Cloud Security Review (GCP-Template)

This document provides a checklist for auditing security configurations and settings in Google Cloud Platform (GCP). It includes over 70 items across various GCP services to validate that best practices have been followed for identity and access management, networking, encryption, logging, and monitoring. The status of each item is indicated as implemented, partially implemented, or not implemented. Areas marked as not implemented provide opportunities for improvement to strengthen the security posture of the GCP environment.


Cloud Security Review Checklist

About the Project
Description about project / Client

GCP Security Audit Checklist
About the Document
This checklist will be extremely useful for Security Leaders, Security Practitioners, Security Engineers, and Risk and Compliance Officers.

Version Details
Version   Author   Changes          Date
v 0.1     Prasad   First Draft      9/18/2023
v 1.0     Prasad   First Release    10/15/2023
v 1.1     Prasad   Second Release   11/10/2023

GCP Details
Application Name:
Cloud Platform: GCP
Environment Details:
Types of Penetration Testing: Grey Box
Methodology: Discovery - Verify - Audit
Date of Review: 12/3/2023
GCP Team:
Analyst Name:

GCP Review and Configuration
After carefully going through Google’s Cloud Platform Acceptable Usage Policy and Terms of Service, a list of activities has been created which contains dos and don’ts while conducting Google Cloud penetration testing on an organization’s cloud presence. A scenario has been illustrated for a better understanding.
Cloud Responsibility Table
About the Document
Below you’ll find a responsibility table to visually offer reminders as to what action falls under whose jurisdiction.

Legend: Customer / GCP / Both

Preventing or detecting when a GCP account has been compromised
Preventing or detecting a privileged or regular GCP user behaving in an insecure manner
Business continuity management (availability, incident response)
Protecting against GCP zero-day exploits and other vulnerabilities
Providing environmental security assurance against things like mass power outages, earthquakes, floods, and other natural disasters
Providing physical access control to hardware/software
Configuring GCP Managed Services in a secure manner
Ensuring network security (DoS, man-in-the-middle (MITM), port scanning)
Ensuring custom applications are being used in a manner compliant with internal and external policies
Updating guest operating systems and applying security patches
Restricting access to GCP services or custom applications to only those users who require it
Configuring GCP services (except GCP Managed Services) in a secure manner
Preventing sensitive data from being uploaded to or shared from applications in an inappropriate manner
Database service patching
GCP Security Review Checklist - Status
✅ Enable Security Command Center Dashboard - Implemented
✅ Set up Organization Policy Service - Implemented
✅ Define your resource hierarchy - Implemented
✅ Create an organization node - Implemented
✅ Manage your Google identities - Implemented
✅ Migrate unmanaged accounts - Implemented
✅ Control access to resources - Implemented
✅ Apply Principle of Least Privilege - Implemented
✅ Use Cloud IAM - Implemented
   1. Check IAM policies
   2. MFA enabled for all users
   3. Security Key for admin
   4. Prevent the use of service accounts
✅ Delegate responsibility into groups and service accounts - Implemented
✅ Use Virtual Private Cloud (VPC) to define your network - Implemented
✅ Manage traffic with firewall rules - Implemented
✅ Limit external access or direct internet exposure - Implemented
✅ Adopt service account firewall rules instead of tag-based rules - Implemented
✅ Do not use the default network for new projects - Implemented
✅ Centralized network control - Implemented
✅ Put a load balancer in front of all web services - Implemented
✅ Connect your enterprise network - Implemented
✅ Secure your apps and data - Implemented
✅ Use VPC Service Controls (Enable VPC Flow Logs) - Not Implemented
✅ Break the network down into subnets - Implemented
✅ Use the Google Cloud global HTTPS load balancer - Implemented
✅ Integrate Google Cloud Armor - Implemented
✅ Control app access using IAM - Implemented
✅ Set up Cloud Logging - Implemented
✅ Set up Cloud Monitoring - Implemented
✅ Set up an audit trail - Not Implemented
✅ Enable Google Cloud Key Management Service - Not Implemented
✅ Enable Stackdriver Logging - Implemented
✅ Enable Google Access Transparency - Not Implemented
✅ Enable Google Cloud Security Scanner - Implemented
✅ Enable Google Cloud Compliance - Not Implemented
✅ Plan Disaster Recovery Strategy - Implemented
✅ Set up billing controls - Implemented
✅ Disable unused services and vulnerable ports - Implemented
✅ Change default passwords - Implemented
✅ Use Cloud Identity-Aware Proxy (IAP) to secure access to applications - Not Implemented
✅ Encrypt data in transit using TLS - Implemented
✅ Create backups and snapshots of critical data and resources - Implemented
✅ Use a container registry for storing and deploying container images - Partially
✅ Use Google Cloud Endpoints for API management and security - Implemented
✅ Implement a DLP policy to prevent sensitive data leakage - Not Implemented
✅ Rotate KMS encryption keys - Implemented
✅ Uniform bucket-level access enabled - Implemented
✅ Not publicly accessible (KMS, Cloud Storage, Instance, Endpoints, Database, API Keys, SA, Buckets) - Implemented
✅ Cloud SQL - Implemented
   1. Enable SSL for all incoming connections
   2. Not publicly accessible
   3. Do not have public IPs
   4. Automated backups configured
✅ Cloud Logging - Implemented
   1. Ensure that Cloud Audit Logging is configured
   2. Ensure that sinks are configured
   3. Retention policies on log buckets are configured
   4. Enable Logs Router encryption
✅ GKE - Implemented
   1. Enable secrets encryption
   2. Enable GKE cluster node encryption
   3. Restrict network access
✅ Compute Engine - Implemented
   1. Enable Block Project-wide SSH keys
   2. Do not enable connecting to serial ports
   3. Encrypted with CSEK for critical VMs
✅ SSH Keys Implementation - Implemented
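The Cloud SQL and Compute Engine sub-items above are the kind of settings an auditor verifies from an inventory export rather than by clicking through the console. The following script is an added example (not part of this checklist or any Google tool) that evaluates those four Cloud SQL checks and the two Compute Engine metadata checks offline. The two JSON documents are constructed samples shaped like `gcloud sql instances list --format=json` and `gcloud compute instances list --format=json`; the field names (`settings.ipConfiguration.requireSsl`/`sslMode`, `ipv4Enabled`, `authorizedNetworks`, `backupConfiguration.enabled`, metadata keys `block-project-ssh-keys` and `serial-port-enable`) are the real API names, while every value is made up.

```python
"""Offline audit of Cloud SQL and Compute Engine settings from gcloud-style JSON.

Added example; the JSON below is a constructed sample, not real inventory.
"""
import json

SQL_INSTANCES_JSON = """[
  {"name": "orders-db", "settings": {
      "ipConfiguration": {"ipv4Enabled": true, "requireSsl": false,
                          "authorizedNetworks": [{"value": "0.0.0.0/0"}]},
      "backupConfiguration": {"enabled": false}}},
  {"name": "billing-db", "settings": {
      "ipConfiguration": {"ipv4Enabled": false, "sslMode": "ENCRYPTED_ONLY",
                          "privateNetwork": "projects/example/global/networks/prod"},
      "backupConfiguration": {"enabled": true}}}
]"""

COMPUTE_INSTANCES_JSON = """[
  {"name": "web-1", "metadata": {"items": [
      {"key": "block-project-ssh-keys", "value": "TRUE"},
      {"key": "serial-port-enable", "value": "0"}]}},
  {"name": "bastion", "metadata": {"items": [
      {"key": "serial-port-enable", "value": "1"}]}}
]"""


def ssl_required(ip_cfg):
    """requireSsl is the older boolean flag; newer instances report sslMode instead."""
    return bool(ip_cfg.get("requireSsl")) or ip_cfg.get("sslMode") in (
        "ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED")


def audit_sql_instance(inst):
    """Return one finding string per Cloud SQL checklist item the instance fails."""
    cfg = inst.get("settings", {})
    ip = cfg.get("ipConfiguration", {})
    findings = []
    if not ssl_required(ip):
        findings.append("SSL not required for incoming connections")
    if ip.get("ipv4Enabled", False):
        findings.append("instance has a public IPv4 address")
    if any(n.get("value") == "0.0.0.0/0" for n in ip.get("authorizedNetworks", [])):
        findings.append("authorized networks allow 0.0.0.0/0 (publicly accessible)")
    if not cfg.get("backupConfiguration", {}).get("enabled", False):
        findings.append("automated backups disabled")
    return findings


def _metadata(inst):
    """Flatten the metadata items list into a key -> value dict."""
    return {i["key"]: i.get("value", "") for i in inst.get("metadata", {}).get("items", [])}


def audit_compute_instance(inst):
    """Return findings for the Compute Engine checklist items."""
    md = _metadata(inst)
    findings = []
    # The key must be explicitly TRUE; when absent, project-wide keys are accepted.
    if md.get("block-project-ssh-keys", "").upper() != "TRUE":
        findings.append("project-wide SSH keys not blocked")
    # Serial console access is on when the value is "1" or "true".
    if md.get("serial-port-enable", "0").lower() in ("1", "true"):
        findings.append("serial port access enabled")
    return findings


def audit(sql_json, compute_json):
    """Map each resource to its findings; an empty list means compliant."""
    report = {}
    for inst in json.loads(sql_json):
        report["sql/" + inst["name"]] = audit_sql_instance(inst)
    for inst in json.loads(compute_json):
        report["gce/" + inst["name"]] = audit_compute_instance(inst)
    return report


if __name__ == "__main__":
    for name, findings in audit(SQL_INSTANCES_JSON, COMPUTE_INSTANCES_JSON).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Note the negative default for `block-project-ssh-keys`: the checklist item is only satisfied when the key is present and set, so a missing key is reported as a finding rather than silently passing.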
Recommendation / Comment

Enable Security Command Center Dashboard
To enable the Security Command Center Dashboard in Google Cloud Platform (GCP), you can follow these steps:
1. Go to the Security Command Center page in the Google Cloud console.
2. Select the project or organization that you want to review.
3. If Security Command Center is active in the organization or project you select, the Overview page displays with an overview of the active vulnerability findings over the last seven days.
4. If Security Command Center is not active, you are invited to activate it.
Set up org-level policy
N/A
Project-level access setup
N/A
Remove unmanaged and default accounts
N/A
For business continuity and convenience you should have at least two organizational admins. This provides redundancy in case an admin is unavailable for any reason or if an account is lost. But be careful of adding too many admins to your organization; the general principle is least privilege.
N/A
It is best to use groups when configuring GCP access: assign roles to the groups instead of to individual users.
Remember, it’s easier to track one rule that allows traffic to a range of VMs than it is to track separate rules for each VM.
N/A
Use hierarchical firewall policy to block traffic that never should be allowed at an organization or folder level. For "allow" rules, restrict them to specific VMs by specifying the service account of the VMs.
N/A
Always use a hardened, service-based firewall.
N/A
N/A
N/A

In Google Cloud Platform (GCP), VPC Flow Logs is a feature that allows you to capture information about the IP traffic going to your Virtual Private Cloud (VPC). This can be useful for network monitoring, forensics, real-time security analysis, and expense optimization.
To enable VPC Flow Logs in GCP, you can follow these steps:
1. Go to the VPC networks page in the Google Cloud Console.
2. Click the name of a subnet to display the Subnet details page.
3. Click the EDIT button.
4. Set Flow Logs to On.
5. Click Save.
Alternatively, you can create a new custom-mode network and enable VPC Flow Logs.
You can view VPC Flow Logs by using the Logs Explorer. In the Select log names list, click vpc_flows, and then click Apply.
Create separate subnets as required.
N/A
N/A
N/A
N/A
N/A
N/A

Here are the steps to set up an audit trail in GCP:
1. Cloud Audit Logs: GCP provides a service called Cloud Audit Logs that helps security teams maintain an audit trail. Every admin activity is recorded in an always-on audit trail, which cannot be disabled by any rogue actor. Data access logs can be customized to best suit your needs around monitoring and compliance.
2. Real-time delivery of audit events: Receive near real-time delivery of the audit events in Cloud Audit Logs within seconds of occurrence, to quickly assess and act on any identified behavior in the most appropriate ways for your organization.
3. Immutable audit trail: Cloud Audit Logs reside in highly protected storage, resulting in a secure, immutable, and highly durable audit trail.
4. End-to-end transparency: Cloud Audit Logs features Admin Activity logs documenting administrative events, and Data Access logs documenting access to cloud data by your users.
5. Default encryption: Cloud Audit Logs is encrypted at rest using either AES256 or AES128, which is also used to help protect the infrastructure.
6. Integration with partners: This service provides easy-to-use integration guides with popular SIEM partners via flexible Pub/Sub integration modules.
Remember, users should not be able to amend or switch off the audit trail. Where a system administrator amends or switches off the audit trail, a record of that action should be retained. Periodic checks should be conducted to verify that audit trails remain enabled and effective.
Keep dependencies and APIs up to date.

Google Cloud Key Management Service (KMS) is a cloud service for managing cryptographic keys for your Google Cloud services.
1. Preparing Secrets: Have application secrets for each environment.
2. Creating KMS Secret Keys: Create keys in the Google Cloud KMS.
3. Assigning Permission to use these keys: Assign appropriate permissions to use these keys.
4. Encrypting Secrets: Encrypt the secrets using the created keys.
5. Using Encrypted Secrets in the deployment: Use these encrypted secrets in your deployment.
6. Using secrets at runtime: Use these secrets at runtime.
7. KMS Audit Logs: Enable audit logs for your KMS.
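The VPC Flow Logs steps and the audit-trail notes above describe two settings that are easy to switch off quietly: per-subnet flow logging and the project's Data Access audit configuration. The following script is an added example (not part of this checklist or any Google tool) that checks both from exported JSON, which is how the "periodic checks" the text asks for can be automated. The two documents are constructed samples shaped like `gcloud compute networks subnets list --format=json` and `gcloud projects get-iam-policy PROJECT --format=json`; the field names (`enableFlowLogs`, `logConfig.enable`, `auditConfigs`, `auditLogConfigs`, `logType`, `exemptedMembers`) are the real Compute Engine and Resource Manager API names, the values are made up.

```python
"""Offline check of VPC Flow Logs and Data Access audit logging from gcloud-style JSON.

Added example; the JSON below is a constructed sample, not real inventory.
"""
import json

SUBNETS_JSON = """[
  {"name": "prod-web", "region": "europe-west1", "enableFlowLogs": true,
   "logConfig": {"enable": true, "aggregationInterval": "INTERVAL_5_SEC", "flowSampling": 0.5}},
  {"name": "prod-db", "region": "europe-west1", "enableFlowLogs": false},
  {"name": "default", "region": "us-central1", "logConfig": {"enable": false}}
]"""

PROJECT_IAM_POLICY_JSON = """{
  "bindings": [{"role": "roles/viewer", "members": ["group:auditors@example.com"]}],
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ",
                          "exemptedMembers": ["user:ci-bot@example.com"]}]}
  ]
}"""

# The three Data Access log types that must be on for every service.
# Admin Activity logs are always on and cannot be disabled, so they are not checked.
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def flow_logs_enabled(subnet):
    """A subnet captures flow logs when the legacy flag or logConfig.enable is true."""
    return bool(subnet.get("enableFlowLogs")) or bool(subnet.get("logConfig", {}).get("enable"))


def subnets_without_flow_logs(subnets_json):
    """Return 'region/name' for every subnet that is not capturing flow logs."""
    return [f"{s['region']}/{s['name']}"
            for s in json.loads(subnets_json) if not flow_logs_enabled(s)]


def audit_logging_gaps(policy_json):
    """Compare the project's auditConfigs for allServices against REQUIRED_LOG_TYPES.

    Returns (missing_log_types, exempted) where exempted is a list of
    (service, member) pairs excluded from Data Access logging. Any exemption is a
    hole in the audit trail and needs a documented justification.
    """
    policy = json.loads(policy_json)
    enabled_for_all = set()
    exempted = []
    for cfg in policy.get("auditConfigs", []):
        for log_cfg in cfg.get("auditLogConfigs", []):
            if cfg.get("service") == "allServices":
                enabled_for_all.add(log_cfg.get("logType"))
            for member in log_cfg.get("exemptedMembers", []):
                exempted.append((cfg.get("service"), member))
    missing = [t for t in REQUIRED_LOG_TYPES if t not in enabled_for_all]
    return missing, exempted


if __name__ == "__main__":
    print("subnets without flow logs:", subnets_without_flow_logs(SUBNETS_JSON))
    missing, exempted = audit_logging_gaps(PROJECT_IAM_POLICY_JSON)
    print("missing Data Access log types for allServices:", missing)
    print("exempted members:", exempted)
```

The per-service `DATA_READ` entry for Cloud Storage in the sample does not satisfy the `allServices` requirement, which is the usual way a project ends up with a partial audit trail: one service was configured by hand while the project-wide default was never set.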
Google Stackdriver is a unified monitoring, logging, and diagnostics service that simplifies operations for applications running on Google Cloud.
N/A
If necessary in the project, activate the compliance feature in the GCP Security Command Center.
Implement the disaster recovery plan (SOP found for disaster recovery).
N/A
Use an IP address allow-list mechanism and block all ports that are not required (80, 22, 3389).
N/A
IAP policies can scale across your organization. Here are the steps to enable Identity-Aware Proxy (IAP) for your application:
1. Go to the Identity-Aware Proxy page.
2. Select the project you want to secure with IAP.
3. Select the checkbox next to the resource you want to grant access to.
4. If you don’t see a resource, ensure that the resource is created and that the BackendConfig Compute Engine ingress controller is set up.
Once an app is protected with IAP, it can use the identity information that IAP provides in the web request headers it passes through. The application will get the logged-in user’s email address and a persistent unique user ID assigned by the Google Identity Service.
Use TLS 1.3 for better security.
Set to automatic.

Create multiple regional repositories within a single Google Cloud project. For instance, if you’re using Google Cloud’s Artifact Registry, you can enable security features such as:
a) Enforcement of organization policy, including encryption with customer-managed encryption keys (CMEK) and location constraints.
N/A
Implement DLP if sensitive data is present.
It is recommended that KMS keys be rotated at least every 90 days. (Google’s Cloud KMS can be set to automatically rotate keys.)

Uniform bucket-level access is a feature in Google Cloud Storage that allows you to uniformly control access to your Cloud Storage resources. When you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains.
1. Open the Cloud Storage browser in the Google Cloud Console.
2. In the list of buckets, click on the name of the desired bucket.
3. Select the Permissions tab near the top of the page.
4. In the text box in which it is written Access control, click Switch to Uniform.
5. In the pop-up menu that appears, select Uniform.

Remove default keys; use encrypted disks.
N/A
Set up to 90 days.
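The uniform bucket-level access steps and the 90-day KMS rotation recommendation above are both single fields on the exported resource, so they can be verified across a whole project without the console. The following script is an added example (not part of this checklist or any Google tool). `BUCKETS_JSON` is a constructed sample shaped like the Cloud Storage JSON API bucket resource (`iamConfiguration.uniformBucketLevelAccess.enabled`, `iamConfiguration.publicAccessPrevention`), `KEYS_JSON` is shaped like `gcloud kms keys list --format=json` (`purpose`, `rotationPeriod`, `nextRotationTime`); the field names are real, the values are made up, and the 90-day limit is the checklist's own figure. The fixed `NOW` timestamp is an assumption made so the sample is deterministic.

```python
"""Offline check of bucket access configuration and Cloud KMS key rotation.

Added example; the JSON below is a constructed sample, not real inventory.
"""
import json
from datetime import datetime, timedelta, timezone

BUCKETS_JSON = """[
  {"name": "prod-invoices", "iamConfiguration": {
      "uniformBucketLevelAccess": {"enabled": true},
      "publicAccessPrevention": "enforced"}},
  {"name": "legacy-uploads", "iamConfiguration": {
      "uniformBucketLevelAccess": {"enabled": false},
      "publicAccessPrevention": "inherited"}}
]"""

KEYS_JSON = """[
  {"name": "projects/example/locations/europe/keyRings/app/cryptoKeys/db-cmek",
   "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s",
   "nextRotationTime": "2024-03-01T00:00:00Z"},
  {"name": "projects/example/locations/europe/keyRings/app/cryptoKeys/yearly",
   "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s",
   "nextRotationTime": "2024-12-31T00:00:00Z"},
  {"name": "projects/example/locations/europe/keyRings/app/cryptoKeys/manual-only",
   "purpose": "ENCRYPT_DECRYPT"},
  {"name": "projects/example/locations/europe/keyRings/app/cryptoKeys/overdue",
   "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s",
   "nextRotationTime": "2023-12-01T00:00:00Z"}
]"""

MAX_ROTATION = timedelta(days=90)  # the checklist's "at least every 90 days"
# Fixed reference time so the sample is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def audit_bucket(bucket):
    """Return findings for the uniform-access and public-access checklist items."""
    iam = bucket.get("iamConfiguration", {})
    findings = []
    if not iam.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("uniform bucket-level access disabled (ACLs still in effect)")
    if iam.get("publicAccessPrevention") != "enforced":
        findings.append("public access prevention not enforced")
    return findings


def audit_key(key, now=NOW):
    """Rotation period must be at most 90 days and the next rotation must not be overdue."""
    findings = []
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        return findings  # automatic rotation only applies to symmetric keys
    period = key.get("rotationPeriod")
    if not period:
        findings.append("no automatic rotation schedule")
        return findings
    # rotationPeriod is a duration string such as "7776000s"
    if timedelta(seconds=int(period.rstrip("s"))) > MAX_ROTATION:
        findings.append(f"rotation period {period} exceeds 90 days")
    next_rot = datetime.fromisoformat(key["nextRotationTime"].replace("Z", "+00:00"))
    if next_rot < now:
        findings.append("next rotation time is in the past")
    return findings


def audit(buckets_json, keys_json, now=NOW):
    """Map each bucket (gs://name) and key (short name) to its findings."""
    report = {}
    for b in json.loads(buckets_json):
        report["gs://" + b["name"]] = audit_bucket(b)
    for k in json.loads(keys_json):
        report[k["name"].rsplit("/", 1)[-1]] = audit_key(k, now)
    return report


if __name__ == "__main__":
    for name, findings in audit(BUCKETS_JSON, KEYS_JSON).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

A `nextRotationTime` in the past with a valid `rotationPeriod` is worth flagging separately: it means the schedule exists but rotation is not actually happening, which a check on the period alone would miss.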

Binary Authorization: Create policies specific to each cluster and set the default project-level policy to “Deny All Images”. Any cluster will then need its own cluster-specific policy.
Shielded GKE Nodes: Enable Shielded GKE Nodes at cluster creation or update. Secure boot should be enabled with Shielded GKE Nodes.
Confidential GKE Nodes: Enable Confidential GKE Nodes on a cluster or on a node pool; data in workloads running on the confidential nodes is encrypted in use.
Application-layer Secrets Encryption: Enable Application-layer Secrets Encryption for your GKE cluster.
Workload Identity: Use service accounts to authenticate to Google Cloud. Create service accounts for each application that accesses Google Cloud.
Google Groups for RBAC: Enable Google Groups for RBAC and enter your security group name.
Legacy Authorization: Disable Legacy Authorization and ensure that Kubernetes RBAC and IAM are the sources of truth.
Basic Authentication: It is recommended to disable Basic Authentication and use other more secure methods like OAuth 2.0.
Client Certificate: It is recommended to disable Client Certificate Authentication and use other more secure methods like OAuth 2.0.
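Each of the GKE recommendations above maps to one field on the cluster resource, so the whole list can be evaluated from a single export. The following script is an added example (not part of this checklist or any Google tool). `CLUSTERS_JSON` is a constructed sample shaped like `gcloud container clusters list --format=json`; the field names (`legacyAbac`, `masterAuth.username`, `masterAuth.clientCertificateConfig.issueClientCertificate`, `databaseEncryption.state`, `shieldedNodes`, `confidentialNodes`, `workloadIdentityConfig.workloadPool`, `binaryAuthorization`, `authenticatorGroupsConfig`, `masterAuthorizedNetworksConfig`, `privateClusterConfig.enablePrivateNodes`) are the GKE API's own, while the cluster names and values are made up.

```python
"""Offline GKE cluster hardening check for the checklist items above.

Added example; the JSON below is a constructed sample, not real inventory.
"""
import json

CLUSTERS_JSON = """[
  {"name": "prod",
   "legacyAbac": {"enabled": false},
   "masterAuth": {"clientCertificateConfig": {"issueClientCertificate": false}},
   "databaseEncryption": {"state": "ENCRYPTED",
                          "keyName": "projects/example/locations/europe-west1/keyRings/gke/cryptoKeys/etcd"},
   "shieldedNodes": {"enabled": true},
   "confidentialNodes": {"enabled": true},
   "workloadIdentityConfig": {"workloadPool": "example.svc.id.goog"},
   "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"},
   "authenticatorGroupsConfig": {"enabled": true, "securityGroup": "gke-security-groups@example.com"},
   "masterAuthorizedNetworksConfig": {"enabled": true, "cidrBlocks": [{"cidrBlock": "10.0.0.0/8"}]},
   "privateClusterConfig": {"enablePrivateNodes": true}},
  {"name": "legacy",
   "legacyAbac": {"enabled": true},
   "masterAuth": {"username": "admin",
                  "clientCertificateConfig": {"issueClientCertificate": true}},
   "databaseEncryption": {"state": "DECRYPTED"}}
]"""


def audit_cluster(c):
    """Return one finding per checklist item the cluster fails."""
    f = []
    if c.get("legacyAbac", {}).get("enabled"):
        f.append("legacy authorization (ABAC) enabled")
    master_auth = c.get("masterAuth", {})
    if master_auth.get("username"):  # a static username means basic auth is on
        f.append("basic authentication enabled")
    if master_auth.get("clientCertificateConfig", {}).get("issueClientCertificate"):
        f.append("client certificate authentication enabled")
    if c.get("databaseEncryption", {}).get("state") != "ENCRYPTED":
        f.append("application-layer secrets encryption disabled")
    if not c.get("shieldedNodes", {}).get("enabled"):
        f.append("shielded GKE nodes disabled")
    if not c.get("confidentialNodes", {}).get("enabled"):
        f.append("confidential GKE nodes disabled")
    if not c.get("workloadIdentityConfig", {}).get("workloadPool"):
        f.append("workload identity not configured")
    binauthz = c.get("binaryAuthorization", {})
    # Older exports use the boolean "enabled"; newer ones use evaluationMode.
    enforced = bool(binauthz.get("enabled")) or \
        binauthz.get("evaluationMode") == "PROJECT_SINGLETON_POLICY_ENFORCE"
    if not enforced:
        f.append("binary authorization disabled")
    if not c.get("authenticatorGroupsConfig", {}).get("enabled"):
        f.append("Google Groups for RBAC disabled")
    if not c.get("masterAuthorizedNetworksConfig", {}).get("enabled"):
        f.append("control plane reachable from any network")
    if not c.get("privateClusterConfig", {}).get("enablePrivateNodes"):
        f.append("nodes have public IP addresses")
    return f


def audit(clusters_json):
    """Map each cluster name to its list of findings."""
    return {c["name"]: audit_cluster(c) for c in json.loads(clusters_json)}


if __name__ == "__main__":
    for name, findings in audit(CLUSTERS_JSON).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Every check treats a missing field as a failure, which is the right default for an audit: a cluster that omits `shieldedNodes` or `workloadIdentityConfig` from its export has not enabled them.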
N/A

Use instance-specific SSH keys instead of project-wide SSH keys.


Tool Name: Google Cloud KMS
Description: Google Cloud Key Management Service (KMS) lets you manage cryptographic keys. You can use Google’s KMS to create and rotate cryptographic keys, including AES256, RSA 3072, RSA 2048, RSA 4096, EC P384, and EC P256. You can either rotate keys manually or set an automatic rotation schedule.

Tool Name: Google Cloud IAM
Description: Google provides an identity and access management (IAM) service that provides you with granular access control. You can control which users and groups can gain access to cloud resources. You can assign roles, including primitive, predefined, and custom. Google’s IAM also records permission authorizations and deletions.

Tool Name: Google Cloud Identity
Description: Google Cloud Identity lets you manage the security of your cloud applications and devices. You can access the service through the Google Cloud console. You can also use Cloud Identity to enable multi-factor authentication and single sign-on authentication.

Tool Name: Stackdriver Logging
Description: Google Stackdriver is a monitoring service designed for hybrid clouds. It provides various capabilities, including Stackdriver Logging, which lets you manage and analyze log data. Stackdriver Logging comes with its own API and can ingest data from custom log sources, supporting your security monitoring and management efforts.

Tool Name: Google Access Transparency
Description: Google Access Transparency lets you view near-real-time log data, which indicates why and when Google’s internal IT staff accessed your environment. The IT staff accesses the environment when responding to support requests or when trying to recover from an outage.

Tool Name: Google Cloud Security Scanner
Description: The Google Cloud Security Scanner service can detect vulnerabilities in Google Kubernetes Engine (GKE), Google Compute Engine, and Google App Engine (GAE). Cloud Security Scanner lets you create, schedule, run and manage scans via the GCP console. The scanner can detect injection, cross-site scripting (XSS), and mixed content, as well as outdated or insecure JavaScript (JS) libraries.

Tool Name: Google Cloud Resource Manager
Description: The Resource Manager lets you manage and organize your Google Cloud resources. You can use the service to manage access to multiple groups of resources, which are sorted as organizations, folders, or projects.

Tool Name: Google Cloud Compliance
Description: Google provides a wide range of resources and services you can use to maintain compliance in your global and regional resources.

Ref: https://learn.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-gcp
