GCP - Security Best Practices
Rajeev kumar
Director | Cyber Security Trainer | SME | Security Architect | Public Speaker | NGO | Founder
Summary of Topics
A. Using IAM Securely
B. Rotate Cloud IAM Service Account Access Keys periodically
C. Enable VPC Flow Logs
D. Ensure Cloud Storage Buckets have Logging and Versioning enabled
E. Ensure Cloud Storage Buckets enforce appropriate Access Controls
F. Access Logs & Storage Logs
G. Object Versioning
H. Ensure firewall rules are not overly permissive
I. Managing SSH Keys on Compute
J. Encryption At-Rest & In-Motion
K. Key Management Service
L. Securing Google Cloud Databases
M. 3 ways to configure a Robust Firewall on GCP
N. User Account, Authorization & Password Management
O. Compute Engine Security
P. Org Images
Q. Cloud Identity-Aware Proxy
About GCP Security Basics
More information about understanding service accounts can be found at:
More information about Resource Hierarchy for Access Control can be found at:
1. Best Practice: Using IAM Securely
Grant the Service Account Actor role on the specific service account that needs it, not on the whole project.
More information about using IAM Securely can be found at:
2. Best Practice: Rotate Cloud IAM service account access keys periodically
A service account is a special type of account that belongs to an application or instance rather than to an individual user. Service accounts use keys to authenticate to GCP, and there are two types of key: GCP-managed keys, which are created and managed automatically, and user-managed keys.
User-managed keys are created, downloaded and managed by users, so they should be rotated regularly; this shortens the window in which a compromised key could be used without its owner's knowledge. These keys are highly sensitive: a compromised key gives an attacker a way to interact with your GCP resources.
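As an added example (not part of the original article), the check below reads the JSON that `gcloud iam service-accounts keys list --format=json` prints for one service account and reports user-managed keys older than 90 days; the project name, account and key ids in the sample are constructed for the demo.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `gcloud iam service-accounts keys list --format=json`
# (hypothetical project, account and key ids; not real data).
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/aaaa1111",
   "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-01-02T00:00:00Z", "validBeforeTime": "2023-01-16T00:00:00Z"},
  {"name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/bbbb2222",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-01-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/cccc3333",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-05-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
]
"""

MAX_KEY_AGE = timedelta(days=90)   # rotation policy for user-managed keys

def parse_rfc3339(ts):
    """gcloud prints timestamps such as 2023-01-10T00:00:00Z; return a tz-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_user_managed_keys(keys_json, now, max_age=MAX_KEY_AGE):
    """Return the key ids of USER_MANAGED keys created more than max_age before `now`.
    SYSTEM_MANAGED keys are rotated by Google and are skipped."""
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = parse_rfc3339(key["validAfterTime"])
        if now - created > max_age:
            stale.append(key["name"].rsplit("/", 1)[-1])
    return stale

if __name__ == "__main__":
    now = parse_rfc3339("2023-06-01T00:00:00Z")   # fixed clock so the demo is reproducible
    for key_id in stale_user_managed_keys(SAMPLE_KEYS_JSON, now):
        print(f"rotate key {key_id}: older than {MAX_KEY_AGE.days} days")
```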
3. Best Practice: Enable VPC Flow Logs
VPC Flow Logs is a feature that captures information about IP traffic going to and from network interfaces in a VPC. It is recommended to enable flow logs for subnets hosting active instances, as they help with a number of tasks: for example, they help troubleshoot why specific traffic is not reaching an instance, which in turn can reveal overly restrictive firewall rules. In a secure environment, flow logs can also serve as a security tool to monitor the traffic that reaches instances.
More information about VPC flow logs can be found at:
4. Best Practice: Ensure Cloud Storage buckets have logging and versioning enabled
The logging and versioning features of Cloud Storage should be enabled for buckets that contain important data.
The logging feature helps during the investigation of security incidents, as it maintains access and modification logs for storage buckets. Versioning is a means of keeping multiple variants of an object in the same bucket. It preserves, and allows you to retrieve and restore, every version of every object stored in the buckets for which versioning has been enabled. With versioning enabled, buckets can recover from both unintended user actions and application failures.
5. Best Practice: Ensure Cloud Storage buckets enforce appropriate access controls
Cloud Storage buckets are often used to store sensitive data, as well as to host static resources for web applications. It is important to ensure bucket access controls enforce the principle of least privilege, so that resources cannot be accessed or modified by unauthorized parties.
In particular, the usage of the following identifiers should be restricted:
6. Best Practice: Access Logs & Storage Logs
This topic discusses how to download and review access logs and storage information for your Cloud Storage buckets.
Cloud Storage offers access logs and storage logs in the form of CSV files that you can download and view. Access logs provide information on all of the requests made on a specified bucket and are created hourly, while the daily storage logs provide information about the storage consumption of that bucket for the last day. The access logs and storage logs are automatically created as new objects in a bucket that you specify. Analyse the logs using Google BigQuery. Access to the data access logs themselves should be granted to a very limited set of people.
More information about Access & Storage Logs can be found at:
7. Best Practice: Object Versioning
To support the retrieval of objects that are deleted or overwritten, Cloud Storage offers the Object Versioning feature. This page describes the feature and the options available when using it. To learn how to enable and use Object Versioning, see Using Object Versioning.
Enable Object Versioning to protect your Cloud Storage data from being overwritten or accidentally deleted. Enabling Object Versioning increases storage costs, which can be partially mitigated by configuring Object Lifecycle Management to delete older object versions.
More information about Object Versioning can be found at:
8. Best Practice: Ensure firewall rules are not overly permissive
Where possible, VPC firewall rules should be configured so that access to specific network services is restricted to just those hosts that have a legitimate business requirement for access.
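As an added example (not part of the original article), the audit below reads the JSON printed by `gcloud compute firewall-rules list --format=json` and reports enabled ingress rules that accept traffic from any address and expose either every port or a remote-administration port; the rule names and ranges in the sample are constructed for the demo.

```python
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# (hypothetical rule names and ranges, not from a real project).
SAMPLE_RULES_JSON = """
[
  {"name": "allow-https-public", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-all-internal", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-everything", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}]},
  {"name": "old-rdp-rule", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}
]
"""

ANY_SOURCE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}  # remote-administration ports to keep off the internet

def ports_in(entry):
    """Expand one 'allowed' entry into the set of ports it covers.
    Protocol 'all' or a missing 'ports' key means every port: return None."""
    if entry["IPProtocol"] == "all" or "ports" not in entry:
        return None
    ports = set()
    for spec in entry["ports"]:            # "22" or a range such as "1-65535"
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def overly_permissive_rules(rules_json):
    """Return {rule_name: reason} for enabled INGRESS rules that accept traffic from
    any address and expose either every port or a remote-administration port."""
    findings = {}
    for rule in json.loads(rules_json):
        if rule.get("disabled") or rule.get("direction") != "INGRESS":
            continue
        if not ANY_SOURCE & set(rule.get("sourceRanges", [])):
            continue                       # only rules reachable from the whole internet
        for entry in rule.get("allowed", []):
            ports = ports_in(entry)
            if ports is None or len(ports) >= 65535:
                findings[rule["name"]] = "all ports open to the internet"
                continue
            for port, label in ADMIN_PORTS.items():
                if port in ports:
                    findings[rule["name"]] = f"{label} (tcp/{port}) open to the internet"
    return findings
```

Rules restricted to internal ranges (such as 10.0.0.0/8) and disabled rules are skipped on purpose, so the output lists only the rules worth tightening first.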
9. Best Practice: Managing SSH Keys on Compute
If you only need to access your resources through the web console or gcloud, automatic key management is enough. If you want to use existing on-prem keys, you can manage them manually by setting the public key in the SSH keys metadata field, which then applies to your instances. If you want to give all of your developers access to all VMs in a project, set the public key once in project metadata and it is inherited by all instances. Use instance metadata when a contractor or a specific individual should reach only a particular instance.
More information about SSH Keys can be found at:
10. Best Practice: Encryption At-Rest & In-Motion
More information about Encryption At-Rest & In-Motion can be found at:
11. Best Practice: Key Management Service
How to keep a secret secret: one person or team manages the keys, while another person or team manages the secrets. First, take the API secret key and send it to Cloud KMS, choosing the key ring and key you want; KMS returns an encrypted blob to store. Place that encrypted blob in a Cloud Storage bucket. When the application starts it does two things. First it connects to Cloud Storage and reads the blob from the bucket, so set up the permissions and roles it needs to pull that down. Next it goes to Cloud KMS, sends the encrypted blob, and gets back the decrypted version: here is your API key. This gives a clean delinking and separation of duties, since neither the storage side nor the key side alone yields the secret.
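The two halves of that flow, as an added example that is not the article's own code: `seal_secret` is the key owner's step (encrypt with Cloud KMS, store only the ciphertext in the bucket) and `load_secret` is the application's start-up step. The call shapes follow the google-cloud-kms and google-cloud-storage client libraries, but the `FakeKms` and `FakeBucket` stand-ins and the key resource name are constructed so the demo runs offline.

```python
from types import SimpleNamespace

def seal_secret(kms, key_name, bucket, object_name, plaintext):
    """Key-owner side: send the secret to Cloud KMS and keep only the returned
    ciphertext blob in the bucket. Nothing in the bucket reveals the secret."""
    resp = kms.encrypt(request={"name": key_name, "plaintext": plaintext})
    bucket.blob(object_name).upload_from_string(resp.ciphertext)
    return resp.ciphertext

def load_secret(kms, key_name, bucket, object_name):
    """Application side, at start-up: read the blob from the bucket and ask KMS to
    decrypt it. This needs storage.objects.get on the bucket and
    cloudkms.cryptoKeyVersions.useToDecrypt on the key; neither alone yields the secret."""
    blob = bucket.blob(object_name).download_as_bytes()
    resp = kms.decrypt(request={"name": key_name, "ciphertext": blob})
    return resp.plaintext

# --- offline stand-ins, constructed for this example (not the real clients) ---
class FakeKms:
    """Mimics KeyManagementServiceClient.encrypt/decrypt: the 'ciphertext' is an
    opaque token that only this fake KMS can map back to the plaintext."""
    def __init__(self):
        self.vault = {}
    def encrypt(self, request):
        token = b"kms-ciphertext-%d" % len(self.vault)
        self.vault[token] = request["plaintext"]
        return SimpleNamespace(ciphertext=token)
    def decrypt(self, request):
        return SimpleNamespace(plaintext=self.vault[request["ciphertext"]])

class FakeBucket:
    """Mimics storage.Bucket.blob(name).upload_from_string / download_as_bytes in memory."""
    def __init__(self):
        self.objects = {}
    def blob(self, name):
        store = self.objects
        return SimpleNamespace(upload_from_string=lambda data: store.__setitem__(name, data),
                               download_as_bytes=lambda: store[name])

# Hypothetical Cloud KMS key resource name (project, ring and key are placeholders).
KEY = "projects/demo-project/locations/global/keyRings/app-ring/cryptoKeys/api-key"

if __name__ == "__main__":
    kms, bucket = FakeKms(), FakeBucket()
    seal_secret(kms, KEY, bucket, "api-key.enc", b"sk_live_example")
    print("stored blob:", bucket.objects["api-key.enc"])   # opaque token, not the secret
    print("decrypted:", load_secret(kms, KEY, bucket, "api-key.enc"))
```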
More information about GCP KMS can be found at:
More information about GCP Secret Management can be found at:
12. Best Practice: Securing Google Cloud databases
Implement security controls covering data security, access controls, configuration (password management, service accounts, logging and alerting), application considerations, self-hosted database concerns, and so on.
More information about GCP database security can be found at:
13. Best Practice: Configure a robust firewall on GCP
- Configure firewall rules with service accounts: define firewall rules by service account instead of by network tag.
- Create a custom IAM role for the InstanceAdmin: a custom role with more restricted permissions that removes the ability to set tags on VMs.
- Use subnetworks to partition workloads: use source or destination IP CIDR ranges where the workloads can be partitioned into subnetworks with distinct ranges.
More information about configuring firewall rules on GCP can be found at:
14. Best Practice: User Account, Authorization & Password Management
More information about user account, authorization and password management can be found at:
15. Best Practice: Compute Engine Security
More information about Securely Connecting to VM Instances can be found at:
More information about Verifying VM Identity can be found at:
16. Best Practice: Org Images
More information about Image Management can be found at:
17. Best Practice: Cloud Identity-Aware Proxy
Other Security Best Practices
GCP Security Bookmarks-
About GCP Platform Security –
GCP Security & Identity –
GCP Security new features –
GCP Best practices for Enterprise Organizations –
GCP Security – How-To-Guides