": "GCP security governance operates through two independent, non-overlapping control planes: IAM controls who can access resources via layered deny-first evaluation with service account hardening, while CMEK controls whether data remains readable at all via key lifecycle — compromising one plane does not compromise the other, but production security requires operating both simultaneously.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-security-eight-focus-areas",
      "text": "The security pillar has eight focus areas: infrastructure security, IAM, data security, AI/ML security, SecOps, application security, governance/risk/compliance, and logging/auditing/monitoring.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    }
  ],
  "count": 85,
  "limit": 20,
  "offset": 0
}