Introduction
At NCC Group, we routinely assess the configuration of our clients’ cloud environments. These reviews aim to ensure that the environments are in line with security best practice and provide appropriate protection for sensitive information and resources. Google Cloud Platform (GCP) has grown steadily since 2011 – both in features and in adoption. This blog post provides ten security best practices that we routinely recommend our clients follow.
Best practices
Segregate resources by projects
GCP Organizations are designed to group related resources in Projects. A Project forms the basis for creating, enabling, and managing all GCP services and APIs. Projects provide an isolation boundary, and as such, it should be ensured that projects do not contain resources that are not logically related. Projects also enable designating ownership of resources within an Organization. It is also recommended to use labels in order to denote organizational ownership and to track activity within the Organization.
Cloud IAM should be leveraged to provide access to resources following the principle of least privilege. Where necessary, interconnections between Projects can be explicitly granted between the resources used by an Organization.
Limit the use of Cloud IAM primitive roles
We often observe that Projects and Organizations overuse primitive roles. GCP best practices recommend granting predefined roles to identities whenever possible, as they provide more granular access than the primitive roles.
The use of primitive roles should be limited to the following cases [1]:
- When the Cloud Platform service does not provide a predefined role that includes the desired permissions
- When it is required to grant broader permissions for a project (e.g. when granting permissions in development or test environments)
- When it is required to allow a member to modify permissions for a project. In these cases, it is necessary to grant said user the “Owner” role, because only owners have the permission to grant access to other users for projects
- When the project is used in a small team where the team members do not need granular permissions
In particular, it should be ensured that the use of the “Owner” and “Editor” primitive roles is minimized.
Rotate Cloud IAM service account access keys periodically
A service account is a special type of account that belongs to an application or instance, rather than to an individual user. Service accounts use account keys to authenticate to GCP, of which there are two types: GCP-managed keys, which are created and managed automatically, and user-managed keys.
User-managed keys are created, downloaded, and managed by users. Consequently, these keys should be rotated on a regular basis in order to reduce the window in which a compromised key could be used without the knowledge of its owner. It goes without saying that these keys are highly sensitive, as their compromise would provide a potential attacker with a means to interact with your GCP resources.
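As an added example (not code from the original post), the script below flags user-managed service account keys older than a rotation threshold. It assumes the JSON layout printed by `gcloud iam service-accounts keys list --format=json` (fields `name`, `keyType`, `validAfterTime`); the three key records are constructed for the demo.

```python
# Added example, not code from the NCC Group post. Assumes the JSON that
# `gcloud iam service-accounts keys list --format=json` prints; records are constructed.
import json
from datetime import datetime, timedelta, timezone

SAMPLE_KEYS_JSON = """[
  {"name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/1a2b3c",
   "keyType": "USER_MANAGED", "validAfterTime": "2018-03-01T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/4d5e6f",
   "keyType": "USER_MANAGED", "validAfterTime": "2018-09-20T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/789abc",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2018-10-01T00:00:00Z", "validBeforeTime": "2018-10-15T00:00:00Z"}
]"""


def parse_rfc3339(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps gcloud prints (always UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_user_managed_keys(keys_json, now=None, max_age_days=90):
    """Return [(key_id, age_in_days)] for user-managed keys older than max_age_days.

    `now` is an RFC 3339 string such as "2018-10-12T12:00:00Z"; None means the
    current time. GCP-managed (SYSTEM_MANAGED) keys are rotated by Google and skipped.
    """
    reference = parse_rfc3339(now) if now else datetime.now(timezone.utc)
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = reference - parse_rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            key_id = key["name"].rsplit("/", 1)[-1]  # last path segment is the key id
            stale.append((key_id, age.days))
    return stale


if __name__ == "__main__":
    for key_id, days in stale_user_managed_keys(SAMPLE_KEYS_JSON):
        print(f"key {key_id} is {days} days old and should be rotated")
```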
Ensure firewall rules are not overly permissive
Where possible, VPC firewall rules should be configured so that access to specific network services is restricted to just those hosts that have a legitimate business requirement for access. It is worth noting that it may not be possible to achieve this in all circumstances, such as with a public web server where business requirements imply that any network address should be permitted access.
It is also recommended to leverage network tags, which are text attributes that can be added to instances. Tags can be used to apply firewall rules and routes to logically related instances, requiring less effort compared to working with IP addresses.
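As an added example (not code from the original post), the check below lists enabled ingress rules that admit 0.0.0.0/0 to anything other than the ports a public web server needs, and reports whether each rule is scoped by network tags or applies to every instance. It assumes the JSON layout of `gcloud compute firewall-rules list --format=json` (`direction`, `sourceRanges`, `allowed`, `targetTags`, `disabled`); the rules are constructed.

```python
# Added example, not code from the NCC Group post. Assumes the JSON that
# `gcloud compute firewall-rules list --format=json` prints; rules are constructed.
import json

SAMPLE_RULES_JSON = """[
  {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "web-public", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}], "targetTags": ["web"]},
  {"name": "admin-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}], "targetTags": ["win"]},
  {"name": "internal-db", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}], "targetTags": ["db"]},
  {"name": "old-open-rule", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}], "disabled": true}
]"""

PUBLIC_OK_PORTS = {80, 443}  # ports the business intends to expose to any address


def expand_ports(spec):
    """Expand a gcloud port spec ('22' or '8000-8010') into a set of ints."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def overly_permissive_rules(rules_json, public_ok=PUBLIC_OK_PORTS):
    """Return [(rule_name, unexpected_ports or 'all', scope)] for internet-open ingress rules."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if "0.0.0.0/0" not in rule.get("sourceRanges", []):
            continue  # source already restricted to specific ranges
        exposed, all_ports = set(), False
        for allowed in rule.get("allowed", []):
            proto = allowed["IPProtocol"]
            if proto == "all" or (proto in ("tcp", "udp") and not allowed.get("ports")):
                all_ports = True
            elif proto in ("tcp", "udp"):  # icmp and other port-less protocols are not assessed here
                for spec in allowed["ports"]:
                    exposed |= expand_ports(spec)
        unexpected = sorted(exposed - public_ok)
        if all_ports or unexpected:
            # Rules without target tags apply to every instance in the network
            scope = "tags " + ",".join(rule["targetTags"]) if rule.get("targetTags") else "all instances"
            findings.append((rule["name"], "all" if all_ports else unexpected, scope))
    return findings


if __name__ == "__main__":
    for name, ports, scope in overly_permissive_rules(SAMPLE_RULES_JSON):
        print(f"{name}: 0.0.0.0/0 -> ports {ports} ({scope})")
```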
Enable VPC Flow Logs
VPC Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in a VPC. It is recommended to enable flow logs for subnets hosting active instances, as they help with a number of tasks: for example, they can help troubleshoot why specific traffic is not reaching an instance, which in turn can help diagnose overly restrictive firewall rules. In a secure environment, Flow Logs can also be used as a security tool to monitor the traffic that is reaching instances.
Ensure Cloud Storage buckets enforce appropriate access controls
Cloud Storage buckets are often used to store sensitive data, as well as to host static resources for web applications. It is important to ensure bucket access controls enforce the principle of least privilege, so that resources cannot be accessed or modified by unauthorized parties.
In particular, the usage of the following identifiers should be restricted:
- “allAuthenticatedUsers” represents anyone who is authenticated with a Google account or a service account. It is important to understand that these users may not be part of your Organization or Project.
- “allUsers” represents anyone who is on the internet, including authenticated and unauthenticated users.
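As an added example (not code from the original post) serving both the primitive-roles recommendation above and this one on bucket access controls, the audit below walks an IAM policy and reports bindings that grant a primitive role or that grant anything to allUsers or allAuthenticatedUsers. It assumes the bindings layout shared by `gcloud projects get-iam-policy PROJECT --format=json` and `gsutil iam get gs://BUCKET`; both policies are constructed.

```python
# Added example, not code from the NCC Group post. Assumes the IAM policy JSON
# layout (bindings of role -> members) used by gcloud and gsutil; policies are constructed.
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_PROJECT_POLICY = """{"version": 1, "etag": "BwVdemo=", "bindings": [
  {"role": "roles/owner", "members": ["user:alice@example.com",
                                      "serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
  {"role": "roles/editor", "members": ["group:dev-team@example.com"]},
  {"role": "roles/compute.viewer", "members": ["user:bob@example.com"]}
]}"""

SAMPLE_BUCKET_POLICY = """{"etag": "CAE=", "bindings": [
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
  {"role": "roles/storage.objectAdmin", "members": ["allAuthenticatedUsers"]},
  {"role": "roles/storage.admin", "members": ["user:alice@example.com"]}
]}"""


def audit_iam_policy(policy_json):
    """Return [(role, member, reason)] for every binding that grants a primitive
    role or that grants anything to allUsers / allAuthenticatedUsers."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in PRIMITIVE_ROLES:
                findings.append((role, member, "primitive role"))
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public principal"))
    return findings


def owners(policy_json):
    """List members holding roles/owner, the role that can grant access to everyone else."""
    return [m for r, m, why in audit_iam_policy(policy_json) if r == "roles/owner" and why == "primitive role"]


if __name__ == "__main__":
    for label, policy in (("project", SAMPLE_PROJECT_POLICY), ("bucket", SAMPLE_BUCKET_POLICY)):
        for role, member, reason in audit_iam_policy(policy):
            print(f"[{label}] {role} -> {member}: {reason}")
    print("owners to review:", owners(SAMPLE_PROJECT_POLICY))
```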
Ensure Cloud Storage buckets have logging and versioning enabled
The logging and versioning features of Cloud Storage should be enabled for buckets that contain important data.
The logging feature helps during the investigation of security incidents, as it enables maintaining access and modification logs for storage buckets. Versioning is a means of keeping multiple variants of an object in the same bucket. This preserves and allows retrieving and restoring every version of every object stored in the buckets for which versioning has been enabled. With versioning enabled, buckets can recover from both unintended user actions and application failures.
Create periodic snapshots of Compute Engine instances
Compute Engine instance snapshots enable creating backups of persistent disks. Even though GCP provides data redundancy for most disk options, failures can occur and having recent snapshots can help restore a disk to a point in time before the failure. It should be ensured that snapshots are created for all disks to reduce the risk of resources becoming unavailable.
Create periodic backups of Cloud SQL instances
Cloud SQL instance backups provide a way to recover lost data or recover from a problem occurring with an instance. Creating backups periodically ensures that data restoration is possible in the event of an incident affecting the source database. Automatic backups should be configured for Cloud SQL instances in order to ensure backups are created regularly. In particular, weekly or monthly backups should be created of all databases holding critical data.
Enable and configure Stackdriver logging and monitoring
The Stackdriver Monitoring service should be enabled in order to monitor the performance, uptime, and overall health of GCP Projects and their deployed resources.
Once Stackdriver is enabled, it is important to ensure that monitoring alerts are configured. Configuring alerts provides awareness of issues affecting resources, and enables resolving incidents quickly. When events trigger a condition in one of the configured alerting policies, Stackdriver creates and displays an incident in the Monitoring console. If notifications are configured, Stackdriver will send notifications to the points of contact as well as to third-party services.
Additionally, export sinks should be configured in order to store logs for extended periods, as the Stackdriver retention period is usually limited to 30 days.
Conclusion
We hope this blog post provided valuable guidance towards securing your Google Cloud Platform environments. If you would like to discuss the above recommendations, or have a chat about GCP or cloud security in general, feel free to get in touch.
References
[1] Using IAM Securely
https://cloud.google.com/iam/docs/using-iam-securely
Google Cloud Platform – Resource Manager
https://cloud.google.com/resource-manager/
GCP Documentation – Best Practices for Enterprise Organizations
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
Google Cloud Platform – Identity Access Management (IAM)
https://cloud.google.com/iam/
GCP Documentation – Using IAM Securely
https://cloud.google.com/iam/docs/using-iam-securely
GCP Documentation – Understanding Roles
https://cloud.google.com/iam/docs/understanding-roles
GCP Documentation – Understanding Service Accounts
https://cloud.google.com/iam/docs/understanding-service-accounts
GCP Documentation – Service Accounts
https://cloud.google.com/compute/docs/access/service-accounts
Google Cloud Platform – Virtual Private Cloud
https://cloud.google.com/vpc/
GCP Documentation – Firewall Rules Overview
https://cloud.google.com/vpc/docs/firewalls
GCP Documentation – Configuring Network Tags
https://cloud.google.com/vpc/docs/add-remove-network-tags
GCP Documentation – Using VPC Flow Logs
https://cloud.google.com/vpc/docs/using-flow-logs
Google Cloud Platform – Google Cloud Storage
https://cloud.google.com/storage/
GCP Documentation – Best Practices for Google Cloud Storage
https://cloud.google.com/storage/docs/best-practices
GCP Documentation – Cloud Storage IAM Permissions
https://cloud.google.com/storage/docs/access-control/iam-permissions
GCP Documentation – Access Logs Storage Logs
https://cloud.google.com/storage/docs/access-logs
GCP Documentation – Object Versioning
https://cloud.google.com/storage/docs/object-versioning
Google Cloud Platform – Compute Engine
https://cloud.google.com/compute/
GCP Documentation – Storage Options
https://cloud.google.com/compute/docs/disks/#pdspecs
GCP Documentation – Creating Persistent Disk Snapshots
https://cloud.google.com/compute/docs/disks/create-snapshots
Google Cloud Platform – Cloud SQL
https://cloud.google.com/sql/
GCP Documentation – Overview of Backups
https://cloud.google.com/sql/docs/mysql/backup-recovery/backups
Google Cloud Platform – Stackdriver
https://cloud.google.com/stackdriver/
Google Cloud Platform – Stackdriver Monitoring
https://cloud.google.com/monitoring/
GCP Documentation – Stackdriver Accounts
https://cloud.google.com/monitoring/accounts/
GCP Documentation – Managing Accounts
https://cloud.google.com/monitoring/accounts/guide
Published date: 12 October 2018
Written by: Xavier Garceau-Aranda