Google Cloud Platform- Let’s dive into Security Best Practices - I

Richa Gupta
3 min read · May 13, 2021


Google Cloud Platform has a lot to offer, but it also comes with numerous security aspects to take care of. When I started working on GCP I was swamped with the security misconfigurations that are commonly made while setting up GCP projects. Let's go through some of them in this blog.

Google VPC

  1. The default VPC network should never be used. Create a new network with the regions, IP address ranges and firewall rules your organization needs, then delete the default network so it is not used by accident. The default network comes with several pre-populated firewall rules that are not suitable for a production environment. You can also prevent the default network from being created in the first place by applying the organization policy constraint constraints/compute.skipDefaultNetworkCreation before creating GCP projects.
  2. If the default network must be used, restrict or remove the following pre-populated rules:
     - default-allow-internal
     - default-allow-ssh
     - default-allow-rdp
     - default-allow-icmp
  3. Configure VPC firewall rules so that each service is reachable only from hosts with a legitimate need to access it:
     - Never use 0.0.0.0/0 or a wildcard (*) as the source of an allow rule.
     - Use only service-account-based firewall rules and avoid network tags: tags can be changed by anyone who can edit the instance, whereas service accounts are governed by IAM.
     - Expose each service only on the specific ports it needs and make sure no other ports are open.
  4. Enable Private Google Access on your VPC subnets. It lets VM instances on the subnet reach Google APIs and services over an internal IP address instead of an external one.
  5. Enable VPC Flow Logs to record the network flows and traffic of the VPC.
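The checks in items 2 and 3 can be automated against the output of `gcloud compute firewall-rules list --format=json`. The following is an added example, not code from the original post: it flags the pre-populated default-network rules, allow rules with a 0.0.0.0/0 (or ::/0) source, rules that target by network tag instead of service account, and allow entries that open every port of a protocol. The rule set it runs on is constructed for illustration, not taken from a real project.

```python
"""Audit VPC firewall rules for the problems listed above.

Added example, not code from the original post. Rules are read in the JSON
shape produced by `gcloud compute firewall-rules list --format=json`; the
sample below is constructed for illustration.
"""
import ipaddress
import json

# Rule names that Google pre-populates on the default network.
DEFAULT_NETWORK_RULES = {
    "default-allow-internal",
    "default-allow-ssh",
    "default-allow-rdp",
    "default-allow-icmp",
}

# Constructed sample: two default-network rules, a tag-based rule, a
# service-account-based rule and a catch-all deny.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-ssh", "network": "global/networks/default",
     "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-internal", "network": "global/networks/default",
     "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "allow-web-tagged", "network": "global/networks/prod-vpc",
     "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-app-from-lb", "network": "global/networks/prod-vpc",
     "direction": "INGRESS",
     "sourceServiceAccounts": ["lb@demo-project.iam.gserviceaccount.com"],
     "targetServiceAccounts": ["app@demo-project.iam.gserviceaccount.com"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8443"]}]},
    {"name": "deny-all-ingress", "network": "global/networks/prod-vpc",
     "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
])


def is_unrestricted(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a source that matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def opens_all_ports(allowed: dict) -> bool:
    """True when an allow entry exposes every port of tcp/udp (or every protocol)."""
    proto = allowed["IPProtocol"]
    if proto == "all":
        return True
    if proto not in ("tcp", "udp"):
        return False  # icmp and the like have no port concept
    ports = allowed.get("ports")
    if not ports:
        return True  # no port list means all ports of that protocol
    return any(p in ("0-65535", "1-65535") for p in ports)


def audit_rule(rule: dict) -> list:
    """Return the findings for one firewall rule (empty list when clean)."""
    findings = []
    if rule["name"] in DEFAULT_NETWORK_RULES:
        findings.append("pre-populated default-network rule; remove or restrict it")
    if "allowed" not in rule:
        return findings  # deny rules grant nothing, nothing more to check
    if any(is_unrestricted(r) for r in rule.get("sourceRanges", [])):
        findings.append("allows ingress from 0.0.0.0/0")
    if rule.get("targetTags") or rule.get("sourceTags"):
        findings.append("targets by network tag; use service accounts instead")
    for entry in rule["allowed"]:
        if opens_all_ports(entry):
            findings.append(f"opens all {entry['IPProtocol']} ports")
    return findings


def audit_rules(rules_json: str) -> dict:
    """Map every rule name to its list of findings."""
    return {r["name"]: audit_rule(r) for r in json.loads(rules_json)}


if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES_JSON).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Deny rules are skipped on purpose: a deny from 0.0.0.0/0 is the catch-all you want, so only allow rules are scored. To run it against a real project, replace `SAMPLE_RULES_JSON` with the saved output of the gcloud command named in the docstring.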

Identity and Access Management(IAM)

  1. Avoid the basic (primitive) roles Owner, Editor and Viewer. They grant broad access to the whole project. Instead, grant predefined roles that give the least permissive access necessary. Predefined roles are managed by Google and their permissions are updated automatically: when new features or services are added to GCP, the related predefined roles are updated as needed. Choosing the right roles means analysing which permissions a user or service account actually needs in order to work. For example, if a member needs the permissions

     bigquery.jobs.create, bigquery.tables.create, bigquery.tables.get, bigquery.tables.getData, bigquery.tables.update, bigquery.tables.updateData

     then assigning the predefined roles “BigQuery Data Editor” and “BigQuery Job User” instead of the Editor role removes a large amount of excess permission. You can also use the IAM Recommender, which analyses the permissions each member has actually used over the last 90 days.

  2. Custom roles built for your specific need also help enforce the principle of least privilege. Identify the predefined roles an application requires, create a custom role from their permissions, and assign that custom role to the application's service accounts and users.
  3. Ensure that IAM users do not hold service account privileges unnecessarily. Granting a user the “Service Account Actor”, “Service Account User” or “Service Account Token Creator” role lets that user act with the service account's privileges. Only authorized corporate IAM users should have these roles.
  4. Do not grant the Owner role to every member of the team; follow the principle of least privilege. Grant Owner only to someone who needs to change IAM policies.
  5. Grant roles to a Google group instead of to individual users whenever possible.
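The IAM points above can be checked against the output of `gcloud projects get-iam-policy --format=json`. The following is an added example, not code from the original post: `audit_policy` flags basic roles, public principals, service-account privilege roles granted outside a corporate domain, and roles granted to individual users instead of groups; `least_privilege_roles` then works through the BigQuery example from item 1 by picking predefined roles that cover a set of needed permissions with the least excess. The policy, the domain `example.com` and the role-to-permission map are constructed for illustration (the Editor role really holds thousands of permissions; a real audit would load each role's permissions with `gcloud iam roles describe`).

```python
"""Audit a project IAM policy and choose least-privilege predefined roles.

Added example, not code from the original post. The policy is in the JSON
shape of `gcloud projects get-iam-policy --format=json`; the policy, the
corporate domain and ROLE_PERMISSIONS are constructed for illustration.
"""
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles that let a principal act as a service account or mint tokens for it.
SA_PRIVILEGE_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountActor",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_POLICY_JSON = json.dumps({"bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:contractor@gmail.com"]},
    {"role": "roles/bigquery.dataEditor",
     "members": ["group:data-eng@example.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
]})


def audit_policy(policy_json: str, corporate_domain: str = "example.com") -> list:
    """Return (member, role, issue) triples for every questionable binding."""
    findings = []
    for binding in json.loads(policy_json)["bindings"]:
        role = binding["role"]
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS:
                findings.append((member, role, "granted to a public principal"))
            if role in BASIC_ROLES:
                findings.append((member, role, "basic role; use predefined or custom roles"))
            if role in SA_PRIVILEGE_ROLES and not member.endswith("@" + corporate_domain):
                findings.append((member, role, "service-account privilege outside the corporate domain"))
            if member.startswith("user:"):
                findings.append((member, role, "granted to an individual; prefer a Google group"))
    return findings


# Constructed, partial permission sets: a handful of permissions stand in for
# the thousands the basic Editor role really carries.
ROLE_PERMISSIONS = {
    "roles/editor": {
        "bigquery.jobs.create", "bigquery.tables.create", "bigquery.tables.get",
        "bigquery.tables.getData", "bigquery.tables.update", "bigquery.tables.updateData",
        "compute.instances.delete", "compute.instances.setMetadata", "storage.buckets.delete",
        "iam.serviceAccounts.create", "cloudsql.instances.delete", "pubsub.topics.delete",
    },
    "roles/bigquery.dataEditor": {
        "bigquery.tables.create", "bigquery.tables.get", "bigquery.tables.getData",
        "bigquery.tables.update", "bigquery.tables.updateData",
        "bigquery.tables.delete", "bigquery.tables.list", "bigquery.datasets.create",
    },
    "roles/bigquery.dataViewer": {
        "bigquery.tables.get", "bigquery.tables.getData", "bigquery.tables.list",
    },
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
}

# The permissions from the example in item 1.
NEEDED = {
    "bigquery.jobs.create", "bigquery.tables.create", "bigquery.tables.get",
    "bigquery.tables.getData", "bigquery.tables.update", "bigquery.tables.updateData",
}


def least_privilege_roles(needed: set, role_permissions: dict = ROLE_PERMISSIONS) -> tuple:
    """Greedy set cover over the non-basic roles: repeatedly take the role that
    covers the most still-uncovered permissions (ties broken by fewest extra
    permissions). Returns (chosen roles, excess permissions those roles grant)."""
    uncovered = set(needed)
    chosen, granted = [], set()
    candidates = {r: p for r, p in role_permissions.items() if r not in BASIC_ROLES}
    while uncovered:
        best = max(candidates, key=lambda r: (len(candidates[r] & uncovered),
                                              -len(candidates[r] - needed)))
        if not candidates[best] & uncovered:
            raise ValueError(f"no predefined role covers: {sorted(uncovered)}")
        chosen.append(best)
        granted |= candidates[best]
        uncovered -= candidates[best]
        del candidates[best]
    return chosen, granted - needed


if __name__ == "__main__":
    for member, role, issue in audit_policy(SAMPLE_POLICY_JSON):
        print(f"{member} {role}: {issue}")
    roles, excess = least_privilege_roles(NEEDED)
    print("roles:", roles, "excess:", sorted(excess))
    print("excess with Editor instead:", len(ROLE_PERMISSIONS["roles/editor"] - NEEDED))
```

Greedy set cover is not guaranteed optimal, but on real role catalogues it reproduces what a reviewer does by hand: reach for the narrowest predefined role that covers most of the need, then fill the gap. The excess set it returns is exactly what you would review before deciding whether a custom role (item 2) is worth creating.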

Service Accounts

  1. Avoid using the default service accounts: they hold the Editor role and are attached automatically to the services that use them. Create a custom service account for each service and grant it only the permissions that service needs. A single service account shared by several services with different permission needs ends up with the union of those permissions, and a compromise of such an account is high risk. Some Google service agents also hold highly privileged roles, for example the Container Registry service agent; limit these privileges as well.
  2. Google-managed keys are always preferred. If user-managed keys are a requirement, proper security controls must be in place for storing, distributing, periodically rotating and encrypting the keys.
  3. Apply the organization policy constraint constraints/iam.disableServiceAccountKeyCreation to prevent users from creating service account keys.
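Two of the service account points above, default accounts still attached to instances (item 1) and user-managed keys that have outlived their rotation window (item 2), can be checked from `gcloud compute instances list --format=json` and `gcloud iam service-accounts keys list --format=json`. The following is an added example, not code from the original post; the instance list, the key list, the 90-day rotation window and the fixed "today" of May 13, 2021 are all constructed for illustration.

```python
"""Service-account hygiene: default accounts on instances and stale user-managed keys.

Added example, not code from the original post. Inputs follow the JSON shapes
of `gcloud compute instances list --format=json` and
`gcloud iam service-accounts keys list --format=json`; all sample data and the
rotation window are constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Google-created default service accounts: Compute Engine uses
# <project-number>-compute@..., App Engine uses <project-id>@appspot...
DEFAULT_SA_PATTERNS = (
    re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^[a-z][-a-z0-9]*@appspot\.gserviceaccount\.com$"),
)

SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "web-1",
     "serviceAccounts": [{"email": "123456-compute@developer.gserviceaccount.com"}]},
    {"name": "api-1",
     "serviceAccounts": [{"email": "api@demo-project.iam.gserviceaccount.com"}]},
    {"name": "batch-1", "serviceAccounts": []},  # no service account attached
])

SA_PREFIX = "projects/demo-project/serviceAccounts/api@demo-project.iam.gserviceaccount.com/keys/"
SAMPLE_KEYS_JSON = json.dumps([
    {"name": SA_PREFIX + "key-a", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2021-05-01T00:00:00Z"},
    {"name": SA_PREFIX + "key-b", "keyType": "USER_MANAGED",
     "validAfterTime": "2021-01-10T00:00:00Z"},
    {"name": SA_PREFIX + "key-c", "keyType": "USER_MANAGED",
     "validAfterTime": "2021-04-20T00:00:00Z"},
])
NOW = datetime(2021, 5, 13, tzinfo=timezone.utc)  # constructed "today"


def is_default_service_account(email: str) -> bool:
    """True for the Compute Engine or App Engine default service account."""
    return any(p.match(email) for p in DEFAULT_SA_PATTERNS)


def instances_using_default_sa(instances_json: str) -> list:
    """Names of instances that run as a Google-created default service account."""
    hits = []
    for inst in json.loads(instances_json):
        if any(is_default_service_account(sa["email"])
               for sa in inst.get("serviceAccounts", [])):
            hits.append(inst["name"])
    return hits


def stale_user_managed_keys(keys_json: str, now: datetime = NOW,
                            max_age_days: int = 90) -> list:
    """(key id, age in days) for user-managed keys older than the rotation window.
    System-managed keys are skipped because Google rotates them itself."""
    stale = []
    for key in json.loads(keys_json):
        if key["keyType"] != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        age = now - created
        if age > timedelta(days=max_age_days):
            stale.append((key["name"].rsplit("/", 1)[-1], age.days))
    return stale


if __name__ == "__main__":
    print("instances on a default service account:",
          instances_using_default_sa(SAMPLE_INSTANCES_JSON))
    print("user-managed keys overdue for rotation:",
          stale_user_managed_keys(SAMPLE_KEYS_JSON))
```

For a live project, drop `now=NOW` so the check uses the current time, and run the key check once per service account (the gcloud command lists keys for one account at a time). With the constraint from item 3 in force, `stale_user_managed_keys` should eventually return nothing because no new user-managed keys can be created.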

Watch out for the next article on security best practices in GCP.

https://www.amazon.com/Hands-Penetration-Testing-Web-Applications-ebook/dp/B0917Q2LR8


Richa Gupta

Security Engineer|GCP Security Enthusiast |Penetration Tester| Author|