diff --git a/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py b/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py
index fa1ee855c0..b824af3e26 100644
--- a/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py
+++ b/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py
@@ -1,5 +1,5 @@
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
-from checkov.common.models.enums import CheckCategories
+from checkov.common.models.enums import CheckCategories, CheckResult
 
 
 class GKEClientCertificateDisabled(BaseResourceValueCheck):
@@ -8,7 +8,11 @@ def __init__(self):
         id = "CKV_GCP_13"
         supported_resources = ['google_container_cluster']
         categories = [CheckCategories.KUBERNETES]
-        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+        # The google provider defaults issue_client_certificate to false, which is exactly the
+        # desired state. Omitting master_auth/client_certificate_config therefore leaves client
+        # certificate auth disabled, so a missing block should pass rather than fail.
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.PASSED)
 
     def get_inspected_key(self):
         """
diff --git a/tests/terraform/checks/resource/gcp/test_GKEClientCertificateDisabled.py b/tests/terraform/checks/resource/gcp/test_GKEClientCertificateDisabled.py
index fd06b95381..686ed71b4c 100644
--- a/tests/terraform/checks/resource/gcp/test_GKEClientCertificateDisabled.py
+++ b/tests/terraform/checks/resource/gcp/test_GKEClientCertificateDisabled.py
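Review bot: The switch to `missing_block_result=CheckResult.PASSED` makes CKV_GCP_13's verdict on a cluster with no `master_auth` block depend entirely on the provider default asserted in the new comment, and nothing in the check pins which provider major that default holds for. To my knowledge the effective default for `issue_client_certificate` has not been constant across google provider and GKE release versions (older GKE versions issued client certificates by default), and because a client certificate is a non-expiring, non-revocable credential, getting this wrong turns the check into a silent false negative rather than a noisy false positive. I would record the dependency explicitly so the next provider bump re-examines it, e.g. `# NOTE: correctness of PASS-on-missing relies on the google provider default (issue_client_certificate = false); re-verify when raising the supported provider major.` If the `master_auth` block is present but `client_certificate_config` is omitted, `BaseResourceValueCheck` presumably also returns the missing-block result since the inspected key path is absent; that case deserves the same justification in the comment.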
@@ -12,6 +12,13 @@ def test_success(self):
         scan_result = check.scan_resource_conf(conf=resource_conf)
         self.assertEqual(CheckResult.PASSED, scan_result)
 
+    def test_success_omitted_block(self):
+        # The google provider defaults issue_client_certificate to false, so a cluster that omits
+        # master_auth/client_certificate_config still has client certificate auth disabled.
+        resource_conf = {'name': ['google_cluster'], 'location': ['us-central1']}
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.PASSED, scan_result)
+
     def test_failure(self):
         resource_conf = {'name': ['google_cluster'], 'master_auth': [{'client_certificate_config': [{'issue_client_certificate': [True]}]}]}
         scan_result = check.scan_resource_conf(conf=resource_conf)
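Review bot: `test_success_omitted_block` exercises only a resource with no `master_auth` at all, while the comment in the check claims the same PASS for a partially specified block, and that intermediate shape is the one real configs tend to have (a `master_auth` block for other settings with `client_certificate_config` left out). I would add a second case next to it, `resource_conf = {'name': ['google_cluster'], 'master_auth': [{}]}` / `scan_result = check.scan_resource_conf(conf=resource_conf)` / `self.assertEqual(CheckResult.PASSED, scan_result)`, so the missing-block behaviour is pinned at both levels of the key path rather than assumed from `BaseResourceValueCheck`. The `check` instance used here is defined outside the hunk, and `test_failure`'s body continues past the last hunk line.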